Explain better how to disable Secure Boot
Many users contact frontdesk because they need to disable Secure Boot.
This is not easy to understand on the Install instructions (at least for this kind of users). It should be more prominent.
I send them to the microsoft page:
#4 Updated by Anonymous 2018-01-17 09:16:22
Basically, in https://tails.boum.org/install/win/usb/index.en.html#install-inc-steps-restart-first-time we could better explain “Disable Secure Boot” with an interrogation mark or by linking somewhere (https://en.wikipedia.org/wiki/Hardware_restriction#Secure_boot for example).
#7 Updated by emmapeel 2018-02-27 13:00:09
- Assignee changed from emmapeel to sajolida
I like it. Maybe with your correction my suggestion is not needed anymore, but just wanted to point out:
I have noticed that many users don’t get that the problem at boot is that they haven’t disabled the Secure Boot. The message displayed by the BIOS is not clear, or maybe too close to the Tails ISO image wording, for the users to think they have a problem with the ISO instead of with their BIOS settings.
So I think that maybe we could add something about secure boot also to the Troubleshooting section ‘if Tails does not start’.
#9 Updated by sajolida 2018-03-22 19:13:49
- Assignee changed from sajolida to emmapeel
- QA Check changed from Dev Needed to Info Needed
I’m doing a first merge of the branch.
But I don’t understand your comment…
In “Troubleshooting - Tails does not start at all” we are instructing users to:
- Get to the Boot Menu, testing various key combinations.
- Edit their BIOS settings (including disabling Secure Boot) if they can’t get to the Boot Menu or the Boot Menu doesn’t lead to the Boot Loader Menu (syslinux).
Which is what you seem to propose…
Are you saying that we should also rephrase the following paragraph to mention explicitly failures related to Secure Boot:
« If none of the potential boot menu keys identified in step 3 work or if the USB stick does not appear in the list, then try the second troubleshooting technique described below. »
What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?
Or maybe you mean something else that I didn’t get…
#10 Updated by emmapeel 2018-03-22 22:08:55
> What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?
> Or maybe you mean something else that I didn’t get…
Yes, I will try to compile the messages the users receive.
The computer will say something like ‘error on the image’ or ‘unsafe image’ and the users think they didn’t downloaded the ISO well, they don’t think their Windows is bluffing on them.
#13 Updated by sajolida 2018-03-26 19:49:09
- Assignee changed from sajolida to emmapeel
- Target version deleted (
Ok, then I’d like to have concrete examples of what happens, either a description of the screen or a photo, before writing more stuff. Could you do that?
No hurry, so I’m removing the target version and the blocking relationship with Core work 2018Q1.
#16 Updated by sajolida 2018-08-16 19:20:32
- Assignee deleted (
- QA Check deleted (
So now I understand that people somehow manage to tell their computer to try starting on a Tails USB stick with Secure Boot enabled and that’s the error message they get. I didn’t know this was possible…
We should definitely document that!
This is on our installation flow and can possibly affects a vast majority of our users, so let’s make this part of our core work.
Thanks for resurrecting this ticket u!
#19 Updated by cbrownstein 2019-01-15 19:35:53
Here is a (scary) Secure Boot experience I had the other day:
I borrowed a Microsoft Surface Laptop 2 running Windows 10 Home. My plan was to test the new Tails USB image.
The USB image copied to a USB stick using Etcher without any issues.
I left the USB stick in the laptop. I tried to boot from advanced startup.
The Microsoft logo displayed for a few seconds before the laptop booted into Windows.
No messages were displayed to explain why the laptop booted into Windows instead of Tails.
From previous experience, I suspected this was a Secure Boot issue.
I restarted the laptop and held the volume-up button on boot to access the BIOS/UEFI.
I was presented with a window on boot:
> SecureBoot violation!
> One or more of the selected boot devices had a SecureBoot violation! Returning to Surface settings. Please verify SecureBoot key configuration and boot device selection.
I disabled Secure Boot in the BIOS/UEFI.
I restarted with the USB stick in the laptop.
The laptop tried to boot into Windows. But, I was asked for a BitLocker recovery key! (See the attached picture.)
I did not have a recovery key. I was worried that I had just lost all the data on the internal drive of this laptop!
I re-enabled Secure Boot per the dialog and restarted the laptop. I was still being prompted for a recovery key.
(Very) luckily I was able to get a recovery key.
I decided not to make further attempts to boot Tails. I did not want to risk losing the data on this borrowed laptop.
#25 Updated by sajolida 2019-08-10 17:09:45
Our MOSS grant about supporting Secure Boot has been approved and we’ll have to deliver it by July 2020. It’s in while but significantly improving our documentation will be a lot of work and we have tons of other important things to do. So I propose to reject this ticket.
Maybe before closing it, you could share any relevant findings with us in case you already identified some easy things to fix.