Feature #16410

Document how to allow macOS Startup Security Utility to boot on external media

Added by sajolida 2019-01-31 11:19:11 . Updated 2020-04-06 21:55:09 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Hardware support
Target version:
Start date:
2019-01-31
Due date:
% Done:

0%

Feature Branch:
doc/17492-secure-boot:53336bc6e2
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

It could prevent from starting on an external media:

https://support.apple.com/en-us/HT208198
https://support.apple.com/en-us/HT208198

The following error message was reported to us (in French):

« Les réglages de sécurité ne permettent pas à ce Mac d’utiliser un disque de démarrage externe. »

This should affect by default, as per https://support.apple.com/en-us/HT208862:

  • iMac Pro
  • Mac mini models introduced in 2018
  • MacBook Air models introduced in 2018
  • MacBook Pro models introduced in 2018

It would be good to:

  • Have our help desk confirm that this is really happening on such machines by default
  • Test one of these machines:
    • What’s happening by default?
    • Does allowing booting from external media works?
  • Include this in our installation instructions for macOS

Subtasks


Related issues

Blocks Tails - Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing Confirmed

History

#1 Updated by sajolida 2019-01-31 11:19:41

  • blocks Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing added

#2 Updated by sajolida 2019-01-31 11:21:06

  • Assignee set to cbrownstein

Cody: Do you think you can have a hand on one of these machines?

Otherwise, I can try looking for one at the IFF in April.

#3 Updated by sajolida 2019-01-31 11:22:45

  • Subject changed from Document macOS Startup Security Utility to Document how to allow macOS Startup Security Utility to boot on external media

#4 Updated by sajolida 2019-07-18 16:57:18

  • blocked by deleted (Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing)

#5 Updated by sajolida 2019-07-18 16:57:23

  • blocks Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing added

#6 Updated by sajolida 2019-08-29 08:57:16

I investigated this a bit more and I think that we can document this without testing it ourselves:

#7 Updated by sajolida 2019-11-22 07:48:45

  • Description updated

#8 Updated by sajolida 2020-01-05 16:27:18

  • blocks Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing added

#9 Updated by sajolida 2020-01-05 16:27:25

  • blocked by deleted (Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing)

#10 Updated by sajolida 2020-03-19 02:06:52

@cbrownstein:

I’ll work on documenting Secure Boot in time for 4.5 (April 7), so I’ll make sure that this ticket is solved in time for that. I’ll try to have a draft ready for the whole thing either this week or next week.

If you have done any significant writing for this ticket already, please push it so I can review or complete it if needed. Otherwise please reassign this ticket to me so I can solve it in time for 4.5.

#11 Updated by cbrownstein 2020-03-23 02:52:18

  • Assignee changed from cbrownstein to sajolida

> If you have done any significant writing for this ticket already, please push it so I can review or complete it if needed. Otherwise please reassign this ticket to me so I can solve it in time for 4.5.

I haven’t done any significant writing for this ticket, so reassigning to you.

#12 Updated by sajolida 2020-03-24 18:31:32

Ok! I’m targetting 4.5 and the Secure Boot documentation.

#13 Updated by sajolida 2020-03-25 01:28:00

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from sajolida to cbrownstein
  • Feature Branch set to doc/17492-secure-boot:53336bc6e2

Done in 53336bc6e2. I’ll push it in a few days along with doc/17492-secure-boot once I’m done with the rest of the Secure Boot doc.

The good news is that, even though we ask people to disable Secure Boot entierly, they can set a firmware password to prevent other people from starting from unauthorized media. Yeah!

#14 Updated by cbrownstein 2020-04-04 07:20:15

  • Assignee changed from cbrownstein to sajolida

Here’s a branch (that also includes my work on Feature #17492 and Feature #15122):

https://0xacab.org/cbrownstein/tails/-/commits/doc/17492-secure-boot

#15 Updated by sajolida 2020-04-06 21:55:10

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (sajolida)