Feature #16410: Document how to allow macOS Startup Security Utility to boot on external media

Feature #16410

Document how to allow macOS Startup Security Utility to boot on external media

Added by sajolida 2019-01-31 11:19:11 . Updated 2020-04-06 21:55:09 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Hardware support

Target version:

Tails_4.5

Start date:

2019-01-31

Due date:

% Done:

Feature Branch:

doc/17492-secure-boot:53336bc6e2

Type of work:

End-user documentation

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

It could prevent from starting on an external media:

https://support.apple.com/en-us/HT208198
https://support.apple.com/en-us/HT208198

The following error message was reported to us (in French):

« Les réglages de sécurité ne permettent pas à ce Mac d’utiliser un disque de démarrage externe. »

This should affect by default, as per https://support.apple.com/en-us/HT208862:

iMac Pro
Mac mini models introduced in 2018
MacBook Air models introduced in 2018
MacBook Pro models introduced in 2018

It would be good to:

Have our help desk confirm that this is really happening on such machines by default
Test one of these machines:
- What’s happening by default?
- Does allowing booting from external media works?
Include this in our installation instructions for macOS

Subtasks

Related issues

Blocks Tails - Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing

Confirmed

History

#1 Updated by sajolida 2019-01-31 11:19:41

blocks ~~Feature #15941~~: Core work 2018Q4 → 2019Q2: Technical writing added

#2 Updated by sajolida 2019-01-31 11:21:06

Assignee set to cbrownstein

Cody: Do you think you can have a hand on one of these machines?

Otherwise, I can try looking for one at the IFF in April.

#3 Updated by sajolida 2019-01-31 11:22:45

Subject changed from Document macOS Startup Security Utility to Document how to allow macOS Startup Security Utility to boot on external media

#4 Updated by sajolida 2019-07-18 16:57:18

blocked by deleted (~~~~Feature #15941~~: Core work 2018Q4 → 2019Q2: Technical writing~~)

#5 Updated by sajolida 2019-07-18 16:57:23

blocks ~~Feature #16711~~: Core work 2019Q3 → 2019Q4: Technical writing added

#6 Updated by sajolida 2019-08-29 08:57:16

I investigated this a bit more and I think that we can document this without testing it ourselves:

The error message in English is “Security settings do not allow this Mac to use an external startup disk”
The Apple doc should be enough to guide us: https://support.apple.com/en-us/HT208198

#7 Updated by sajolida 2019-11-22 07:48:45

Description updated

#8 Updated by sajolida 2020-01-05 16:27:18

blocks Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing added

#9 Updated by sajolida 2020-01-05 16:27:25

blocked by deleted (~~~~Feature #16711~~: Core work 2019Q3 → 2019Q4: Technical writing~~)

#10 Updated by sajolida 2020-03-19 02:06:52

@cbrownstein:

I’ll work on documenting Secure Boot in time for 4.5 (April 7), so I’ll make sure that this ticket is solved in time for that. I’ll try to have a draft ready for the whole thing either this week or next week.

If you have done any significant writing for this ticket already, please push it so I can review or complete it if needed. Otherwise please reassign this ticket to me so I can solve it in time for 4.5.

#11 Updated by cbrownstein 2020-03-23 02:52:18

Assignee changed from cbrownstein to sajolida

> If you have done any significant writing for this ticket already, please push it so I can review or complete it if needed. Otherwise please reassign this ticket to me so I can solve it in time for 4.5.

I haven’t done any significant writing for this ticket, so reassigning to you.

#12 Updated by sajolida 2020-03-24 18:31:32

Target version set to Tails_4.5
Parent task set to ~~Feature #17492~~

Ok! I’m targetting 4.5 and the Secure Boot documentation.

#13 Updated by sajolida 2020-03-25 01:28:00

Status changed from Confirmed to Needs Validation
Assignee changed from sajolida to cbrownstein
Feature Branch set to doc/17492-secure-boot:53336bc6e2

Done in 53336bc6e2. I’ll push it in a few days along with doc/17492-secure-boot once I’m done with the rest of the Secure Boot doc.

The good news is that, even though we ask people to disable Secure Boot entierly, they can set a firmware password to prevent other people from starting from unauthorized media. Yeah!

#14 Updated by cbrownstein 2020-04-04 07:20:15

Assignee changed from cbrownstein to sajolida

Here’s a branch (that also includes my work on ~~Feature #17492~~ and ~~Feature #15122~~):

https://0xacab.org/cbrownstein/tails/-/commits/doc/17492-secure-boot

#15 Updated by sajolida 2020-04-06 21:55:10

Status changed from Needs Validation to Resolved
Assignee deleted (~~sajolida~~)