Feature #17492

Update documentation wrt. using GRUB + Secure Boot for USB boot on EFI 64-bit

Added by intrigeri 2020-02-22 07:19:53 . Updated 2020-04-17 06:49:32 .

Status: Resolved
Priority: Normal
Start date: 2018-12-17
% Done: 100%
Feature Branch: web/release-4.5
Type of work: End-user documentation

Description

  • don’t recommend disabling Secure Boot (i.e. delete 2 lines in install/inc/steps/restart_first_time.inline.mdwn) except on Apple computers (Apple’s implementation of Secure Boot only allows starting macOS and Windows)
  • adding/changing boot options
  • booting in “Troubleshooting mode”

Subtasks

  • Bug #16229: Boot Loader Menu documentation does not support 32-bit UEFI (Resolved)
  • Feature #16410: Document how to allow macOS Startup Security Utility to boot on external media (Resolved)

Related issues

Blocks Tails - Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing Confirmed

History

#1 Updated by intrigeri 2020-02-22 07:21:34

For now this is tentatively scheduled for Tails 4.5, whose RC should be published late March. But at the end of our current sprint, segfault and I will check where we’re at and possibly adjust the timeline.

#2 Updated by intrigeri 2020-02-22 07:22:32

  • Subject changed from Update documentation wrt. using GRUB for USB boot on EFI 64-bit to Update documentation wrt. using GRUB + Secure Boot for USB boot on EFI 64-bit

#3 Updated by intrigeri 2020-02-22 07:22:55

#4 Updated by intrigeri 2020-02-22 07:23:21

  • blocks Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing added

#5 Updated by intrigeri 2020-02-22 17:04:46

  • Description updated

I confirm we plan to ship this in 4.5~rc1, scheduled for late March.

segfault and I will meet on March 5 at 10:00 CET. IIRC that’s not a suitable time for you but it would be a good time for us to look into any question you may have sent us earlier :)

#6 Updated by intrigeri 2020-03-19 09:42:35

#7 Updated by sajolida 2020-03-25 04:58:54

#8 Updated by sajolida 2020-03-25 05:12:19

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from sajolida to cbrownstein
  • Feature Branch changed from feature/6560-secure-boot+force-all-tests to doc/17492-secure-boot

I think I’m done with this (big) branch!

@cbrownstein:

  • I also worked on Feature #16410 and Feature #15122 in this same branch because I thought that it made sense to do this all at once.
  • I didn’t spend a lot of time improving any old sentence affected by some smaller change, but feel free to do so: translations are going to be broken on these anyway.
  • I stopped using DocBook-style CSS classes as per Bug #16221, though the new style is not documented yet in the Style Guide. Basically it’s the same logic but with and instead of our custom classes (eg. ‘application’).
  • Some images overflow their sections: forget about them. With Feature #15112 we’ll be able to make all these sections wider thanks to the space that we will gain on the right without the sidebar.
  • The wild renaming on PO files from e257c1fbee, 280701d27c, and 8657a6d1a2 was done in a batch using sed. Hopefully it will prevent some translations from breaking but it’s best effort: don’t review them one by one!!!

Also this is meant to be released with Tails 4.5 (April 7). I’m quite proud to have my draft ready 2 weeks in advance :) I hope it leaves you plenty of time for this long review.

@intrigeri: I’d also like you to review bits of this branch for technical correctness. It would be good if you read at least the following commits (and maybe the resulting final sections as well):

  - /doc/advanced_topics/boot_options
    - a938d82607
  - /install/mac/usb#start-tails
    - fadd9c4709
    - 53336bc6e2
  - /install/win/usb#start-tails
    - d4edefb9a7
    - 08bf1b0600
    - b794d7772a
  - /install/win/usb#welcome-screen → "Tails not starting entirely"
    - fa9130af4c

#9 Updated by intrigeri 2020-03-25 09:39:20

Hi,

> intrigeri: I’d also like you to review bits of this branch for technical correctness. It would be good if you read at least the following commits (and maybe the resulting final sections as well):

All these commits look great to me!

Comments:

  • On /install/win/usb#welcome-screen → “Tails not starting entirely”, grub-with-options.png and syslinux-with-options.png are not displayed.
  • d4edefb9a7: I don’t think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI), if the first one fails. IMO everything (apart “Disable Secure boot”) that this commit removes is useful for troubleshooting.
  • 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I’m fine with your conclusion.

#10 Updated by sajolida 2020-03-26 23:28:10

@intrigeri:

> * On /install/win/usb#welcome-screen → “Tails not starting entirely”, grub-with-options.png and syslinux-with-options.png are not displayed.

Oops, they were broken by a renaming → fixed in 84661f96b4.

> * d4edefb9a7: I don’t think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI), if the first one fails. IMO everything (apart “Disable Secure boot”) that this commit removes is useful for troubleshooting.

I wasn’t sure about this so that’s useful info.

We’re talking about:

  • Enabling Legacy mode
  • Enable CSM boot
  • Disable UEFI

My concern is that disabling UEFI might break starting Windows and it might break BitLocker to enable it back. It happened to Cody :) See https://redmine.tails.boum.org/code/issues/15016#note-19.

But we can probably find some kind of middle-ground.

What still feels safe would be:

  • Enable CSM boot

For reference:
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#CSM_booting

  • Enabling Legacy mode as fallback, ie. without disabling UEFI

That’s what I did on my laptop until now but I don’t think that all laptops support this, do they? This might be hard to phrase but I can try and put some warnings around it.

  • Disable UEFI if you don’t have Windows installed

Would other Linuxes still boot in Legacy even if they were installed in UEFI?

> * 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I’m fine with your conclusion.

Ok. I can try to add it back and add fat warnings around it. I should also tell people to go check the support pages of the computer manufacturer.

Deal?

#11 Updated by intrigeri 2020-03-27 11:05:30

Hi,

>> * d4edefb9a7: I don’t think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI), if the first one fails. IMO everything (apart “Disable Secure boot”) that this commit removes is useful for troubleshooting.

> […]
> What still feels safe would be:

Sounds good.

> * Enabling Legacy mode as fallback, ie. without disabling UEFI
>
> That’s what I did on my laptop until now but I don’t think that all laptops support this, do they? This might be hard to phrase but I can try and put some warnings around it.

Indeed, I doubt every firmware supports this.

> Would other Linuxes still boot in Legacy even if they were installed in UEFI?

I don’t think so.

Let’s keep in mind that there are 2 possible goals here:

  • tweaking the firmware once for all, so that the computer starts Tails and the other installed OS: that’s ideal of course, but not always achievable
  • tweaking the firmware every time one starts Tails (and toggling settings back before rebooting to the other OS): it sucks; that’s what users had to do so far when their OS requires Secure Boot; but for some users, it could be the only way to use Tails, and I am sympathetic with this situation

>> * 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I’m fine with your conclusion.
>
> Ok. I can try to add it back and add fat warnings around it. I should also tell people to go check the support pages of the computer manufacturer.
>
> Deal?

Deal!

In passing: I don’t know about Windows but on modern Linux with a decent desktop environment and a UEFI installation, one gets firmware updates for free. Personally I haven’t had to do any manual operation to update my laptop’s firmware for a few years. So perhaps this issue is less important than I thought, and checking manufacturer support pages is not needed in most cases.
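Notes #10 and #11 weigh firmware tweaks (enabling CSM, Legacy mode as a fallback, disabling UEFI) against the risk of breaking the other operating system on the disk. Before changing any of these settings, it helps to know how the running system actually booted and whether Secure Boot is enforced, which is what the script below reports. This is an added example for this page, not code from the Tails project or its documentation branch. It assumes a Linux system that exposes efivarfs under /sys/firmware/efi/efivars; the optional root-prefix argument and the make_fake_efi_tree helper are assumptions added only so the checks can be exercised offline on a constructed sysfs tree.

```shell
#!/bin/sh
# Added example: report the firmware boot mode and Secure Boot state of a
# running Linux system. Not part of the Tails documentation.
# Every function takes an optional root prefix (assumption for offline tests).

# Name of the SecureBoot variable under efivarfs: <name>-<EFI_GLOBAL_VARIABLE GUID>
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print "uefi" if the kernel exposes the EFI runtime interface, else "legacy".
# A legacy/CSM boot never creates /sys/firmware/efi, so this directory is the
# simplest reliable indicator from inside the booted system.
boot_mode() {
    root="${1:-}"
    if [ -d "$root/sys/firmware/efi" ]; then
        echo uefi
    else
        echo legacy
    fi
}

# Print "enabled", "disabled" or "unknown" by reading the SecureBoot variable.
# An efivarfs file holds 4 bytes of variable attributes followed by the data,
# and SecureBoot's data is a single byte, so skip 4 bytes and read one.
secure_boot_state() {
    root="${1:-}"
    var="$root/sys/firmware/efi/efivars/$SB_VAR"
    if [ ! -r "$var" ]; then
        echo unknown
        return 0
    fi
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# One-line summary combining both checks.
firmware_summary() {
    root="${1:-}"
    if [ "$(boot_mode "$root")" = uefi ]; then
        echo "booted via UEFI, Secure Boot $(secure_boot_state "$root")"
    else
        echo "booted via legacy BIOS/CSM (Secure Boot not applicable)"
    fi
}

# Constructed fake sysfs tree for offline demonstration (assumption, not a
# real system layout beyond the efivarfs file format described above).
# $1 = root directory, $2 = SecureBoot value byte (0 or 1).
make_fake_efi_tree() {
    dir="$1"; sb="$2"
    file="$dir/sys/firmware/efi/efivars/$SB_VAR"
    mkdir -p "$dir/sys/firmware/efi/efivars"
    # attributes NV|BS|RT (0x06) as a little-endian u32, then the value byte
    printf '\006\000\000\000' > "$file"
    if [ "$sb" = 1 ]; then printf '\001'; else printf '\000'; fi >> "$file"
}

# When run directly, describe the real system this shell is running on.
firmware_summary
```

If the summary says "legacy", the current session came up through the CSM or legacy path, so a Tails stick (or another Linux) installed for UEFI will not be found the same way, which is the situation the "Disable UEFI" option in this thread trips over. The script reads only world-readable sysfs files and changes nothing.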

#12 Updated by cbrownstein 2020-04-04 07:15:54

  • Assignee changed from cbrownstein to sajolida

Here’s a branch:

https://0xacab.org/cbrownstein/tails/-/commits/doc/17492-secure-boot

> * I also worked on Feature #16410 and Feature #15122 in this same branch because I thought that it made sense to do this all at once.

I also additionally worked on Feature #16410 and Feature #15122 in my branch.

> * I didn’t spend a lot of time improving any old sentence affected by some smaller change, but feel free to do so: translations are going to be broken on these anyway.

Ack.

> * I stopped using DocBook-style CSS classes as per Bug #16221, though the new style is not documented yet in the Style Guide. Basically it’s the same logic but with and instead of our custom classes (eg. ‘application’).

Ack.

> * Some images overflow their sections: forget about them. With Feature #15112 we’ll be able to make all these sections wider thanks to the space that we will gain on the right without the sidebar.

Ack.

> * The wild renaming on PO files from e257c1fbee, 280701d27c, and 8657a6d1a2 was done in a batch using sed. Hopefully it will prevent some translations from breaking but it’s best effort: don’t review them one by one!!!

Ack.

> Also this is meant to be released with Tails 4.5 (April 7). I’m quite proud to have my draft ready 2 weeks in advance :) I hope it leaves you plenty of time for this long review.

You did leave me with plenty of time for my review. :-)

#13 Updated by sajolida 2020-04-06 21:50:27

  • blocked by deleted (Feature #15122: Rename Tails Greeter to be more plain)

#14 Updated by sajolida 2020-04-06 22:41:35

  • Assignee changed from sajolida to cbrownstein
  • Feature Branch changed from doc/17492-secure-boot to web/release-4.4.1

It’s a shame I didn’t see intrigeri answer before today, otherwise I would have pushed this in time for Cody’s first review.

@intrigeri: Please have a look at f1e798421d.

@cbrownstein: And also a7e182ad10 and d282b09b9e.

I pushed them straight to web/release-4.4.1 to make sure that they are released at the same time as 4.5 and to avoid more complicated operations until then.

#15 Updated by sajolida 2020-04-06 22:58:31

  • Feature Branch changed from web/release-4.4.1 to web/release-4.5

#16 Updated by cbrownstein 2020-04-06 23:07:08

@sajolida: Wrt changeset d282b09b9e, the sentence “To learn how to edit the BIOS settings…” needs a ‘.’ at the end.

Other than that, your changes look good to me!

#17 Updated by sajolida 2020-04-06 23:42:44

  • Assignee changed from cbrownstein to intrigeri

Thanks! So the last step here is for intrigeri to review 60529bd7ef (/!\ new and only commit number).

#18 Updated by intrigeri 2020-04-07 08:36:37

  • Assignee changed from intrigeri to segfault

I’m not working today, so: either someone else takes care of this, or please adjust target version + reassign to me :)

#19 Updated by sajolida 2020-04-07 14:20:52

  • Priority changed from Elevated to Normal
  • Target version changed from Tails_4.5 to Tails_4.6

Any time is fine. The doc will be live with 4.5 and Cody reviewed it, but I’d still like a last review from the FT on 60529bd7ef.

#20 Updated by intrigeri 2020-04-15 15:15:47

> So the last step here is for intrigeri to review 60529bd7ef (/!\ new and only commit number).

LGTM

#21 Updated by sajolida 2020-04-16 21:52:21

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (segfault)

Thanks for the review! So I can close this ticket and not bother @segfault further, right?

#22 Updated by intrigeri 2020-04-17 06:49:32

> So I can close this ticket and not bother @segfault further, right?

Works for me.