Feature #7475

Have live-boot honor FSUUID=

Added by intrigeri 2014-06-30 13:30:49. Updated 2020-03-09 19:01:42.

Status: Confirmed
Priority: Normal
Assignee:
Category: Hardware support
Target version:
Start date: 2014-06-30
Due date:
% Done: 10%
Feature Branch:
Type of work: Code
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

See parent ticket for the rationale, and desired user interface. boyska volunteered to add the needed support to live-boot.


Related issues

Has duplicate Tails - Feature #10944: When booting from DVD, if USB stick plugged, Tails ends up running from USB stick Duplicate 2016-01-15

History

#1 Updated by intrigeri 2015-07-12 03:31:46

I’ve just pinged boyska.

#2 Updated by intrigeri 2015-07-12 03:56:49

boyska can’t work on this before September, and even then he encourages me to find someone else to work on this. Not sure how to proceed — probably I’ll send a call for volunteers on tails-dev@ + debian-live@, and then unassign this from me.

Also note that live-boot (at least 5.x) already supports some kind of UUID checking, but it’s not suitable for security purposes: the UUID is generated at ISO build time, embedded in the initramfs and in the ISO filesystem, and at boot time the initramfs checks that the UUID on the boot drive is the one it knows about. Given the content of the ISO is public information, an attacker can very well plant the same in their fake Tails they put on the internal hard drive, so this doesn’t help wrt. “not load the OS from internal hard drives, while still looking for all devices even though they say they’re not removable”.

#3 Updated by intrigeri 2015-07-12 04:18:25

  • Subject changed from Wait for live-boot to support FSUUID to Have live-boot honor FSUUID=
  • Assignee deleted (intrigeri)
  • Type of work changed from Wait to Code

intrigeri wrote:
> Not sure how to proceed — probably I’ll send a call for volunteers on tails-dev@ + debian-live@, and then unassign this from me.

Sent to tails-dev@: https://mailman.boum.org/pipermail/tails-dev/2015-July/009222.html.

#4 Updated by intrigeri 2015-07-16 06:33:57

boyska pointed out that a UI like live-media=boot-disk would be nicer than FSUUID=. However, I’m not sure if the initramfs has any reliable means to know what filesystem it was loaded from.

#5 Updated by sajolida 2015-09-22 07:48:15

  • Target version deleted (Sustainability_M1)

#6 Updated by emmapeel 2016-09-08 06:04:18

  • has duplicate Feature #10944: When booting from DVD, if USB stick plugged, Tails ends up running from USB stick added

#7 Updated by intrigeri 2017-04-11 15:09:11

This (re?)implements bits I was mentioning in Feature #7475#note-2:

It’s still not suitable for security reasons, but if we combine it with what I describe on Feature #6397#note-42 (that would be enough to solve the parent ticket), then we get a nice bonus UX improvement (no more random behavior anymore when starting a computer with two Tails sticks attached), without having to fiddle with anything bootloader-specific. These two solutions can be combined as live-boot looks for the UUID only on devices that satisfy whatever live-media= specifies.

#8 Updated by intrigeri 2017-04-11 15:11:53

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#9 Updated by intrigeri 2019-03-08 15:59:55

  • Status changed from In Progress to Confirmed

#10 Updated by intrigeri 2020-03-09 19:01:42

intrigeri wrote:
> This (re?)implements bits I was mentioning in Feature #7475#note-2:
>
> […]

These URLs are broken currently but I have a clone locally. tl;dr: embed a UUID generated at build time into both the initramfs and the SquashFS; then, live-boot will look for a SquashFS that has the same UUID as the one found in the initramfs.

> It’s still not suitable for security reasons, but if we combine it with what I describe on Feature #6397#note-42 (that would be enough to solve the parent ticket), then we get a nice bonus UX improvement (no more random behavior anymore when starting a computer with two Tails sticks attached), without having to fiddle with anything bootloader-specific.

That’s true only when the two Tails sticks have a different version of Tails. If they have the same version of Tails, then the UUID will be the same on both sides, and then the SquashFS can very well be mounted from another USB stick that the user elected to boot from ⇒ confusion. IMO that’s not good enough.

Additionally, now that we have FSUUID= passed by syslinux already (and soon by GRUB), “without having to fiddle with anything bootloader-specific” is not an advantage of this approach anymore.

So I think we’re back to square one: nothing new on this very issue allows us to drop the idea that live-boot needs to honor the value passed with FSUUID= (which has drawbacks, that I’ll discuss on the parent ticket).
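
Added example, not part of the ticket and not live-boot code: a small shell model of the two device-selection checks discussed in notes 2 and 10, run over a constructed device table. The device names, UUID values, function names and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed device table: "<device> <filesystem UUID> <build-time UUID>".
# sda1 models a copy planted on an internal disk, sdb1 the stick the
# bootloader started from, sdc1 a second stick carrying the same release.
DEVICES='/dev/sda1 1111-AAAA BUILD-X
/dev/sdb1 2222-BBBB BUILD-X
/dev/sdc1 3333-CCCC BUILD-X'

# Print the value of FSUUID= from a kernel command line; fail if absent.
fsuuid_from_cmdline() {
    for arg in $1; do
        case "$arg" in
            FSUUID=*) printf '%s\n' "${arg#FSUUID=}"; return 0 ;;
        esac
    done
    return 1
}

# Build-time UUID check: lists every device carrying the public build UUID.
match_build_uuid() {
    printf '%s\n' "$DEVICES" | awk -v u="$1" '$3 == u { print $1 }'
}

# FSUUID= check: lists devices whose filesystem UUID equals the one passed.
match_fsuuid() {
    printf '%s\n' "$DEVICES" | awk -v u="$1" '$2 == u { print $1 }'
}

# Honor FSUUID=: succeed only on exactly one match, otherwise fail closed.
# Exit codes (assumed for this example): 2 no FSUUID=, 1 no match, 3 ambiguous.
select_boot_device() {
    uuid=$(fsuuid_from_cmdline "$1") || return 2
    matches=$(match_fsuuid "$uuid")
    [ -n "$matches" ] || return 1
    set -- $matches
    [ "$#" -eq 1 ] || return 3
    printf '%s\n' "$1"
}

echo "build-time UUID accepts:" $(match_build_uuid BUILD-X)
echo "FSUUID= selects: $(select_boot_device 'boot=live FSUUID=2222-BBBB quiet')"
```

The build-time check accepts all three devices because they share one public UUID, while the FSUUID= check narrows the choice to the single filesystem named on the kernel command line.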