Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)

[NoisyCoil via Tails-dev]

Hi n9iu7pk,

I can confirm that everything's still alright with DNS redirection. I can 
successfully get the build to the point where it installs the debian packages 
on 6.1/raspi. The error you see is typical of when you're trying to install the 
packages from the original Tails repo. Since I disabled Tail's APT key 
verification, you'll only be able to install packages from the Debian archive 
(or, on the 6.1/raspi branch, from Raspberry's own repo, of which I added the 
key), and if you're not correctly hijacking the DNS and actually connecting to 
the Tails repo the build will fail with that error, it sees the repo is signed 
by Tails and rejects it. Since you said you previously built on the 6.1/raspi 
branch, I assume you are now correctly redirecting 
tagged.snapshots.deb.tails.boum.org as well, like I wrote before. Then I'm not 
sure what your issue could be. Perhaps you could try deleting the apt cache 
like you did the last time you had similar issues?


Asides from this, unfortunately the 6.1 branches will never build again due to 
https://gitlab.tails.boum.org/tails/tails/-/issues/20327. Debian sid's package 
webext-ublock-origin-firefox got updated to v1.57 some time after April 6th and 
the 10-tbb local hook (config/chroot_local-hooks/10-tbb) does not apply one 
patch cleanly anymore. As a result, the 99-zzz_check-for-dot-orig-files local 
hook makes the build fail with the error

```
Checking for .orig files
E: Some patches are fuzzy and leave .orig files around:
/usr/sbin/start-stop-daemon.orig
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ublo...@raymondhill.net/js/background.js.orig
E: config/chroot_local-hooks/99-zzz_check-for-dot-orig-files failed (exit 
non-zero). You should check for errors.
```

Since the arm64 builds don't use snapshots, there's no way for me to prevent 
this kind of things. Unfortunately, if packages in Debian get upgraded, old 
builds may well fail. Since the 6.1/* branches are essentially frozen in time, 
I will not patch them. What I can and will do is keep an eye on the 
aforementioned issue and update the wip/* branches so that the fix gets picked 
up ASAP (I already have 6.2/* branches locally, but they will fail to build too 
until the ublock thing is fixed upstream).

BTW a package upgrade, I believe, is also the reason why you didn't obtain the 
same sha256sums when you  built 6.1/raspi. Again due to the lack of arm64 
snapshots, builds are reproducible only if packages are not subject to upgrades 
between an earlier and a later build, unfortunately. I'd bet if you'd compared 
your *.packages file with mine you'd have found differences.


If going ahead you have suggestions on how to improve the patchset feel free to 
tell me! If you find it useful you may even send me MRs on Gitlab, otherwise 
write here or send me a direct email.


En passing, do you happen to know how much space the amd64 Debian snapshots in 
use by Tails take up?


Best,

NC
___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)

[n9iu7pk]

Hi noisycoil,

yust FYI;

* on Apr., 08. I started a new 6.1/raspi build based on the latest pull: 
Got different sha256sum's than listed for your MEGA images. I assume 
that's what you ment with "Talking of reproducibility".


* currently I'm not able to build 6.1/raspi fails (reproduceable) with 
"E: Release signed by unknown key (key id 2453AA9CE4123A9A)" - might be 
missleading / overlaying a HTTP 404 caused by my DNS hijack


* I'll stop the builds for a while and will take some time to understand 
the build and your changes/commits better.


All the best!
n9iu7pk

PGP 7426 4598 B5AD 4D12 1699 C710 [ D602 E331 4D12 FFCB ]
https://keys.openpgp.org/search?q=D602E3314D12FFCB

On 03.04.24 02:24, noisyc...@tutanota.com wrote:

Hi n9iu7pk,

Thank you! Happy to hear you were able to build the other images as well.


Talking of reproducibility, I just added two fixup commits to the various branches to make the 
images more reproducible (in the sense of reproducible builds). The first one adds timestamps to 
the contents of /EFI/debian/efi.img (efi.img is a FAT image that contains the grub binary and its 
config file; these are responsible for UEFI boot on ISO hybrid images). The second one fixes (or 
rather removes) the BCJ filter used when building the squashfs with xz compression. It turns out 
that the filter which I had selected ("arm") is specific to 32-bit arm, cannot be used 
for 64-bit arm64 (I had never actually used xz compression!), and that the "arm64" BCJ 
filter is not available yet neither to mksquashfs nor to the kernel decompression routines (it is 
in xz-utils though, AFAICS). Fun fact: adding kernel support for the arm64 filter seems to be part 
of a recent patchset whose merge is now frozen due to the compromise of xz-utils (see 
https://lkml.org/lkml/2024/3/20/1010).


Thanks to the second commit one can now build tagged arm64 images using the 
following nginx configuration for DNS hijacking + URL redirection:


server {
     server_name time-based.snapshots.deb.tails.boum.org;

     rewrite ^/(debian|debian-security)/[0-9]+(/?.*) http://deb.debian.org/$1$2;
     rewrite ^/torproject/[0-9]+(/?.*) 
http://deb.torproject.org/torproject.org$1;
     rewrite ^/[0-9.]+(/?.*) http://deb.debian.org$1;

     location ~ 
^/(debian|debian-security|tails|torproject)/project/trace/(debian|debian-security|tails|torproject)
 {
proxy_pass http://204.13.164.63:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
     }

     location ~ ^/tails {
proxy_pass http://204.13.164.63:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
     }

     listen *:80;
}

server {
     server_name tagged.snapshots.deb.tails.boum.org;

     rewrite ^/[0-9a-z.-]+/(debian|debian-security)/(.*) 
http://deb.debian.org/$1/$2;
     rewrite ^/[0-9a-z.-]+/torproject/(.*) 
http://deb.torproject.org/torproject.org/$1;

     listen *:80;
}


Note the addition of tagged.snapshots.deb.tails.boum.org, which you must 
redirect to your webserver too (e.g. via /etc/hosts) to be able to build tagged 
images. Also, as I've already told you in a private email, I am now also 
redirecting to Tor's debian repository, which does support arm64.


Non-tagged images have snapshot timestamps in their apt sources, which spoils 
reproducibility (debian-security's snapshot timestamp, in particular, gets 
updated every day AFAICS). Thanks also to the timestamping of efi.img's 
contents, tagged arm64 images should on the other hand be reproducible during 
the time frame in which the packages downloaded from the Debian archive don't 
change: if you're lucky enough to build two arm64 images with the same package 
versions, then those images should be identical byte-for-byte. Of course, this 
is not actual reproducibility (which would need actual snapshots for the arm64 
component of the Debian archive so that the images are forever reproducible), 
but still, it's better than nothing.

I created three new branches, 6.1/arm64, 6.1/asahi and 6.1/raspi, which contain the same 
source code as their current wip/* analogue, but with the commits squashed and a tag 
(6.1-arm64, 6.1-asahi and 6.1-raspi) applied at the end of them. I do not plan to modify 
the content of those branches, which you may thus consider as arm64 6.1 
"releases" of my developer preview. The binary images built on the 6.1-* tags 
are in the usual MEGA folder. If you happen to build images on those tags in the near 
future, and the contents of the *.packages files are the same (which is essential to 
reproducibility), please let me know if you obtain the same