Dear,

More and more business customers ask to disable USB on their notebooks for security, so we have no option other than to work with GRUB and ISO.

We are working with ISOs:

menuentry "tails" {
    set isofile="/iso/tails.iso"
    loopback loop $isofile
    set root=(loop)
    linux (loop)/live/vmlinuz boot=live iso-scan/filename=${isofile} findiso=${isofile} apparmor=1 nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs  quiet toram
    initrd (loop)/live/initrd.img
}

We have created a bash script with gksu or pkexec for the user for updating their Tails ISO:

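#!/bin/bash
# Work in the directory GRUB loads the ISO from; stop if it is missing
cd /iso || exit 1
# As root, in a terminal window: delete the old ISO, then download the new one
gksu -- bash -c 'xterm -e "rm tails.iso; wget http://95.211.190.99/astick1804/tails.iso";'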

We also have a script for updating GRUB's 40_custom.

I am donating to Tails per sold computer.


Guy

On 31/10/18 at 11:06, intrigeri wrote:
Hi!

Meta: redirecting from tails-project@ to our development mailing list
and taking over from our Help Desk who, understandably, cannot handle
this further than "this is not supported, sorry" :)

linux-service:
> We are selling open source computers and by default install a system where a
> Tails ISO on the hard drive is booted with GRUB2 toram.

Interesting! There are a number of concerns with this approach but I'd
like to help you do this in a way that's reasonably safe for your
clients and does not cause us too much additional work.

> The HDD(s) are not mounted. Is this way of booting Tails as secure as
> booting from USB or DVD?

There are a few concerns about this approach, some of them tackle
your question:

  - How do you force live-boot to start from an internal drive?
    I assume you need to remove live-media=removable, no?
    Note that doing this implies full trust in the internal hard drive,
    which is not something the users may expect when using Tails.

  - Do you communicate to your clients, somehow, that the way you're
    installing this Tails system is unsupported by the Tails project
    and the resulting system may behave differently than a "real" Tails?

  - How do you keep the kernel command line up-to-date? Assuming you
    hard-code it in the GRUB configuration, please be aware that we
    sometimes change it. I'm worried your GRUB config and what the
    installed ISO expects might get de-synchronized over time.

  - How do you handle upgrades? I'm worried that your clients are left
    with an obsolete Tails and no documented way to upgrade it.

  - We'll soon stop supporting the ISO image except for DVDs and
    virtual machines (https://labs.riseup.net/code/issues/15292).
    Probably not a big deal for you in terms of initial installation,
    but this will make upgrades even harder for your clients. And an
    important upcoming security improvement (persistent RNG seed) will
    only work when Tails is installed on a USB stick.

  - The Tails user experience relies more and more on our opt-in
    persistence feature. While we still support read-only Tails, be
    aware that you're shipping a flavour of Tails with a restricted
    feature set. It would be nice to communicate this to your users
    and point them to our doc about installing a full-blown Tails :)

Cheers,
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
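
Added example, not part of the original thread and not Tails project code: a check for the de-synchronization concern raised in the reply, comparing the kernel parameters hard-coded in the GRUB entry with those in the ISO's own syslinux `append` line. It assumes the ISO's boot configuration has been extracted to a file; the function names, the `LOCAL_ONLY` list and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example: detect drift between a hand-written GRUB entry and the
# kernel command line the ISO itself ships (syslinux "append" line).
export LC_ALL=C   # same collation for sort and comm

# Parameters expected to differ when the ISO is loop-booted from disk
# (assumed list, drawn from the GRUB entry and the reply in this thread).
LOCAL_ONLY='^(initrd=.*|iso-scan/filename=.*|findiso=.*|toram|live-media=.*)$'

# Parameters of the first "append" line in a syslinux config, one per line.
iso_params() {
    awk 'tolower($1) == "append" { for (i = 2; i <= NF; i++) print $i; exit }' "$1" |
        grep -Ev "$LOCAL_ONLY" | sort -u
}

# Parameters of the "linux" line in the GRUB menuentry with double-quoted title $2.
grub_params() {
    awk -v title="$2" '
        $1 == "menuentry" { inside = (index($0, "\"" title "\"") > 0) }
        inside && $1 == "linux" { for (i = 3; i <= NF; i++) print $i; exit }
    ' "$1" | grep -Ev "$LOCAL_ONLY" | sort -u
}

# Print "- param" (ISO expects it, GRUB lacks it) and "+ param" (GRUB only).
# Returns 0 when both sides agree, 1 on drift.
cmdline_drift() {   # usage: cmdline_drift SYSLINUX_CFG GRUB_CFG ENTRY_TITLE
    local iso grub rc=0
    iso=$(mktemp); grub=$(mktemp)
    iso_params "$1" > "$iso"
    grub_params "$2" "$3" > "$grub"
    comm -23 "$iso" "$grub" | sed 's/^/- /'
    comm -13 "$iso" "$grub" | sed 's/^/+ /'
    [ -z "$(comm -3 "$iso" "$grub")" ] || rc=1
    rm -f "$iso" "$grub"
    return "$rc"
}

# Constructed sample input (not taken from a real Tails image).
demo() {
    local d rc=0; d=$(mktemp -d)
    printf 'label live\n  kernel /live/vmlinuz\n  append initrd=/live/initrd.img boot=live config live-media=removable apparmor=1 slab_nomerge quiet\n' > "$d/live.cfg"
    printf 'menuentry "tails" {\n    linux (loop)/live/vmlinuz boot=live findiso=/iso/tails.iso apparmor=1 union=aufs quiet toram\n}\n' > "$d/40_custom"
    cmdline_drift "$d/live.cfg" "$d/40_custom" tails || rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "GRUB entry is out of sync with the ISO"
```

Run after each ISO update, a non-zero return from `cmdline_drift` signals that the GRUB entry needs review before the next boot.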