*** For the casual reader: please do not use this version of Tails.
This is just a developer preview, it won't protect you like official
releases do ***
Hey there,
During the last few weeks I've been working on porting Tails to the
arm64 architecture, with the aim to ultimately being able to run Tails
on Apple hardware again. If anyone is interested in a developer
preview, you will find two USB images at
https://mega.nz/folder/BrJFGQyR#8rsN06I_pC_YV6spqATeBA. The code is
hosted at https://gitlab.tails.boum.org/noisycoil/tails in the
"wip/arm64" and "wip/asahi" branches. The former enables general arm64
support, while the latter contains additional, currently
non-upstreamable patches that make Tails run on Apple Silicon with
M1/M2 processors (no M3 support yet). In both cases, the builds are
native (you must build the arm64 version of Tails on arm64 hardware;
I've been building it on Apple Silicon (Asahi Debian) and on a
Raspberry Pi (Raspberry Pi OS) interchangeably).
The wip/asahi patches currently break amd64 builds due to a new entry
in the APT preferences file, but this can be fixed (I didn't do so
yet because, as I said, the Asahi patches cannot be upstreamed anyway,
more on this later).
Both the wip/arm64 and the wip/asahi images use GRUB for arm64 as a
boot loader. For the former, this is all there is at the moment,
meaning that the image can run in a VM, but may not run on hardware
that needs special firmware or arrangements to make it boot. As for
the latter, GRUB is all that's needed to boot on bare metal Apple
Silicon (from the Tails side, that is).
For those unfamiliar with the boot process on arm64 Apple hardware,
here's a quick recap. Out of the box, Apple Silicon does not support
booting from external media, nor of course booting Linux. It does,
however, support booting multiple macOSes from internal storage. The
smart folks at Asahi Linux (https://asahilinux.org/) came up with a
process to boot Linux both from internal and external storage (there
may be issues with booting from large external hard drives, but this
is not relevant to Tails). What they do is they install a fake macOS
on the hard drive, which after a couple of intermediate steps runs the
U-Boot boot loader (https://docs.u-boot.org/en/latest/), which is then
able to run GRUB both from internal and from external storage. This
mechanism is currently in use to run, among others, the official remix
of Fedora for Apple Silicon (https://asahilinux.org/fedora/), and -
except for the part where you actually have to install the boot loader
and for a second small exception, see below - is 100% transparent to
the user.
So how do you boot Tails on Apple Silicon?
1) Install U-Boot on your Apple Silicon Mac. This can be done using
the official Asahi installer (see https://asahilinux.org/):
curl https://alx.sh | sh
The correct option, which should only require around 3GB of storage
space on a separate partition, is "EFI environment only (m1n1 + U-Boot
+ ESP)" and, crucially, does not require you to install a
fully-fledged Linux OS like Fedora. Once you do so, the U-Boot
partition will be set as the default boot partition. This can be
reverted at any time if you want to boot macOS by default instead (as
you probably do in the context of Tails). Also, the U-Boot partition
can be deleted at any moment if you don't need it anymore
2) Burn the Asahi Tails image onto a USB drive as usual
3) Plug the USB drive into your Mac. If the U-Boot partition is the
default boot partition, just turn on your Mac. If it isn't, turn it on
by keeping the power button pressed until it says "Entering startup
options..." and then releasing it. At that point you can select the
U-Boot partition (similarly, if the U-Boot partition is the default
and you want to boot macOS, do the same but select the macOS
partition)
4) Hit ESC when U-Boot says you can do so in order to interrupt the
boot process and get dropped to a command line. Now you must tell
U-Boot you want to boot from an external USB (this is the second small
exception mentioned above): on the command line, execute
env set boot_efi_bootmgr
run bootcmd_usb0
This is the officially supported way to boot from an external USB
drive. Maybe at some point U-Boot will support doing so without the
user entering any command, but that's not possible at the moment
AFAIK.
5) That's it. You're in
If you happen to already have Asahi Linux installed on your arm64 Mac,
you don't need to follow Step 1 as U-Boot comes installed with the OS.
Just choose your Asahi Linux boot partition in Step 3.
As for the arm64 port itself, i.e. what's in the images. Both
wip/arm64 and wip/asahi are forked from feature/bookworm. The arm64
packages that are available from the official Debian repositories are
installed from there (more on this later), whereas the Tails-specific
packages (notably: live-boot, cryptsetup, fontconfig and
network-manager) were rebuilt from source and installed manually
(using config/chroot_local-packages). For this developer preview, I
installed Heikki Lindholm's arm64 port of the Tor Browser
(https://sourceforge.net/projects/tor-browser-ports/), the source code
of which I have personally reviewed and made small contributions to
(also, Heikki gave me permission to redistribute the binaries). Of
course, this can never be upstreamed, but I thought it would be better
to see an actual working Tor Browser in the developer preview rather
than nothing. I am not aware of any other software component of Tails
that is not officially available for arm64. This makes the Tor Browser
the single blocker for Tails on arm64 AFAICS (more on this later).
As for the Apple Silicon port in particular, the main differences with
the pure arm64 port are:
1. custom kernel and Mesa packages, which are needed for hardware
support (including the GPU)
2. the asahi-scripts and m1n1 packages; the former is needed for
correctly building the initramfs, while the latter is possibly useless
on a live system (it deals with a stage of the boot process which
happens before the squashfs is unpacked) - but I included it anyway
because it may be needed in the future
3. unsigned, rather than signed, GRUB. This could be fixed if I figure
out why signed GRUB does not work on Apple Silicon with the Asahi
setup (I suspect this has to do with Apple Silicon not supporting UEFI
variables. Incidentally, this same thing makes tails-debugging-info
fail. But let's not delve into the gory details)
The Asahi kernel and Mesa packages are not offically packaged for
Debian yet, so they're installed from Thomas Glanzmann's repository
(Thomas gave me permission to redistribute his binaries). This is what
the Debian Bananas Team (https://wiki.debian.org/Teams/Bananas) - that
is, the team which is working on getting official Debian support for
Apple Silicon - is currently doing. In principle I could have
installed v6.1.0 of the kernel (Bookworm's), but to track the latest
hardware support I installed v6.5.0 instead (Trixie's). Not installing
these packages from the official Debian repositories is, I believe,
the single serious blocker for Tails on arm64 Macs (plus the Tor
Browser).
As for asahi-scripts and m1n1, these are already in the Debian testing
and unstable repositories. I'm installing them from the latter, since
the unstable source is already enabled on Tails.
Notably, audio is disabled for this developer preview (v6.5.0 would
actually support the M1 MacBook Air speakers, while v6.6.0 would
support most of the M1/M2 series speakers).
Finally, as to how I'm building the images:
1. since the Tails mirrors do not support the arm64 architecture, I
hijacked my own internal DNS resolution to point back to the official
Debian repositories. To do so, I patched a couple of points in the
code where GPG keys are actually verified, configured a web server to
correctly redirect stuff and pointed the DNS to that webserver using
/etc/hosts and the systemd-resolved stub resolver (I'm willing to
share more on this if anyone is interested in actually building the
images). This of course is a temporary patch that can be immediately
reverted if Tails starts to mirror arm64 packages. Note that this
implies that the wip/arm64 and wip/asahi branches won't build (not
even on amd64!) without properly hijacking your DNS!
2. I had to fork tails/live-build (and use my fork as a submodule) in
order to add a single small patch that teaches it how to deal with one
single default configuration on arm64. There are multiple ways in
which this can be reverted
3. more generally, I added a number of temporary patches which cannot
be upstreamed for various reasons, but which can be reverted under
appropriate conditions. All of them are marked as "Temporary:" in
their commit messages, and the conditions under which they can be
reverted are clearly stated. In the wip/arm64 branch, the only
temporary patch which is not under Tails's control (i.e. whose removal
does not depend on actions taken by the Tails project) is the
inclusion of Heikki's build of the Tor Browser. This is what I meant
before by "This makes the Tor Browser the single blocker for Tails on
arm64".
As for wip/asahi, most of the contents of the additional commit are
temporary anyways (again, the kernel and Mesa package are not
officially packaged yet by Debian), so the "Temporary:" label would
have been an understatement. Asahi Tails (i.e. Tails on Apple Silicon
Macs) can only be a thing if Debian puts out an official
linux-image-asahi (possibly with proper backports, given the nature of
Debian) and something like a mesa-asahi set of packages. This is,
until the Asahi changes are merged into their respective upstreams
4. I'm following the current procedure of "first build the ISO and
then convert to USB image" in order to keep the code as close as
possible to feature/bookworm. The ISO is unbootable (UEFI does not
boot ISO 9660 file systems), but the USB image works. Eventualy, one
can just try to build the USB image directly
There are tons of other details about the build process and contents
of the image I could share (e.g., off the top of my head, Tails cloner
does not work on arm64 because it doesn't find some syslinux/mbr files
which are intentionally not there anymore) and I'm already probably
forgetting important stuff, but I think this email is already long
enough, so if anybody is interested feel free to ping me. The reason
why I made this port is first, for fun. But then also, to provide a
PoC that Tails can already run on Apple Silicon machines and that with
some effort from various projects (Tails in providing arm64 mirrors
and packages, Tor in finally providing an official arm64 release of
the Tor Browser, Debian in packaging the Asahi kernel and Mesa
libraries - until the Asahi changes get merged upstream), bringing
Tails back to Apple machines, and bringing it for the first time to
arm64 hardware, is just around the corner.
Best,
NoisyCoil
P.S.: This is the first time I put my hands on the Tails codebase, so
it may very well be that I got caught in some obvious gotchas. Also, I
am not affiliated with the Asah Linux project, the Debian Bananas Team
(or the Debian project at large), the Tor project, or any other
organization mentioned above.
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
