Posts

Patching a TAILS USB Stick for UEFI Secure Boot on Ubuntu

The current latest release of The Amnesic Incognito Live System is 3.2. Ironically, the ISO of the operating system distribution that is supposed to provide you with security and anonymity does not work with Secure Boot. So, you'll either have to disable your Secure Boot (and become vulnerable to boot attacks that can compromise your anonymity), or patch the TAILS boot partition (e.g., as described below). These instructions are based on patching a USB on a Debian-derived platform, such as Ubuntu. Hopefully, you can adapt them to another platform without too much effort. Create a TAILS USB Stick and Mount Its EFI Partition Create a TAILS USB stick. E.g., follow the instructions on the Tails website to create a USB. Mount the TAILS EFI partition from the USB for modification. Identify the partition device path. You could look at the output of df , mount and use cfdisk , or gparted to identify the device path of the TAILS EFI partition. We sh
Post a Comment
Read more

Set Up rEFInd Secure Boot Manager from Ubuntu 16.04

You can follow these instructions to set up multi-boot after installing Ubuntu on your Secure Boot machine from a USB stick. Overview of Components to Set Up Using EFI Secure Boot for booting (multiple) OS images requires that a binary image be signed with a trusted key before it can be booted. It involves: EFI System Partition (ESP): The so-called Extensible Firmware Interface partition stores all the binary boot images loaded by the BIOS and Boot Manager (rEFInd in our case). It is a FAT partition with a special file system type ID, and flags. shim (signed by developers): This is the binary that will be loaded by the BIOS. It will validate the cryptographic signature of the rEFInd binary and launch it. It will also enroll new certificates you create for signing binary images you want to boot, such as kernels you compile. Machine Owner Key (MOK):   The new private key and certificate pair that you will use to designate which kernel images are allowed to be booted. Keep the pri
2 comments
Read more