Patching a TAILS USB Stick for UEFI Secure Boot on Ubuntu

The current latest release of The Amnesic Incognito Live System is 3.2. Ironically, the ISO of the operating system distribution that is supposed to provide you with security and anonymity does not work with Secure Boot. So, you'll either have to disable your Secure Boot (and become vulnerable to boot attacks that can compromise your anonymity), or patch the TAILS boot partition (e.g., as described below). These instructions are based on patching a USB on a Debian-derived platform, such as Ubuntu. Hopefully, you can adapt them to another platform without too much effort.

Create a TAILS USB Stick and Mount Its EFI Partition

  • Create a TAILS USB stick.
    • E.g., follow the instructions on the Tails website to create a USB.
  • Mount the TAILS EFI partition from the USB for modification.
    • Identify the partition device path.
        You could look at the output of df or mount, or use cfdisk or gparted, to identify the device path of the TAILS EFI partition. We shall use /dev/sdc1 in our example.
    • Mount the TAILS EFI partition. We shall mount the TAILS EFI partition at /mnt/usb in our example. You can use any other directory you find appropriate.
      mount /dev/sdc1 /mnt/usb

Setting Up Secure Boot with Shim and Grub 2

Warnings

GRUB is usually happy to load and execute unauthenticated binary code (such as GRUB modules, kernels and initrd images). To avoid that, you may want to have a signed grub.cfg that enforces signature validation, as described in other guides (e.g. https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd), since the instructions below don't include that set up.

However, you may also live without enforced signature validation, if you are using a write-protected USB stick, since, in that case, an attacker would not be able to modify any of the loaded binaries whether they are signed or not.

Set Up on Ubuntu

You can follow the code explained below, or run the BASH script that follows.

Explanation Code

# Switch to root:
sudo su -
cd /mnt/usb/EFI # Or, wherever you have mounted the USB EFI partition.

# Replace the TAILS EFI boot image:
apt-get install shim-signed
cp -i /usr/lib/shim/shimx64.efi.signed BOOT/BOOTX64.EFI

# Replace the TAILS Grub installation:
# Replace the Grub image:
apt-get install grub-efi-amd64-signed
rm BOOT/BOOTIA32.EFI
cp -i /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed BOOT/grubx64.efi

# Replace the Grub modules:
rm -Rf BOOT/grub/i386-efi/
cp -Ri /usr/lib/grub/x86_64-efi BOOT/grub/

# Replace Grub fonts:
apt-get install grub-common
cp -i /usr/share/grub/*.pf2 BOOT/grub # Or, select the fonts you want.

# Replace Grub locales:
apt-get install ufw
cp -Ri /usr/share/ufw/messages/ BOOT/grub/locale # Or, select the locales you want.

# Copy a new grub.cfg:
mkdir ubuntu

# Get the boot partition UUID:
dev_get_uuid()
{
  local DEV_PATH=$(realpath "$1")
  local F

  for F in /dev/disk/by-uuid/*; do
    if [ "$DEV_PATH" == "$(realpath "$F")" ]; then
      basename "$F"
      return 0
    fi
  done

  return 1
}

BOOT_UUID=$(dev_get_uuid /dev/sdc1) # Replace with the path to your USB boot partition.

# Write grub.cfg. The heredoc delimiter is unquoted so that ${BOOT_UUID} is filled in now;
# GRUB's own variables are escaped with a backslash so the shell leaves them for GRUB to evaluate at boot.
cat >ubuntu/grub.cfg <<END
function load_video {
  if [ x\$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x"\${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

set linux_gfx_mode=
export linux_gfx_mode
load_video
insmod gfxterm
terminal_output gfxterm
background_image /EFI/Boot/splash.png

menuentry 'Tails 3.2' --class debian --class gnu-linux --class gnu --class os \$menuentry_id_option 'gnulinux-simple' {
  insmod part_gpt
  insmod ext2
  set root='hd0,gpt1'
  search --no-floppy --fs-uuid --set=root ${BOOT_UUID}
  linux /live/vmlinuz boot=live config live-media=removable apparmor=1 security=apparmor nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails kaslr slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs quiet
  initrd /live/initrd.img
}

menuentry 'Tails 3.2 (Troubleshooting Mode)' --class debian --class gnu-linux --class gnu --class os \$menuentry_id_option 'gnulinux-safe-mode' {
  insmod part_gpt
  insmod ext2
  set root='hd0,gpt1'
  search --no-floppy --fs-uuid --set=root ${BOOT_UUID}
  linux /live/vmlinuz boot=live config live-media=removable apparmor=1 security=apparmor nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails kaslr slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs noapic noapm nodma nomce nolapic nomodeset nosmp vga=normal
  initrd /live/initrd.img
}
END

# Unmount / sync USB:
cd /
umount /mnt/usb
sync

That's it. You're ready to boot.
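Before unmounting, it is worth checking that the stick actually ended up in the state the steps above aim for. The following check is an added example (not part of the original post, of Tails or of Ubuntu's packages): it confirms that the two x86-64 images carry a PE certificate table (the Authenticode signature that shim and the firmware look for), that the 32-bit leftovers are gone, and that grub.cfg received a real UUID rather than the literal ${BOOT_UUID}. The PE header stub and the directory layout in demo() are constructed for illustration; against a real stick run check_esp(Path("/mnt/usb/EFI")).

```python
import struct
import tempfile
from pathlib import Path

def pe_has_certificate_table(data: bytes) -> bool:     # non-empty data directory entry 4?
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                         # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x20B: opt + 112, 0x10B: opt + 96}            # PE32+ / PE32 data directory offsets
    if magic not in dirs or len(data) < dirs[magic] + 40:
        return False
    rva, size = struct.unpack_from("<II", data, dirs[magic] + 32)   # IMAGE_DIRECTORY_ENTRY_SECURITY
    return rva != 0 and size != 0

def synthetic_pe32plus() -> bytes:
    hdr = bytearray(0x200)                                # constructed header stub, not a real binary
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    struct.pack_into("<H", hdr, 0x80 + 24, 0x20B)         # PE32+ magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 112 + 32, 0x1000, 0x800)   # fake certificate table entry
    return bytes(hdr)

def check_esp(efi_dir: Path) -> list:                     # problems under <mountpoint>/EFI; [] means OK
    problems = []
    for rel in ("BOOT/BOOTX64.EFI", "BOOT/grubx64.efi"):
        p = efi_dir / rel
        if not (p.is_file() and pe_has_certificate_table(p.read_bytes())):
            problems.append(f"{rel} missing or not Authenticode-signed")
    for rel in ("BOOT/BOOTIA32.EFI", "BOOT/grub/i386-efi"):
        if (efi_dir / rel).exists():
            problems.append(f"stale {rel} still present")
    cfg = efi_dir / "ubuntu/grub.cfg"
    text = cfg.read_text() if cfg.is_file() else ""
    if "--fs-uuid --set=root " not in text or "${BOOT_UUID}" in text:
        problems.append("ubuntu/grub.cfg missing or UUID not filled in")
    return problems

def demo() -> list:                                       # constructed layout where BOOTIA32.EFI was not removed
    with tempfile.TemporaryDirectory() as tmp:
        efi = Path(tmp) / "EFI"
        for d in ("BOOT", "ubuntu"):
            (efi / d).mkdir(parents=True)
        for name in ("BOOTX64.EFI", "grubx64.efi", "BOOTIA32.EFI"):
            (efi / "BOOT" / name).write_bytes(synthetic_pe32plus())
        (efi / "ubuntu/grub.cfg").write_text("search --no-floppy --fs-uuid --set=root 1234-ABCD\n")
        return check_esp(efi)
```

A certificate table only shows that an image is signed, not that the signature chains to a key in your firmware's db; sbverify from the sbsigntool package can check the latter against a given certificate.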

A Script that Does All of the Above

tails-secure-boot.sh

To Overachieve

You can find a guide on enforcing signature validation of any binaries loaded by GRUB (e.g., if you're not using a write-protected USB stick).

You can also write a nicer theme for the GRUB menu.
