We want at least basic UEFI boot including Mac.

Testing results

Ideas for future work

Other ideas

Most of the possible candidate goals that were rejected for this initial iteration are not critical. Pursuing these would require substantial effort, that is better put into other Tails improvements. Therefore, they have not made their way into our roadmap. Some have low-priority tickets on Redmine, meaning that patches are welcome, but we do not feel committed, as a project, to make it happen.

On the other hand, it appears that adding support for UEFI Secure boot will be necessary at some point. More and more off-the-shelf PC hardware is shipped with this functionality enabled. Also, having to constantly disable and re-enable Secure boot in the firmware configuration is not the best dual-boot user experience we can provide (in case the other, non-Tails operating system only starts with Secure boot enabled).

To end with, another task that we would be very happy to tackle would be to upstream our work and make it available to all Debian Live users and downstreams. However, as explained on #5691 and https://lists.debian.org/debian-live/2013/11/msg00017.html:

  1. we are still using an old version of live-build;
  2. the upgrade process requires a lot of work;
  3. we have very little incentive to upgrade;
  4. even if we upgraded to the current production-ready version of live-build (namely: 3.x), and implemented our changes in scripts/build/binary_syslinux, then we could not easily forward-port them from live-build 3.x to 4.x, nor backport them from live-build 4.x to 3.x;
  5. our past experience has shown that using in production the latest versions of live-*, that have not stabilized yet, simply requires way too much ongoing bugfixing and adapting effort for our taste and limited resources; so that's not an option either, unfortunately.

Sadly, it seems that in the current situation, the only realistic option available to us right now is to go on using custom hooks and configuration. The best we can do to be team players is to share our experience and conclusions, as well as our custom scripts and configuration. This is what we did in this document, and we hope it is useful for many.

Resources

  • The bootstrap process on EFI systems on LWN
  • lernstick Grub configuration, implemented as a live-build binary hook, that's meant to be nice with an existing syslinux configuration managed by live-build: https://github.com/imedias/lernstickAdvanced.git (oh, and they use the xmlboot gfxboot script and many crazy Grub configuration scripts)
  • hellais' TAILS-OSX scripts and the list of hardware it was tested on
  • Mac Linux USB Loader Doesn't work with Tails at the moment, but that's a frequent request to upstream. Upstream is working on fixing this. That would allow starting Tails on Mac UEFI.
  • Steve McIntyre's EFI installation progress:
  • https://lists.debian.org/debian-devel/2012/01/msg00168.html
  • Debian: switch to UEFI boot
  • Debian bug #658352 about adding UEFI support to Debian CDs
  • Liberte Linux supports UEFI (with GRUB, and syslinux for BIOS boot)
  • the SprezzOS Debian derivative is working on this too:
  • rEFIt developer, Rod Smith, may be willing to help.
  • ArchLinux' page about UEFI Bootloaders
  • syslinux 6 (released in June 2013) has UEFI support. Debian Live's UEFI support will be based on it.
    • Early users discussion and hints.
    • It seems that syslinux does not do very well with CD booting and UEFI: a FAT32 ElTorito image (with kernel, initrd and boot loader configuration) must be embedded into the ISO9660. syslinux can't read any other file system than the one it was booted from, so we have to duplicate these files. Also, this image must be smaller than 32MB. Indeed, Knoppix 7.2 uses syslinux 6, and supports "UEFI-Boot (DVD: 32 and 64bit, CD: only 32bit) after installation on USB flash disk".
  • Kanotix, based on Debian Live and GRUB2, has a isohybrid setup that allows "multi-hybrid booting" as CD-ROM (EFI or El Torito) or as a hard-drive (e.g. a USB pendrive) on Intel-Macs (EFI) and PCs (EFI or MBR). See details.
  • Debian's Linux 3.2 kernel has "UEFI stub" support, which allows it to be started directly since the EFI boot menu.
  • Running a UEFI firmware for virtual machines (after installing the ovmf package): qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd
  • Ubuntu's Firmware Test Suite
  • Peter Jones' The EFI System Partition and the Default Boot Behavior: detailed description of how the firmware picks an ESP, and how Fedora deals with it.

More technical details:

OVMF

Getting OVMF

The ed2k source package (from which ovmf is built) is a bit outdated in Debian, but it will hopefully be enough for our needs.

Else:

Usage in VM

  • Debian bug #714496 documents how to use OVMF with libvirt. The OVMF page on the Linux KVM website documents this too. In short, add this line to the <os> section:

            <loader>/usr/share/ovmf/OVMF.fd</loader>
    
  • Instructions that document -pflash & -bios options for running OVMF on QEMU can be found in the OvmfPkg/README: Update information about running OVMF thread.