Linux-libre with Tails

6 replies
Beko
Joined: 08/31/2019

I had seen the Heads project a while back trying to implement Tails without systemd or non-free drivers in the kernel. It seems that it is not being maintained at the moment, so I was wondering if one of jxself's kernels could be installed on Tails. Perhaps keeping it in the persistent files and installing the kernel with every boot with a script? Would this be possible, and would it affect the fingerprinting since you would be using a Tails with a different kernel?

chaosmonk

Joined: 07/07/2017

> I had seen the Heads project a while back trying to implement Tails without systemd or non-free drivers in the kernel. It seems that it is not being maintained at the moment, I was wondering if one of jxself's kernels could be installed on Tails. Perhaps keeping it in the persistent files and installing the kernel with every boot with a script? Would this be possible,

Tails does allow you to create a persistent partition, encrypted with a password. Since it's a separate partition, the installed kernel cannot be among the persistent files. Yes, you could store deb packages on the persistent partition and install them after booting, but at that point you'll have already booted into the default kernel. Switching kernels requires a reboot, so it's not an option without persistence. You would run into the same issue (plus other issues) if you tried to replace systemd with this approach.

If you want to use Tails with Linux-libre and/or SysVinit, I think that you will need to modify the Tails image or compile your own.

Which hardware components on your machine use non-free firmware? If there aren't any, then there's not really an issue. The firmware will exist on the system but will not have any device to run on. If there are, you might be able to physically remove them or disable them (Thinkpads for example have a hardware switch to disable WiFi/Bluetooth). If that's not an option, modifying the Tails image to blacklist any non-free modules the kernel would load might be simpler than replacing the kernel.

> and would it affect the fingerprinting since you would be using a Tails with a different kernel?

I'm not sure, but my guess is no. Assuming that you use the equivalent Linux-libre version to Tails's Linux version, I think the only difference should be not loading any non-free kernel modules that would otherwise be loaded to support your hardware. Everyone with different hardware will have different kernel modules loaded anyway, so I wouldn't think that the fingerprinting risk would be worse than usual, assuming that an attacker has a way to test which kernel modules are loaded at all. Don't go off my word though. There could be other issues I'm overlooking. Maybe someone else who understands firmware and Linux vs. Linux-libre better than I do can give a better answer.
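
Added example, not part of chaosmonk's post: one way to answer "which hardware components on your machine use non-free firmware?" is to list the firmware files that the currently loaded kernel modules declare and check whether each file is on disk. The function names and the `MODINFO` override are assumptions made for this sketch; a module declares files for every device variant it supports, and the listing says nothing about a file's license, so that still has to be checked per file.

```shell
#!/bin/sh
# Added example: list firmware files that currently loaded kernel modules
# declare, and whether each file exists on disk.
# MODINFO is an override hook introduced for this example (e.g. for testing).

# Module names, one per line, from a /proc/modules-format file.
loaded_modules() {
    awk '{ print $1 }' "${1:-/proc/modules}"
}

# Firmware file names a module declares (kmod's "modinfo -F firmware").
firmware_for() {
    ${MODINFO:-modinfo} -F firmware "$1" 2>/dev/null </dev/null
}

# Is the file there, either plain or compressed (.xz / .zst)?
firmware_present() {
    [ -e "$1/$2" ] || [ -e "$1/$2.xz" ] || [ -e "$1/$2.zst" ]
}

# Print "module<TAB>firmware<TAB>present|absent" for every declared file.
audit_firmware() {
    modules_file=${1:-/proc/modules}
    fw_dir=${2:-/lib/firmware}
    loaded_modules "$modules_file" | while read -r mod; do
        firmware_for "$mod" | while read -r fw; do
            [ -n "$fw" ] || continue
            if firmware_present "$fw_dir" "$fw"; then
                state=present
            else
                state=absent
            fi
            printf '%s\t%s\t%s\n' "$mod" "$fw" "$state"
        done
    done
}

# Run against the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_firmware /proc/modules /lib/firmware
fi
```

Drivers compiled into the kernel do not appear in `/proc/modules`, so this only covers loadable modules.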

Beko
Joined: 08/31/2019

> If you want to use Tails with Linux-libre and/or SysVinit, I think that you will need to modify the Tails image or compile your own.

I personally don't mind systemd, I heard a lot of bad about it and a lot of good, so I don't know where I stand on this subject. I specifically only cared about the kernel really.

> Which hardware components on your machine use non-free firmware? If there aren't any, then there's not really an issue.

When ordering my x200 I specifically requested a model without Bluetooth, fingerprint scanner, or a front facing camera. Everything else, besides the RAM and SSD I replaced personally, should be either manufacturer's or perhaps Libiquity replaced with an equivalent. I have had 0 driver problems with Trisquel and Linux-libre. Are you saying that since my machine does not require anything non-free that it should automatically just not use the non-free blobs present in the Linux kernel?

Even though the FSF doesn't see Debian as a free distro, I disagree with that, Debian explicitly states at every opportunity what is non-free and what is free. Simply having a non-free repo disqualifies them from the certification. Is Tails in a similar situation where on a machine capable of 100% free hardware could essentially run Tails free?

Thanks for the great answer as always!

Beko
Joined: 08/31/2019

Also another thought... could a TOR Wrapper on the entire OS be possible for Trisquel? Even though it is not amnesiac?

calher

Joined: 06/19/2015

On 2/26/20 3:08 PM, name at domain wrote:
> I had seen the Heads project a while back trying to implement Tails without systemd or non-free drivers in the kernel.

Unfortunately, the scope of the project is not as narrow as simply
freeing Tails. The developer also has an ax to grind against what they
perceive as "bloat," such as making it easy and accessible for people to
quickly encrypt and decrypt files without struggle.

I tried to tell the developer that the frustration of the user is often
a bottleneck in security, because most people end up just pressing the
"ignore" button and forgoing security. They did not listen.

--
Caleb Herbert
KE0VVT
(816) 892-9669
https://bluehome.net/csh

chaosmonk

Joined: 07/07/2017

> Are you saying that since my machine does not require anything non-free that it should automatically just not use the non-free blobs present in the Linux kernel?

Firmware runs on a particular hardware device (i.e. a wireless card or a camera). The operating system can provide the firmware to the device, but does not actually run the device on its own. Without a device to run the firmware on, the firmware is a useless file.

> Even though the FSF doesn't see Debian as a free distro, I disagree with that, debian explicitly states at every opportunity what is non-free and what is free. Simply having a non-free repo disqualifies them from the certification.

It is not just the non-free repo. Even if Debian did not have a non-free repo, it would not meet [the FSF's requirements][1]. For example, Debian's main repository contains Snap. Snap is free software, but it is a package manager for Canonical's Snap Store, which contains non-free software. Another example is [hplip][2], whose Debian package does not contain any non-free software, but presents the user with an option to download and install a plugin from the Internet, and the plugin is non-free. Debian's main repository only contains software under free licenses, but you do have to pay attention to make sure that you don't accidentally install something non-free from outside of Debian's main repository.

> Is Tails in a similar situation where on a machine capable of 100% free hardware could essentially run Tails free?

I believe that freedom-wise the only difference between Tails and Debian main is that Tails includes non-free firmware by default. As long as you don't have any devices that can run this firmware, I think it should be the same as Debian main in terms of freedom.

> could a TOR Wrapper on the entire OS be possible for Trisquel? Even though it is not amnesiac?

Trisquel should be secure enough for normal situations, but in a situation where anonymity is so crucial that you need all of your traffic to go through Tor, I would not use Trisquel. Trisquel is based on Ubuntu, which does not provide security updates for most of the packages in its repository (although we mitigate this by backporting newer versions of packages, including Tor). If you want a non-amnesiac alternative to Tails, I recommend [Whonix][3]. Like Tails, it is based on Debian and routes all traffic through Tor. It is meant to be run in a virtual machine, in which case it does not even have access to your hardware, so I think that firmware should not be an issue, though as a persistent system you can of course easily install Linux-libre.

[1]: https://www.gnu.org/distros/free-system-distribution-guidelines.en.html

[2]: https://packages.debian.org/buster/hplip

[3]: https://www.whonix.org/

Beko
Joined: 08/31/2019

> Debian's main repository contains Snap.

> Another example is [hplip][2], whose Debian package does not contain any non-free software, but presents the user with an option to download and install a plugin from the Internet, and the plugin is non-free.

Thanks for explaining Debian, I didn't realise how many reasons there were for Debian being non-free. I feel like I would be able to avoid these pitfalls because I don't install too many plugins for fear of fingerprinting. Just barebones essentials like adblock, privacy badger and the plugin that spoofs "win10mozilla" or something along those lines to fit in with a normie user.

I'm not trying to migrate to a system like Whonix; I don't have that sort of threat level. I just like having the anonymity of Tails and it's convenient. I do intend to continue using Trisquel as my installed OS, I was just seeing if I could use Tails on an x200 without freedom issues. Which you have answered perfectly.