Help with booting Kicksecure on HEADS (coreboot) bios

Hello, this is my first post! :slight_smile:

After playing with Kicksecure (template) on Qubes OS I tried to download the live iso and run it.

My computer has HEADS/coreboot as bios and Qubes OS as main OS.

Unfortunately HEADS does not “see” Kicksecure and cannot launch it.

The following GitHub issue tracks the problem: "kicksecure iso doesn't boot under Heads · Issue #2008 · linuxboot/heads · GitHub".
The main developer of HEADS (tlaurion (Thierry Laurion) · GitHub) has replicated the issue. If you have any suggestion on how to fix it (or debug it), it would be very much appreciated.

Thank you in advance.

3 Likes

Quoting from the linked issue:

Replicated. This is a hybrid ISO.
The disk needs to be mounted (sda here), not a subpartition, to discover rootfs and its boot-related files.

At least to me this sounds like a limitation of Heads itself and not something Kicksecure can work around. You might be able to mount the disk itself (not a subpartition) in the recovery shell, then manually boot from that mounted device, but I don’t know if Heads supports that. Until Heads gains support for this, we’d need to have a Heads-specific ISO, which I don’t think is feasible (especially since our ISO creation tooling is handled by live-build right now, and we don’t customize how it does the generation of the ISO itself to my awareness).

I did have a slightly crazy idea for getting this to work anyway… quoting a slightly modified version of my messages from the Heads room:

This might be a kind of crazy idea, but what if there were a fourth partition on the USB, which encompassed the whole entire disk, such that /dev/sda4 was then essentially an alias of /dev/sda?
Would Heads then be able to boot from /dev/sda4, and then the initramfs of Kicksecure be able to find the live OS at /dev/sda?
I’m not sure we could work something like that into Kicksecure’s build system, but it might be possible to document it as a workaround.
I don’t have any device running Heads here to test on, but if that sounds plausible and it works when someone tries it, it might be something we could document.

2 Likes
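An added example, not part of any post in this thread and not Heads or Kicksecure code: it shows why a hybrid ISO's filesystem is found on the whole device rather than on a subpartition, by looking for the ISO 9660 `CD001` signature 32 KiB into the disk and into each MBR partition. The image is constructed and the function names are hypothetical.

```python
import struct

SECTOR = 512
PVD_OFFSET = 16 * 2048  # ISO 9660 volume descriptors start at 2048-byte sector 16

def has_iso9660(data, base=0):
    """True if an ISO 9660 volume descriptor ('CD001') sits at base + 32 KiB."""
    off = base + PVD_OFFSET
    return data[off + 1:off + 6] == b"CD001"

def mbr_partitions(data):
    """Return (index, type, start_lba, sector_count) for non-empty MBR entries."""
    if data[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((i + 1, ptype, start, count))
    return parts

def where_is_rootfs(data):
    """List the block devices on which the ISO 9660 filesystem is visible."""
    found = []
    if has_iso9660(data):
        found.append("whole-disk")
    for idx, _ptype, start, _count in mbr_partitions(data):
        if has_iso9660(data, start * SECTOR):
            found.append(f"partition-{idx}")
    return found

def build_sample():
    """Constructed 128 KiB image: ISO 9660 at disk offset 0, one EFI partition."""
    img = bytearray(256 * SECTOR)
    img[PVD_OFFSET:PVD_OFFSET + 6] = b"\x01CD001"
    # MBR entry 1: type 0xEF (EFI system), start LBA 128, 64 sectors
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0xEF, b"\0\0\0", 128, 64)
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    print(mbr_partitions(sample))   # the EFI partition only
    print(where_is_rootfs(sample))  # filesystem visible on the whole disk only
```

A partition entry starting at LBA 0, as in the idea above, would also be reported by `where_is_rootfs`; whether Heads would accept such an entry is not something this sketch can show.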

Replied on github just now.

2 Likes

Thank you for your quick reply, @arraybolt3!

Yes, it is possible with the following commands in HEADS recovery shell:

```
mount /dev/sdb /media
kexec-select-boot -b /media
```

Would you be so kind as to spell out what HEADS developers need to fix/develop in order to boot Kicksecure without issues? I will report the requirements to the GitHub issue.
Thanks!

1 Like

I should add that while this allows booting Kicksecure in HEADS (from the recovery shell), and all seems to work fine, there is an error printed during the boot process:

```
simple-framebuffer simpler-framebuffer.0: Unable to register simpl
[FAILED] Failed to mount sysroot.mount - /sysroot
```

I am not sure if this is a separate issue or not.

1 Like

Probably benign, could be the result of using Heads.

Known issue, due to a Dracut bug. This is benign and can be ignored. I believe this will be resolved in Kicksecure 18, but it’s just cosmetic.

3 Likes

Heads has many boot compatibility issues:

heads is:

I don’t like this workaround because it hooks into the initrd generation process and adds more complexity.

Quote initrd/kernel packed in ISO doesn't support exfat (#20621) · Issues · tails / tails · GitLab

Also, I would like to raise concerns on often changing used distro signing key, which is really fast paced for Heads downstream forks which provide 1 release a year (and your distro signing key that will expire in 272 days, which will cause problems for next firmware releases validating iso against detached signature and distro key fused in firmware).

2 Likes