Running Tails OS in an Incus Virtual Machine

This tutorial uses Tails OS as an example of legacy ROM BIOS booting with the open source SeaBIOS, using the CD-ROM emulation that is new in Incus 6.16. It is a good example of how a state-of-the-art hypervisor like Incus can still support legacy booting of a virtual machine.

This tutorial is not about Tails OS per se. You can read about Tails here. You can also read about the Tor Network here. Tails uses the Tor network because it is the strongest and most popular network to protect from surveillance and censorship.

Onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in a network location. The client and onion service each select three relays (a guard and two middle relays) to route traffic to each other, never leaving the Tor network, and never transmitting plain text.

Tails OS is seen as a more secure way to access the Tor network than a browser with Tor baked in, such as the Brave Browser. So, I present an alternative to booting Tails OS on bare metal: booting the Tails OS ISO image in an Incus virtual machine.

In 2021, I presented a tutorial entitled Self Hosting on the Dark Side where I showed how to self host on the Dark Web. You might be surprised to know that Linux has this capability built into the OS.

Again, this tutorial is not about Tor or hosting on Tor. So, let’s press on.

This is a follow-on to my tutorial Super Easy Windows 11 Install in an Incus VM. This time we are going to feature both the Incus 6.16+ CD-ROM support and legacy booting.

Modern operating systems that boot with the Unified Extensible Firmware Interface (UEFI) will often utilize Secure Boot. Secure Boot prevents booting a system via portable media.

Legacy booting via ROM BIOS does not support Secure Boot and so we must explicitly turn that feature off. Frankly, I normally turn off secure boot for even my UEFI Linux systems in my home lab because it’s more an annoyance than a feature since I have physical access security to my Home Lab.

We are going to boot Tails OS with the legacy x86 ROM BIOS. Incus provides legacy ROM BIOS boot support via the open source SeaBIOS.

Log into your Incus server and download the ISO image for the Tails OS (Note: new versions are frequently released):

wget https://download.tails.net/tails/stable/tails-amd64-6.19/tails-amd64-6.19.iso

Be sure you are running at least Incus version 6.16 and update if you are not. Check your incus version with this command:

incus version

Create an empty virtual machine instance in Incus. An empty VM is one with no operating system installed.

incus init tails --empty --vm

Add the installation media we just downloaded to the new VM, being sure to adjust the absolute path for your system.

incus config device add tails install disk source=/home/scott/demo/tails-amd64-6.19.iso io.bus=usb readonly=true boot.priority=10

Set the VM to legacy CD-ROM booting with security.csm=true (compatibility support module), turn off Secure Boot with security.secureboot=false, and set the memory size to 6GB.

incus config set tails security.csm=true security.secureboot=false limits.memory=6GiB

Start Tails OS with the following command.

incus start tails --console=vga
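The setup steps above can be wrapped in a script with preflight checks. This is an added example, not part of the original tutorial: it refuses to continue when the ISO is missing or the Incus server is older than 6.16, and reads the two security keys back before the first boot. The "Server version:" line format of `incus version` and the file name setup-tails.sh are assumptions.

```shell
#!/bin/sh
# Added example: the tutorial's setup commands with preflight checks.
# ISO and VM default to the tutorial's values; override via environment.
ISO="${ISO:-/home/scott/demo/tails-amd64-6.19.iso}"
VM="${VM:-tails}"
MIN_VERSION="6.16"

# Print the server version from `incus version` output read on stdin.
# Assumption: the output has a "Server version: X.Y" line.
server_version() {
    sed -n 's/^Server version:[[:space:]]*//p' | head -n 1
}

# Succeed when dotted version $1 >= $2. Fields are compared as numbers,
# so 6.9 < 6.16 and a three-part version such as 6.0.4 < 6.16.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

setup_tails_vm() {
    [ -r "$ISO" ] || { echo "ISO not readable: $ISO" >&2; return 1; }
    ver=$(incus version | server_version)
    version_ge "$ver" "$MIN_VERSION" || {
        echo "Incus server '$ver' is older than $MIN_VERSION" >&2; return 1; }
    incus init "$VM" --empty --vm || return 1
    incus config device add "$VM" install disk source="$ISO" \
        io.bus=usb readonly=true boot.priority=10 || return 1
    incus config set "$VM" security.csm=true security.secureboot=false \
        limits.memory=6GiB || return 1
    # Read the keys back so a typo shows up before the first boot.
    [ "$(incus config get "$VM" security.csm)" = "true" ] &&
        [ "$(incus config get "$VM" security.secureboot)" = "false" ]
}

# Run only when invoked as: sh setup-tails.sh run
# (setup-tails.sh is a hypothetical file name). Start the VM afterwards
# with: incus start tails --console=vga
if [ "${1:-}" = "run" ]; then
    setup_tails_vm
fi
```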

When Tails OS starts, you will see the syslinux boot menu pop up in the Virtual Machine Remote Viewer.

If the remote viewer does not pop up, this may mean that it’s not installed on your system.

sudo apt install virt-viewer

When Tails OS boots, it asks for language and keyboard defaults. It’s my advice not to configure persistent storage because that potentially may defeat security goals.

The next screen provides the options to connect to the Tor network. I choose the first option because I am running from my local LAN which is trusted.

The system then establishes a connection to the Tor network.

Once you are connected, you can browse your Tor circuits as a fun gee whiz.

You can now start the Tor Browser.

Once the Tor Browser is started, you can navigate to both the open web and addresses on the Dark Web by accessing “.onion” addresses. Read about Tor to learn more.

Tails OS has some built in apps. Keep in mind, the idea behind Tails is that once you shut it down, all your data vanishes.

Once you are done using Tails OS, you can shut it down.

Once you select the “power off” option, the remote viewer will shut down and you will be back at your terminal where you started the Tails Incus VM.

To relaunch Tails OS:

incus start tails --console=vga