beta-tester / RPi-PXE-Server

setup a Raspberry Pi as a PXE-Server

Tails isn't PXE-booting; missing net modules #31

Closed beta-tester closed 8 months ago

beta-tester commented 4 years ago

Tails 4.5 isn't PXE booting, because of missing network modules. /lib/modules/5.4.0-4-amd64/kernel/net/ folder is missing ethernet and phy modules.

beta-tester commented 4 years ago

follow these steps to create a tails-x64-hotfix-pxe.cpio.xz file that contains the network modules and a patch.

  1. in p2-include-handle change handle_item '-' iso TAILS_X64; to handle_item '+' iso TAILS_X64;.
  2. run bash run.sh to get tails-x64.iso downloaded and mounted.
  3. be sure, you have the packages squashfs-tools, initramfs-tools and xz-utils installed.
  4. modify the script down below to the actual tails iso content.
  5. execute the script down below to create the file tails-x64-hotfix-pxe.cpio.xz that will contain the missing network modules and a patch.
  6. rerun bash run.sh to get pxe-menu activated for tails.

#!/usr/bin/bash

# ... break=premount
# ... break=init
# ... debug
#
# sudo unsquashfs -d /tmp/test -f /srv/nfs/tails-x64/live/filesystem.squashfs
# $ ls  /tmp/test/bin/live-*
# $ ls -r /tmp/test/lib/live/*

# 2024-02-27 for tails 6.0, renamed to all-net-blocklist.conf
# 2024-02-27 for tails 6.0, updated path from /lib/modules/ to /usr/lib/modules/
# 2023-09-11 skip network de-init on boot option "break=init" to keep network alive for debugging
# 2021-11-07 /conf/net_drivers.tar.xz, /conf/conf.d/zzzz-hotfix-pxe, /etc/live/boot/zzzz-hotfix-pxe

# requires:
#   squashfs-tools  (unsquashfs)
#   initramfs-tools (cpio)
#   xz-utils        (xz)

# location, where to store temporary files
TMP=/tmp/tails-net

# full filename of the filesystem.squashfs from tails ISO
SRC=/srv/nfs/tails-x64/live/filesystem.squashfs

# full filename of the hotfix-pxe image
DST=/srv/nfs/tails-x64-hotfix-pxe.cpio.xz

if [[ -z "${TMP}" ]] || [[ -z "${SRC}" ]] || [[ -z "${DST}" ]]; then
    echo "ERROR: undefined variable"
    exit 1
fi

# abort if any of the required locations is missing or unreadable
if ! [[ -d "$(dirname "${TMP:?}")" ]] || ! [[ -r "${SRC:?}" ]] || ! [[ -d "$(dirname "${DST:?}")" ]]; then
    echo "ERROR: wrong file or folder"
    exit 2
fi

# kernel version of tails
KVER=$(basename $(unsquashfs -l "${SRC:?}" -e /usr/lib/modules/ | grep /usr/lib/modules/ | head -n 1))
(( $? != 0 )) && exit 4

# test if kernel version is correct
if [[ -n "${KVER}" ]]; then
    echo "INFO: KVER='${KVER:?}'"
else
    echo "ERROR: unknown kernel version"
    exit 3
fi

do_modules() {
# extract missing network kernel drivers modules from tails
sudo unsquashfs \
    -d "${TMP:?}" \
    -f "${SRC:?}" \
    -e "/usr/lib/modules/${KVER:?}/kernel/drivers/net/phy" \
    -e "/usr/lib/modules/${KVER:?}/kernel/drivers/net/ethernet" \
    ;
(( $? != 0 )) && exit -4

# compress missing network kernel drivers modules to file
[[ -e "${TMP:?}/conf/" ]] || sudo mkdir -p "${TMP:?}/conf/"
sudo tar -ravf "${TMP:?}/conf/net_drivers.tar.xz" -C "${TMP:?}"  "usr/lib"
sudo rm -rf "${TMP:?}/usr/lib"
}

do_patch_top() {
# add hotfix for pxe boot to initrd image
[[ -e "${TMP:?}/conf/conf.d/" ]] || sudo mkdir -p "${TMP:?}/conf/conf.d/"
cat << EOF | sudo tee "${TMP:?}/conf/conf.d/zzzz-hotfix-pxe" &>/dev/null
#!/usr/bin/sh

# check if we are dealing with the same kernel version
if [ "\$(uname -r)" != "${KVER:?}" ]; then
    . /scripts/functions
    log_failure_msg "wrong kernel version. '\$(uname -r)'!='${KVER:?}'"
    panic "please visit: https://github.com/beta-tester/RPi-PXE-Server/issues/31"
fi

# comment out all blacklist entries
sed "s/^install/# install/g" -i /etc/modprobe.d/all-net-blocklist.conf

# replace wget script by busybox, for normal behavior
mv /usr/bin/wget /usr/bin/wget.bak
ln -sf /usr/bin/busybox /usr/bin/wget

# replace depmod, for normal behavior
mv /usr/sbin/depmod /usr/sbin/depmod.bak
ln -sf /usr/bin/kmod /usr/sbin/depmod

# extract the compressed drivers in place
tar -xf "/conf/net_drivers.tar.xz" -C /

# rebuild dependencies for added network kernel drivers modules
depmod -b /usr

# append the init-bottom hotfix script to the ORDER file
echo '/scripts/init-bottom/zzzz-hotfix-pxe' | tee -a /scripts/init-bottom/ORDER
EOF
(( $? != 0 )) && return -4
sudo chmod +x "${TMP:?}/conf/conf.d/zzzz-hotfix-pxe"
(( $? != 0 )) && return -4
}

do_patch_bottom() {
[[ -e "${TMP:?}/scripts/init-bottom/" ]] || sudo mkdir -p "${TMP:?}/scripts/init-bottom/"
cat << EOF | sudo tee "${TMP:?}/scripts/init-bottom/zzzz-hotfix-pxe" &>/dev/null
#!/usr/bin/sh
patch_bottom()
{
    if ! [ -n "\$break" ]; then
        # hotfix-pxe for issue with network initialisation in tails
        local path_device
        for path_device in /sys/class/net/*; do
            local name_device
            name_device=\$(basename \$path_device)
            if [ "\$name_device" != "lo" ]; then
                # set network devices down
                ip link set \$name_device down

                local path_module
                path_module=\$(readlink \$path_device/device/driver/module)
                if [ -n "\$path_module" ]; then
                    # remove used network drivers
                    local name_module
                    name_module=\$(basename \$path_module)
                    modprobe -r \$name_module
                fi
            fi
        done
    fi
}

patch_bottom
EOF
(( $? != 0 )) && return -4
sudo chmod +x "${TMP:?}/scripts/init-bottom/zzzz-hotfix-pxe"
(( $? != 0 )) && return -4
}

do_initrd() {
# create an initrd image to overlay at boot time
sudo rm -f "${DST:?}"
cd "${TMP:?}"
(( $? != 0 )) && return -4
find . -type f -print0 | cpio --null --create --verbose --format=newc \
    | xz --compress --extreme --check=crc32 | sudo tee "${DST:?}" &>/dev/null
(( $? != 0 )) && return -4
cd -
}

do_cleanup() {
# clean up temporary files
sudo rm -rf "${TMP:?}"
(( $? != 0 )) && return -4
}

do_modules
do_patch_top
do_patch_bottom

do_initrd

do_cleanup

echo done.

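
Added example, not part of the original comment or the project's code: the overlay built above is unpacked and run as root in the Tails initramfs, so this Python check parses the resulting `.cpio.xz` and confirms it holds only the three files the script writes, as regular files that are not group- or world-writable. The function names and the `make_sample` input are constructed for illustration.

```python
import lzma

# Paths the script above writes under ${TMP} before packing them with cpio.
EXPECTED = {"conf/net_drivers.tar.xz", "conf/conf.d/zzzz-hotfix-pxe",
            "scripts/init-bottom/zzzz-hotfix-pxe"}

def pad4(n):
    return (n + 3) & ~3  # newc aligns names and file data to 4 bytes

def list_newc(blob):
    """Yield (name, mode) for every entry of an uncompressed newc archive."""
    pos = 0
    while True:
        if blob[pos:pos + 6] != b"070701":
            raise ValueError(f"no newc header at offset {pos}")
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name, mode
        pos = pad4(pad4(pos + 110 + namesize) + size)

def audit(xz_bytes):
    """Return a list of findings; an empty list means nothing unexpected."""
    findings, seen = [], set()
    for name, mode in list_newc(lzma.decompress(xz_bytes)):
        path = name[2:] if name.startswith("./") else name  # "find ." prefix
        seen.add(path)
        if path not in EXPECTED:
            findings.append(f"unexpected entry: {path}")
        if (mode & 0o170000) != 0o100000:
            findings.append(f"not a regular file: {path}")
        if mode & 0o022:
            findings.append(f"group/world-writable: {path}")
    findings += [f"missing: {p}" for p in sorted(EXPECTED - seen)]
    return findings

def make_sample(entries):
    """Pack (name, mode) pairs into newc + xz; constructed test input only."""
    out = b""
    for name, mode in entries + [("TRAILER!!!", 0)]:
        n, data = name.encode() + b"\0", b"data" if mode else b""
        fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
        out += b"070701" + b"".join(b"%08X" % v for v in fields) + n
        out += b"\0" * (pad4(len(out)) - len(out)) + data
    return lzma.compress(out, check=lzma.CHECK_CRC32)
```

On the PXE server, pass the bytes of /srv/nfs/tails-x64-hotfix-pxe.cpio.xz to `audit()` after the script finishes; an empty list means the image contains only the expected entries.
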
beta-tester commented 4 years ago

procedure not working for tails 4.8. computer turns off somewhere at initialization.

beta-tester commented 4 years ago

with tails 4.9, same issue as with tails 4.8. computer turns off after late initialization.

beta-tester commented 3 years ago

masking a tails service did the trick. systemd.mask=tails-shutdown-on-media-removal.service

tested with tails 4.15.1

beta-tester commented 3 years ago

tails 4.24 doesn't pxe boot anymore. shows same behavior as booting without net driver patch.

beta-tester commented 3 years ago

fix for tails 4.24: ISSUE: overlaying net drivers into place in initrd.img isn't possible anymore for unknown reason. WORKAROUND: putting net drivers in a net_drivers.tar.xz file and extracting them into place at running boot-scripts. new script available at https://github.com/beta-tester/RPi-PXE-Server/issues/31#issuecomment-614438868

modrz44 commented 1 year ago

This patch stopped working starting with, I think, Tails 6.10. I couldn't get an error code; it just refuses to boot once the initrd is downloaded from tftp, without any error. I believe the problem started when Tails switched to the Linux 6.x kernel. My best analysis is that it's not the actual patch that's the problem, but Linux 6.x kernels handle initrd images differently somehow, which makes it refuse any appending initrd patches like this one. I've been trying for a few weeks but got nowhere. Hopefully someone can at least establish why this happens.

beta-tester commented 1 year ago

for me it is working.

the kernel version of Tails 5.16.1 is 6.1.0-11-amd64

beta-tester commented 1 year ago

i changed the script to keep network alive for debugging, if any "break" boot option is given e.g.: "break=init debug --"

beta-tester commented 8 months ago

script stopped working with tails 6.0

beta-tester commented 8 months ago

fix for tails 6.0:

fixed the script above and added patch-tails.sh to project. script still has to be executed manually to apply the patch.