![Heads booting on an x230](https://user-images.githubusercontent.com/827570/156627927-7239a936-e7b1-4ffb-9329-1c422dc70266.jpeg)
Heads: the other side of TAILS
===
Heads is a configuration for laptops and servers that tries to bring
more security to commodity hardware. Among its goals are:
* Use free software on the boot path
* Move the root of trust into hardware (or at least the ROM bootblock)
* Measure and attest to the state of the firmware
* Measure and verify all filesystems
![Flashing Heads into the boot ROM](https://farm1.staticflickr.com/553/30969183324_c31d8f2dee_z_d.jpg)
NOTE: It is a work in progress and not yet ready for non-technical users.
If you're interested in contributing, please get in touch.
Installation requires disassembly of your laptop or server,
external SPI flash programmers, possible risk of destruction and
significant frustration.
More information is available in [the 33C3 presentation of building "Slightly more secure systems"](https://trmm.net/Heads_33c3).
Documentation
===
Please refer to the [Heads wiki](https://osresearch.net) for Heads documentation.
Building heads
===
Run `make BOARD=board_name`, where `board_name` is the name of the board's directory under `./boards`.
In order to build reproducible firmware images, Heads builds a specific
version of gcc and uses it to compile the Linux kernel and various tools
that go into the initrd. Unfortunately this means the first step is a
little slow, since it will clone the `musl-cross-make` tree and build gcc.
Once that is done, the top level `Makefile` will handle most of the
remaining details -- it downloads the various packages, verifies the
hashes, applies Heads specific patches, configures and builds them
with the cross compiler, and then copies the necessary parts into
the `initrd` directory.
There are still dependencies on the build system's coreutils in
`/bin` and `/usr/bin/` , but any problems should be detectable if you
end up with a different hash than the official builds.
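The hash checks described above, as an added example that is not the Heads `Makefile`'s own logic: a small POSIX shell helper that refuses to unpack a fetched module tarball unless its SHA-256 matches a pinned value, and that can equally be pointed at a finished image to compare it with a published hash. The function names, the `curl` download step and the fallback to `shasum` are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the Heads project. Demonstrates the two
# hash checks a reproducible-build pipeline relies on: pinning what is
# downloaded, and comparing what is built against a published digest.

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool the
# build host has (GNU coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hash FILE EXPECTED: succeed only if FILE's SHA-256 equals EXPECTED.
# Used both for downloaded tarballs and for a finished image compared
# against the hash of an official build.
verify_hash() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL FILE EXPECTED: download FILE from URL if it is not
# already present, then require the pinned hash before returning success.
# On a mismatch the file is deleted so a later run re-downloads it
# instead of silently reusing a corrupted or tampered copy.
fetch_and_verify() {
    url=$1; file=$2; expected=$3
    [ -f "$file" ] || curl -fsSL -o "$file" "$url" || return 1
    if verify_hash "$file" "$expected"; then
        return 0
    fi
    echo "hash mismatch for $file" >&2
    rm -f "$file"
    return 1
}

# Usage (paths and digests are placeholders, not values from this page):
#   fetch_and_verify "$MODULE_URL" modules/module.tar.xz "$PINNED_SHA256" && \
#       tar -xf modules/module.tar.xz
#   verify_hash build/board/coreboot.rom "$OFFICIAL_BUILD_SHA256" || \
#       echo "image differs from the official build" >&2
```

Note that the pinned digest has to come from somewhere you already trust (the repository itself, or a signed release note); a hash fetched alongside the file it describes proves nothing.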
The various components that are downloaded are in the `./modules`
directory and include:
* [musl-libc](https://www.musl-libc.org/)
* [busybox](https://busybox.net/)
* [kexec](https://wiki.archlinux.org/index.php/kexec)
* [mbedtls](https://tls.mbed.org/)
* [tpmtotp](https://trmm.net/Tpmtotp)
* [coreboot](https://www.coreboot.org/)
* [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)
* [lvm2](https://sourceware.org/lvm2/)
* [gnupg](https://www.gnupg.org/)
* [Linux kernel](https://kernel.org)
We also recommend installing [Qubes OS](https://www.qubes-os.org/),
although Heads can `kexec` into any Linux or
[multiboot](https://www.gnu.org/software/grub/manual/multiboot/multiboot.html)
kernel.
Notes:
---
* Building coreboot's cross compilers can take a while. Luckily this is only done once.
* Builds are finally reproducible! The [reproduciblebuilds tag](https://github.com/osresearch/heads/issues?q=is%3Aopen+is%3Aissue+milestone%3Areproduciblebuilds) tracks any regressions.
* Currently only tested in QEMU, the Thinkpad x230, Librem series and the Chell Chromebook.
  * Xen does not work in QEMU. Signing, HOTP, and TOTP do work; see below.
* Building for the Lenovo X220 requires binary blobs to be placed in the `blobs/x220/` folder.
  See the `readme.md` file in that folder.
* Building for the Librem 13 v2/v3 or Librem 15 v3/v4 requires binary blobs to be placed in
  the `blobs/librem_skl` folder. See the `readme.md` file in that folder.
QEMU:
---
OS booting can be tested in QEMU using a software TPM. HOTP can be tested by forwarding a USB token from the host to the guest.
For more information and setup instructions, refer to the [qemu documentation](targets/qemu.md).
coreboot console messages
---
The coreboot console messages are stored in the CBMEM region
and can be read by the Linux payload with the `cbmem --console | less`
command. There is lots of interesting data about the state of the
system.