Skip to content

The Configurable Release
Compare
Choose a tag to compare
@osresearch osresearch released this 13 Apr 12:33
· 2346 commits to master since this release
v0.2.0
This tag was signed with the committer’s verified signature.
osresearch Trammell Hudson
GPG key ID: 0F948052DDECBE68
Learn about vigilant mode.
a71f84c
This commit was signed with the committer’s verified signature.
osresearch Trammell Hudson
GPG key ID: 0F948052DDECBE68
Learn about vigilant mode.

This release adds several new features, the most important of which is an easier way to configure which pieces are included into the ROM image. There are is also a overhaul of the initialization scripts, which makes a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.

sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):

b7db7ecfddd8707b8a49a7ff82c5d37eac62c482f8f9681ffd6a18ff23fde49b  qemu.rom
1b8503ed0d916fa19eb02e22c33c30cac44b0d0ede6ee46ec6acd784566c3b00  x230.flash.rom
d0850cfc3f8eb3bb3c17911577868cbbc811fe00040e2b9128ccd7647a558982  x230.rom

General updates

flashrom

  • flashrom is in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
  • A full version of gpg is installed with Yubikey support. You can now sign files in /boot as well as the root hashes for dm-verity filesystems using an external hardware token.
  • lvm is installed in the firmware image, allowing volume management instead of partitions.
  • TPM counters are used to prevent roll-back attacks on previously signed versions.
  • TPM owner password is no longer required after initial setup of NVRAM and counters.
  • TPM TOTP value is updated every thirty seconds while waiting for disk unlock code.
  • Loading kernel modules with insmod will adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
  • Network devices drivers are available as loadable kernel modules for server bootstrapping.
  • Networking tools like ssh and scp are available to fetch new firmware images or kernels.
  • Makefile documentation on how to add new submodules.

Hardware updates

Librem first boot

  • Preliminary support for the Puri.sm Librem 13 laptop and plans to ship pre-installed on their next hardware rev.
  • x230 Thinkpad image now uses all available 7 MB to fit these extra features. There is a separate x230-flash.rom that fits into the top 4MB chip to help bootstrap the installation process.
  • x230 ethernet and both side USB ports work (although note that if you have run ME cleaner on the ROM the ethernet port will not function)

Qubes specific updates

Qubes install

  • qubes-install script to simplify initial setup, qubes-update script to sign after a Qubes update.
  • seal-key / unseal-key takes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
  • Qubes' initramfs is modified on bootup to install the key unsealed by the TPM.
  • ROM configuration no longer depends on hardcoded values for the UUID of / filesystem.
  • Xen 4.6.4 works with Heads (although note that the Qubes' Xen tree is not tracked, issue #159)

Known issues

Please file any you run into: https://github.com/osresearch/heads/issues

  • BP# bits are not set (issue #12)
  • PRR and FLOCKDN are not set (issue #184)
  • MRC region on x230 is measured before being written, requiring two reboots after flashing (issue #150)
  • Clean builds take a long time (issue #162 and #163 )
  • Chell chromebook builds are broken (issue #38)
Assets 5
Loading