Just a bit of meta info before starting out my review. Throughout this I'll be linking to the project's GitHub page. If you didn't already know, GitHub has maintained a contract with I.C.E in the United States. Obviously fuck ICE. It needs to burn. I will be linking to GitHub sites using archive.org to avoid giving GitHub more traffic for those of you who click through. That being said, I don't believe that the project itself endorses the actions of GitHub. They seem to have gained a community prior even to GitHub being sold to Microsoft, and as it is a project that is entirely community developed I must acknowledge that a move poses difficulties. Anyways ICE MUST DIE, let's move on.
What is heads?
In simple words, heads is a linuxboot/coreboot payload that utilizes hardware components and a hardware auth device (like a YubiKey) to ensure that the boot process of your device is tamper-evident. Read more about the project here and on their Git repo.
What does it run on?
There are a few devices that heads can be compiled to run on. The full list. I tested with a ThinkPad x220t and an x230, but the current state of the xx20 series ThinkPads means that it has several major issues. For my review I will only be talking about the x230.
Seeing as how it was so long ago, my memory of installation is not so great. What I do remember is having some initial difficulties with the docs being outdated/confusing. On the official site the build process says to build from the git repo from master. However, the install docs run you through the install as if you were using the 2-year-old release.
I opted to use the git repo for a few reasons. Mainly, thanks to developers at Librem the software looks super slick now. They added some magic so that now when I boot my device I am greeted by a great GUI that changes the screen color depending on the severity of the warning/security issue. I've had experience programming Bootroms prior so that was probably the easiest part of the installation. Except for when I broke off one of the 0.3 mm resistors to the left of the chip and had to hand solder that back on. Be careful about those. :/
Following that there's a bit of configuring, and if you really mess things up you may need to re-flash. I would give the installation a rating of 4 out of 10 tables flipped.
In the 6 months I've had very few hiccups. There have been a couple of issues I discovered after trying to configure an edge case that required I write custom patches and reinstall. Updates are fairly painless even with custom patches. Certain install drives won't boot (such as Arch) and because it uses kexec at its core, you can't run BSD or Windows :(
I traveled with this device, and although the tamper detection never got triggered, I did feel a bit of comfort knowing that if my device got stolen whoever got it would have an unusable computer and no access to my data. So about it never getting triggered. Much to my own dismay I am not an individual target of any nation states. My threat model really doesn't include someone breaking into my home and implanting a modified evil kernel on my device.
That being said, I don't use BSD or Windows on this device, so the mild inconveniences of what this can't do are more than made up for with having a sweet super secure laptop. Besides the comfort of knowing that I won't be totally screwed by border services or an evil implant, I think the cool points alone make it worth it for me.
If you are just getting started with coreboot/libreboot I would suggest you try somewhere else before trying heads. If you only have 1 computer I would also try something other than heads.
If you are security minded, like to mess around with computers, and don't mind spending hours trying to fix your messed-up board, give it a try.