Submitted by nbdy in security_culture (edited )

Just a bit of meta info before starting out my review. Throughout this I'll post be linking to the projects Github page. If you didn't already know Github has maintained a contract with I.C.E in the United States. Obviously fuck ICE. It need to burn. I will be linking to Github sites using archive.org to avoid giving Github more traffic for those of you who click through. That being said I don't believe that the project itself endorse the actions of Github. They seem to have gained a community prior even to Github being sold to Microsoft, and as it is a project that is entirely community developed I must acknowledge that a move poses difficulties. Anyways ICE MUST DIE, let's move on.

What is heads?

In simple words, heads is a linuxboot/coreboot payload that utilizes hardware components and a hardware auth device (like a yubikey) to ensure that the boot process of your device is tamper evident. Read more about the project here and on their Git repo

What does it run on?

There are a few devices that heads can be compiled to run on. The full list. I tested with a Thinkpad x220t and an x230 but the current state of the xx20 series Thinkpads means that it has several major issues. For my review I will only be talking about the x230.

Installation

Seeing as how it was so long ago my memory of installation is not so great. What I do remember is having some initial difficulties with the docs being outdated/confusing. On the official site the build process says to build from the git repo from master. However the install docs run you through the install as if you were using the 2 year old release.
I opted to using the git repo for a few reasons. Mainly, thanks to developers at Librem the software looks super slick now. They added some magic so that now when I boot my device I am greeted a great GUI that changes the screen color depending on the severity of the warning/security issue. I've had experience using programming Bootroms prior so that was probably the easiest part of the installation. Except for the when I broke off one of the 0.3 mm resistors to the left of the chip and had to hand solder that back on. Be careful about those. :/
Following that there's a bit of configuring and if you really mess things up you may need to re-flash. I would give the installation a rating of 4 out of 10 tables flipped.

Running

In the 6 months I've had very few hiccups. There have been a couple issues I discovered after trying to configure an edge case that required I write custom patches and reinstall. Updates are fairly painless even with custom patches. Certain install drives won't boot (such as Arch) and because it uses kexec at it's core, you can't run BSD or windows :(
I traveled with this device and although the tamper detection never got triggered I did feel a bit of comfort knowing that if my device got stolen whoever got it would have an unusable computer and no access to my data. So about it never getting triggered. Much to my own dismay I am not an individual target of any nation states. My threat model really doesn't include someone breaking into my home and implanting a modified evil kernel on my device.
That being said, I don't use BSD or windows on this device so the mild inconveniences of what this can't do are more than made up for with having a sweet super secure laptop. Besides the comfort knowing that I won't be totally screwed by border services or an evil implant I think the cool points alone make it worth it for me.

Final Thoughts

If you are just getting started with coreboot/libreboot I would suggest you try somewhere else before trying heads. If you only have 1 computer I would also try something other than heads.
If you are a security minded and like to mess around with computers and don't mind spending hours trying to fix your messed-up board give it a try.

8

Comments

You must log in or register to comment.

f064fb5ddb9041bc8a4cb0024 wrote

Woah, pretty cool, is it an amnesic OS too? What are the main differences? Just that you need 2FA to log in? I didn't understand the hardware part. Why did you break a resistor? Do you have to sold your components in something really specific in order to use it or what?

Except for the when I broke off one of the 0.3 mm resistors to the left of the chip and had to hand solder that back on. Be careful about those. :/

Also, do you mind if I copy paste this into the PTio forum? I'll give you the credits. Ima create a GH issue to see if they can list it, it will help with the development which seems a bit dead now.

2

nbdy OP wrote

Woah, pretty cool, is it an amnesic OS too? What are the main differences?

Nope! It’s actually a bios replacement. So it’s mostly related to tails in that it’s a tool for securing your computer. It’s based on coreboot so looking into that could give you some insight.

Also, do you mind if I copy paste this into the PTio forum? I'll give you the credits

To respond about the resistor and the soldering thing. I was just being clumsy with the soic chip flasher. And then had to clean up after myself. I’d love a link to the forum first, if you don’t mind.

Look into coreboot and check out some of the links. I think a lot of your questions will be answered that way. :)

3

f064fb5ddb9041bc8a4cb0024 wrote

Nope! It’s actually a bios replacement. So it’s mostly related to tails in that it’s a tool for securing your computer. It’s based on coreboot so looking into that could give you some insight.

Oohh, so Heads can work with different OSes? This is really interesting, I'll try to read a bit about coreboot and see if I can understand something.

To respond about the resistor and the soldering thing. I was just being clumsy with the soic chip flasher. And then had to clean up after myself.

Yeah, still no idea about what that means, I lack the knowledge, lol.

I’d love a link to the forum first, if you don’t mind.

Here you got. https://forum.privacytools.io

2