What is Heads

Heads is a secure runtime environment and a build system; a build recipe cookbook, which boards configurations instructs which modules to be incorporated in the mix needed for specific platform board configuration.

Heads takes advantage of the linux kernel and common linux tools to create its runtime environment, including kexec, busybox, whiptail, cryptsetup, flashrom, LVM, the GPG toolstack, and other important and already existing tools to empower its runtime environement.

The typical output of a build are a packed initramfs and kernel, included inside a coreboot ROM image as its payload. Depending on the architecture/chipsets of a platform, it also integrates neutered/deactivated Intel ME/CSME binary blob (platform dependent), generated Gigabit Ethernet (GBE) configuration blob and an unlocked descriptor (IFD). The produced firmware images requires the platform to be flashed once externally to overwrite the origin flash chip(s) content, more specifically to overwrite locked IFD and ME/MCSE regions and to maximize the BIOS region to the extent of liberated Intel ME firmware region. Heads firmware upgrades can then happen internally for the lifetime of the platform.

Why Heads

Heads take advantage of coreboot measured boot in Static Root of Trust (SRTM) mode as a measurement base, which currently measures itself as early as possible, normally from bootblock(or romstage) into TPM a singleregister (PCR2). Heads payload is then executed after measured and extends TPM with its own measurements in distinct PCRs in the goal of sealing secrets in TPM's distinct NV regions. Kernel modules are measured prior to being loaded, LUKS drive(s) headers are measured if a TPM disk encryption key is configured, while going to the Recovery shell invalidates the TPM measurements by the same TPM extend mechanism.

From a user standpoint, those sealed secrets enables oneself to validate the integrity of the firmware either through TOTP code shown on screen on its smartphone or through HOTP (which challenges validity against supported enabled HOTP USB Security dongles). Another TPM sealed secret enables the user to release an additional LUKS disk encryption key only if the firmware is intact, that kernel modules loaded and Headers are consistent to sealed state and only if provided passphrase matches. Heads also validates user detached signed /boot digests against its fused in rom public key, which guarantees both integrity and authenticity of the trusted boot configuration prior of kexec’ing into it.

A lot happened since 2020... Let’s cover current state and where the project is heading!