A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
This release adds several new features, the most important of which is an easier way to configure which pieces are included in the ROM image. There is also an overhaul of the initialization scripts, which makes for a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.
sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):
1b97745538d99702340c8b42d548e892678da421f8d5ff609c57f59af79e632f qemu.rom
5b0026c87e6b4f7ae72df420f2a56fdd2bda341c0c9149a7cc924485fc02667d x230.rom
a0843fe080598c8a8f7fa6b1293cf3afb5d6b5587d4f33a386ce4d3146bf42e1 x230.flash.rom
- flashrom is in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
- gpg is installed with Yubikey support. You can now sign files in /boot as well as the root hashes for dm-verity filesystems using an external hardware token.
- lvm is installed in the firmware image, allowing volume management instead of partitions.
- insmod will adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
- ssh and scp are available to fetch new firmware images or kernels.
- x230-flash.rom that fits into the top 4MB chip to help bootstrap the installation process.
- qubes-install script to simplify initial setup, qubes-update script to sign after a Qubes update.
- seal-key / unseal-key takes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
- initramfs is modified on bootup to install the key unsealed by the TPM.
- / filesystem.

Please file any you run into: https://github.com/osresearch/heads/issues
This release adds several new features, the most important of which is an easier way to configure which pieces are included in the ROM image. There is also an overhaul of the initialization scripts, which makes for a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.
sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):
b7db7ecfddd8707b8a49a7ff82c5d37eac62c482f8f9681ffd6a18ff23fde49b qemu.rom
1b8503ed0d916fa19eb02e22c33c30cac44b0d0ede6ee46ec6acd784566c3b00 x230.flash.rom
d0850cfc3f8eb3bb3c17911577868cbbc811fe00040e2b9128ccd7647a558982 x230.rom
- flashrom is in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
- gpg is installed with Yubikey support. You can now sign files in /boot as well as the root hashes for dm-verity filesystems using an external hardware token.
- lvm is installed in the firmware image, allowing volume management instead of partitions.
- insmod will adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
- ssh and scp are available to fetch new firmware images or kernels.
- x230-flash.rom that fits into the top 4MB chip to help bootstrap the installation process.
- qubes-install script to simplify initial setup, qubes-update script to sign after a Qubes update.
- seal-key / unseal-key takes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
- initramfs is modified on bootup to install the key unsealed by the TPM.
- / filesystem.

Please file any you run into: https://github.com/osresearch/heads/issues
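
The insmod item in both feature lists above relies on the TPM extend operation. The following is an added example, not code from Heads: it models a TPM 1.2 style SHA-1 PCR and a simplified sealed secret to show why loading an extra module, or the same modules in a different order, blocks unsealing. It assumes the measured data is the module image; the module names, contents and the SealedSecret class are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 20  # assumption: TPM 1.2 style PCR holding one SHA-1 digest


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = SHA1(old || SHA1(data)); a PCR cannot be written directly."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measure_modules(modules) -> bytes:
    """Replay a list of (name, image_bytes) module loads into a fresh PCR 4."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeroes after reset
    for _name, image in modules:
        pcr = extend(pcr, image)
    return pcr


class SealedSecret:
    """Simplified stand-in for a TPM-sealed blob bound to a single PCR value."""

    def __init__(self, secret: bytes, pcr_at_seal: bytes):
        self._secret = secret
        self._pcr = pcr_at_seal

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(current_pcr, self._pcr):
            raise PermissionError("PCR 4 does not match the value at seal time")
        return self._secret


def try_unseal(sealed: SealedSecret, modules):
    """Return the secret if this module sequence reproduces the sealed PCR, else None."""
    try:
        return sealed.unseal(measure_modules(modules))
    except PermissionError:
        return None


# Constructed sample data: module names and contents are placeholders.
EXPECTED = [("ehci-hcd.ko", b"constructed-ehci-image"),
            ("usb-storage.ko", b"constructed-usb-storage-image")]
UNEXPECTED = EXPECTED + [("extra.ko", b"constructed-unexpected-image")]
REORDERED = list(reversed(EXPECTED))

if __name__ == "__main__":
    sealed = SealedSecret(b"disk-key", measure_modules(EXPECTED))
    for label, mods in (("expected", EXPECTED), ("extra module", UNEXPECTED),
                        ("reordered", REORDERED)):
        print(f"{label:13s} PCR4={measure_modules(mods).hex()} "
              f"unsealed={try_unseal(sealed, mods) is not None}")
```
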
A clean checkout takes about 30-50 minutes to build since it makes multiple versions of gcc and binutils. When the build is done it should produce the following sha256 hashes for the two currently working boards:
a7ca26f3b874c52b8284d3d74294fed3937274b699af0b66d50c512455306a9f qemu.rom
83df0b6845fdd6b335119f7e89e08c47ec3566f515fe93bc528fcd955587a43e x230.rom
This includes an update to Linux 4.9.7 and coreboot 4.5, and replaces the system libc with musl-libc to ensure that there are no dependencies on the build system's utilities. It still requires reflashing via a hardware SPI programmer and it is still difficult to install Qubes. Hopefully the UX will improve in the next release.
The Chell chromebook can be made to work, but needs attention to become part of the functioning build again.
Xen is not built as part of the normal make. Run make xen.intermediate to generate build/xen-4.6.3/xen/xen.gz. Please note the xen build is reproducible for a given compiler, but is not yet reproducible across systems.
Lots of cleanup, with some new features:
This is the first release that is capable of a full build from a clean checkout. There are many issues remaining and, while it works on at least one x230, that is no guarantee that it will work on your x230.