This release adds several new features, the most important of which is an easier way to configure which pieces are included in the ROM image. There is also an overhaul of the initialization scripts, which streamlines the boot process for Qubes and the management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.
sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):
    1b97745538d99702340c8b42d548e892678da421f8d5ff609c57f59af79e632f  qemu.rom
    5b0026c87e6b4f7ae72df420f2a56fdd2bda341c0c9149a7cc924485fc02667d  x230.rom
    a0843fe080598c8a8f7fa6b1293cf3afb5d6b5587d4f33a386ce4d3146bf42e1  x230.flash.rom
- `flashrom` is in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
- A full version of `gpg` is installed with Yubikey support. You can now sign files in `/boot` as well as the root hashes for dm-verity filesystems using an external hardware token.
- `lvm` is installed in the firmware image, allowing volume management instead of partitions.
- TPM counters are used to prevent roll-back attacks on previously signed versions.
- TPM owner password is no longer required after initial setup of NVRAM and counters.
- TPM TOTP value is updated every thirty seconds while waiting for disk unlock code.
- Loading kernel modules with `insmod` will adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
- Network device drivers are available as loadable kernel modules for server bootstrapping.
- Networking tools like `scp` are available to fetch new firmware images or kernels.
- Makefile documentation on how to add new submodules.
- Preliminary support for the Puri.sm Librem 13 laptop and plans to ship pre-installed on their next hardware rev.
- x230 Thinkpad image now uses all available 7 MB to fit these extra features. There is a separate `x230-flash.rom` that fits into the top 4MB chip to help bootstrap the installation process.
- x230 ethernet and both side USB ports work (although note that if you have run ME cleaner on the ROM the ethernet port will not function)
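
The `insmod` / PCR 4 item above relies on the TPM extend operation. The following is an added example, not code from Heads: a simplified software model that assumes a TPM 1.2 style SHA-1 PCR and measures only the module file contents. The module images, the `disk-key` secret and the `seal`/`unseal` helpers are constructed for illustration; a real TPM enforces the comparison in hardware.

```python
import hashlib
import hmac

PCR_RESET = bytes(20)  # a TPM 1.2 PCR starts as 20 zero bytes (SHA-1 width)

def extend(pcr, data):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure(modules, pcr=PCR_RESET):
    """Fold each loaded module image into the PCR, in load order."""
    for image in modules:
        pcr = extend(pcr, image)
    return pcr

def seal(secret, expected_pcr):
    """Model of sealing: the secret is bound to one exact PCR value."""
    return {"pcr": expected_pcr, "secret": secret}

def unseal(blob, current_pcr):
    """Model of unsealing: release the secret only on an exact PCR match."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None
    return blob["secret"]

# Constructed stand-ins for kernel module images (not real module bytes).
E1000 = b"constructed e1000e.ko contents"
USB = b"constructed ehci-hcd.ko contents"
ROGUE = b"constructed unexpected.ko contents"

def demo():
    # Seal against the PCR value produced by the expected module set.
    blob = seal(b"disk-key", measure([E1000, USB]))
    return {
        "expected": unseal(blob, measure([E1000, USB])),
        "extra": unseal(blob, measure([E1000, USB, ROGUE])),
        "reordered": unseal(blob, measure([USB, E1000])),
        "patched": unseal(blob, measure([E1000, USB + b"\x00"])),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {'unsealed' if result else 'refused'}")
```

Because each extend hashes the previous PCR value, an extra module, a different load order, or a single changed byte all produce a PCR that no longer matches the sealed value.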
Qubes specific updates
- `qubes-install` script to simplify initial setup, `qubes-update` script to sign after a Qubes update.
- `unseal-key` takes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
- `initramfs` is modified on bootup to install the key unsealed by the TPM.
- ROM configuration no longer depends on hardcoded values for the UUID of
- Xen 4.6.4 works with Heads (although note that the Qubes' Xen tree is not tracked, issue #159)
Please file any you run into: https://github.com/osresearch/heads/issues