Skip to content

@osresearch osresearch released this Apr 24, 2017 · 821 commits to master since this release

This release adds several new features, the most important of which is an easier way to configure which pieces are included into the ROM image. There are is also a overhaul of the initialization scripts, which makes a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to and can be edited via osresearch/heads-wiki.

sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):

1b97745538d99702340c8b42d548e892678da421f8d5ff609c57f59af79e632f  qemu.rom
5b0026c87e6b4f7ae72df420f2a56fdd2bda341c0c9149a7cc924485fc02667d  x230.rom
a0843fe080598c8a8f7fa6b1293cf3afb5d6b5587d4f33a386ce4d3146bf42e1  x230.flash.rom

General updates


  • flashrom is in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
  • A full version of gpg is installed with Yubikey support. You can now sign files in /boot as well as the root hashes for dm-verity filesystems using an external hardware token.
  • lvm is installed in the firmware image, allowing volume management instead of partitions.
  • TPM counters are used to prevent roll-back attacks on previously signed versions.
  • TPM owner password is no longer required after initial setup of NVRAM and counters.
  • TPM TOTP value is updated every thirty seconds while waiting for disk unlock code.
  • Loading kernel modules with insmod will adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
  • Network devices drivers are available as loadable kernel modules for server bootstrapping.
  • Networking tools like ssh and scp are available to fetch new firmware images or kernels.
  • Makefile documentation on how to add new submodules.

Hardware updates

Librem first boot

  • Preliminary support for the Librem 13 laptop and plans to ship pre-installed on their next hardware rev.
  • x230 Thinkpad image now uses all available 7 MB to fit these extra features. There is a separate x230-flash.rom that fits into the top 4MB chip to help bootstrap the installation process.
  • x230 ethernet and both side USB ports work (although note that if you have run ME cleaner on the ROM the ethernet port will not function)

Qubes specific updates

Qubes install

  • qubes-install script to simplify initial setup, qubes-update script to sign after a Qubes update.
  • seal-key / unseal-key takes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
  • Qubes' initramfs is modified on bootup to install the key unsealed by the TPM.
  • ROM configuration no longer depends on hardcoded values for the UUID of / filesystem.
  • Xen 4.6.4 works with Heads (although note that the Qubes' Xen tree is not tracked, issue #159)

Known issues

Please file any you run into:

  • BP# bits are not set (issue #12)
  • PRR and FLOCKDN are not set (issue #184)
  • MRC region on x230 is measured before being written, requiring two reboots after flashing (issue #150)
  • Clean builds take a long time (issue #162 and #163 )
  • Chell chromebook builds are broken (issue #38)
Assets 2
You can’t perform that action at this time.