This release adds several new features, the most important of which is an easier way to configure which pieces are included into the ROM image. There are is also a overhaul of the initialization scripts, which makes a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.
sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):
1b97745538d99702340c8b42d548e892678da421f8d5ff609c57f59af79e632f qemu.rom 5b0026c87e6b4f7ae72df420f2a56fdd2bda341c0c9149a7cc924485fc02667d x230.rom a0843fe080598c8a8f7fa6b1293cf3afb5d6b5587d4f33a386ce4d3146bf42e1 x230.flash.rom
flashromis in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.
- A full version of
gpgis installed with Yubikey support. You can now sign files in
/bootas well as the root hashes for dm-verity filesystems using an external hardware token.
lvmis installed in the firmware image, allowing volume management instead of partitions.
- TPM counters are used to prevent roll-back attacks on previously signed versions.
- TPM owner password is no longer required after initial setup of NVRAM and counters.
- TPM TOTP value is updated every thirty seconds while waiting for disk unlock code.
- Loading kernel modules with
insmodwill adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded.
- Network devices drivers are available as loadable kernel modules for server bootstrapping.
- Networking tools like
scpare available to fetch new firmware images or kernels.
- Makefile documentation on how to add new submodules.
- Preliminary support for the Puri.sm Librem 13 laptop and plans to ship pre-installed on their next hardware rev.
- x230 Thinkpad image now uses all available 7 MB to fit these extra features. There is a separate
x230-flash.romthat fits into the top 4MB chip to help bootstrap the installation process.
- x230 ethernet and both side USB ports work (although note that if you have run ME cleaner on the ROM the ethernet port will not function)
Qubes specific updates
qubes-installscript to simplify initial setup,
qubes-updatescript to sign after a Qubes update.
unseal-keytakes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.
initramfsis modified on bootup to install the key unsealed by the TPM.
- ROM configuration no longer depends on hardcoded values for the UUID of
- Xen 4.6.4 works with Heads (although note that the Qubes' Xen tree is not tracked, issue #159)
Please file any you run into: https://github.com/osresearch/heads/issues