Download Latest Version
v0.2.1 source code.zip (128.6 kB)
Get an email when there's a new version of Heads
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| qemu.rom | 2017-04-13 | 12.6 MB | |
| x230.flash.rom | 2017-04-13 | 4.2 MB | |
| x230.rom | 2017-04-13 | 12.6 MB | |
| README.md | 2017-04-13 | 3.7 kB | |
| The Configurable Release source code.tar.gz | 2017-04-13 | 90.1 kB | |
| The Configurable Release source code.zip | 2017-04-13 | 128.6 kB | |
| Totals: 6 Items | 29.6 MB | 0 | |
This release adds several new features, the most important of which is an easier way to configure which pieces are included into the ROM image. There are is also a overhaul of the initialization scripts, which makes a more streamlined boot process for Qubes and management of encryption keys. Documentation has moved to http://osresearch.net/ and can be edited via osresearch/heads-wiki.
sha256 hashes for a clean checkout of 0.2.0 (verified on Fedora 23+25, Ubuntu 12.04, 16.04 and 16.10):
b7db7ecfddd8707b8a49a7ff82c5d37eac62c482f8f9681ffd6a18ff23fde49b qemu.rom
1b8503ed0d916fa19eb02e22c33c30cac44b0d0ede6ee46ec6acd784566c3b00 x230.flash.rom
d0850cfc3f8eb3bb3c17911577868cbbc811fe00040e2b9128ccd7647a558982 x230.rom
General updates
flashromis in the recovery shell and can be used to reflash the system firmware without requiring a hardware programmer to upgrade Heads.- A full version of
gpgis installed with Yubikey support. You can now sign files in/bootas well as the root hashes for dm-verity filesystems using an external hardware token. lvmis installed in the firmware image, allowing volume management instead of partitions.- TPM counters are used to prevent roll-back attacks on previously signed versions.
- TPM owner password is no longer required after initial setup of NVRAM and counters.
- TPM TOTP value is updated every thirty seconds while waiting for disk unlock code.
- Loading kernel modules with
insmodwill adjust PCR 4 to prevent the TPM from unsealing secrets if any unexpected modules are loaded. - Network devices drivers are available as loadable kernel modules for server bootstrapping.
- Networking tools like
sshandscpare available to fetch new firmware images or kernels. - Makefile documentation on how to add new submodules.
Hardware updates
- Preliminary support for the Puri.sm Librem 13 laptop and plans to ship pre-installed on their next hardware rev.
- x230 Thinkpad image now uses all available 7 MB to fit these extra features. There is a separate
x230-flash.romthat fits into the top 4MB chip to help bootstrap the installation process. - x230 ethernet and both side USB ports work (although note that if you have run ME cleaner on the ROM the ethernet port will not function)
Qubes specific updates
qubes-installscript to simplify initial setup,qubes-updatescript to sign after a Qubes update.seal-key/unseal-keytakes into account the encrypted disk LUKS headers, as suggested by the Qubes AEM tools.- Qubes'
initramfsis modified on bootup to install the key unsealed by the TPM. - ROM configuration no longer depends on hardcoded values for the UUID of
/filesystem. - Xen 4.6.4 works with Heads (although note that the Qubes' Xen tree is not tracked, issue [#159])
Known issues
Please file any you run into: https://github.com/osresearch/heads/issues
- BP# bits are not set (issue [#12])
- PRR and FLOCKDN are not set (issue [#184])
- MRC region on x230 is measured before being written, requiring two reboots after flashing (issue [#150])
- Clean builds take a long time (issue [#162] and [#163] )
- Chell chromebook builds are broken (issue [#38])