Heads-OpenPGP
OpenPGP-authenticated Heads and long-awaited security improvements
The work to be accomplished in this project will resolve Heads' current shortcomings in accessibility, reproducibility and platform locking, including the missing authentication step before recovery shell access is granted or external USB media is booted, which today can lead to data loss without an evil maid even having to unscrew anything. In addition, a user who loses their USB OpenPGP dongle today loses the private encryption subkey forever, and with it access to all past encrypted content, while security is lessened until the dongle is replaced.
By treating Heads as a secure pre-boot "clean room" environment during the initial flashing or reflashing of the whole firmware, generating the OpenPGP master key and subkeys in memory, and implementing backup and restore of those keys to and from an encrypted USB thumb drive that Heads itself creates, Heads will be able to rely further on OpenPGP (the gnupg toolstack): content is detached-signed, and the signatures are verified against the public key fused into the (measured) firmware, so the owner of the machine is authenticated before being given access to the machine's persistent state. Restoring reproducible builds will make the firmware easier to audit, while locking the firmware before leaving the Heads environment will prevent whole classes of SPI-flash-based persistent threats.
- The project's own website: https://github.com/linuxboot/heads/issues/1741
Why does this actually matter to end users?
Heads already relies heavily on OpenPGP to measure and verify the integrity of /boot content (a detached-signed digest list) on top of a measured, attested firmware state. It also already permits generating OpenPGP keypairs inside OpenPGP smartcards, so the private keys never leave the security dongle where they were generated. But if Heads authentication were enforced right now and that dongle were lost, the end user would be locked out of the machine and would have to operate it in a much less safe way while waiting for a replacement dongle, which would then require generating a new keypair. In the meantime the user would have to choose between booting an outdated but detached-signed and verified Xen/kernel/initrd from /boot, or upgrading the OS core binaries without Heads being able to detach-sign and verify the /boot digest.
The funding will also resolve the current reproducibility issues by replacing the Make-based build system with linux-builder on top of a Guix/Nix layer installable on any Linux distribution, which pins every system binary and library dependency touched by the build, whatever the host distribution or Docker image. Funding will also cover platform-locking logic that prevents write access to the SPI flash from the final kexec'ed OS, make Heads work with different configurable keyboard layouts, extend QEMU testing with a software TPM (swtpm) and an encrypted OpenPGP keypair thumb drive (raw disk image), include the TPM2 toolchain, ease future board integration and further Heads adoption by coreboot hardware distributors, and revamp the documentation so it reflects the evolved state of the project.
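To make concrete what "detached-signing of /boot content and verification against a fused public key" means in the paragraphs above, here is an added shell example that replays the flow with plain gpg. It is not Heads code and not taken from the Heads project: the key identities, the ed25519 algorithm and the file names kexec.sha256 / kexec.sha256.sig are made-up stand-ins, and the owner key lives in a throwaway GNUPGHOME where Heads would keep it on the smartcard. It assumes gpg 2.1 or newer and GNU coreutils are installed; without gpg it skips rather than failing.

```shell
#!/bin/sh
# Added example, not Heads code: reproduce with plain gpg the detach-sign /
# verify flow Heads applies to a /boot digest list. Assumptions: gpg >= 2.1
# and GNU coreutils are installed; key identities, the ed25519 algorithm and
# the file names (kexec.sha256, kexec.sha256.sig) are made up for this demo.
set -eu

# Echo 1 if gpg is available, 0 otherwise, so the demo can skip cleanly.
have_gpg() { if command -v gpg >/dev/null 2>&1; then echo 1; else echo 0; fi; }

# Write a sha256 digest list of every file under $1 except the list and its signature.
digest_boot() {
    (cd "$1" && find . -type f ! -name 'kexec.sha256*' -print0 \
        | sort -z | xargs -0 sha256sum) > "$1/kexec.sha256"
}

# Generate a signing key in a throwaway keyring ($1) and detach-sign $2/kexec.sha256.
# Heads generates the key inside a smartcard; here the "clean room" is a fresh GNUPGHOME.
gen_and_sign() {
    home=$1; boot=$2; uid=$3
    mkdir -p -m 700 "$home"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 sign never 2>/dev/null
    rm -f "$boot/kexec.sha256.sig"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$boot/kexec.sha256.sig" "$boot/kexec.sha256" 2>/dev/null
}

# Boot-time check: import ONLY the fused public key into an empty keyring,
# verify the detached signature over the digest list, then verify the digests.
# Returns 0 on success, 1 on any failure (bad signature, wrong key, changed file).
verify_boot() {
    boot=$1; pubkey=$2; rc=0
    vh=$(mktemp -d)
    if ! gpg --homedir "$vh" --batch --quiet --import "$pubkey" 2>/dev/null; then rc=1; fi
    if [ "$rc" -eq 0 ] && ! gpg --homedir "$vh" --batch --quiet --trust-model always \
            --verify "$boot/kexec.sha256.sig" "$boot/kexec.sha256" 2>/dev/null; then rc=1; fi
    if [ "$rc" -eq 0 ] && ! (cd "$boot" && sha256sum --check --quiet --strict kexec.sha256) \
            >/dev/null 2>&1; then rc=1; fi
    gpgconf --homedir "$vh" --kill all 2>/dev/null || true
    rm -rf "$vh"
    return "$rc"
}

CLEAN_OK=0; TAMPER_REJECTED=0; RESIGN_REJECTED=0
if [ "$(have_gpg)" = 1 ]; then
    WORK=$(mktemp -d)
    BOOT="$WORK/boot"; mkdir -p "$BOOT"
    printf 'constructed kernel image\n' > "$BOOT/vmlinuz"      # stand-ins, not real images
    printf 'constructed initrd image\n' > "$BOOT/initrd.img"

    # Owner: key generated in the clean room, public half "fused" into the firmware image.
    digest_boot "$BOOT"
    gen_and_sign "$WORK/owner-gnupg" "$BOOT" 'Heads owner <owner@example.invalid>'
    gpg --homedir "$WORK/owner-gnupg" --batch --quiet --export --armor \
        'owner@example.invalid' > "$WORK/fused-pubkey.asc"
    verify_boot "$BOOT" "$WORK/fused-pubkey.asc" && CLEAN_OK=1

    # Evil maid 1: modifies initrd in place; digests no longer match the signed list.
    cp -r "$BOOT" "$WORK/boot-tampered"
    printf 'malicious payload\n' >> "$WORK/boot-tampered/initrd.img"
    verify_boot "$WORK/boot-tampered" "$WORK/fused-pubkey.asc" || TAMPER_REJECTED=1

    # Evil maid 2: re-digests and re-signs with her own key. The signature is
    # valid, but not by the fused key, so verification still fails.
    digest_boot "$WORK/boot-tampered"
    gen_and_sign "$WORK/maid-gnupg" "$WORK/boot-tampered" 'Evil maid <maid@example.invalid>'
    verify_boot "$WORK/boot-tampered" "$WORK/fused-pubkey.asc" || RESIGN_REJECTED=1

    echo "clean verified: $CLEAN_OK, tampered rejected: $TAMPER_REJECTED, re-signed rejected: $RESIGN_REJECTED"
    gpgconf --homedir "$WORK/owner-gnupg" --kill all 2>/dev/null || true
    gpgconf --homedir "$WORK/maid-gnupg" --kill all 2>/dev/null || true
    rm -rf "$WORK"
fi
```

The point to take from verify_boot is that the boot-time check never consults a mutable keyring: it starts from an empty one and imports only the key that was fused into the firmware, so an attacker who can rewrite /boot and re-sign it with any other key still fails. The second half of the page (key backup to an encrypted thumb drive) exists precisely so that losing the dongle does not leave the owner unable to produce a signature this check will accept.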
Run by Insurgo INC
This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.