What does HackerNews think of heads?

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops and servers.

Language: Makefile

#72 in Linux
It relies on Heads (https://github.com/osresearch/heads), tamper-evident boot software that loads from within coreboot and uses the TPM chip and the user’s own GPG keys to detect tampering within the BIOS. Here are some explanations: https://puri.sm/posts/pureboot-101-first-boot-first-update-a..., https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual....

You don't need to encrypt anything to verify those images, you just need to sign them. See how Heads does this.

https://github.com/osresearch/heads

Relevant, HEADS firmware: https://github.com/osresearch/heads

Definitely worth reading the Wiki: https://osresearch.net/

Can be run on a variety of laptops, including a ThinkPad X230. Ships by default on Librem laptops. Uses the second-to-last approach described by the article (TOTP-based).

Disclaimer: I didn't fully read the article yet.
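The TPM-backed TOTP check the comments above refer to (firmware measured into TPM PCRs, a TOTP secret released only when the measurements match, the code compared against the user's phone), as an added illustration that is not code from Heads itself: the PCR extend, the sealing and the "TPM" are toy stand-ins written here with the standard library, and the firmware images are constructed samples.

```python
import hashlib
import hmac
import struct

# Constructed sample images standing in for the ROM that Heads measures at boot.
GOOD_FIRMWARE = b"coreboot+heads payload v1 (constructed sample)"
TAMPERED_FIRMWARE = GOOD_FIRMWARE + b" + implant"

def extend_pcr(measurements, pcr=bytes(32)):
    """Toy TPM PCR extend: PCR = SHA-256(PCR || SHA-256(measurement))."""
    for m in measurements:
        pcr = hashlib.sha256(pcr + hashlib.sha256(m).digest()).digest()
    return pcr

def seal(secret, pcr):
    """Toy 'seal to PCR': mask the secret with a key derived from the expected
    PCR and tag it, so it is only recoverable with the same PCR value.
    (A real TPM keeps the key inside the chip; this only models the policy.)"""
    key = hashlib.sha256(b"seal|" + pcr).digest()
    blob = bytes(s ^ k for s, k in zip(secret, key))
    return blob + hmac.new(key, blob, hashlib.sha256).digest()

def unseal(sealed, pcr):
    key = hashlib.sha256(b"seal|" + pcr).digest()
    blob, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).digest(), tag):
        return None  # PCR mismatch: the TPM would refuse to release the secret
    return bytes(b ^ k for b, k in zip(blob, key))

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    h = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, int(unix_time) // step)

def boot_attest(firmware, sealed_secret, unix_time):
    """Boot-time step: measure the firmware, try to unseal the TOTP secret
    against the resulting PCR, and show the code (None if the TPM refuses)."""
    secret = unseal(sealed_secret, extend_pcr([firmware]))
    return None if secret is None else totp(secret, unix_time)

def demo(unix_time=1_700_000_000):
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed enrolment
    sealed = seal(secret, extend_pcr([GOOD_FIRMWARE]))  # done once at enrolment
    return (boot_attest(GOOD_FIRMWARE, sealed, unix_time),      # matches the phone
            boot_attest(TAMPERED_FIRMWARE, sealed, unix_time),  # None: tamper evident
            totp(secret, unix_time))                            # what the phone shows
```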

I wanted to mention the excellent HEADS project (as in the other side of TAILS): https://github.com/osresearch/heads

This talk is great: https://trmm.net/Heads_33c3

I remember when UEFI became a thing and people were complaining in Linux forums that the keys are controlled by the manufacturers and 'the whole thing is a ploy by Microsoft to kill Linux' (UEFI is just a convoluted standard way to write BIOS in a certain way).

Now we can control the keys; all we need to do is kick UEFI to the curb and use Linux from BIOS all the way to the DE/WM (coreboot..).

Turns out we can turn the boot process into a chain of kexecs and simplify everything greatly.