Flashkeeper - at last a hardware-based root-of-trust for Heads?

TiX0 · April 22, 2025, 2:05am

Nlnet Foundation is listing a very interesting and promising project which it is currently funding: NLnet; Flashkeeper

Flashkeeper
Write Protection on SOIC-8 flash chips without soldering

The proposed device would be an easy way to have WP (SPI flash chip Write Protection) grounded, but without having to do any soldering on the MBD, a hazardous endeavor…
But even more ambitious:

For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot.

Awesome! If they can do such a thing, it means we will have a solution for the weakness of SRTM (measured boot) vs DRTM (hardware-based root of trust such as BootGuard) implementation. The problem being that the root-of-trust is software-based, coreboot’s bootblock (at reset vector) is hashing itself and other things like FMAP and then hashes the next stage romstage before execution; therefore it is the verifier that verifies itself and it can lie about TPM measurements if tampered.
Many people claim that BootGuard is safer, because the root of trust is based in the CPU hardware, ME verifying ACM (unfortunately with Intel’s key) and IBBs (signed bootblocks) before doing the reset vector and start the proper boot sequence.
As I understand it, the Flashkeeper variant would be an MCU (independent hardware) verifying the SPI flash content at each boot - therefore rendering any modification to the image impossible.
We can call this a hardware root-of-trust, or am I wrong?
To be noted: Insurgo (Thierry Laurion) is also involved in this project

FranklyFlawless · April 22, 2025, 2:58am

See also (trust level 2 and up):

Flashkeeper: The Solution to SPI Flash Firmware Tampering? - All around Qubes - Qubes OS Forum

TiX0 · April 23, 2025, 1:02am

Would very much like to read the discussion, but unfortunately it refuses to download as I am not a registered user…
Could you please print it as pdf and transmit? (private or can you post it directly on this thread?
TX

FranklyFlawless · April 23, 2025, 6:25am

Sure, I will at least quote the entire first post:

adrelanos:

TommyTran732:

What is stopping an attacker from flashing malicious firmware that will just lie about its own measurements on a Librem laptop? (Hint: nothing).

TommyTran732:

The reality of the matter is that Heads cannot provide protection against firmware tampering (and neither does PureBoot) due to the lack of an immutable RoT, while Boot Guard does.

As far as I understand, this is a known issue and being acknowledged, because Flashkeeper is supposed to address that issue.

Was mentioned here:

[#HITB2019AMS D1T1 - TOCTOU Attacks Against Secure Boot And BootGuard - Trammell Hudson & Peter Bosch] Flashkeeper will happen:

relevant links:

NLnet; Flashkeeper

Notes on how to audit a maximized flashed firmware image · Issue #107 · linuxboot/heads-wiki · GitHub

Flashkeeper

Flashkeeper - the SPI flash chip manager

Flashkeeper is a device designed for installation inside a computer, connecting to the SPI flash chip where firmware is stored and making write protection control and reprogramming easy and secure.

Developed by Dodoid and Insurgo

Write Protection on SOIC-8 flash chips without soldering

Firmware security projects such as Heads assume the firmware itself to be protected against tampering. Outside of proprietary solutions Boot Guard, partial write protection (WP) of the SPI flash chip (recently implemented by 3mdeb) is one solution. However, WP requires grounding the chip’s WP pin, something that currently requires users to solder to the chip. As many users find this difficult, this has limited “retrofit” adoption of WP.

This project is developing Flashkeeper, a device that can be permanently installed on a common SOIC-8 flash chip. It attaches to the chip with a peel-and-stick layer and spring-loaded contacts or low-profile solder-down flex cable, interfacing with the SPI flash pins for easy write protection and external reprogramming (unbricking). For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot.

//cc @Insurgo

nerd7473 · April 23, 2025, 7:57am

Any potential to integrate with existing Librem machines?

TiX0 · April 24, 2025, 1:25am

It is too early yet to be able to answer this question.
To be clear: we have yet to see a real physical device implementation of this project. Nor have any specs been published as of date.
But the good news is that we know for sure that the NLnet grant was accepted, so it is under dev now.
And T. Laurion (Heads maintainer) made a presentation about it at Qubes OS Summit '24 on sept 20: youtube video and odp slides are listed on this page:

(note: as a personal opinion only, I wouldn’t be too surprised if (and when) Purism will announce the final Librem 16 specifications, that it included this revolutionary feature. This would be a great advancement on their roadmap - imagine such a laptop with a FLOSS hardware-based root-of-trust mechanism non BootGuard, no proprietary keys, fully end-user owned in every aspect! I think they should not miss this opportunity to make history and become a leader on this niche market. If not them, someone else will anyway, and sooner than we think IMO)