They won’t stop you from flashing the SPI ROM.
AFAICT, there are two possibilities open to a remote attacker who has gained root-level access to an internally-flashable PC with Heads installed and enabled:
- Flash a ROM image that will skip the steps of measuring the bootloader and of authenticating to the user via a 6-digit TPMTOTP number. This is tamper-evident, but detecting it requires the user to notice that the PC has stopped prompting them to check that number against their hardware token (or to perform a hardware dump of the ROM contents, to check against a known-good image). Many users would not notice this, and upon those users, the attack would succeed entirely.
- Do what should perhaps be called a “BadHeads” attack, which would be much less tamper-evident. Something like:
(i) measure the existing firmware;
(ii) build a new Heads image that has a record of the existing firmware’s measurements and the ability to communicate those to the TPM (instead of its own measurements) and to process the result via TPMTOTP as usual, so that the 6-digit number would match the user’s expectation;
(iii) flash this new image to the ROM.

I am not yet certain whether step (ii) is possible.
A Chromebook-style hardware switch for flashing would make both these attacks impossible for a remote attacker.
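As an added illustration (not from the post above, and not Heads or coreboot code), here is a small Python model of the mechanism the two attacks rely on: a TPM 1.2 style PCR that is extended only with digests the running firmware chooses to pass in, a TPMTOTP seed sealed to the PCR value of a clean boot, and the six-digit code computed from the unsealed seed. The image contents, stage names, seed value, time counter and the `crtm` flag are constructed stand-ins, not real firmware. The model shows that when nothing outside the flash measures the bootblock, replaying the digests recorded from the original image reproduces the clean PCR and therefore the expected code, while an image that skips measuring gets no code at all; it also shows that if a core root of trust measures the bootblock before it runs, the replay no longer matches. Whether a given board gives the firmware that freedom is exactly the open question in step (ii).

```python
import hashlib
import hmac
import struct

PCR_INIT = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset


def sha1(data):
    return hashlib.sha1(data).digest()


def pcr_extend(pcr, digest):
    # TPM_Extend: PCR_new = SHA1(PCR_old || digest). The TPM never sees the
    # measured data itself, only whatever digest the caller hands it.
    return sha1(pcr + digest)


# Constructed stand-in for a flash image: the bootblock (first code to run)
# plus the stages it loads. Not a real coreboot/Heads layout.
ORIGINAL_IMAGE = {
    "bootblock": b"coreboot bootblock (original)",
    "romstage": b"coreboot romstage",
    "ramstage": b"coreboot ramstage",
    "payload": b"heads linux+initrd payload",
}


def honest_digests(image):
    """Digests an unmodified bootblock extends: a hash of each stage it loads after itself."""
    return [sha1(image[stage]) for stage in ("romstage", "ramstage", "payload")]


def boot(image, digests_extended, crtm=False):
    """Simulate the PCR value after boot.

    digests_extended: the digests the running firmware chooses to extend
    crtm: whether a root of trust outside the flash (e.g. a hardware CRTM,
          assumed here) measures the bootblock before it executes
    """
    pcr = PCR_INIT
    if crtm:
        pcr = pcr_extend(pcr, sha1(image["bootblock"]))
    for digest in digests_extended:
        pcr = pcr_extend(pcr, digest)
    return pcr


def seal(secret, pcr):
    """Minimal model of TPM sealing: the blob is bound to one PCR value."""
    return {"pcr": pcr, "secret": secret}


def unseal(blob, pcr):
    return blob["secret"] if hmac.compare_digest(blob["pcr"], pcr) else None


def totp_code(secret, counter):
    """RFC 4226 dynamic truncation to 6 digits; counter is a 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


def scenarios(crtm, counter=56_000_000):
    """Return the code shown on screen (or None if unsealing fails) for each boot scenario."""
    secret = b"constructed TPMTOTP seed"  # constructed, not a real seed
    # Enrolment: the user seals the seed to the PCR of a clean boot of the original image.
    blob = seal(secret, boot(ORIGINAL_IMAGE, honest_digests(ORIGINAL_IMAGE), crtm))
    # Attacker's image: different bootblock and payload, same stages otherwise.
    bad_image = dict(ORIGINAL_IMAGE, bootblock=b"BadHeads bootblock", payload=b"BadHeads payload")

    def code_for(pcr):
        seed = unseal(blob, pcr)
        return None if seed is None else totp_code(seed, counter)

    return {
        "expected": totp_code(secret, counter),
        # Clean boot of the original image: firmware measures what it loads.
        "honest": code_for(boot(ORIGINAL_IMAGE, honest_digests(ORIGINAL_IMAGE), crtm)),
        # First attack: image that skips measuring; nothing unseals, so no number is shown.
        "skip_measuring": code_for(boot(bad_image, [], crtm)),
        # BadHeads: the modified image extends the digests recorded from the original image.
        "badheads_replay": code_for(boot(bad_image, honest_digests(ORIGINAL_IMAGE), crtm)),
    }


if __name__ == "__main__":
    for crtm in (False, True):
        print("CRTM measures bootblock:", crtm)
        for name, code in scenarios(crtm).items():
            print("  %-16s %s" % (name, code))
```

The replay works in the no-CRTM case because the only thing the TPM ever learns about the firmware is the list of digests the firmware itself hands to `pcr_extend`; the bootblock's own hash never enters the chain unless something the attacker cannot rewrite measures it first.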