The Librem Key Makes Tamper Detection Easy


#1

I just published a new blog post where I dive into some of the technical details on how the Librem Key integrates with Heads to make tamper detection easier. You can find the post here:

https://puri.sm/posts/the-librem-key-makes-tamper-detection-easy/
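The linked post carries the technical details, which this thread does not reproduce. As an added illustration (editor's code, not from the post, from Purism, or from the Heads project), the following models the kind of boot-time check a TPM plus a USB key can provide. It assumes, as the editor's understanding rather than anything stated on this page, that the firmware is measured into TPM PCRs, that a shared HOTP secret is sealed to those measurements, and that the one-time code derived at boot is verified by the key. `SimTPM`, `SimLibremKey`, the firmware component names and the secret are all constructed stand-ins.

```python
"""Model of boot-time tamper detection: measured boot + sealed HOTP secret
+ verification on a USB key. Editor's example; SimTPM and SimLibremKey are
simplified stand-ins, not the real TPM or Librem Key firmware."""
import hashlib
import hmac
import struct


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold every boot component into one PCR value, in order."""
    pcr = b"\x00" * 32
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SimTPM:
    """Stand-in for a TPM: releases a sealed secret only when the current
    PCR value equals the one it was sealed against; also keeps an NV counter."""

    def __init__(self):
        self._sealed = None  # (expected_pcr, secret)
        self.nv_counter = 0  # persistent HOTP counter (assumed NV storage)

    def seal(self, pcr_value: bytes, secret: bytes) -> None:
        self._sealed = (pcr_value, secret)

    def unseal(self, current_pcr: bytes):
        expected, secret = self._sealed
        if not hmac.compare_digest(expected, current_pcr):
            return None  # measurements changed: policy fails, no secret
        return secret


class SimLibremKey:
    """Stand-in for the USB key: holds the same HOTP secret and its own
    counter, and accepts a code only from a small look-ahead window."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def verify(self, code: str, window: int = 3) -> bool:
        for c in range(self._counter, self._counter + window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # never accept this counter again
                return True
        return False


def enroll(tpm: SimTPM, good_firmware, secret: bytes) -> SimLibremKey:
    """One-time setup on a known-good system: seal the shared secret to the
    measurements of the trusted firmware and program the key with it."""
    tpm.seal(measure_boot(good_firmware), secret)
    tpm.nv_counter = 0
    return SimLibremKey(secret)


def boot_check(tpm: SimTPM, key: SimLibremKey, firmware) -> str:
    """What the firmware would do at each boot. Returns 'green' or 'red'."""
    pcr = measure_boot(firmware)
    secret = tpm.unseal(pcr)
    if secret is None:
        return "red"  # tampered firmware cannot obtain the secret at all
    code = hotp(secret, tpm.nv_counter)
    tpm.nv_counter += 1
    return "green" if key.verify(code) else "red"


# Constructed sample "firmware" components; names are illustrative only.
GOOD_FIRMWARE = [b"coreboot", b"heads-linux", b"heads-initrd"]
TAMPERED_FIRMWARE = [b"coreboot", b"heads-linux-with-implant", b"heads-initrd"]


def demo():
    """Three boots: clean, tampered, clean again. Expected: green, red, green."""
    tpm = SimTPM()
    secret = hashlib.sha256(b"constructed demo secret").digest()[:20]
    key = enroll(tpm, GOOD_FIRMWARE, secret)
    return [
        boot_check(tpm, key, GOOD_FIRMWARE),
        boot_check(tpm, key, TAMPERED_FIRMWARE),
        boot_check(tpm, key, GOOD_FIRMWARE),
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a modified firmware never sees the secret (the TPM refuses to unseal against the wrong measurements), and a code captured from an earlier boot is useless because the key advances its counter. The real products differ in details (algorithm, counter handling, how the secret is provisioned), so treat this as a sketch of the design rather than a description of Heads.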


#2

This is great! One reason I bought the Librem 13 v3 and now the Librem Key. I have searched far and wide but see no instructions on installing Heads other than their README.

Is there anything specific to Purism we should know?
Must we run PureOS to install?
I appreciate all your efforts, but the press releases and blog posts point to this being doable, and I can find no instructions on how to do it.
Thanks.


#3

We haven’t offered Heads yet as an option because I still consider it somewhere between Alpha and Beta in readiness. Not because of the underlying code as much as because of the user-friendliness of the interface. You still need to be somewhat technical to deal with some of the edge cases, so at this point we are going to start a program of offering it as a beta test to customers who are particularly technical and who are willing to deal with the UI as it stands today. Imagine a GRUB menu where you might drop directly to a GRUB shell depending on which boot option you picked and have to understand GRUB shell commands to get out of it.

For instance: by default with Heads you hard-code in which device to use for booting off of USB (say, /dev/sdb). There are good security reasons for this limitation, but it means if a Purism customer wants to use both hard drive slots in their laptop, they will need to modify Heads as well.

These are all things we are working on, and I personally am working on, but this is also why I haven’t written many docs on using it yet: we really need the UI to solidify a bit more before I document much. I really do want to have Heads as an option and ultimately as the default, but we still have UI work to do and some edge cases to clean up before it’s ready for an average non-technical user.

That said, if there are people in this thread who consider themselves technical and who are interested in beta testing Heads on their TPM-enabled Librem laptop, I’d love it if you would email me.


#4

What is the likelihood of data loss in this beta testing? :smiley: Not a deal breaker, I just want to know what I am in for. Also, would I need to be running PureOS on the internal drive as opposed to booting off USB if needed?
What would be the best way to get you my email? If I email support and explain, would they forward it to you?


#5

Actual data loss is highly unlikely. What’s more likely is some edge case dropping you to a recovery shell at some point and making it hard to boot into your OS (think being dropped to a GRUB prompt and trying to boot into an OS from there). It would be useful if you had a second computer you could use to email for instructions in case that happened and you didn’t know what to do.

Since it’s the BIOS, rebooting would bring you back to the main menu and worst case you could reflash the BIOS to your original BIOS (step one would be me walking you through making that backup to a USB thumb drive) and be back where you were.

I’d prefer that people who want to beta test this use either PureOS or Qubes, as those are the OSes I have prototype machines for here, so I can more easily support you. Debian would be fine too.

If you are interested, you can email me at firstname.lastname@puri.sm.


#6

I realized I should probably point out that I’m going to be away on vacation soon, so if you email me to join the Heads beta program and don’t hear anything back for a bit, that’s why.


#7

@Kyle_Rankin Just to clarify, are you intending to make the Heads BIOS available for non-Purism systems? Specifically, I have a Dell XPS 13 running Ubuntu and would love to use a Librem key with it.


#8

I think what they are making available is either a pre-made firmware image or a build script for making firmware for Librem devices that includes Heads. The source is available in the link Russ posted earlier, but someone would have to do the work to port it to the XPS 13. Also, you would need coreboot, which I don’t think is working on any version of the XPS 13 yet.


#9

We (as in Purism) won’t be shipping Heads BIOSes for non-Librem laptops, but if your laptop can run coreboot, in theory you should be able to build and flash Heads on it from their official git repo. At the moment the main two laptop brands that it runs on are Librem laptops and a few versions of Thinkpad that support coreboot.

Even without Heads, though, you could use a Librem Key with any laptop in its standard OpenPGP smartcard mode; you just wouldn’t have the boot-time tamper detection.


#10

ok, thanks for clarifying. Maybe I missed it, but what does the “standard OpenPGP smartcard” functionality provide?


#11

There’s a chip on the device that can store your GPG private keys in a tamper-resistant way. When you want to encrypt/decrypt/sign something, GPG will prompt you to plug in your key and type in a PIN, and it will send the work over USB to the key, so your private keys never leave the USB device.


#12

Is there any chance of having a Trezor device function like the Librem key?


#13

@Sascha Assuming they just use regular GPG card functionality, something like the Ledger Nano S can do that, where you do PIN entry and decrypt confirmation on the device with a standard gpg-agent on the computer. I think the Trezor requires a separate agent (https://github.com/romanz/trezor-agent), in which case it wouldn’t work. I’ve only used the Ledger Nano S as a GPG card, so I’m not entirely sure, though.


#14

@Kyle_Rankin: I would relish an opportunity to participate in the Heads Beta program. I have a recently acquired Librem 15 v3 w/ TPM and also a Librem Key. I also have an older Librem 13 v1 (w/ AMI BIOS, unlabeled kill switches, sans Purism branding) as a backup. I emailed you on October 3rd at the provided address, but I understand that you are on vacation. Enjoy the rest of your time off!


#15

Yes, sorry for the delay (and sorry to others who have contacted me as well!). I’m back now, so I’m going to be starting the beta program in earnest, hopefully at some point this week.


#16

Looking forward to it @Kyle_Rankin. Excited to get underway with the beta program.


#17

I’m truly sorry about the delay in the Beta program. We finally have some good news in that Librem Key support has been merged into the Heads master branch. For the brave (and impatient) and technical among you, that means you could build and flash Heads yourself from the master branch.

For everyone else, I’m trying to get a couple more usability improvements into Heads (mainly around adding the ability to configure certain settings within the UI that right now require you to recompile Heads) to make the Beta program a bit simpler. Without those changes, I’d have to maintain multiple Heads ROMs for each Librem laptop, varying depending on whether you have a SATA drive, an NVMe drive, or both!

Once I get those changes into at least a pull request, I will email everyone who has contacted me, invite you to a community chat room, and point you at the appropriate documentation.