
NLnet past funded work placeholder for Authenticated Heads project (2022-ongoing)

Open tlaurion opened this issue 1 year ago • 0 comments

This is a placeholder for the NLnet funded Authenticated Heads project (2022-ongoing), so that it can be referred to from their website (they can't change references, per platform limitation); the website reference to be changed is at https://nlnet.nl/project/AuthenticatedHeads/

Aka "Heads-OpenPGP"


A big thanks to NLnet for having trusted me, once again, to manage the project through the NGI Assure fund, and to all direct and indirect participants.


  • Travel expenses linked to FOSDEM 2023 conference - Heads - Status Update -> @tlaurion
  • QEMU targets to ease development/testing of Heads and debugging/tracing of what happens under the hood
  • TPM2 support under Heads -> @tlaurion (Big thanks to @JonathonHall-Purism for all the help!!!! Would not have happened without your collaboration.)
  • Authenticated Heads : in memory key generation, copy to USB Security dongle and preparation of USB Thumb drive to store keys securely -> @tlaurion
  • Support platform locking (PR0) through SMI finalizing chipset - bring support to ivy/sandy/haswell platforms (Pre-Skylake: thanks @hardenedvault for initial PR!) -> @tlaurion
  • Reduce firmware footprint -> @tlaurion
  • Have flashrom support partial region Write Protection (Big thanks to @3mdeb @Dasharo - more specifically to @SergiiDmytruk @Pokisiekk @macpijan @krystian-hebel for the development and @pietrushnic for his trust)
    • Have the coreboot bootblock set as read-only on the SPI flash
    • Have the flashrom deal properly with the write-protected bootblock region
  • Alternate build system investigation to better support reproducible builds (outcome: Nix based docker image builder) -> big thanks to @mmlb!!!! -> @tlaurion

Deliverables

  • FOSDEM 2023 conference - Heads - Status Update
    • Conference presenting all the work that was to be accomplished/already accomplished: below
  • QEMU/KVM Heads testing boards, including support for TPM 1.2/2 (swtpm) and USB Security tokens
  • TPM2 support under heads
    • Create whiptail (server oriented) and FBwhiptail (desktop/laptop) TPM2 board configurations
      • https://github.com/osresearch/heads/pull/1292
  • Authenticated Heads : in memory key generation, copy to USB Security dongle and preparation of USB Thumb drive to store keys securely
    • https://github.com/osresearch/heads/pull/1262
    • https://github.com/osresearch/heads/pull/1446
    • https://github.com/linuxboot/heads/pull/1515
    • https://github.com/linuxboot/heads/discussions/1520
  • Support platform locking (PR0) through SMI finalizing chipset - bring support to ivy/sandy/haswell platforms - Pre-Skylake
    • https://github.com/osresearch/heads/pull/1373
  • Reduce firmware footprint
    • https://github.com/osresearch/heads/pull/1121
    • https://github.com/osresearch/heads/pull/1398
    • https://github.com/osresearch/heads/pull/1381
    • https://github.com/osresearch/heads/pull/1423
    • https://github.com/osresearch/heads/pull/1422
  • Have flashrom support partial region Write Protection
    • Have the coreboot bootblock set as read-only on the SPI flash
      • https://github.com/Dasharo/flashrom/pull/5
      • tested flag: https://review.coreboot.org/c/flashrom/+/68179/1
      • flashrom upstream
      • https://review.coreboot.org/q/topic:more_wp
      • https://github.com/flashrom/flashrom/compare/master...3mdeb:flashrom:wp-for-more-chips
      • https://github.com/Dasharo/docs/pull/267
      • https://github.com/Dasharo/flashrom/pull/6
      • https://github.com/Dasharo/flashrom/pull/8
      • https://github.com/flashrom/flashrom/issues/185#issuecomment-1704515975
      • Discussions on adding WP to flashrom
        • https://mail.coreboot.org/hyperkitty/list/[email protected]/thread/5JIQCK7FGNV33DAZBK2M5BQV5WZA
        • https://mail.coreboot.org/hyperkitty/list/[email protected]/thread/R4FMJE5DQLMZX2UV4N3MHIM5R3UPX
      • https://www.flashrom.org/Example_of_partial_write-protection
    • Have the flashrom deal properly with the write-protected bootblock region
      • https://github.com/Dasharo/flashrom/pull/7
      • Discussion on adding flashrom documentation for WP
        • https://mail.coreboot.org/hyperkitty/list/[email protected]/thread/5JIQCK7FGNV33DAZBK2M5BQV5WZA
        • https://mail.coreboot.org/hyperkitty/list/[email protected]/thread/R4FMJE5DQLMZX2UV4N3MHIM5R3UP
      • https://www.flashrom.org/Firmware_updates_vs._SPI_write-protection
  • Alternate build system investigation to better support reproducible builds (outcome: Nix based docker image builder)
    • https://github.com/tlaurion/heads/blob/ecbfdbc57b23ef0b884b394e1ad97491b8d2f8b6/README.md#building-heads
    • https://github.com/linuxboot/heads/pull/1661

Pending

  • Other tasks are still under grant work, to be edited when done

tlaurion, Aug 02 '24 22:08