Bootstraping a slightly more secure laptop

If you suspend your transcription on, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. This talk provides a high level overview of Heads, a demo of installing it on a Thinkpad and a tour of some of the attacks that it protects against.

Heads builds on several years of firmware security research focused on firmware vulnerabilities ("Thunderstrike: EFI bootkits for Apple Macbooks" and "Thunderstrike 2") as well as many other CCC talks ("Hardening hardware and choosing a #goodBIOS", "Beyond anti evil maid", "Towards (reasonably) trustworthy x86 laptops", etc.) and combines these ideas into a single system.

It is not just another Linux distribution - it combines physical hardening and flash security features with custom Coreboot firmware and a Linux boot loader in ROM. This moves the root of trust into the write-protected ROM and prevents further modifications to the bootup code. Controlling the first instruction the CPU executes allows Heads to measure every step of the boot process into the TPM, which makes it possible to attest to the user or a remote system that the firmware has not been tampered with. While modern Intel CPUs require binary blobs to boot, these non-Free components are included in the measurements and are at least guaranteed to be unchanging. Once the system is in a known good state, the TPM is used as a hardware key storage to decrypt the drive.

Additionally, the hypervisor, kernel and initrd images are signed by keys controlled by the user, and the OS uses a signed, immutable root filesystem so that any software exploits that attempt to gain persistence will be detected. While all of these firmware and software changes don't secure the system against every possible attack vector, they address several classes of attacks against the boot process and physical hardware that have been neglected in traditional installations, hopefully raising the difficulty beyond what most attackers are willing to spend.

Talk ID
Saal 1
2 p.m.
Type of
Talk Slug & media link

Talk & Speaker speed statistics

Very rough underestimation:
138.7 wpm
765.8 spm
145.2 wpm
800.4 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
138.7 wpm
765.8 spm
145.2 wpm
800.4 spm