Featured Articles

WordPress Multisite on the Darknet (Mercator .onion alias)
Hardening Guide for phpList
Guide to Finding Lemmy Communities (Subreddits)
Crowdfunding on Crowd Supply (Review of my experience)
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Detecting (Malicious) Unicode in GitHub PRs
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Verifying Boot Integrity with Heads, PureBoot

This post will help to provide historical context and demystify what's under the hood of Heads, PureBoot, and other tools to provide Trusted Boot.

I will not be presenting anything new in this article; I merely hope to provide a historical timeline and a curated list of resources.


The Librem Key cryptographically verifies the system's integrity and flashes red if it's detected tampering

I've always felt bad about two things:

Because I run QubesOS, I usually disable "Secure Boot" on my laptop I travel a lot, and I don't have a good way to verify the integrity of my laptop (eg from an Evil Maid that gains physical access to my computer)

To address this, I have turned to Heads and PureBoot -- a collection of technologies including an open-source firmware/BIOS, TPM, and a USB security key that can cryptographically verify the integrity of the lowest firmware (and up the chain to the OS).

While Purism has written many articles about PureBoot and has some (minimal) documentation, I found they did a lot of hand waving without explaining how the technology works (what the hell is a "BIOS measurement"?). So I spent a great deal of
. . . → Read More: Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)