I'm thinking of getting a Librem laptop with Pureboot which uses Heads (with the Librem key) for tamper detection. But I've heard rumours that there are weaknesses or vulnerabilities so I wanted to see if anyone here knows about it. For me, I'm thinking of dual booting Qubes and Manjaro. I want to use Heads to verify no one tampered with my laptops firmware and to detect if my firmware or boot sector gets infected with malware. Is Heads able to do what I'm hoping to use it for? And are there any known vulnerabilities or weaknesses I should know about?
Asked
Active
Viewed 293 times
1 Answers
1
It depends on your threat model.
If an attacker has physical access to your computer, they can replace the flash ROM with a chip that has the content of your original firmware when it is read by Intel's ACM for measurement but will provide different instructions when it is later re-read by the CPU for booting.
They can also replace the TPM with a tempered one, they could resign the file in /boot and ultimately they can also take your phone/USB dongle from you and install a fresh version of Heads that boots whatever they want.
Or they could grab the TOPT secret from memory and flash a totally different firmware that emulates Heads.
(The TOPT check is the real security part of the Heads boot process).
If you are scared of boot malwares, Heads will protect you, but so will Tboot or just UEFI secure boot.
It is true that UEFI implementations may have bugs but malwares don't usually target the UEFI, when they do it is just for a small set of hardware and just to drop a file in the Windows partition, and anyway the malware would have to be written to target you and the small subset of people with your hardware.
A lot of work, for nothing, considering that the same could be accomplished with 15 min on your Facebook page and a carefully crafted email.
When you hear of a boot malware the story is always inflated by the media and in truth, the malware only works for specific victims that were already compromised (since writing the EFI System Partition or the flash ROM requires kernel privileges).
Firmware is not portable and it is so low-level that makes successfully infecting the target more unreliable.
Regarding vulnerabilities and weaknesses, always make sure to check the OTP, it is the only way to know that your firmware is actually Heads and it is genuine.
If your computer is taken away, Heads won't protect you.
I don't know if there are vulnerabilities on Heads, Heads is still young but relatively simple. I hope they didn't do gross mistakes like not measuring everything involved in the boot.
A weakness point of Heads is updating, if you update a file in /boot Heads will tell you but will also allow you to resign it and be done with it.
I expect Heads to update itself only from signed files.
Always encrypt your disk as that would require a key or your booted OS to access your data.
Never suspend your laptop.
It's worth noting that if you use an OS that's not Windows, you'll be immune to the vast majority of malwares already and probably to all the few malwares that bothered infecting the UEFI just because.
However, if your plan is to fool government agents at borders, it's better to leave your computer at home, push everything you need in an encrypted container somewhere on the Internet and buy a local computer and install new firmware on it (if you are paranoid).
There have been sporadic cases of mass malwares that additionally infected the UEFI ROM in misconfigured hardwares but that was just an optional step of the infection chain.
Any actor that intends to use the UEFI to specifically attack you can also attack you in other, simpler and more effective, ways.
In short, it seems to me that, unless you are a highly sensitive target and a highly trained individual, Heads is just a fun project to do and definitively not worth the effort for defending against UEFI malwares.
Don't try to beat malwares on the technical level, malwares are not a masterpiece of technology. They are pretty dumb, they are social-engineered artifact.
One day you receive a document from a lost love of your youth, you open it and you get infected. The malware won't even try to gain more privileges or install itself, it will read your browser's files (which belong to your user, so it can do that) steal your data and encrypt it.
Now they have your password, your identities, and the only cleartext copy of your data.
But at least Heads prevented them from installing a malicious UEFI DXE!
Margaret Bloom
- 1,163
- 8
- 12