Nlnet past funded work placeholder for Authenticated Heads project (2022-2024)

[tlaurion]

This is a placeholder for NLnet funded Authenticated Heads Project (2022-ongoing) to be able to refer here in its website (they can't change references per platform limitation) under website to be changed reference at https://nlnet.nl/project/AuthenticatedHeads/

Aka "Heads-OpenPGP"

---

A big thanks for NlNet to have trusted me managing the project through NGI Assure fund, once again, and to all direct and indirect participants

---

• Travel expenses linked to FOSDEM 2023 conference - Heads - Status Update -> @tlaurion
• QEMU targets to ease development/testing of Heads and debugging/tracing of what happens under the hood
• TPM2 support under Heads -> @tlaurion (Big thanks to @JonathonHall-Purism for all the help!!!! Would not have happened without your collaboration.)
• Authenticated Heads : in memory key generation, copy to USB Security dongle and preparation of USB Thumb drive to store keys securely, ask for SUB Security dongle/backup for signing/auth -> @tlaurion
• Support platform locking (PR0) through SMI finalizing chipset - bring support to ivy/sandy/haswell platforms (Pre-Skylake: thanks @hardenedvault for initial PR!) -> @tlaurion
• Reduce firmware footprint -> @tlaurion
• Have flashrom support partial region Write Protection (Big thanks to @3mdeb @Dasharo - More specifically to @SergiiDmytruk @Pokisiekk @macpijan @krystian-hebel for the development and @pietrushnic for his trust
  • Have the coreboot bootblock set as read-only on the SPI flash
  • Have the flashrom deal properly with the write-protected bootblock region
• Alternate build system investigation to better support reproducible builds (outcome: Nix based docker image builder) -> big thanks to @mmlb!!!! -> @tlaurion

---

Deliverables

• FOSDEM 2023 conference - Heads - Status Update
  • Conference presenting all the work that was to be accomplished/already accomplished: below
• QEMU/KVM Heads testing boards, including support for TPM 1.2/2 (swtpm) and USB Security tokens
  • Pior unpaid work needed : Dual I/O for QEmu and serial interaction
  • QEMU testing with OS, TPM, USB token #1188
  • qemu-coreboot-tpm boards: usage optimizations #1273
• TPM2 support under heads
  • Create whiptail (server oriented) and FBwhiptail (desktop/laptop) TPM2 board configurations
    • TPM2/TPM1 support (testing and bug fixes needed through qemu-(fb)whiptail-tpm[1,2](-hotp) testing boards! #1292
• Authenticated Heads : in memory key generation, copy to USB Security dongle and preparation uf USB Thumb drive to store keys securely
  • track files in /boot in kexec_tree.txt #1262
  • Add secure thumb drive creation premisses #1446
  • GPG User Authentication: In-memory gpg keygen + keytocard and GPG key material backup enabling (plus a lot of code cleanup and UX improvements) #1515
  • GPG Authentication exists! #1520
• Support platform locking (PR0) through SMI finalizing chipset - bring support to ivy/sandy/haswell platforms - Pre-Skylake
  • Ivy/sandy/haswell platform locking (SMI finalizing chipset : io386 refresh for maximized boards) #1373
• Reduce firmware footprint
  • Pass all modules from O2/O3 (optimized for speed) to Os (optimize for space) #1121
  • Staging branch for merging 5.10 kernel changes, gnupg2.4 and flashrom 1.3 (testing needed) #1398
  • Bump remaining 4.14 boards kernel to 5.10.5 (and coreboot to 4.19) #1381
  • flashrom: bump flashrom to upstream 1.3 and fix flash.sh progress_bar #1423
  • Saper gnupg 2.4.0 update (reduces size some more) #1422
  • Staging branch for merging 5.10 kernel changes, gnupg2.4 and flashrom 1.3 (testing needed) #1398
• Have flashrom support partial region Write Protection
  • Have the coreboot bootblock set as read-only on the SPI flash
    • Add list of chips for which we intend to have WP Dasharo/flashrom#5
    • tested flag: https://review.coreboot.org/c/flashrom/+/68179/1
    • flashrom upstream
    • https://review.coreboot.org/q/topic:more_wp
    • flashrom/flashrom@master...3mdeb:flashrom:wp-for-more-chips
    • Updates during flash write protection tests Dasharo/docs#267
    • Detect WP and skip the area on users request Dasharo/flashrom#6
    • Wp testing Dasharo/flashrom#8
    • [$400 Bounty] Add write-protect support (half-working patch included) flashrom/flashrom#185 (comment)
    • Discussions on adding WP to flashrom
      • https://mail.coreboot.org/hyperkitty/list/flashrom@flashrom.org/thread/5JIQCK7FGNV33DAZBK2M5BQV5WZA
      • https:/mail.coreboot.org/hyperkitty/list/flashrom@flashrom.org/thread/R4FMJE5DQLMZX2UV4N3MHIM5R3UPX
    • https://www.flashrom.org/Example_of_partial_write-protection
  • Have the flashrom deal properly with the write-protected bootblock region
    • Add instructions on write-protecting bootblock Dasharo/flashrom#7
    • Discussion on adding flashrom documentation for WP
      • https://mail.coreboot.org/hyperkitty/list/flashrom@flashrom.org/thread/5JIQCK7FGNV33DAZBK2M5BQV5WZA
      • https://mail.coreboot.org/hyperkitty/list/flashrom@flashrom.org/thread/R4FMJE5DQLMZX2UV4N3MHIM5R3UP
    • https://www.flashrom.org/Firmware_updates_vs._SPI_write-protection
• Alternate build system investigation to better support reproducible builds (outcome: Nix based docker image builder)
  • https://github.com/tlaurion/heads/blob/ecbfdbc57b23ef0b884b394e1ad97491b8d2f8b6/README.md#building-heads
  • Move to nix buildstack (and nix develop produced docker image used under CircleCI) #1661

---

Pending

• Other tasks are still under grant work, to be edited when done

[tlaurion]

NlNet "Assure" hard deadline was August 31 2024, which came unknowingly and abruptly for me attempting to do a Request for Payment yesterday.

Other work done will land when I have time to do it, but won't be considered funded. Sigh.