Heads OEM device ownership/reownership : A tamper evident approach to remote integrity attestation

FOSDEM 2020

Insurgo has committed itself to making security more accessible and has received NLnet funding to do exactly that. Now it wants to get developers involved and expand funding.

The goal is to bridge the gap between a reasonably secure OS (QubesOS) and slightly more secure hardware (Heads) to help privacy-focused and vulnerable users. But we need to prepare for the future now!

Insurgo has challenged the status quo that has prevailed since 2015 and has made it possible for OEMs to preinstall QubesOS, thanks to the Heads Open Source Firmware (OSF) and its own PrivacyBeast QubesOS-certified branch, not yet merged upstream due to the lack of time and resources of a single-person effort that needs additional collaboration.

The integrity of the firmware and boot files is already sealed and can be remotely attested from a smartphone (TPMTOTP) and from the bundled Librem Key/Nitrokey Pro 2 (HOTP), prior to shipping. Thanks to HOTP-enabled USB security dongles bound to shipped products, the user can visually validate that the hardware they've received is in the OEM-attested state before complete re-ownership, which regenerates all required secrets from a trustable recovery environment (Heads OSF) through a re-ownership wizard that guides the user until completion.
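The measure, seal and attest cycle described above, as an added toy model that is not Heads code: the firmware and boot files are extended into a PCR, a shared secret is sealed to that PCR at the OEM, and on each boot the secret is unsealed only if the same measurement is reproduced, then turned into a TOTP code for the phone and an HOTP code for the dongle. The `ToyTPM`, `HotpDongle`, sample component strings and the sealing policy (a direct PCR comparison) are constructed stand-ins; the HOTP/TOTP functions follow RFC 4226 and RFC 6238.

```python
"""Toy model of Heads-style boot attestation: measure -> seal -> TOTP/HOTP.
Added example, not Heads code; TPM, dongle and measurements are constructed stand-ins."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed sample boot components (stand-ins for the firmware image and boot files).
GOOD_FIRMWARE = b"heads-firmware-image (constructed sample)"
GOOD_BOOT_FILES = b"kernel+initrd+xen (constructed sample)"
TAMPERED_FIRMWARE = b"heads-firmware-image with implant (constructed sample)"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(*components: bytes) -> bytes:
    """Extend every component in order into one PCR, as a measured boot does."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Stand-in for a TPM: seals a secret to a PCR value and keeps an HOTP counter in NV storage."""

    def __init__(self) -> None:
        self._sealed = {}        # name -> (expected PCR, secret)
        self.hotp_counter = 0    # stands in for the counter Heads keeps in TPM NVRAM

    def seal(self, name: str, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed[name] = (expected_pcr, secret)

    def unseal(self, name: str, current_pcr: bytes) -> Optional[bytes]:
        """Release the secret only if the current PCR matches the sealing policy."""
        expected_pcr, secret = self._sealed[name]
        return secret if hmac.compare_digest(expected_pcr, current_pcr) else None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the epoch."""
    t = int((time.time() if now is None else now) // step)
    return hotp(secret, t, digits)


class HotpDongle:
    """Stand-in for the HOTP USB security dongle: verifies a code against its own counter."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._window = window
        self.counter = 0

    def verify(self, code: str) -> bool:
        # Small look-ahead window so a skipped boot does not desynchronise the counters.
        for c in range(self.counter, self.counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1
                return True
        return False


def oem_provision(tpm: ToyTPM, *boot_components: bytes, secret: Optional[bytes] = None) -> bytes:
    """OEM step: measure the known-good boot chain and seal the shared secret to it.
    The returned secret is what gets enrolled into the phone app (TOTP) and the dongle (HOTP)."""
    secret = secret or os.urandom(20)
    tpm.seal("attest-secret", secret, measure_boot(*boot_components))
    return secret


def boot_attest_totp(tpm: ToyTPM, now: float, *boot_components: bytes) -> Optional[str]:
    """Boot-time check: re-measure, unseal, and return the code the user compares with their phone.
    Returns None when the measurement changed, i.e. the TPM refuses to unseal."""
    secret = tpm.unseal("attest-secret", measure_boot(*boot_components))
    return None if secret is None else totp(secret, now)


def boot_attest_hotp(tpm: ToyTPM, dongle: HotpDongle, *boot_components: bytes) -> bool:
    """Boot-time check with the dongle: firmware derives an HOTP code from the unsealed secret
    and its stored counter; the dongle, holding the same secret, confirms or rejects it."""
    secret = tpm.unseal("attest-secret", measure_boot(*boot_components))
    if secret is None:
        return False
    code = hotp(secret, tpm.hotp_counter)
    tpm.hotp_counter += 1
    return dongle.verify(code)


if __name__ == "__main__":
    tpm = ToyTPM()
    shared = oem_provision(tpm, GOOD_FIRMWARE, GOOD_BOOT_FILES)
    dongle = HotpDongle(shared)
    print("good boot, TOTP:", boot_attest_totp(tpm, time.time(), GOOD_FIRMWARE, GOOD_BOOT_FILES))
    print("good boot, HOTP ok:", boot_attest_hotp(tpm, dongle, GOOD_FIRMWARE, GOOD_BOOT_FILES))
    print("tampered boot, TOTP:", boot_attest_totp(tpm, time.time(), TAMPERED_FIRMWARE, GOOD_BOOT_FILES))
    print("tampered boot, HOTP ok:", boot_attest_hotp(tpm, dongle, TAMPERED_FIRMWARE, GOOD_BOOT_FILES))
```

The point the toy makes is the one the talk relies on: the secret never leaves the TPM unless the boot measures the same as it did at the OEM, so a modified firmware image cannot produce a matching TOTP code or satisfy the dongle, and the user sees the failure before typing any passphrase. A real TPM enforces this through PCR-bound sealing policy rather than the digest comparison used here, and Heads stores the HOTP counter in TPM NVRAM rather than in a Python attribute.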

This is just the beginning of the adventure and the road ahead requires your help. Insurgo wants to propel this movement forward.

Today's secure hardware (REAL open source initialized hardware, e.g. the RYF KGPE-D16, Replicant-supported phones, Sandy Bridge/Ivy Bridge based boards such as the X230) struggles to stay current with upstream code and compliance requirements. LineageOS dropped support for the i9300. Coreboot dropped support for the KGPE-D16 platform. And the list will grow if no measures are taken to support maintainership of privacy-focused projects that are taken for granted until support is finally dropped. This is a real problem requiring real solutions.

New efforts to support future REAL Open Source Hardware (newly Respect Your Freedom [RYF] certified hardware, e.g. the Talos II from Raptor Engineering, future Power10-based hardware) are neither currently under active development nor currently supported by QubesOS. This needs to change. Now.

There is an opportunity for transition. This requires leadership, developers and funding. This is why we've created the Insurgo Initiative on the OpenCollective platform.

This is where transparent funding will be available to the public for open source R&D. Please consider participating through code contributions!

Insurgo is making today's most trustworthy hardware available (TRULY neutered and deactivated Intel ME, no FSP, no binary blobs whatsoever except the EC firmware in the Root of Trust) to the masses through remote attestation over Heads OSF.

NLnet is helping Heads to become compatible with the T530, T430, T420 and X220, which are widely available, binary-blob-free hardware platforms, thanks to a partnership with 9elements under an NLnet grant. NLnet funding also enables development of remote administration of QubesOS over Tor hidden services when needed, thanks to an ongoing partnership with both the Qubes OS Project and Whonix.

But what about other work needed to ease accessibility of tomorrow's secure hardware and technologies?

Insurgo decided to give back to Open Source Firmware (OSF) related communities and will publicly announce a novel approach to supporting required open source projects. As a first step, we plan to give back 25% of Insurgo's net profit on sales to the Insurgo Initiative, hosted on OpenCollective.

Those funds will be available to Open Source projects in the form of bounties, to be paid out once agreed contributions are shown to be complete.

The idea is that open source tickets (issues) can be used as bounties: if knowledgeable people knew funds were available for needed work, they'd be more incentivized to address them. Developers could then be rewarded for their efforts and paid for completing tasks, similar to how open source funds (OpenTech, NLnet, etc.) provide funding for larger projects.

The Insurgo Initiative will be self-funded and potentially expanded through international partnerships, while the goal stays the same: supporting a future where security is more accessible to the public.

Here are some projects needing additional funding and more developer awareness right now. Big funds and grant applications are great, but the funding process has issues. Not every developer wants to go through the application process, which requires management skills and a process that is not just about coding. There are awesome developers out there whose help is greatly needed.

How do we appropriately match developers with pertinent issues? We can fix this with the right mission and funding. Insurgo's mission is accessible security.

Bounty tags are being added to projects that lack funding, to help address the problems they currently face in reaching completion.

The main problem we seem to face with many projects can be seen over and over again: a lack of maintainership.

No one can carry on a project for too long without becoming overwhelmed/drained by it. We need to fairly distribute this work and make sure contributions are incentivized and fairly paid.

In this talk, I will go quickly over past work, the current situation, and where Insurgo wants to go.

Welcome aboard!

Speakers: Thierry Laurion