You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: About/FAQ.md
+21-15Lines changed: 21 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -161,25 +161,31 @@ Unlike [Tails](https://tails.boum.org/), which aims to be a stateless OS that
161
161
leaves no trace on the computer of its presence, Heads is intended for the
162
162
case where you need to store data and state on the computer.
163
163
164
-
HOTP vs TOTP
164
+
USB Security dongles and firmware verification in Heads
165
165
----
166
166
167
-
HOTP (HMAC-based One-time Password algorithm) generates a password
168
-
using hash-based message authentication codes (HMAC) that can be used only for
169
-
the one authentication attempt. Uniqueness is based on a counter which is
170
-
incremented each authentication attempt.
167
+
Heads can verify firmware integrity using two methods:
171
168
172
-
TOTP (Time-based One-time Password algorithm) is an extension of HOTP but
173
-
replaces the counter with time. Because of latency, both network and human,
174
-
and unsynchronised clocks, the one-time password must validate over a range of
175
-
times between the authenticator and the user. Here, time is
176
-
downsampled into larger durations (e.g., 30 seconds) to allow for validity
177
-
between the parties.
169
+
### HOTP verification (with USB Security dongle)
170
+
**Heads generates HOTP codes** and sends them to your USB Security dongle. The dongle verifies these codes automatically. If verification succeeds, Heads boots normally. If it fails, the dongle's LED shows red and boot is halted.
178
171
179
-
Secuirty wise, HOTP is more susceptible to brute force attacks without
180
-
throttling or limiting the number of failed attempted while TOTP is susceptible
181
-
to phishing attacks and requires a user to enter the code within a given time
182
-
period.
172
+
**Requirements**: Compatible USB Security dongle (see [Prerequisites compatibility table](/Prerequisites#usb-security-dongles-aka-security-token-aka-smartcard))
173
+
174
+
**Advantages**: Automatic verification, no manual interaction needed, works without accurate time
175
+
176
+
### TPMTOTP verification (with smartphone)
177
+
**Heads generates TOTP codes** displayed on screen. You compare these with codes from your phone's authenticator app. If they match, your firmware is verified as safe.
178
+
179
+
**Requirements**:
180
+
- Smartphone with authenticator app
181
+
-**Accurate time synchronization**: Heads system clock must be set to UTC/GMT through Options menu. Phone time is typically synced automatically.
182
+
183
+
**Note**: Time synchronization is critical - if clocks don't match, codes will differ and verification fails.
184
+
185
+
### OpenPGP signing (all configurations)
186
+
All Heads configurations use your USB Security dongle's OpenPGP support to store your private key and sign `/boot` contents. This works with any OpenPGP-compatible dongle.
187
+
188
+
For technical details about HOTP verification, see the [Nitrokey HOTP verification project](https://github.com/Nitrokey/nitrokey-hotp-verification).
Copy file name to clipboardExpand all lines: About/Keys.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -68,6 +68,8 @@ password based on the current clock time, which the user can compare to the
68
68
value displayed on their phone. A new secret must be generated each time the
69
69
firmware is updated since this will change the PCRs.
70
70
71
+
**Note**: Heads generates TPMTOTP codes that appear on your screen. You compare these with codes from your phone's authenticator app to verify firmware integrity. This works independently of your USB Security dongle. **Critical requirement**: You must manually set the correct time in Heads through the Options menu (UTC/GMT timezone) - if the time doesn't match your phone, verification will fail.
72
+
71
73
If an attacker can control this shared secret (such as by directly sending PCR
72
74
values into the TPM), they can install malicious firmware in the SPI flash and
Copy file name to clipboardExpand all lines: Installing-and-Configuring/Prerequisites.md
+21-7Lines changed: 21 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -55,6 +55,14 @@ If *you have an external programmer* and *are techsavvy enough to bring their su
55
55
USB Security Dongles (aka security token aka smartcard)
56
56
---
57
57
58
+
**All USB Security dongles used with Heads must support OpenPGP** for storing your private key and signing `/boot` contents.
59
+
60
+
**HOTP verification is optional** but provides automatic firmware verification at boot. Without HOTP, you'll use TPMTOTP (manual verification with your phone). Most [board configurations](/Prerequisites#supported-devices) are available in both HOTP and non-HOTP variants, though some vendors only support HOTP-enabled configurations.
61
+
62
+
### USB Security dongle compatibility:
63
+
64
+
**Compatible dongles** must support the specialized HOTP verification protocol developed by Nitrokey. For technical details about this protocol, see the [Nitrokey HOTP verification project](https://github.com/Nitrokey/nitrokey-hotp-verification).
65
+
58
66
*NOTE* - Heads does **NOT** support FIDO2 or U2F authentication. Be careful when
-**OpenPGP only**: Can be used with non-HOTP board configurations (manual TPMTOTP verification)
87
+
-**Full support**: Can be used with both HOTP and non-HOTP board configurations
74
88
75
89
*NOTE* - If you prefer not to use USB security dongles or want simplified security procedures, see the [Purism Boot Modes](/PurismBootModes) documentation for information about Basic and Restricted boot modes that provide different security/usability trade-offs.
0 commit comments