Anti Evil Maid and Lenovo x230

@ConoRZ if you decide to follow qubes certified laptop specifications with your x230 and pick up a librem or insurgio key (same thing), I’ll gladly help you (or anyone) get ME_Cleaner, along with heads, and librem key set up properly.

But other than that, whatever AEM is, doesn’t sound secure or unspoofable, whereas a librem key you keep on your body forever, unless you were Honey_trapped, I doubt could be spoofed or faked. But until you get librem key, I can’t help you.

Edit: I am already receiving PMs about heads/coreboot/skulls. First, I only know heads for x230 and librem / nitro-key (they are same); to get started, please see: Lenovo X230 - Heads - Wiki

Second, there’s often no reason to PM me because I believe this takes away the opportunity for the community to learn and grow together from public questions and communal troubleshooting. So just including your question by @'in me in threads such as this one is enough to get my attention.

Third, I’m not a heads developer or anything, I just know how to get it installed on x230 and was able to decipher its poorly written and / or non-existent documentation.

You will stand out of the crowd. The person asking you to boot your computer sees Windows and Mac all day long. Then you come along with Heads/Qubes … you are different and will hence get more attention.

They literally copied down the serial number as something like: xen-virtual-bios or something like that.

Now in situations like this, I simply start the HVM and make it full screen before showing the computer. It then looks like any other Windows PC.

Fullscreen? I’m guessing this is a r.4.1 feature. But good obfuscation idea.

Nope. R4.0. Resolution of your HVM needs to match screen. Right click on title bar of qube and select fullscreen.


@deeplow: I have no idea why, but discourse decided to remove an entire paragraph from my previous post. The paragraph accidentally started with a space, maybe that’s what caused it?

You will stand out of the crowd. The person asking you to boot your computer sees Windows and Mac all day long. Then you come along with Heads/Qubes … you are different and will hence get more attention.

From my own experience: I once spent 20 minutes arguing with a corporate security person trying to explain that what I have is not a Windows PC and I don’t have a “command prompt” where they can type in the command to retrieve the serial number as instructed. Realizing that this person had no idea what on earth I was talking about, I booted into my Windows HVM and let them do as they were instructed.

They literally copied down the serial number as something like: xen-virtual-bios or something like that.

Now in situations like this, I simply start the HVM and make it full screen before showing the computer. It then looks like any other Windows PC.


That was the cause of the error. Discourse needs a way to know what’s a quotation and what’s not. This had happened before :wink:

after a pm discussion with @anon93834559 do the heads option with libremkey / nitrokey… they should be the same
im choosing the nitrokey because im a european so it would be cheaper for me
just only got one question to be sure:
the Nitrokey Pro 2 == libremkey right?
so i dont need the nitrokey storage 2?

there would be no way to build an own “libremkey”?

Greetingz @ConoRZ,

I use a Nitrokey Pro (not storage) with heads x230 using TOTP. I have not used the heads HOTP config but am fairly certain you don’t need the storage version for that.

There was an interesting post by stallmanrocks a few years ago on qubes-users that mentions the Tomu.

I read it after I’d got a YubiKey 4 (only used with TOTP), but your question prompted me to find that again. If anyone has other alternatives or experiences, I’m also curious.

Thanks for your answer, I already got a yubikey but the thing is, there would be no way to get a tamper protection, probably I have to buy also a nitrokey but I’ll do this next month

I bought a pixel 4a this month so there would be no money left for a nitrokey :rofl:
But would be happy when pixel would be arrived, I’ll install graphene os there instantly :slight_smile:

“I bought a pixel 4a this month so there would be no money left for a nitrokey :rofl:
But would be happy when pixel would be arrived, I’ll install graphene os there instantly”

Pixel 4A with 5G is somewhat fragile, screen easily cracks. I had installed an Otterbox screen protector and bumper cushion as well. Cracked screen phone still works.

Graphene Install works exactly as described. No Problems. I do wonder if this is the altered OS that the FBI used on the expensive Secure phone they sold to -Drug Dealers-, and later used to take them down.

correct, the Librem Key is re-branded Nitrokey Pro 2. see:

once you have a Nitrokey Pro 2, you’ll need to flash your x230 with Heads. if you are having difficulty with building & flashing Heads, you can use Skulls to make the process easier:

specifically:


Why do you say that?

The way heads uses the Yubikey or the Nitro/LibremKey is as a PGP smart card to sign your binaries.

The attestation works using TOTP and an authenticator app you run on your smart phone. I am using andOTP on my Pixel 4a running Graphene OS.

In addition to that you can also enable HOTP using a Nitro/LibremKey. I have the Nitrokey Storage 2. If you do that and attestation is successful you get a little green led flashing … otherwise it’ll flash red. However this is an additional feature and you can absolutely have tamper protection with TOTP and the authenticator app alone.
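The TOTP and HOTP checks described in the post above, as an added example that is not part of the original thread and is not Heads or Nitrokey code. It computes both codes per RFC 4226 and RFC 6238; the secret is the public RFC test value, and `phone_matches` and `Token` are hypothetical models of the user's comparison and of a token's look-ahead check, not of how Heads stores or releases the secret.

```python
import hashlib
import hmac
import struct

# Public RFC 4226 test secret, used here as a constructed stand-in for the
# secret shared between the laptop and the phone app or USB token.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)

def phone_matches(secret, laptop_code, phone_time, step=30, drift=1):
    """The user's TOTP check: does the code on the laptop screen equal what the
    phone app shows, allowing `drift` time steps of clock skew either way?"""
    return any(
        hmac.compare_digest(laptop_code, totp(secret, phone_time + d * step, step))
        for d in range(-drift, drift + 1))

class Token:
    """Hypothetical HOTP token: checks a code against its own counter with a
    small look-ahead window and reports the LED colour the post mentions."""
    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, code: str) -> str:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(code, hotp(self.secret, c)):
                self.counter = c + 1  # a used counter is never accepted again
                return "green"
        return "red"

if __name__ == "__main__":
    code = totp(SECRET, 59)                       # laptop clock: t = 59 s
    print(code, phone_matches(SECRET, code, 84))  # phone 25 s ahead: match
    print(phone_matches(SECRET, code, 209))       # clocks 150 s apart: mismatch
    token = Token(SECRET)
    print(token.verify(hotp(SECRET, 2)))          # inside the window
    print(token.verify(hotp(SECRET, 2)))          # same code replayed
```

A TOTP mismatch can therefore come from a wrong laptop clock as well as from a changed secret, while the counter-based HOTP check does not depend on the clock.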

@ConoRZ Not sure exactly which yubikey you have or what kind of tamper “protection” you expect. I mentioned that I use the Yubikey 4 because it is not listed on Prerequisites for Heads | Heads - Wiki but works fine for me with Heads (TOTP only).

In case you missed it, the Heads FAQ includes a HOTP vs TOTP entry and the Heads Threat model | Heads - Wiki has links to further info.

Best regards …

because i thought this “tamper” protection is anything special which is communicating with bios / tpm chip etc.
like with a custom tpm

yep, also because of the red / green blinking led i thought this would be impossible with a yubikey
i also want to use HOTP, so i have to buy a nitrokey, but i think ill do today the heads flash with TOTP and would upgrade later to HOTP


thanks for this stuff, this helped me a lot to understand it!
but what i would understand as tamper protection i cant tell it you, because nitrokey was calling this:
Tamper-resistant smart card

and to the person with skull:
thanks, i guess ill look this in the next hour up, because ill start in the next hour to flash heads :slight_smile:

ok little update:
i wanted to do skulls / heads but the thing is:
1.) im at my work and didnt notice that i have to take a screw driver with me xD
2.) idk how i could connect my raspberry pi to my laptop because i guess i didnt get pins for it and 2. i need this “clip” to connect it to the chip

to get this in my work wouldnt be that problem because i could ask a person if the person would be able to bring this to my work

… now i have to figure out how to organise the clip…

Glad the links helped and you seem to be serious about your project. Not sure which pi you have but maybe these links will be helpful.

https://www.chucknemeth.com/laptop/lenovo-x230/flash-lenovo-x230-coreboot

One other thing to consider before going further is whether or not you want to do any EC firmware modifications (e.g. disable the EC’s authentic battery validation check). If you wish to do any EC firmware modifications its best to do them before installing Heads. More info available at https://github.com/hamishcoleman/thinkpad-ec

Keep us updated and good luck!

i got the pi 3b+ i guess, would have to look up when im home again
but im also not sure if i got jumper cables, but i guess i would fail on find a clip

would i get any benefits if i flash ec?

and am i allowed to write you a pm and update the posts after it?

EDIT: got jumper cables but im missing the clip, i guess duct tape to hold pins would be too unsecure :confused:

You should update the EC in any case.
Flashing with that mod allows you to fit a proper x220 keyboard in place
of the chiclet, and have it mostly working, and also use 3rd party batteries.

You can get a cheap clip readily enough.

oh ok thanks

anyhow… idk if i want to try flash with clip, if i would buy a clip i would receive it in 2 weeks… thats the thing im troubling now :smiley:

but anyhow, im troubling also now with dd (cant find the code option) because its flashing so slowly, im unsure if my slot got problems or if its my sd card… i mean my sd card is pretty old now
also format it was pretty slow