Anti evil maid? coreboot? heads?

When I read the forums here, I often see the words anti evil maid, coreboot, and heads, but even after searching on Google, I can’t really figure out what they mean.
Could you please explain it in a way that even someone who is not familiar with computers can understand?

If you open ChatGPT and type: “explain meaning of the words anti evil maid, coreboot, and heads for a newbie” - you will get a nice short summary. :+1:


Here is an article explaining anti evil maid in detail: Anti Evil Maid | The Invisible Things
Antil evil maid is basically used to prevent someone, who has physical access to your computer, from compromising the integrity of the data on your computer. Anti evil maid does this by using another device to verify the integrity of dom0 (the core of Qubes).
You can also read more about anti evil maid here: Anti evil maid (AEM) | Qubes OS

Coreboot is a free, open source, and secure BIOS firmware to replace the often proprietary firmware that is generally seen as less secure.


HEADS isnt self-explanatory and you would have to add “HEADS BIOS” not to get results about encephalus. AEM and coreboot are easily searchable. What is important about these is that there are deeper parts to a computer than the OS (operating system). These deeper parts also have security issues.


Hi @regi, let me try:

AEM: uses the Intel ME and your TPM chip to verify that the files your computer used to boot haven’t changed. This is done by printing a specific message on screen you have to look for every time you boot.

Coreboot: is an Open-Source implementation of a BIOS that works for many computers. This is attractive because it’s code can be audited and it greatly reduces the amount of so-called “blobs” (proprietary binaries that cannot be audited).

Heads: is a so-called payload for Coreboot. It is booting into a tiny Linux kernel and is using your TPM chip to verify that the files your computer uses to boot have not been modified in addition to checking itself too. This is done by having you personally sign each and every change with private key that only you posses and that is secured in an external USB device (like Nitrokey, YubiKey or any other GPG compatible HSM). As a result you can be sure no tempering with your boot files goes unnoticed.

The core differences:

  • AEM depends on Intel ME and will work on almost all modern Intel-based computers
  • Coreboot supports a smallish subset of modern computers. In addition to the FOSS advantage this also allows you in most cases to disable the Intel ME and in some rare cases to even remove most of it.
  • Heads supports an ever smaller subset of modern computers but could be considered the gold standard in temper detection without relying on Intel ME

Intel ME is a proprietary solution that runs “below” your CPU and is invisible to it. Therefore no instruction detection system or virus scanner can see what it is doing. This combined with the fact that it’s proprietary complex code makes it a possible attack surface. Most people don’t need to worry about it, because such an exploit would be much too valuable to use on a random person. However targeted persons should consider this issue and make an informed decision which residual risk is acceptable to them.

I kept this intentionally high-level and left out some interesting but secondary facts. The aim was not to provide a complete or 100% correct summary but a conversational overview that gives the basic idea to an uninitiated person. Now, fire away and dismantle this post :wink:


AEM depends on Intel ME and will work on almost all modern Intel-based computers

AEM only supports TPM 1.2, which leaves out a lot of newer and
not-so-new machines.

Most people don’t need to worry about it, because such an exploit would be much too valuable to use on a random person.

The bar is getting lower

As a result you can be sure no tempering with your boot files goes unnoticed.

Depends on what you mean by ‘boot files’. / isn’t RO with Heads, so
an attacker who escapes Xen can persist by modifying
any services that run during dom0 boot.

Here’s a ChatGPT4 answer

Sure, let’s break down these terms:

1. Anti Evil Maid (AEM)

Anti Evil Maid is a security feature designed to protect a computer from “evil maid” attacks. An “evil maid” attack involves an attacker who has physical access to a target computer (imagine a malicious hotel maid, hence the name). The attacker could tamper with the device to, for example, install malware or compromise the system in other ways.

  • Purpose: AEM aims to ensure that the system hasn’t been tampered with by verifying the integrity of the boot process.
  • How it Works: It typically uses Trusted Platform Module (TPM) technology to securely store cryptographic keys and to check the integrity of the boot process, ensuring that no unauthorized changes have been made to the system’s firmware or boot loader.

2. Coreboot

Coreboot is an open-source project that replaces the proprietary BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface) firmware found in most computers.

  • Purpose: Coreboot aims to initialize the hardware in a system (like processor, memory, hard drives, etc.) in a speedy and secure manner, and then pass control to a payload, such as a bootloader or an OS kernel.
  • Features:
    • Fast Boot Times: It’s designed to perform only the minimum number of tasks necessary to load and run the next stage of the boot process.
    • Flexibility: It can be paired with various payloads, like SeaBIOS, TianoCore (a UEFI implementation), or a Linux kernel, depending on the user’s need.
    • Security: It can be configured to provide a secure boot environment, ensuring that only signed, trusted firmware and software can be executed during the boot process.

3. Heads

Heads is a firmware framework (an open-source project) that combines the capabilities of Coreboot with security features, providing a secure, somewhat tamper-proof platform.

  • Purpose: Heads aims to ensure the integrity and privacy of a system through hardware and firmware security features.
  • Features:
    • Secure Boot: Heads uses cryptographic signatures to verify the integrity of the firmware and the boot process, ensuring that only trusted, signed code is executed.
    • User Control: Heads puts the user in control of their system’s security, allowing them to manage keys and decide which firmware and software are trusted.
    • Anti Evil Maid (AEM) Mechanism: Heads implements an AEM mechanism, using TPM to ensure that the firmware hasn’t been tampered with between boots.
  • How it Works: Heads will measure (hash and store) the firmware and boot configuration into the TPM. On subsequent boots, it will measure the firmware and configuration again and check it against the stored values, alerting the user if there are any discrepancies, which might indicate tampering.

In summary:

  • Anti Evil Maid is a mechanism to protect against physical tampering attacks.
  • Coreboot is an open-source alternative to proprietary BIOS/UEFI firmware, focusing on speed and flexibility.
  • Heads is a firmware framework that combines Coreboot’s capabilities with additional security features, including an AEM mechanism.

These technologies are often used in the context of securing the boot process of a computer, ensuring that the firmware and boot software have not been tampered with, and that the system boots into a known, secure state.


I am curious about this but from a different perspective…lets suppose you have a desktop that you built so it’s been “trusted” ever since first boot. Let’s also say it’s impossible for a physical attack, it’s in a locked room with an ethernet cable - nobody but you will physically interact with it.

In this scenario, the worst case would be…a 0-day exploit that jumps from an AppVM to Dom0 and overwrites /boot files for persistence - is that accurate? And I’m not asking about what is “theoretically” possible, I know it probably is, but more like statistically speaking?

Like Heads to me seems like the setup you want more for a laptop, since you could leave that in a hotel room, or if you travel internationally and you are suspicious of customs agents, etc.

For a relatively regular person who probably doesn’t have to worry about law enforcement or some bad actor breaking into your home to install BIOS or /boot sector malware…a neutered Intel ME, coreboot, and Qubes is a huge upgrade over Windows or even regular Linux distros I imagine?