What makes Heads so great when combined with QubesOS?

How does using Heads empower Qubes? Heads is cpreboot, isn’t it?


Heads is basically a BIOS replacement, it’s a stripped down Linux-Kernel with some elements of coreboot.
It’s a form of Anti-Evil-Maid. It signs the whole /boot partition and warns you when it detects tampering (It only warns, not prevents). There are TOTP and HOTP (the one with the USB) ROMs available. The LUKS-Key gets sealed into the TPM and can unlock the Qubes partition.


This article is worth reading if you want to know more about Heads.


Mostly because of false marketing of companies like Purism.

Heads cannot provide real protection against any sort of attacker with a programmer. You are better off buying a modern Dell Latitude/Precision or Lenovo Thinkpad, which actually have Intel Boot Guard or AMD Platform Secure Boot.

1 Like