Merge pull request #71 from jtmoree-github-com/docs-refresh2

docs refresh without OS pages

Author: tlaurion

About/Keys.md

@@ -147,7 +147,7 @@ The owner of the machine generates a GPG key pair as part of installing Heads.
   Ideally the private key does not live on the machine, but instead is in a
   Yubikey or other USB Security dongle.
 
-TODO: Can this be used in the disk decryption process?
+The security dongle may be used in the disk decryption process. Some of the [Linux distros](https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#decrypt-luks-encrypted-drives-with-librem-key) have incorporated this using /etc/crypttab with a keyscript option.
 
 An attacker who controls this private key can replace executables in `/boot` and
  if they also control the disk encryption key they can tamper with files in a

Installing-and-Configuring/BootOptions.md

@@ -0,0 +1,123 @@
+---
+layout: default
+title: Configuring Boot Options
+permalink: /BootOptions/
+parent: Installing and configuring
+nav_order: 85
+---
+
+<!-- markdownlint-disable MD033 -->
+<details open markdown="block">
+  <summary>
+    Table of contents
+  </summary>
+  {: .text-delta }
+1. TOC
+{:toc}
+</details>
+<!-- markdownlint-enable MD033 -->
+
+
+Boot config files
+===
+
+A user has the option to make persistent modifications to the non-Qubes boot
+ process by creating one or more of the following files:
+
+| file | description |
+| ---- | ---- |
+| kexec_menu.txt | contains multiple options for parameters to the kexec command|
+| kexec_hashes.txt | a sha256sum file from within the respective boot directory |
+| kexec_iso_add.txt | a sh variable to override the standard ISO kernel argument additions |
+| kexec_iso_remove.txt | a sh variable to override the standard ISO kernel argument removals |
+| kexec_default.$N.txt | specifies the default kexec parameters corresponding to the Nth menu option |
+| kexec_default_hashes.txt | a sha256sum file for the default entry kexec file parameters |
+| kexec_rollback.txt | a sha256sum of the TPM counter contents in the tmp directory |
+| kexec_key_devices.txt | contains a list of "device uuid" combos for all LUKS devices to unlock |
+| kexec_key_lvm.txt | contains the name of an LVM group to activate on boot |
+
+These can be placed in any of the following locations:
+
+| location | description |
+| ---- | ---- |
+| /boot/ | used during internal HD boot |
+| /media/ | used during standard USB boot |
+| /media/kexec_iso/$ISO_FILENAME/ | used during USB boot from a particular ISO file |
+
+These files are only used if there is an appropriate signature for them in `kexec.sig` covering all `kexec*.txt` in that location. This can be generated from the user interface from the `Update checksums and sign all files` in /boot menu option, or manually from the recovery shell by running `kexec-sign-config -p /boot/`, etc. These files are only copied by `kexec-check-config` to `/tmp/kexec/` if there is a valid signature. From there the boot routines reference only the configs in `/tmp/kexec`.
+
+Dynamic vs Persistent Boot Options
+====
+
+There are two ways for heads to boot Operating systems from /boot.
+
+* Dynamic (no kexec_menu.txt)
+* Persistent
+
+`kexec_menu.txt` is generated from GUI menu option `Default boot` while /boot contents detached signed digest is verified as valid.  If there is no persistent `kexec_menu.txt` the boot directory will be searched for grub/syslinux-like configurations and it will be generated dynamically (for any of the HD/USB/USB-ISO locations). Creating a persistent `kexec_menu.txt` can be useful to limit the options displayed or to make persistent alterations to xen or kernel params.
+
+
+Persistent Boot Options
+----
+
+To customize the boot options and ignore the default OS boot configurations you may create a
+`kexec_menu.txt` which has a simple layout of a single line per boot option:
+
+```text
+description 1|elf|kernel /vmlinuz... |initrd /initramfs... |append ...
+description 2|multiboot|kernel ... |module ... |module ...
+description 3|xen|kernel /xen... |module /vmlinuz... | module /initramfs...
+```
+
+Here is a sample `kexec_menu.txt` derived from grub.cfg:
+
+<!-- markdownlint-disable MD013 -->
+
+```text
+Ubuntu|elf|kernel /vmlinuz-4.8.0-58-generic|initrd /initrd.img-4.8.0-58-generic|append root=/dev/mapper/ubuntu--vg-root ro quiet splash crashkernel=384M-:128M crashkernel=384M-:128M
+Memory test (memtest86+, serial console 115200)|elf|kernel /memtest86+.bin|append console=ttyS0,115200n8
+Qubes, with Xen hypervisor|multiboot|kernel /xen-4.6.5.gz placeholder |module /vmlinuz-4.4.67-13.pvops.qubes.x86_64 placeholder root=/dev/mapper/luks-UUID ro rd.qubes.hide_all_usb|module /initramfs-4.4.67-13.pvops.qubes.x86_64.img
+```
+
+<!-- markdownlint-enable MD013 -->
+
+### Securing Persistent Boot Options
+
+By default, no file hash checks are made for default boot since this was done during configuration.  A non-default boot will fail when the file hashes don't match the expected values.  
+
+### require hash checks
+
+If a user wishes to require that file hashes be checked for a succesful
+ non-recovery boot, they may set the `CONFIG_BOOT_REQ_HASH=y` in their
+ respective Heads config file (/etc/config.user).
+
+### default boot
+
+As as convenience mechanism, a user may select a boot option to always be used
+ in the future, assuming that the boot parameters and file hashes have not
+ changed.  This can be done by running `kexec-save-default` manually or directly
+ from the boot menu.  This works for any boot location (HD/USB/USB ISO) but does
+ modify the respective `/boot/` or `/media/` filesystems.  
+ 
+ In the case of dynamicly derived boot options from `grub.cfg` (i.e. no persistent kexec_menu.txt) an entry index is cached so that the boot will fail when there is a change to the underlying grub parameters.  This will require the user to resign/revalidate the settings.  This is useful to detect changes to the primary kernel/initramfs (for example in the Qubes case when the primary entry  is first).
+
+### multiboot
+
+Note that currently, any multiboot entry is interpreted as a Xen-variant and
+ `kexec-boot` overrides the arguments to the multiboot kernel with custom
+ arguments.  A user can manually specify `multiboot` entries to override the
+ default behavior by creating a custom `kexec_menu.txt`.
+
+### rollback counter
+
+If a user wishes to require that a TPM counter be set for rollback prevention,
+ they may set the `CONFIG_BOOT_REQ_ROLLBACK=y` in their respective Heads config
+ file.  When this is true, standard boot will only succeed in these two cases:
+
+ * Booting from an verified ISO
+ * Booting from a mount point that has a valid `kexec_rollback.txt` in its
+ parameter directory
+
+The simplest way to achieve this is to set a default boot option as this updates
+ the rollback counter by default.
+

Installing-and-Configuring/Prerequisites.md

@@ -0,0 +1,85 @@
+---
+layout: default
+title: Prerequisites for Heads
+permalink: /Prerequisites
+nav_order: 1
+parent: Installing and configuring
+---
+
+Prerequisites for Heads
+===
+
+Required equipment
+---
+
+To install Heads on a physical device, you will need:
+
+* Supported motherboard or laptop ([see below](#supported-devices))
+* A heads compatible USB security dongle ([see below](#USB Security Dongles))
+* A heads compatible storage device for your public GPG key (USB flash drive)
+
+If your device requires external flashing ([see below](#supported-devices)),
+ you will also need:
+
+* [SPI Programmer](https://trmm.net/SPI_flash): ch341a programmer or raspberry
+ pi or bus pirate (ch341a is recommended for new users and can be found almost
+ [anywhere](https://www.amazon.com/s?k=ch341a+programmer).
+* Wires and a clip SOIC8 to connect your programmer of choice to the board’s
+ SPI flash chip(s).
+  * The [Pomona 5250](https://www.pomonaelectronics.com/products/test-clips/soic-clip-8-pin)
+   is suggested as it is high quality and easier to make contact with the pins.
+* A second computer to flash from (Try to use a recommended operating system:
+  Qubes or Debian 9 or Fedora 30)
+
+Supported devices
+---
+
+Please see the current [heads source](https://github.com/osresearch/heads/tree/master/boards) for supported devices.
+
+|Device| Board name|Firmware base|Requires external flashing| ME should be cleaned|Notes|
+|--|--|--|:--:|:--:|--|
+|Asus KGPE-D16|`kgpe-d16`|coreboot|X|||
+|Dell R630|`r630`|linuxboot||X||
+|Intel S2600wf|`s2600wf`|linuxboot||X||
+|Lenovo Thinkpad T420|`t420`|coreboot|X|X||
+|Lenovo Thinkpad T430|`t430-flash`|coreboot|X|X|initial flashed image|
+|Lenovo Thinkpad T430|`t430`|coreboot|X|X||
+|Lenovo Thinkpad X220|`x220`|coreboot|X|X||
+|Lenovo Thinkpad X230|`x230-flash`|coreboot|X|X|initial flashed image|
+|Lenovo Thinkpad X230|`x230-hotp-verification`|coreboot|X|X|with hotp verification|
+|Lenovo Thinkpad X230|`x230`|coreboot|X|X||
+|Open Compute Project Leopard node|`leopard`|linuxboot|||
+|Open Compute Project TiogaPass node|`tioga`|linuxboot||||
+|Open Compute Project Winterfell node|`winterfell`|linuxboot||||
+|Purism Librem 13 v2|`librem_13v2`|coreboot||||
+|Purism Librem 13 v4|`librem_13v4`|coreboot||||
+|Purism Librem 15 v3|`librem_15v3`|coreboot||||
+|Purism Librem 15 v4|`librem_15v4`|coreboot||||
+|Purism Librem Mini|`librem_mini`|coreboot||||
+
+Emulated devices
+---
+
+For further information, see [Emulating Heads](/Emulating-Heads/)
+
+|Device| Board name|  Firmware base|
+|--|--|--|--|
+|QEMU development image|`qemu-coreboot-fbwhiptail`|coreboot|
+|QEMU development image|`qemu-coreboot`|coreboot|
+|QEMU development image|`qemu-linuxboot`|linuxboot|
+
+USB Security Dongles (aka security token aka smartcard)
+---
+
+*NOTE* - Heads does **NOT** support FIDO2 or U2F authentication.  Be careful when
+ purchasing to buy a compatible key.
+
+ *NOTE* - HOTP is currently only supported with Librem devices and the ThinkPad
+  x230 rom with HOTP support
+
+|Manufacture|Model line|TOTP|HOTP|
+|--|--|:--:|:--:|
+|Yubico|[YubiKey 5 Series](https://www.yubico.com/products/yubikey-5-overview/)|X||
+|Nitrokey|[Nitrokey Pro 2](https://www.nitrokey.com/#comparison)|X|X|
+|Nitrokey|[Nitrokey Storage 2](https://www.nitrokey.com/#comparison)|X|X|
+|Purism|[Librem Key](https://puri.sm/products/librem-key/)|X|X|

Installing-and-Configuring/RecoveryShell.md

@@ -0,0 +1,92 @@
+---
+layout: default
+title: Heads Recovery Shell
+permalink: /RecoveryShell/
+nav_order: 90
+has_children: false
+has_toc: false
+parent: Installing and configuring
+---
+
+Heads Recovery Shell
+====
+
+The recovery shell is a command line environment where heads and *nix utilities may be accessed (see [modules](https://github.com/osresearch/heads/tree/master/modules)) This document is a work in progress.
+
+Overview
+---
+
+The recovery shell is running a Linux kernel and shell based on busybox.  The environment comes from the initrd image flashed into the BIOS with the Linux kernel.  i.e.  Heads
+
+The shell can be used to troubleshoot Heads.  The security dongle paired with Heads may be needed to effectively use this environment.
+
+
+Access
+----
+
+The recovery shell may be accessed using two different methods.
+
+1.  at power-on repeatedly press 'r' before the GUI loads
+2.  select the recovery shell menu in the Heads GUI
+
+These two different methods of access will result in some different settings.
+
+
+Limitations
+----
+
+The recovery shell wipes secrets--normally used for security checks--that were [computed](/Keys/#tpm-pcrs) from the BIOS, kernel modules loaded, etc.  This will limit sealing/unsealing functions (Disk Unlock Key creation, TOTP/HOTP sealing) from the recovery shell environment. To seal/unseal secrets, the same measurements needs to be calculated, which would be different depending of the kernel modules loaded and if going in/out of the recovery shell, which invalidates per design the TPM measurements to not release secrets.
+
+To seal/unseal secrets, use the GUI environment.
+
+
+Boot Process
+----
+
+To troubleshoot you should understand the processes used to configure and boot Heads after flashing it into the BIOS.
+
+### configuration
+
+* First Boot Checks
+* set default boot and flash BIOS (again)
+* Reset the TPM
+* sign files in /boot
+* reset htop/totp
+
+### boot
+
+* mount default boot
+* check signatures
+* check hotp
+* menus and user interaction
+* boot kernel
+
+
+Troubleshoot the boot process
+----
+
+### manual boot
+
+If you want or need to manually boot a Linux system you must specify a kernel, initrd, and root file system.  Use the kexec-boot utility.  In this example 'foo' is a description that normally comes from other parts of Heads configurations.  It can be anything.  The root filesystem must be the correct one used in the target Linux installation.  
+
+This example may work for you by changing only the root= setting.  Normally, there are symlinks in the boot partition using these file names.  Of course you need to adjust if your target system uses a different convention for specifying these files.
+
+    kexec-boot -b /boot -e ‘foo|elf|kernel /vmlinuz|initrd /initrd.img|append root=/dev/whatever’
+
+
+### sign files
+
+Content in /boot is hashed and recorded in a file.  The hashes are signed using the security dongle paired with Heads.  These hashes are verified on boot using the public key corresponding to the security dongle.
+
+    mount /dev/sdaX /boot
+    kexec-sign-config -p /boot
+
+### hotp and totp
+
+Will not work in recovery shell due to missing secrets. See [Limitations](#limitations).
+
+
+Upgrading Heads
+----
+
+The Heads [upgrade process](/Updating) may be performed from the recovery shell.

Installing-and-Configuring/Upgrading.md

@@ -24,14 +24,19 @@ encryption key.  Be sure you have your TPM owner's password and your
 disk encryption recovery key or passphrase available since, by design,
 the disk key is not accessible to the recovery shell.
 
+If you flash the same firmware and you keep settings, your TOTP will be valid, HOTP also, and Disk Unlock Key passphrase will still boot your system. In doubt, you can consequently reflash your firmware.
+
+The Disk Recovery Key is the key used at OS installation for the encrypted root partition (passphrase placed in LUKS keyslot 0).
+
+
 Recovery shell
 ---
 
 ![Recovery shell]({{ site.baseurl }}/images/Recovery_shell.jpg)
 
 If the flash protection bits are set correctly it is not possible to
 rewrite the firmware from the normal OS.  You'll need to reboot
-to the Heads recovery shell (hit `r` after the TPM TOTP prompt).
+to the Heads [recovery shell](/RecoveryShell/).  Repeatedly press 'r' on boot or choose 'Recovery Shell' in the heads GUI.
 
 Internal Flashing
 ---
@@ -156,11 +161,3 @@ sealtotp.sh
 
 This needs the TPM owner password to be able to define the NVRAM space.
 (todo: [issue #151](https://github.com/osresearch/heads/issues/151)).
-
-Resealing the disk encryption keys
----
-
-When you get to the standard boot menu and after you verify the TOTP, select 'm'
- to go to the full boot menu.  Select the option you want (usually the first),
- make it the default by hitting 'd' and also say 'y' when asked to reseal the
- disk keys.

Installing-and-Configuring/configuring-keys.md

@@ -40,8 +40,8 @@ Select "Add a GPG key to the running BIOS" to enter the GPG Management menu.  If
 
 ![GPG Management menu]({{ site.baseurl }}/images/gpg_management.jpg)
 
-Insert your USB security dongle and USB drive into the device, then chose
- "Generate GPG keys manually on a USB security token".
+Insert your USB security dongle and USB drive into the device, then choose
+ "Generate GPG keys manually on a USB security token[dongle]".
 
 When at the GPG prompt, go into "Admin" mode and generate a new key inside the
  USB security dongle: