Heads doesn't seem to make sense to me

The purpose of HEADS is

  • measure the firmware before allowing to boot an OS
  • measure the OS and compare the signature with a GPG key stored in a GPG storage like a Nitrokey
  • allow to boot a trusted OS

But the key part here is the Nitrokey.

I need to have a situation where something that belongs to me (laptop) could be manipulatee, but something else that belongs to me (key) is trusted.

Okay there also is the knowledge factor, I need to enter the PIN to change the stored GPG keys and trust a new boot.

But wouldnt it be better to have a “Nitrokey Fingerprint reader” that unlocks the keys when my fingerprint was detected?

Then we would have

  • something that you have (key)
  • something that you know (additional Pin)
  • something that you are (fingerprint)

On Linux especially external USB fingerprint readers are pretty rare. In combination with usbguard they could be quite useful though, for sure when used as second factor. (Otherwise you would always fear that someone steals the fingerprint reader and makes it spit out it’s secrets)

It can be convenient but I’m not sure if it adds security.

PINs can be changed and biometrics not. Especially fingerprints you leave everywhere.

Heads security is based on signing a trusted device with a token you carry all times with you.

The signature is tested on the device and the attestation strings sent to the tpm cannot be modified or the secrets do not get unlocked.

USB devices get enumerated and also might get detected in a different sequence. So a fingerprint reader might also cause troubles in the PCR registers during boot.

You could add fingerprint reader for the OS lateron.

2 Likes

There’s a reason smartphones rely on a PIN after cold boot by default. So, I agree it would be more convenience than security.

But Nitrokey may be interested to look into creating a token variant, if there is a safe sensor with maintained open-source libraries. Not primarily for heads, because the alphanumeric-PIN is only needed when you change /boot files, but the convenience with secret authentication - where you need the PIN much more frequently. With that reasoning your thread title “doesn’t make sense to me”.

2 Likes