Prerequisites for Heads
Required equipment
To install Heads on a physical device, you will need:
- Supported motherboard or laptop (see below)
- A heads compatible USB security dongle (see below)
- A heads compatible storage device for your public GPG key (USB flash drive)
If your device requires external flashing (see below), you will also need:
- SPI programmer: a green-PCB CH341A programmer, a Raspberry Pi, or a Bus Pirate (the green CH341A is recommended for new users and is sold almost everywhere as a kit with a preassembled clip).
- Wires and a SOIC8 clip to connect your programmer of choice to the board's SPI flash chip(s).
  - The Pomona 5250 clip is suggested: it is high quality and makes it easier to get good contact with the pins.
- A second computer to flash from (try to use a recommended operating system: Qubes, Debian 9, or Fedora 30).
Supported devices
Please see the current heads source for up-to-date supported board configurations.
Note: boards that repeatedly went untested, even by owners who had volunteered to test them, were moved to the unmaintained_boards directory and are no longer built by CircleCI.
If you have an external programmer and are tech-savvy enough to bring their support back yourself, read the Community page and reach out. I will gladly assist in your quest :)
USB Security Dongles (aka security token aka smartcard)
All USB security dongles used with Heads must support OpenPGP, for storing your private key and signing the /boot contents.
HOTP verification is optional but provides automatic firmware verification at boot. Without HOTP, you’ll use TPMTOTP (manual verification with your phone). Most board configurations are available in both HOTP and non-HOTP variants, though some vendors only support HOTP-enabled configurations.
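To make the difference between the two verification modes concrete, the following is an added example (not code from the Heads project or from Nitrokey) of the one-time-password arithmetic both modes rest on: HOTP per RFC 4226 and TOTP per RFC 6238. In HOTP mode the firmware computes a counter-based code that the dongle checks automatically; in TPMTOTP mode the same HMAC is driven by the clock and you compare the code on screen with your phone's authenticator. The `HotpVerifier` class is a constructed model of the dongle side with a look-ahead window; the real dongle firmware, the TPM sealing of the shared secret, and the USB protocol are not shown. The secret and counters are the RFC test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step).

    This is what a phone authenticator computes in the TPMTOTP flow; the code
    Heads shows at boot must match it for the user to trust the firmware.
    """
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Constructed model of the dongle side of HOTP verification (assumption, not Nitrokey firmware).

    The dongle holds the same secret as the sealed copy in the TPM and keeps its own
    counter. A code is accepted only if it matches one of the next `window` counter
    values; on success the counter moves past it, so a replayed code is rejected.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            # constant-time comparison so the check leaks nothing about partial matches
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"); constructed test input.
RFC_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Run both flows once and return the observations for inspection."""
    dongle = HotpVerifier(RFC_SECRET)
    boot_code = hotp(RFC_SECRET, 0)          # what firmware with a matching TPM secret would send
    first = dongle.verify(boot_code)         # accepted: counter 0 is inside the window
    replay = dongle.verify(boot_code)        # rejected: counter already advanced past 0
    wrong = dongle.verify("000000")          # rejected: no counter in the window produces it
    return {
        "hotp_counter_0": boot_code,
        "accepted": first,
        "replay_rejected": not replay,
        "garbage_rejected": not wrong,
        "totp_8_digits_at_t59": totp(RFC_SECRET, 59, digits=8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The window in `HotpVerifier` is why a few failed or interrupted boots do not desynchronise the dongle, and the constant-time compare is the detail most home-grown verifiers get wrong. Note that neither mode proves anything unless the secret is only released for firmware whose measurements match; that binding comes from the TPM, which this example deliberately leaves out.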
USB Security dongle compatibility:
Compatible dongles must support the specialized HOTP verification protocol developed by Nitrokey. For technical details about this protocol, see the Nitrokey HOTP verification project.
NOTE - Heads does NOT support FIDO2 or U2F authentication. Be careful when purchasing to buy a compatible key.
NOTE - HOTP remote attestation is supported by default on Librem, NovaCustom and Nitropad platforms. Otherwise, HOTP is explicitly supported by board configurations that have hotp in their board names.
NOTE - The Nitrokey 3 comes in three sizes: USB A, USB A-mini and USB C. The NK3A mini (USB A-mini) is the one most commonly shipped with NovaCustom and Nitropad devices.
- ThinkPads have USB A ports, not USB C. Beyond that, the form factor is the user's preference.
Supported USB Security dongles:
Manufacturer | Model | OpenPGP | HOTP verification | Compatible |
---|---|---|---|---|
Yubico | YubiKey 5 Series | ✅ | ❌ | OpenPGP only |
Nitrokey | Nitrokey Pro 2 | ✅ | ✅ | Full support |
Nitrokey | Nitrokey Storage 2 | ✅ | ✅ | Full support |
Nitrokey | Nitrokey 3 | ✅ | ✅ | Full support |
Purism | Librem Key | ✅ | ✅ | Full support |
Notes:
- OpenPGP only: Can be used with non-HOTP board configurations (manual TPMTOTP verification)
- Full support: Can be used with both HOTP and non-HOTP board configurations
NOTE - If you prefer not to use USB security dongles or want simplified security procedures, see the Purism Boot Modes documentation for information about Basic and Restricted boot modes that provide different security/usability trade-offs.
Board Architecture Overview
Note: All current Heads boards use a modern architecture where the Intel Management Engine (ME) is deactivated and the Intel Flash Descriptor (IFD) is unlocked. On older Intel platforms (up to Ivy Bridge/3rd gen), the ME can be neutered (most modules removed), while on newer platforms (Skylake and later), the ME is deactivated using HAP bits or other methods. The historical distinction between “Legacy” and “Maximized” boards is no longer relevant as of 2024, since all supported boards now use the approach that was previously called “maximized.”
For users upgrading from very old firmware (pre-2024), see the Historical Legacy Migration page.
Emulated devices
For further information, see Emulating Heads