Table of contents
  1. Generic OS Installation
  2. Installing Qubes 4.1
  3. Taking ownership of the states
  4. Taking ownership of the TPM
  5. Signing /boot content
  6. Setting a new boot default
  7. Until next dom0 upgrade, this is the normal boot process
  8. When updating dom0 from Qubes OS update widget
    1. Installing extra software

Generic OS Installation

  1. Insert the OS installation media into one of the USB3 ports (blue on Thinkpads). For certain OSes, the Heads boot process supports standard OS ISO bootable media (where the USB drive contains the ISO installation media alongside its detached signature). For other OSes, you will need to create USB installation media using dd, unetbootin, etc.

For supported OSes, on an EXT3/EXT4-formatted partition of the USB drive, you can put the ISO image along with a trusted detached signature in the root directory:

/Qubes-R4.0-x86_64.iso
/Qubes-R4.0-x86_64.iso.asc
/tails-amd64-3.7.iso
/tails-amd64-3.7.iso.sig
  • Some distros will require additional options to boot directly from ISO. See Boot config files for more information.
  • Boot from USB by Boot menu options, or by calling usb-scan from the recovery shell.
    • Select the install boot option for your distro of choice and work through the standard OS installation procedure (including setting up LUKS disk encryption if desired).
  • Reboot, and your new boot option should be available through Boot Options: Show boot options.

Each ISO file is verified for integrity and authenticity before booting, so you can be sure Live distros and installation media are not tampered with or corrupted; this route is preferred when available. You can also sign the ISO with your own key from the Heads recovery shell menu option:

gpg --output <iso_name>.sig --detach-sig <iso_name>
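As an added example (not code from Heads or any distribution), here is the verify side of that detached-signature layout in POSIX shell: locate the .sig or .asc next to each ISO, refuse to go on without one, and check it with gpg against a keyring that holds only the distribution keys you trust. KEYRING_DIR, the function names and the fail-closed policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Heads code. Media layout assumed as on the page:
#   /foo.iso next to /foo.iso.sig (binary) or /foo.iso.asc (armored).

# Print the detached signature path for an ISO, preferring .sig over .asc.
# Returns 1 when neither exists, so callers can fail closed.
find_signature() {
    iso="$1"
    for ext in sig asc; do
        if [ -f "$iso.$ext" ]; then
            printf '%s\n' "$iso.$ext"
            return 0
        fi
    done
    return 1
}

# Verify one ISO against its detached signature. KEYRING_DIR (assumed) is a
# GnuPG home dir containing only the distribution keys you trust, so a valid
# signature from any other key is still a refusal. Non-zero means do not boot.
verify_iso() {
    iso="$1"
    sig=$(find_signature "$iso") || { echo "REFUSE: no signature for $iso" >&2; return 1; }
    if gpg --homedir "${KEYRING_DIR:?GnuPG home dir with trusted distro keys}" \
           --batch --verify "$sig" "$iso" 2>/dev/null; then
        echo "OK: $iso verified with ${sig##*/}"
        return 0
    fi
    echo "REFUSE: signature check failed for $iso" >&2
    return 1
}

# List the ISOs in the media root that have a signature and are therefore
# candidates for the ISO boot menu; unsigned ISOs are silently skipped.
list_signed_isos() {
    for iso in "$1"/*.iso; do
        [ -f "$iso" ] || continue
        find_signature "$iso" >/dev/null && printf '%s\n' "${iso##*/}"
    done
    return 0
}
```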

If you want to set a default option so that you don’t have to choose at every boot, you can do so from the menu by selecting ‘d’ on the confirmation screen. You will also be able to seal your Disk Unlock Key into the TPM; it is unsealed only when the correct TPM disk encryption key passphrase is provided and when the firmware measurements and the LUKS header are the same as when the Disk Unlock Key was sealed, when booting from the detached-signed default boot option.

(*) Ubuntu/Debian Note: These systems don’t read /etc/crypttab in their initrd, so you need to adjust the crypttab in the OS and run update-initramfs -u to have it attempt to use the injected key. Due to oddities in the cryptroot hooks, you also need keyscript to be present in /etc/crypttab, even as a no-op /bin/cat:

sda5_crypt UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /secret.key luks,keyscript=/bin/cat

(Credit to https://www.pavelkogan.com/2015/01/25/linux-mint-encryption/ for this trick).

Installing Qubes 4.1

Qubes OS and Tails can boot directly from an ISO when it is accompanied by a detached signature (iso.asc or iso.sig): the distribution signing keys are shipped with Heads, so both the integrity and the authenticity of the ISO can be validated before booting into it.

Plug the ext3/ext4-formatted USB stick containing the Qubes R4.1 iso and iso.asc files into one of the USB ports and boot it from the USB boot menu:

[Screenshots: Heads Options > Boot Options > USB Boot Option > USB Boot Options ISOs > ISO verification and selection of ISO boot option > ISO boot kexec]

If that completes with no errors, it will launch the Xen hypervisor, kernel and initrd provided by the ISO and start the Qubes installer:

[Screenshots: Qubes 4.1 first screen; Select Installation Destination]

Use the default QubesOS partitioning scheme for QubesOS 4.x:

[Screenshots: Destination automatic partitioning with encryption; automatic partitioning with encryption done]

The Disk Recovery Key that you enter here will be used as the “recovery password” later. It should be a long value since you won’t have to enter it very often: only when upgrading the Heads firmware, when setting a new boot default and wanting to change the TPM-released disk encryption key (Disk Unlock Key), or if there is a need to recover the disk on an external machine.

[Screenshots: Disk Recovery passphrase prompt and confirmation; additional steps on an existing install (reclaim, delete all, reclaim); user creation and passphrase; begin installation; package installation; installation complete, reboot system]

First stage install is finished.

Disconnect your USB Security dongle (and any external keyboard/mouse) before going further. Otherwise Qubes might detect them as USB keyboards (HID devices), which will prevent sys-usb from being created properly:

[Screenshots: Heads Options > Boot Options > Unsafe Boot > confirmation > select dynamic option; Qubes 4.1 Disk Recovery Key passphrase prompt; second stage install main screen; options selection done; finish]

You should now have Qubes 4.1 installed!

Taking ownership of the states

Taking ownership of the TPM

Heads keeps TPM and HOTP rollback counters under /boot. Since we have just installed, these don’t exist yet and we need to create them. First, we need to acknowledge the current firmware state for the newly installed OS.

[Screenshots: Heads Options after install > TPM TOTP/HOTP > TPM reset option > confirmation > TPM reset seals TOTP and HOTP]

That’s it. You now have the TOTP scanned into your preferred TOTP smartphone app, or have entered the challenge secret manually into an external TOTP app on another computer if you do not own a smartphone.

Signing /boot content

Now that the firmware state is sealed in the TPM and remotely attested through TOTP/HOTP, it is time to sign the /boot content. This signature stays valid until your next dom0 upgrade, which will most probably update the Xen, initrd and kernel binaries as well as the grub configuration. Heads prompts for this automatically when you select the default boot option, since there are no digests or detached signature of the /boot content yet.

[Screenshots: Heads default boot after sealing; Heads warns about no hashes; Heads warns about no default after signing]

Setting a new boot default

If you choose to add the Disk Unlock Key to the TPM, you’ll need to specify which LUKS volume. A default Qubes install will work if you leave the ‘Encrypted LVM group?’ response blank and enter /dev/sda2 when asked about ‘Encrypted devices?’. For more details see the TPM Disk Unlock Keys section below. You’ll then be asked to enter the Disk Recovery Key as well as the new boot passphrase you’ll use to unseal that key.

[Screenshots: Heads prompts to set default boot option; confirmation; setting the Disk Unlock Key]

Until next dom0 upgrade, this is the normal boot process

[Screenshots: HOTP dongle flashes green; HOTP success main screen; default boot Disk Unlock Key prompt until next dom0 upgrade]

When updating dom0 from Qubes OS update widget

You need to reboot directly after applying dom0 upgrades:

!!! Boot entry has changed - please set a new default

Applying dom0 (or OS) updates that change the boot-related binaries and config files (updating the kernel, Xen, the initramfs, etc.) will modify the /boot content. This can also happen if someone has tampered with your /boot partition, so if you’re not sure of the situation, don’t proceed and investigate. The only way to make sure you are the origin of the changes is to reboot and sign the /boot content right after the upgrade. On Qubes OS, that should only happen when upgrading dom0. For other OSes, it can happen with any unattended upgrade, which requires you to inspect the system upgrade logs or be aware of proposed updates: if a kernel update is involved, you definitely need to reboot and sign now.

Choose the first option again (‘1’), then make it the new default (‘d’), confirm that you’re modifying the boot partition (‘y’), and that you don’t need to reseal the disk key (‘n’). You’ll be asked to insert your USB Security dongle and enter the GPG User PIN to sign the new configs; the system will then reboot and allow you to proceed as normal.
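To make the warning concrete, here is an added example (not Heads’ own code) of the check it implies, in POSIX shell: hash everything under a boot directory into a manifest, detach-sign that manifest with the same gpg form used for ISOs above, and report which files changed, vanished or appeared since the last signing. The manifest name kexec_hashes.txt, the function names and the directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Heads' own code: the check behind "Boot entry has
# changed". Everything under a boot dir is hashed into MANIFEST, the manifest
# is detach-signed with your GPG key, and at boot the digests are re-checked.
# The manifest name and function names are this example's assumptions.
MANIFEST=${MANIFEST:-kexec_hashes.txt}

# Relative paths of all files under the boot dir except the manifest and any
# signatures; run from inside that dir.
list_boot_files() {
    find . -type f ! -name "$MANIFEST" ! -name '*.sig' | sort
}

# Hash every file into the manifest. This is what "signing /boot" has to redo
# after a dom0 upgrade, since kernel, Xen, initrd and grub.cfg all change.
write_manifest() {
    ( cd "$1" && list_boot_files | while IFS= read -r f; do sha256sum "$f"; done ) \
        > "$1/$MANIFEST"
}

# Detach-sign the manifest with the key on the USB security dongle (same gpg
# form as the ISO signing command earlier on this page).
sign_manifest() {
    gpg --output "$1/$MANIFEST.sig" --detach-sig "$1/$MANIFEST"
}

# Re-check /boot against the manifest: print modified or missing files (from
# sha256sum -c) and files the manifest never saw (a new kernel or initrd).
# Returns 0 only when nothing drifted; anything else is the "set a new default"
# situation, or tampering if you did not upgrade. Verifying MANIFEST.sig with
# gpg --verify comes before this and is left out so the example runs keyless.
check_boot() {
    boot="$1"; rc=0
    [ -f "$boot/$MANIFEST" ] || { echo "no manifest: sign /boot first" >&2; return 2; }
    drift=$( cd "$boot" && sha256sum -c "$MANIFEST" 2>/dev/null | grep -v ': OK$' ) || true
    [ -z "$drift" ] || { printf '%s\n' "$drift"; rc=1; }
    new=$( cd "$boot" && list_boot_files | while IFS= read -r f; do
               awk '{print $2}' "$MANIFEST" | grep -qxF -- "$f" || echo "NEW: $f"
           done )
    [ -z "$new" ] || { printf '%s\n' "$new"; rc=1; }
    return "$rc"
}
```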

Installing extra software

sudo qubes-dom0-update

powertop is useful for debugging power drain issues. In dom0 run:

sudo qubes-dom0-update powertop

You might want to make the middle button into a scroll wheel. Add this to /etc/X11/xorg.conf.d/20-thinkpad-scrollwheel.conf:

Section "InputClass"
  Identifier  "Trackpoint Wheel Emulation"
  MatchProduct  "TPPS/2 IBM TrackPoint|DualPoint Stick|Synaptics Inc. Composite TouchPad / TrackPoint|ThinkPad USB Keyboard with TrackPoint|USB Trackpoint pointing device|Composite TouchPad / TrackPoint"
  MatchDevicePath  "/dev/input/event*"
  Option    "EmulateWheel"    "true"
  Option    "EmulateWheelButton"  "2"
  Option    "Emulate3Buttons"  "false"
  Option    "XAxisMapping"    "6 7"
  Option    "YAxisMapping"    "4 5"
EndSection

You’ll probably want to enable fan control, as described on ThinkWiki.

Disabling the ethernet might make sense to save power.