airgap/README.md

# AirgapOS #

<https://git.distrust.co/public/airgap>

## About ##

A full-source-bootstrapped, deterministic, minimal, immutable, and offline,
workstation linux distribution designed for creating and managing secrets
offline.

Built for those of us that want to be -really- sure our most important secrets
are managed in a clean environment with an "air gap" between us and the
internet with high integrity on the supply chain of the firmware and OS used.

## Uses ##
 * Generate PGP keychain
 * Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
 * Signing cryptocurrency transactions
 * Generate/backup BIP39 universal cryptocurrency wallet seed
 * Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

## Features ##
 * Deterministic iso generation for multi-party code->binary verification
 * Small footprint (< 100MB)
 * Immutable and Diskless: runs from initramfs
 * Network support and most drivers removed to minimize exfiltration vectors

## Requirements ##

### Software ###

* docker 26+

### Hardware ###

* x86_64 PC or laptop
    * linuxboot/heads firmware supported and recommended for multi-use machine
      * Allows for signed builds, and verification of signed sd card payloads
    * Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
* Blank flash drive
* Blank SD card

## Build ##

### Update git submodules

```
git submodule update --init --recursive
```

### Build a new release

```
make release
```

### Reproduce an existing release

```
make attest
```

### Sign an existing release

```
make sign
```

## Provisioning ##

1. Write airgap.iso to CD-ROM or SD Card
  a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
  b. `cdrecord out/airgap.iso`

2. Verify media still produces expected hash
  ```
  sha256sum out/airgap.iso
  head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
  ```

## Setup ##

Assumes target is running Pureboot or Coreboot/heads

1. Boot to shell: ```Options -> Recovery Shell```
2. Mount SD card
	```
	mount-usb
	mount -o remount,rw /media
	```
3. Insert chosen GPG Smartcard device
4. Initialize smartcard
	```
	gpg --card-status
	```
5. Sign target iso
	```
	cd /media
	gpg --armor --detach-sign airgap.iso
	```
6. Unmount
	```
	cd
	umount /media
	sync
	```
7. Reboot

## Usage ##

1. Insert remote attestation device
2. Power on, and verify successful remote attestation
3. Boot to airgap via: Options -> Boot Options -> USB Boot

## Development ##

### Build develop image
```
make
```

### Boot image in qemu
```
make vm
```

### Enter shell in build environment
```
make shell
```
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`# AirgapOS #`
rename to airgap 2020-06-15 18:04:50 +00:00
docs: first pass of stagex doc fixes 2024-06-27 07:35:06 +00:00			`<https://git.distrust.co/public/airgap>`
rename to airgap 2020-06-15 18:04:50 +00:00
			`## About ##`

docs: first pass of stagex doc fixes 2024-06-27 07:35:06 +00:00			`A full-source-bootstrapped, deterministic, minimal, immutable, and offline,`
			`workstation linux distribution designed for creating and managing secrets`
			`offline.`
rename to airgap 2020-06-15 18:04:50 +00:00
			`Built for those of us that want to be -really- sure our most important secrets`
			`are managed in a clean environment with an "air gap" between us and the`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`internet with high integrity on the supply chain of the firmware and OS used.`
rename to airgap 2020-06-15 18:04:50 +00:00
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`## Uses ##`
docs: first pass of stagex doc fixes 2024-06-27 07:35:06 +00:00			`* Generate PGP keychain`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`* Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey`
			`* Signing cryptocurrency transactions`
			`* Generate/backup BIP39 universal cryptocurrency wallet seed`
			`* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger`
rename to airgap 2020-06-15 18:04:50 +00:00
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`## Features ##`
fix: typo 2024-03-28 23:55:28 +00:00			`* Deterministic iso generation for multi-party code->binary verification`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`* Small footprint (< 100MB)`
			`* Immutable and Diskless: runs from initramfs`
			`* Network support and most drivers removed to minimize exfiltration vectors`

rename to airgap 2020-06-15 18:04:50 +00:00			`## Requirements ##`

			`### Software ###`

docs: first pass of stagex doc fixes 2024-06-27 07:35:06 +00:00			`* docker 26+`
rename to airgap 2020-06-15 18:04:50 +00:00
			`### Hardware ###`

docs: first pass of stagex doc fixes 2024-06-27 07:35:06 +00:00			`* x86_64 PC or laptop`
			`* linuxboot/heads firmware supported and recommended for multi-use machine`
			`* Allows for signed builds, and verification of signed sd card payloads`
			`* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`* Blank flash drive`
			`* Blank SD card`

rename to airgap 2020-06-15 18:04:50 +00:00			`## Build ##`

chore: clean up build section 2024-03-28 15:38:56 +00:00			`### Update git submodules`

			```
			`git submodule update --init --recursive`
			```

working release/attest/sign flow 2022-12-26 09:22:00 +00:00			`### Build a new release`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
chore: clean up build section 2024-03-28 15:38:56 +00:00			```
			`make release`
			```
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
working release/attest/sign flow 2022-12-26 09:22:00 +00:00			`### Reproduce an existing release`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
chore: clean up build section 2024-03-28 15:38:56 +00:00			```
			`make attest`
			```
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
working release/attest/sign flow 2022-12-26 09:22:00 +00:00			`### Sign an existing release`

chore: clean up build section 2024-03-28 15:38:56 +00:00			```
			`make sign`
			```
rename to airgap 2020-06-15 18:04:50 +00:00
cache/determinism fixes and doc updates 2024-08-03 22:52:30 +00:00			`## Provisioning ##`

			`1. Write airgap.iso to CD-ROM or SD Card`
			a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
			b. `cdrecord out/airgap.iso`

			`2. Verify media still produces expected hash`
			```
			`sha256sum out/airgap.iso`
			`head -c $(stat -c '%s' airgap.iso) /dev/sda \| sha256sum`
			```

Remove broken/blocking coreboot/heads build support 2022-12-31 00:57:44 +00:00			`## Setup ##`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
update readme with vanilla heads/pureboot setup steps 2023-01-03 00:47:09 +00:00			`Assumes target is running Pureboot or Coreboot/heads`

			1. Boot to shell: ```Options -> Recovery Shell```
			`2. Mount SD card`
			```
			`mount-usb`
			`mount -o remount,rw /media`
			```
			`3. Insert chosen GPG Smartcard device`
			`4. Initialize smartcard`
			```
			`gpg --card-status`
			```
			`5. Sign target iso`
			```
			`cd /media`
			`gpg --armor --detach-sign airgap.iso`
			```
			`6. Unmount`
			```
			`cd`
			`umount /media`
			`sync`
			```
Remove broken/blocking coreboot/heads build support 2022-12-31 00:57:44 +00:00			`7. Reboot`
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
			`## Usage ##`

			`1. Insert remote attestation device`
			`2. Power on, and verify successful remote attestation`
			`3. Boot to airgap via: Options -> Boot Options -> USB Boot`

rename to airgap 2020-06-15 18:04:50 +00:00			`## Development ##`

overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`### Build develop image`
			```
			`make`
			```
rename to airgap 2020-06-15 18:04:50 +00:00
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00			`### Boot image in qemu`
rename to airgap 2020-06-15 18:04:50 +00:00			```
			`make vm`
			```
overhaul docs to respect current state of affairs 2020-07-19 09:25:06 +00:00
			`### Enter shell in build environment`
			```
			`make shell`
			```