From 7dfb2882a62d9e33ccafef8eaf670801775a9178 Mon Sep 17 00:00:00 2001 From: "Lance R. Vick" Date: Fri, 30 Dec 2022 16:57:44 -0800 Subject: [PATCH 1/2] Remove broken/blocking coreboot/heads build support --- Makefile | 19 +++++-------------- README.md | 38 +++++++++++++------------------------- 2 files changed, 18 insertions(+), 39 deletions(-) diff --git a/Makefile b/Makefile index b533687..0291a2f 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,6 @@ NAME := airgap IMAGE := local/$(NAME):latest ARCH := x86_64 TARGET := $(ARCH) -DEVICES := librem_13v4 librem_15v4 USER := $(shell id -u):$(shell id -g) CPUS := $(shell docker run -it debian nproc) GIT_REF := $(shell git log -1 --format=%H config) @@ -53,20 +52,13 @@ mrproper: docker image rm -f $(IMAGE) rm -rf $(CACHE_DIR) $(OUT_DIR) -.PHONY: build-fw -build-fw: $(CACHE_DIR)/toolchain.tar - $(call toolchain,$(USER),"build-fw") - mkdir -p $(RELEASE_DIR) - for device in $(DEVICES); do \ - cp \ - $(CACHE_DIR)/heads/build/$${device}/pureboot*.rom \ - $(RELEASE_DIR)/$${device}.rom ; \ - done - ## Release Targets .PHONY: release -release: | out/release.env out/airgap.iso out/manifest.txt +release: | \ + $(OUT_DIR)/release.env \ + $(OUT_DIR)/airgap.iso \ + $(OUT_DIR)/manifest.txt mkdir -p $(RELEASE_DIR) cp out/release.env $(RELEASE_DIR)/release.env cp out/airgap.iso $(RELEASE_DIR)/airgap.iso @@ -200,7 +192,7 @@ $(OUT_DIR)/airgap.iso: \ cd buildroot; \ make "airgap_$(TARGET)_defconfig"; \ unset FAKETIME; \ - make source; \ + make source; \ make; \ ") mkdir -p $(OUT_DIR) @@ -271,7 +263,6 @@ define toolchain --env FAKETIME=$(FAKETIME) \ --env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \ --env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \ - --env DEVICES="$(DEVICES)" \ --env UID="$(shell id -u)" \ --env GID="$(shell id -g)" \ $(IMAGE) \ diff --git a/README.md b/README.md index a60c2f4..0f327e4 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ## About ## -A live buildroot based distribution designed for managing secrets offline. +A live buildroot based Liux distribution designed for managing secrets offline. Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the @@ -18,19 +18,11 @@ internet with high integrity on the supply chain of the firmware and OS used. * Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger ## Features ## - * Builds Coreboot-heads firmware for all supported devices for measured boot - * Determinsitic rom/iso generation for multi-party code->binary verification + * Determinsitic iso generation for multi-party code->binary verification * Small footprint (< 100MB) * Immutable and Diskless: runs from initramfs * Network support and most drivers removed to minimize exfiltration vectors -## Supported Devices ## - - | Device | TPM Model | TPM Version | Remote Attestation | - |-------------|:--------------:|:-----------:|:-------------------:| - | Librem13v4 | Infineon 9465 | 1.2 | HOTP via Nitrokey | - | Librem15v4 | Infineon 9456 | 1.2 | HOTP via Nitrokey | - ## Requirements ## ### Software ### @@ -39,14 +31,14 @@ internet with high integrity on the supply chain of the firmware and OS used. ### Hardware ### -* Supported PC already running coreboot-heads - * Ensure any Wifi/Disk/Bluetooth/Audio devices are removed +* Recommended: PC running coreboot-heads + * Allows for signed builds, and verification of signed sd card payloads + * Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed * Supported remote attestation key (Librem Key, Nitrokey, etc) * Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc) * Blank flash drive * Blank SD card - ## Build ## ### Build a new release @@ -67,19 +59,15 @@ internet with high integrity on the supply chain of the firmware and OS used. make VERSION=1.0.0rc1 sign ``` -## Install ## - -1. Place contents of release/$VERSION folder on SD card -2. Boot machine to Heads -> Options -> Flash/Update BIOS -3. Flash firmware via "Flash the firmware with new ROM, erase settings" -4. Insert external Remote attestation key and signing key when prompted -6. Reboot and verify successful remote attestation -7. Boot to shell: Options -> Recovery Shell -8. Mount SD card -9. Insert chosen GPG Smartcard device -10. Sign target iso ```gpg --armor --detach-sign airgap*.iso``` -11. Reboot +## Setup ## +1. Insert external Remote attestation key and signing key when prompted +2. Reboot and verify successful remote attestation +3. Boot to shell: Options -> Recovery Shell +4. Mount SD card +5. Insert chosen GPG Smartcard device +6. Sign target iso ```gpg --armor --detach-sign airgap*.iso``` +7. Reboot ## Usage ## From b2000a3f89d473bd5d85bdad802be1f4c2746528 Mon Sep 17 00:00:00 2001 From: "Lance R. Vick" Date: Mon, 2 Jan 2023 16:47:09 -0800 Subject: [PATCH 2/2] update readme with vanilla heads/pureboot setup steps --- README.md | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0f327e4..a24bb4b 100644 --- a/README.md +++ b/README.md @@ -61,12 +61,30 @@ internet with high integrity on the supply chain of the firmware and OS used. ## Setup ## -1. Insert external Remote attestation key and signing key when prompted -2. Reboot and verify successful remote attestation -3. Boot to shell: Options -> Recovery Shell -4. Mount SD card -5. Insert chosen GPG Smartcard device -6. Sign target iso ```gpg --armor --detach-sign airgap*.iso``` +Assumes target is running Pureboot or Coreboot/heads + +1. Boot to shell: ```Options -> Recovery Shell``` +2. Mount SD card + ``` + mount-usb + mount -o remount,rw /media + ``` +3. Insert chosen GPG Smartcard device +4. Initialize smartcard + ``` + gpg --card-status + ``` +5. Sign target iso + ``` + cd /media + gpg --armor --detach-sign airgap.iso + ``` +6. Unmount + ``` + cd + umount /media + sync + ``` 7. Reboot ## Usage ##