:Merge branch 'determinisim-refactor' of github.com:distrust-foundation/AirgapOS into determinisim-refactor
This commit is contained in:
commit
6e09edfe5a
19
Makefile
19
Makefile
|
@ -2,7 +2,6 @@ NAME := airgap
|
||||||
IMAGE := local/$(NAME):latest
|
IMAGE := local/$(NAME):latest
|
||||||
ARCH := x86_64
|
ARCH := x86_64
|
||||||
TARGET := $(ARCH)
|
TARGET := $(ARCH)
|
||||||
DEVICES := librem_13v4 librem_15v4
|
|
||||||
USER := $(shell id -u):$(shell id -g)
|
USER := $(shell id -u):$(shell id -g)
|
||||||
CPUS := $(shell docker run -it debian nproc)
|
CPUS := $(shell docker run -it debian nproc)
|
||||||
GIT_REF := $(shell git log -1 --format=%H config)
|
GIT_REF := $(shell git log -1 --format=%H config)
|
||||||
|
@ -53,20 +52,13 @@ mrproper:
|
||||||
docker image rm -f $(IMAGE)
|
docker image rm -f $(IMAGE)
|
||||||
rm -rf $(CACHE_DIR) $(OUT_DIR)
|
rm -rf $(CACHE_DIR) $(OUT_DIR)
|
||||||
|
|
||||||
.PHONY: build-fw
|
|
||||||
build-fw: $(CACHE_DIR)/toolchain.tar
|
|
||||||
$(call toolchain,$(USER),"build-fw")
|
|
||||||
mkdir -p $(RELEASE_DIR)
|
|
||||||
for device in $(DEVICES); do \
|
|
||||||
cp \
|
|
||||||
$(CACHE_DIR)/heads/build/$${device}/pureboot*.rom \
|
|
||||||
$(RELEASE_DIR)/$${device}.rom ; \
|
|
||||||
done
|
|
||||||
|
|
||||||
## Release Targets
|
## Release Targets
|
||||||
|
|
||||||
.PHONY: release
|
.PHONY: release
|
||||||
release: | out/release.env out/airgap.iso out/manifest.txt
|
release: | \
|
||||||
|
$(OUT_DIR)/release.env \
|
||||||
|
$(OUT_DIR)/airgap.iso \
|
||||||
|
$(OUT_DIR)/manifest.txt
|
||||||
mkdir -p $(RELEASE_DIR)
|
mkdir -p $(RELEASE_DIR)
|
||||||
cp out/release.env $(RELEASE_DIR)/release.env
|
cp out/release.env $(RELEASE_DIR)/release.env
|
||||||
cp out/airgap.iso $(RELEASE_DIR)/airgap.iso
|
cp out/airgap.iso $(RELEASE_DIR)/airgap.iso
|
||||||
|
@ -200,7 +192,7 @@ $(OUT_DIR)/airgap.iso: \
|
||||||
cd buildroot; \
|
cd buildroot; \
|
||||||
make "airgap_$(TARGET)_defconfig"; \
|
make "airgap_$(TARGET)_defconfig"; \
|
||||||
unset FAKETIME; \
|
unset FAKETIME; \
|
||||||
make source; \
|
make source; \
|
||||||
make; \
|
make; \
|
||||||
")
|
")
|
||||||
mkdir -p $(OUT_DIR)
|
mkdir -p $(OUT_DIR)
|
||||||
|
@ -271,7 +263,6 @@ define toolchain
|
||||||
--env FAKETIME=$(FAKETIME) \
|
--env FAKETIME=$(FAKETIME) \
|
||||||
--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \
|
--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \
|
||||||
--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \
|
--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \
|
||||||
--env DEVICES="$(DEVICES)" \
|
|
||||||
--env UID="$(shell id -u)" \
|
--env UID="$(shell id -u)" \
|
||||||
--env GID="$(shell id -g)" \
|
--env GID="$(shell id -g)" \
|
||||||
$(IMAGE) \
|
$(IMAGE) \
|
||||||
|
|
54
README.md
54
README.md
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
## About ##
|
## About ##
|
||||||
|
|
||||||
A live buildroot based distribution designed for managing secrets offline.
|
A live buildroot based Liux distribution designed for managing secrets offline.
|
||||||
|
|
||||||
Built for those of us that want to be -really- sure our most important secrets
|
Built for those of us that want to be -really- sure our most important secrets
|
||||||
are managed in a clean environment with an "air gap" between us and the
|
are managed in a clean environment with an "air gap" between us and the
|
||||||
|
@ -18,19 +18,11 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
||||||
* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
|
* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
|
||||||
|
|
||||||
## Features ##
|
## Features ##
|
||||||
* Builds Coreboot-heads firmware for all supported devices for measured boot
|
* Determinsitic iso generation for multi-party code->binary verification
|
||||||
* Determinsitic rom/iso generation for multi-party code->binary verification
|
|
||||||
* Small footprint (< 100MB)
|
* Small footprint (< 100MB)
|
||||||
* Immutable and Diskless: runs from initramfs
|
* Immutable and Diskless: runs from initramfs
|
||||||
* Network support and most drivers removed to minimize exfiltration vectors
|
* Network support and most drivers removed to minimize exfiltration vectors
|
||||||
|
|
||||||
## Supported Devices ##
|
|
||||||
|
|
||||||
| Device | TPM Model | TPM Version | Remote Attestation |
|
|
||||||
|-------------|:--------------:|:-----------:|:-------------------:|
|
|
||||||
| Librem13v4 | Infineon 9465 | 1.2 | HOTP via Nitrokey |
|
|
||||||
| Librem15v4 | Infineon 9456 | 1.2 | HOTP via Nitrokey |
|
|
||||||
|
|
||||||
## Requirements ##
|
## Requirements ##
|
||||||
|
|
||||||
### Software ###
|
### Software ###
|
||||||
|
@ -39,14 +31,14 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
||||||
|
|
||||||
### Hardware ###
|
### Hardware ###
|
||||||
|
|
||||||
* Supported PC already running coreboot-heads
|
* Recommended: PC running coreboot-heads
|
||||||
* Ensure any Wifi/Disk/Bluetooth/Audio devices are removed
|
* Allows for signed builds, and verification of signed sd card payloads
|
||||||
|
* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
|
||||||
* Supported remote attestation key (Librem Key, Nitrokey, etc)
|
* Supported remote attestation key (Librem Key, Nitrokey, etc)
|
||||||
* Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
|
* Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
|
||||||
* Blank flash drive
|
* Blank flash drive
|
||||||
* Blank SD card
|
* Blank SD card
|
||||||
|
|
||||||
|
|
||||||
## Build ##
|
## Build ##
|
||||||
|
|
||||||
### Build a new release
|
### Build a new release
|
||||||
|
@ -67,19 +59,33 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
||||||
make VERSION=1.0.0rc1 sign
|
make VERSION=1.0.0rc1 sign
|
||||||
```
|
```
|
||||||
|
|
||||||
## Install ##
|
## Setup ##
|
||||||
|
|
||||||
1. Place contents of release/$VERSION folder on SD card
|
Assumes target is running Pureboot or Coreboot/heads
|
||||||
2. Boot machine to Heads -> Options -> Flash/Update BIOS
|
|
||||||
3. Flash firmware via "Flash the firmware with new ROM, erase settings"
|
|
||||||
4. Insert external Remote attestation key and signing key when prompted
|
|
||||||
6. Reboot and verify successful remote attestation
|
|
||||||
7. Boot to shell: Options -> Recovery Shell
|
|
||||||
8. Mount SD card
|
|
||||||
9. Insert chosen GPG Smartcard device
|
|
||||||
10. Sign target iso ```gpg --armor --detach-sign airgap*.iso```
|
|
||||||
11. Reboot
|
|
||||||
|
|
||||||
|
1. Boot to shell: ```Options -> Recovery Shell```
|
||||||
|
2. Mount SD card
|
||||||
|
```
|
||||||
|
mount-usb
|
||||||
|
mount -o remount,rw /media
|
||||||
|
```
|
||||||
|
3. Insert chosen GPG Smartcard device
|
||||||
|
4. Initialize smartcard
|
||||||
|
```
|
||||||
|
gpg --card-status
|
||||||
|
```
|
||||||
|
5. Sign target iso
|
||||||
|
```
|
||||||
|
cd /media
|
||||||
|
gpg --armor --detach-sign airgap.iso
|
||||||
|
```
|
||||||
|
6. Unmount
|
||||||
|
```
|
||||||
|
cd
|
||||||
|
umount /media
|
||||||
|
sync
|
||||||
|
```
|
||||||
|
7. Reboot
|
||||||
|
|
||||||
## Usage ##
|
## Usage ##
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue