:Merge branch 'determinisim-refactor' of github.com:distrust-foundation/AirgapOS into determinisim-refactor

This commit is contained in:
Anton Livaja 2023-01-02 23:47:35 -05:00
commit 6e09edfe5a
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
2 changed files with 35 additions and 38 deletions

View File

@ -2,7 +2,6 @@ NAME := airgap
IMAGE := local/$(NAME):latest IMAGE := local/$(NAME):latest
ARCH := x86_64 ARCH := x86_64
TARGET := $(ARCH) TARGET := $(ARCH)
DEVICES := librem_13v4 librem_15v4
USER := $(shell id -u):$(shell id -g) USER := $(shell id -u):$(shell id -g)
CPUS := $(shell docker run -it debian nproc) CPUS := $(shell docker run -it debian nproc)
GIT_REF := $(shell git log -1 --format=%H config) GIT_REF := $(shell git log -1 --format=%H config)
@ -53,20 +52,13 @@ mrproper:
docker image rm -f $(IMAGE) docker image rm -f $(IMAGE)
rm -rf $(CACHE_DIR) $(OUT_DIR) rm -rf $(CACHE_DIR) $(OUT_DIR)
.PHONY: build-fw
build-fw: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"build-fw")
mkdir -p $(RELEASE_DIR)
for device in $(DEVICES); do \
cp \
$(CACHE_DIR)/heads/build/$${device}/pureboot*.rom \
$(RELEASE_DIR)/$${device}.rom ; \
done
## Release Targets ## Release Targets
.PHONY: release .PHONY: release
release: | out/release.env out/airgap.iso out/manifest.txt release: | \
$(OUT_DIR)/release.env \
$(OUT_DIR)/airgap.iso \
$(OUT_DIR)/manifest.txt
mkdir -p $(RELEASE_DIR) mkdir -p $(RELEASE_DIR)
cp out/release.env $(RELEASE_DIR)/release.env cp out/release.env $(RELEASE_DIR)/release.env
cp out/airgap.iso $(RELEASE_DIR)/airgap.iso cp out/airgap.iso $(RELEASE_DIR)/airgap.iso
@ -200,7 +192,7 @@ $(OUT_DIR)/airgap.iso: \
cd buildroot; \ cd buildroot; \
make "airgap_$(TARGET)_defconfig"; \ make "airgap_$(TARGET)_defconfig"; \
unset FAKETIME; \ unset FAKETIME; \
make source; \ make source; \
make; \ make; \
") ")
mkdir -p $(OUT_DIR) mkdir -p $(OUT_DIR)
@ -271,7 +263,6 @@ define toolchain
--env FAKETIME=$(FAKETIME) \ --env FAKETIME=$(FAKETIME) \
--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \ --env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \
--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \ --env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \
--env DEVICES="$(DEVICES)" \
--env UID="$(shell id -u)" \ --env UID="$(shell id -u)" \
--env GID="$(shell id -g)" \ --env GID="$(shell id -g)" \
$(IMAGE) \ $(IMAGE) \

View File

@ -4,7 +4,7 @@
## About ## ## About ##
A live buildroot based distribution designed for managing secrets offline. A live buildroot based Liux distribution designed for managing secrets offline.
Built for those of us that want to be -really- sure our most important secrets Built for those of us that want to be -really- sure our most important secrets
are managed in a clean environment with an "air gap" between us and the are managed in a clean environment with an "air gap" between us and the
@ -18,19 +18,11 @@ internet with high integrity on the supply chain of the firmware and OS used.
* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger * Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
## Features ## ## Features ##
* Builds Coreboot-heads firmware for all supported devices for measured boot * Determinsitic iso generation for multi-party code->binary verification
* Determinsitic rom/iso generation for multi-party code->binary verification
* Small footprint (< 100MB) * Small footprint (< 100MB)
* Immutable and Diskless: runs from initramfs * Immutable and Diskless: runs from initramfs
* Network support and most drivers removed to minimize exfiltration vectors * Network support and most drivers removed to minimize exfiltration vectors
## Supported Devices ##
| Device | TPM Model | TPM Version | Remote Attestation |
|-------------|:--------------:|:-----------:|:-------------------:|
| Librem13v4 | Infineon 9465 | 1.2 | HOTP via Nitrokey |
| Librem15v4 | Infineon 9456 | 1.2 | HOTP via Nitrokey |
## Requirements ## ## Requirements ##
### Software ### ### Software ###
@ -39,14 +31,14 @@ internet with high integrity on the supply chain of the firmware and OS used.
### Hardware ### ### Hardware ###
* Supported PC already running coreboot-heads * Recommended: PC running coreboot-heads
* Ensure any Wifi/Disk/Bluetooth/Audio devices are removed * Allows for signed builds, and verification of signed sd card payloads
* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
* Supported remote attestation key (Librem Key, Nitrokey, etc) * Supported remote attestation key (Librem Key, Nitrokey, etc)
* Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc) * Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
* Blank flash drive * Blank flash drive
* Blank SD card * Blank SD card
## Build ## ## Build ##
### Build a new release ### Build a new release
@ -67,19 +59,33 @@ internet with high integrity on the supply chain of the firmware and OS used.
make VERSION=1.0.0rc1 sign make VERSION=1.0.0rc1 sign
``` ```
## Install ## ## Setup ##
1. Place contents of release/$VERSION folder on SD card Assumes target is running Pureboot or Coreboot/heads
2. Boot machine to Heads -> Options -> Flash/Update BIOS
3. Flash firmware via "Flash the firmware with new ROM, erase settings"
4. Insert external Remote attestation key and signing key when prompted
6. Reboot and verify successful remote attestation
7. Boot to shell: Options -> Recovery Shell
8. Mount SD card
9. Insert chosen GPG Smartcard device
10. Sign target iso ```gpg --armor --detach-sign airgap*.iso```
11. Reboot
1. Boot to shell: ```Options -> Recovery Shell```
2. Mount SD card
```
mount-usb
mount -o remount,rw /media
```
3. Insert chosen GPG Smartcard device
4. Initialize smartcard
```
gpg --card-status
```
5. Sign target iso
```
cd /media
gpg --armor --detach-sign airgap.iso
```
6. Unmount
```
cd
umount /media
sync
```
7. Reboot
## Usage ## ## Usage ##