cache/determinism fixes and doc updates

Makefile

@@ -8,8 +8,9 @@ export
 
 ## Use env vars from latest release when reproducing
 ifdef REPRODUCE
-    include dist/release.env
-    export
+include dist/release.env
+NO_CACHE := --no-cache
+export
 endif
 
 .DEFAULT_GOAL :=
@@ -24,12 +25,13 @@ default: \
 out/airgap.iso: Containerfile $(shell git ls-files rootfs)
 	docker build \
 		--progress=plain \
-		--output type=local,dest=out \
+		--output type=local,rewrite-timestamp=true,dest=out \
 		--build-arg VERSION="$(VERSION)" \
 		--build-arg GIT_REF="$(GIT_REF)" \
 		--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
 		--build-arg GIT_KEY="$(GIT_KEY)" \
 		--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
+		$(NO_CACHE) \
 		-f Containerfile \
 		.
 

README.md

@@ -66,6 +66,18 @@ make attest
 make sign
 ```
 
+## Provisioning ##
+
+1. Write airgap.iso to CD-ROM or SD Card
+  a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
+  b. `cdrecord out/airgap.iso`
+
+2. Verify media still produces expected hash
+  ```
+  sha256sum out/airgap.iso
+  head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
+  ```
+
 ## Setup ##
 
 Assumes target is running Pureboot or Coreboot/heads