README.md

@@ -129,6 +129,41 @@ make vm
 make shell
 ```
 
+## Writing to SD Card ##
+
+1. Flash `airgap.iso` to an SD Card:
+
+   * Use `lsblk` to find device name   
+
+   * `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct`
+
+2. Use the `sdtool` to lock the SD Card:
+
+   a. Get deterministically built binary of `sdtool` from StageX: 
+      * `docker pull stagex/sdtool:latest`
+
+   b. Extracting binary:
+      * Run docker container: `docker create -p 4000:80 --name sdtool stagex/sdtool`
+         * Copy image to tar: `docker export <container_id> -o sdtool.tar`
+         * Extract binary from tar: `mkdir -p sdtool-dir | tar -xvf sdtool.tar -C sdtool-dir | cp sdtool-dir/usr/bin/sdtool ./sdtool`
+         * You can verify the container hash:
+            * To get container hash: `docker inspect --format='{{json .RepoDigests}}'  stagex/sdtool`
+            * Check the [signatures dir](https://codeberg.org/stagex/stagex/src/branch/main/signatures/stagex) in stagex project for latest signed hashes
+
+   c. Permanently lock the card: 
+   
+      * `./sdtool /dev/mmcblk permlock`
+
+   d. Test that the card can't be written to:
+
+      * `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress`
+
+3. Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
+
+    * `head -c $(stat -c '%s' out/airgap.iso) /dev/<your_device> | sha256sum`
+
+    * `sha256sum out/airgap.iso`
+
 ## Hardware Compatibility ##
 
 ### Tested Models