README: update for burning to SD card and locking with sdtool #24

Open
anton wants to merge 2 commits from anton/sd-card-instructions into main
1 changed files with 35 additions and 0 deletions
Showing only changes of commit 5920ce2db1 - Show all commits

@ -129,6 +129,41 @@ make vm
make shell
```
## Writing to SD Card ##
1. Flash `airgap.iso` to an SD Card:
* Use `lsblk` to find device name
* `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct`
2. Use the `sdtool` to lock the SD Card:
a. Get deterministically built binary of `sdtool` from StageX:
* `docker pull stagex/sdtool:latest`
b. Extracting binary:
* Run docker container: `docker create -p 4000:80 --name sdtool stagex/sdtool`
* Copy image to tar: `docker export <container_id> -o sdtool.tar`
* Extract binary from tar: `mkdir -p sdtool-dir | tar -xvf sdtool.tar -C sdtool-dir | cp sdtool-dir/usr/bin/sdtool ./sdtool`
* You can verify the container hash:
* To get container hash: `docker inspect --format='{{json .RepoDigests}}' stagex/sdtool`
* Check the [signatures dir](https://codeberg.org/stagex/stagex/src/branch/main/signatures/stagex) in stagex project for latest signed hashes
c. Permanently lock the card:
* `./sdtool /dev/mmcblk permlock`
d. Test that the card can't be written to:
* `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress`
3. Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
* `head -c $(stat -c '%s' out/airgap.iso) /dev/<your_device> | sha256sum`
* `sha256sum out/airgap.iso`
## Hardware Compatibility ##
### Tested Models
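
Review bot: Step 3 (the `sha256sum` comparison of `out/airgap.iso` against the card) comes after step 2c, `./sdtool /dev/mmcblk permlock`, so a bad or truncated flash is only detected once the card can no longer be rewritten. Move the hash verification ahead of the permanent lock and keep the write test in 2d as the last step.

In 2b, the extract line joins its commands with pipes: `mkdir -p sdtool-dir | tar -xvf sdtool.tar -C sdtool-dir | cp sdtool-dir/usr/bin/sdtool ./sdtool`. A pipeline starts all three at once, so `tar` can run before the directory exists and `cp` before the binary is extracted. Chain them with `&&` instead. The `docker create` line is labelled "Run docker container" although it only creates one, its `-p 4000:80` mapping is not needed for `docker export`, and the next line asks for `<container_id>` even though the container was just named `sdtool`.

The image is pulled as `stagex/sdtool:latest`, and the digest check is worded as optional ("You can verify the container hash") and listed after the extraction steps. Since this binary performs an irreversible operation on the boot media, make the `RepoDigests` check against the signed hashes a required step before the binary is extracted.

The device paths are inconsistent across the steps: `/dev/<your_device>` in steps 1 and 3, `/dev/mmcblk` with no device number in 2c, and a hardcoded `/dev/sdb` in 2d. A reader who copies the 2d `dd` line verbatim may write to an unrelated disk. Use the same placeholder throughout.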