README: update for burning to SD card and locking with sdtool #24
			
				
			
		
		
		
	
							
								
								
									
										35
									
								
								README.md
								
								
								
								
							
							
						
						
									
										35
									
								
								README.md
								
								
								
								
							|  | @ -129,6 +129,41 @@ make vm | ||||||
| make shell | make shell | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | ## Writing to SD Card ## | ||||||
|  | 
 | ||||||
|  | 1. Flash `airgap.iso` to an SD Card: | ||||||
|  | 
 | ||||||
|  |    * Use `lsblk` to find device name    | ||||||
|  | 
 | ||||||
|  |    * `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress conv=fsync` | ||||||
|  | 
 | ||||||
|  | 2. Use the `sdtool` to lock the SD Card: | ||||||
|  | 
 | ||||||
|  |    a. Get deterministically built binary of `sdtool` from StageX:  | ||||||
|  |       * `docker pull stagex/sdtool:latest` | ||||||
|  | 
 | ||||||
|  |    b. Extracting binary: | ||||||
|  |       * Run docker container: `docker create -p 4000:80 --name sdtool stagex/sdtool` | ||||||
|  |          * Copy image to tar: `docker export <container_id> -o sdtool.tar` | ||||||
|  |          * Extract binary from tar: `mkdir -p sdtool-dir | tar -xvf sdtool.tar -C sdtool-dir | cp sdtool-dir/usr/bin/sdtool ./sdtool` | ||||||
|  |          * You can verify the container hash: | ||||||
|  |             * To get container hash: `docker inspect --format='{{json .RepoDigests}}'  stagex/sdtool` | ||||||
|  |             * Check the [signatures dir](https://codeberg.org/stagex/stagex/src/branch/main/signatures/stagex) in stagex project for latest signed hashes | ||||||
|  | 
 | ||||||
|  |    c. Permanently lock the card:  | ||||||
|  |     | ||||||
|  |       * `./sdtool /dev/mmcblk permlock` | ||||||
|  | 
 | ||||||
|  |    d. Test that the card can't be written to: | ||||||
|  | 
 | ||||||
|  |       * `dd if=out/airgap.iso of=/dev/sdb bs=1M status=progress conv=fsync` | ||||||
|  | 
 | ||||||
|  | 3. Verify that the hash of `airgap.iso` matches what's flashed on the SD card: | ||||||
|  | 
 | ||||||
|  |     * `head -c $(stat -c '%s' out/airgap.iso) /dev/<your_device> | sha256sum` | ||||||
|  | 
 | ||||||
|  |     * `sha256sum out/airgap.iso` | ||||||
|  | 
 | ||||||
| ## Hardware Compatibility ## | ## Hardware Compatibility ## | ||||||
| 
 | 
 | ||||||
| ### Tested Models | ### Tested Models | ||||||
|  |  | ||||||
		Loading…
	
		Reference in New Issue