From 17b37d0d5e6aabbea11fb7bd13ab571254084d12 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 8 Jan 2025 11:34:42 -0500 Subject: [PATCH] update bootstrapping doc --- quorum-key-management/src/SUMMARY.md | 3 +- .../hardware-models.md | 0 .../provisioner/pgp-key-bootstrapping.md | 38 +++++++++++-------- 3 files changed, 25 insertions(+), 16 deletions(-) rename quorum-key-management/src/{ => component-documents}/hardware-models.md (100%) diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index 5e9cadb..acb0808 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -41,4 +41,5 @@ * [Procurement & Chain of Custody](./component-documents/hardware-procurement-and-chain-of-custody.md) * [Online Artifact Storage](./component-documents/public-ceremony-artifact-storage.md) * [Physical Artifact Storage](./component-documents/physical-artifact-storage.md) - * [`autorun.sh` Setup](./component-documents/autorun-sh-setup.md) \ No newline at end of file + * [`autorun.sh` Setup](./component-documents/autorun-sh-setup.md) + * [Hardware Models](./component-documents/hardware-models.md) \ No newline at end of file diff --git a/quorum-key-management/src/hardware-models.md b/quorum-key-management/src/component-documents/hardware-models.md similarity index 100% rename from quorum-key-management/src/hardware-models.md rename to quorum-key-management/src/component-documents/hardware-models.md diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md index b3efd0c..65ec27b 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md @@ -2,29 +2,31 @@ ## Requirements -The initial set up requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes (TODO list sub-processes) so that the ceremony can be completed in one working day. +The initial set up requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes so that the ceremony can be completed in one working day. -* 3 individuals in order to have the flexibility for washroom breaks, fetching food and drinks etc. +* 3 individuals in order to have the flexibility for washroom breaks, fetching food and drinks etc. * AirgapOS SD Card: [Provisioning Guide](./provision-airgapos.md) * Tamper Proofing Equipment: [Provisioning Guide](./provision-tamper-proofing-equipment.md) -* Smart Cards (whatever number of PGP keys are being provisioned): [Smart Cards](TODO link to hardware) +* Smart Cards (whatever number of PGP keys are being provisioned): [Smart Cards](../../../../component-documents/hardware-models.md#smart-cards) * SD Cards: [Provisioning Guide](./provision-sd-card.md) +* Designated facility + ## Procedure -1. Set up AirgapOS (can be done ahead of time) - - [ ] add guide +### Procure Hardware -1. Procure hardware - * Dual custody +{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps }} -1. Enter the designated location with an operator and individual keys are being generated for and all required equipment +### Ceremony -1. Lock access to the location - there should be no inflow or outflow of people during the ceremony +1. Enter the designated facility with an operator and individual keys are being generated for and all required equipment + +1. Lock access to the facility - there should be no inflow or outflow of people during the ceremony if avoidable. During a long ceremony as this one this may be unavoidable. 1. Gut the laptop before using it: radio cards, speakers, microphones, storage drive @@ -32,14 +34,20 @@ The initial set up requires the provisioner and operator to do all of these in a 1. Check AirgapOS hashes when it's booted +### Generating PGP Keys and Seeding Cards + {{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}} +### Tamper Proofed Bundle + +The following objects should be in the bundle: + +* AirgapOS SD Cards + +* Airgapped computer + +{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} + 1. Create tamper proofed bundle (airgapos, laptop) 1. Submit evidence to ceremonies repo - -#### Creation of Initial Air-Gapped Bundle -- [ ] TODO there is a reference to air gapped bundle in provisioner: procure-equipment... doc - -{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} -