From 24348cc6c6392f2f1139f9f442913b0580c10ad4 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Thu, 28 Nov 2024 18:30:19 -0500 Subject: [PATCH] add new docs and refactor --- quorum-key-management/src/SUMMARY.md | 28 ++++++++---- ...-location-reusable-hardware-procurement.md | 41 +++++++++++++++++ ...fixed-location-reusable-laptop-ceremony.md | 45 +++++++++++++++++++ quorum-key-management/src/glossary.md | 3 ++ quorum-key-management/src/locations.md | 6 +-- .../src/one-time-use-airgapos.md | 13 +----- .../src/one-time-use-laptop-coin-ceremony.md | 1 + .../src/portable-reusable-laptop-ceremony.md | 1 + .../src/repeat-use-airgapos.md | 18 +------- .../src/verifying-signatures.md | 29 ++++++++++++ 10 files changed, 146 insertions(+), 39 deletions(-) create mode 100644 quorum-key-management/src/fixed-location-reusable-hardware-procurement.md create mode 100644 quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md create mode 100644 quorum-key-management/src/one-time-use-laptop-coin-ceremony.md create mode 100644 quorum-key-management/src/portable-reusable-laptop-ceremony.md create mode 100644 quorum-key-management/src/verifying-signatures.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index ac73379..9281ab9 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md 
@@ -7,18 +7,23 @@ * [Glossary](glossary.md) * [Preparations]() + * [Verifying Signatures](verifying-signatures.md) * [Tamper Evidence Methods](tamper-evidence-methods.md) * [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md) + * [Selecting Locations](locations.md) - * [Repeat Use]() - * [Flash PureBoot to Librem](flash-pureboot-firmware.md) - * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) - * [Change Smart Card PINs](setting-smart-card-pins.md) - * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) - * [AirgapOS Setup](repeat-use-airgapos.md) - * [`autorun.sh` Setup](autorun-sh-setup.md) - * [Secure Boot Sequence](secure-boot-sequence.md) - * [Selecting Locations](locations.md) + * [Fixed Location Reusable Laptop]() + * [Procure Hardware](fixed-location-reusable-hardware-procurement.md) + * [PureBoot]() + * [Flash PureBoot to Librem](flash-pureboot-firmware.md) + * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) + * [Change Smart Card PINs](setting-smart-card-pins.md) + * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) + * [PureBoot Boot Sequence](secure-boot-sequence.md) + + * [AirgapOS Setup]() + * [AirgapOS Setup](repeat-use-airgapos.md) + * [`autorun.sh` Setup](autorun-sh-setup.md) * [One Time Use]() * [Procure Hardware](one-time-use-hardware-procurement.md) @@ -41,6 +46,11 @@ * [Online Artifact Storage](public-ceremony-artifact-storage.md) * [Physical Artifact Storage](physical-artifact-storage.md) +* [Coin Ceremonies]() + * [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md) + * [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md) + * [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md) + * [Lifecycle Management]() * [Destroying Hardware](hardware-destruction.md) * [Storage Device Management](storage-device-management.md) \ No newline at end of file 
diff --git a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md new file mode 100644 index 0000000..59176ff --- /dev/null +++ b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md 
@@ -0,0 +1,41 @@ +# Procure Hardware + +1. Select a librem 14 laptop from https://puri.sm, and ensure: + + * Memory: 8GB + + * Storage: 250GB + + * Power Adapter Plug: US + + * Wireless: No wireless + + * Firmware: PureBoot Bundle Anti-Interdiction (PureBoot Bundle Plus + Anti-interdiction services) + + * Operating System: PureOS + + * Warranty: 1 Year + + * Privacy Screen: Privacy Screen for Librem 14 + + * USB Flash Drive: No USB Flash Drive + +2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will: + + * Modify the laptop as per order specifications, in this case removing radio cards. + + * Seal the screws on the bottom of the laptop using glitter of chosen color + + * Take photographs of the inside of the laptop, then of the outside after it's sealed + + * The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images + + * The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape + + * TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism + + * The laptop will be sealed in a box using tamper proofing tape + +3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact. + +4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored. \ No newline at end of file 
diff --git a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md new file mode 100644 index 0000000..a36b3c8 --- /dev/null +++ b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md 
@@ -0,0 +1,45 @@ +# Fixed Location Reusable Laptop Ceremony + +1. Select at least two authorized operators who will be participating in the ceremony + +2. Print photographs of tamper proofing of the laptop which will be used for the ceremony + +3. Make an entry into the access log, specifying the: + + * Individuals involved + + * Approximate time of entry + +4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony. + +5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation + + * Compare the polaroid and digital photographs for any differences + + * Then compare the photographs to the actual object + + * If there are any issues detected, initiate incident response + +6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md) + +7. Use one of the [Coin Playbooks]() to perform actions for a given coin + + * TODO... + +8. Once the ceremony is completed, use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to reseal and photograph the laptop + + * Use a new SD card for taking photographs of the sealed laptop + +9. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data + +10. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe + +11. Exit the SCIF and lock it + +12. Update the log with the exit time + +13. Upload the photos to a git repository, ensuring the commit is signed using PGP + + * TODO: add more details around how the storage of images should work + + * TODO: ensure there is a pgp doc that can be linked to (for setup and use) \ No newline at end of file diff --git a/quorum-key-management/src/glossary.md b/quorum-key-management/src/glossary.md index f89d085..1c0e530 100644 --- a/quorum-key-management/src/glossary.md +++ b/quorum-key-management/src/glossary.md 
@@ -60,6 +60,9 @@ which is set at the time of initial sharding, expressed as M of N, or in other words M shards of the total N shards in existence are required to reveal the secret. +## Secure Compartmentalized Information Facility (SCIF) + + ## Workstation Highly secure computer which is used for sensitive operations, typically in the diff --git a/quorum-key-management/src/locations.md b/quorum-key-management/src/locations.md index 77dc795..4c982ef 100644 --- a/quorum-key-management/src/locations.md +++ b/quorum-key-management/src/locations.md @@ -1,7 +1,7 @@ # Location Locations refer to physical points in space which are used for storing -cryptographic material or performing actions related to the DRK lifecycle and +cryptographic material or performing actions using the cryptographic material and adhere to a set of criteria which focus on achieving a high level of security - specifically with respect to: @@ -66,7 +66,7 @@ standard NATO SDIP-27 Level A locations simultaneously * SHOULD be facilities owned by different organizations to reduce the risk of -collusion unless the organization who owns the DRK has their own facility such -as a SCIF (Secure Compartmentalized Information Facility) +collusion unless the organization who owns the QKM system has their own facility such +as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif). * SHOULD have seismic detectors diff --git a/quorum-key-management/src/one-time-use-airgapos.md b/quorum-key-management/src/one-time-use-airgapos.md index 3265c03..8956d54 100644 --- a/quorum-key-management/src/one-time-use-airgapos.md +++ b/quorum-key-management/src/one-time-use-airgapos.md 
@@ -6,18 +6,9 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using ## Setup Steps -* Clone the latest AirgapOS version: - - * `git clone git@distrust.co:public/airgap.git` - -* Build the image: - - * `cd airgap && make` - -* Verify `sha256sum` of airgap matches hashes in `/dist` - -* Verify signatures on the hashes in `/dist`. The maintainer pgp keys can be found on the [Distrust contact page](https://distrust.co/contact.html) page. +* Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. +* Verify the software according to [this](verifying-signatures.md) guide * Flash `airgap.iso` to an SD Card: diff --git a/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md new file mode 100644 index 0000000..46fedad --- /dev/null +++ b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md @@ -0,0 +1 @@ +# One Time Use Laptop Ceremony diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md new file mode 100644 index 0000000..0a4cf4b --- /dev/null +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md @@ -0,0 +1 @@ +# Portable Reusable Laptop Ceremony diff --git a/quorum-key-management/src/repeat-use-airgapos.md b/quorum-key-management/src/repeat-use-airgapos.md index 223fd29..c0e465f 100644 --- a/quorum-key-management/src/repeat-use-airgapos.md +++ b/quorum-key-management/src/repeat-use-airgapos.md 
@@ -4,23 +4,9 @@ This section can be completed on any machine. AirgapOS has `keyfork` built into it for cryptographic operations such as key derivation. -1. Clone the `AirgapOS` repository locally or download it as a zip +1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. - To clone use the following command in the terminal: - ``` - cd ~ - git clone git@distrust.co:public/airgap.git - ``` - - To download as a ZIP from https://git.distrust.co/public/airgap: - ![Downloading AirgapOS as ZIP](img/download-airgap-os.png) - -2. Navigate into the `airgap` repository locally, and build the iso image. - ``` - cd ~/airgap - make reproduce - ``` -The resulting iso will be located in `airgap/out/` +2. Verify the software according to [this](verifying-signatures.md) guide 3. Place signed .iso on a storage device diff --git a/quorum-key-management/src/verifying-signatures.md b/quorum-key-management/src/verifying-signatures.md new file mode 100644 index 0000000..e185f08 --- /dev/null +++ b/quorum-key-management/src/verifying-signatures.md 
@@ -0,0 +1,29 @@ +# Verifying Signatures + +When building and downloading software it is essential to verify signatures to ensure its integrity. + +Verification of software depends on two primary aspects: + +* Ensuring that the hash of a binary matches some point of reference, for example the same binary previously built by a trusted team member, or a hash hosted alongside the software in the download location. + +* Ensuring that signatures alongside hashes are from trusted asymmetric keys (e.g PGP keys) + +In order to achieve this, one must establish that specific keys are "well known" and can be trusted - that is, that they belong to a given individual. To achieve this, the best method is to exchange keys in person, but a combination of the following methods gives even higher confidence thresholds: + +* Verifying the key in person + +* Finding a reference to a public key on the individual's personal website + +* Finding a reference to a public key on the individual's social media platforms + +* Finding a keyoxide profile for a given public key + +* Finding a reference to a public key on a company website + +* Looking up popular key servers to see if a given individual is associated with it + +Each point of reference allows us to build confidence that the key is indeed owned by an individual. + +One other consideration is how the key is protected. If possible, find out how the individual manages their key. If the key is stored on a local machine, the trust level for that key should be low. If the individual always manages their keys in airgapped environments, and on HSMs, then a higher level of trust can be ascribed - although ultimately in most cases it's impossible to verify that the individual followed a given policy around key management. + +One favorable method for ensuring that a key never got exposed is using built in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey. 
While this type of key setup has the downside of not being able to back it up, one could use a master key to sign such a key, authorizing it for use, while giving the flexibility to rotate if the hardware token is damaged or lost. \ No newline at end of file
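Review bot: In the SUMMARY.md hunk, the new `* [AirgapOS Setup]()` parent entry under "Fixed Location Reusable Laptop" has a child with the identical label `* [AirgapOS Setup](repeat-use-airgapos.md)`, which renders as two consecutive "AirgapOS Setup" entries in the sidebar; either link the parent directly to `repeat-use-airgapos.md` or give the child a distinct label (e.g. "Build and Verify AirgapOS"). The same hunk renames the sidebar entry to "PureBoot Boot Sequence" while the new fixed-location ceremony page still links it as `[Secure Boot Sequence](secure-boot-sequence.md)`; keep the titles consistent. Also, the new "Coin Ceremonies" section adds a "Portable Reusable Laptop Ceremony" page, but no "Portable Reusable Laptop" setup section (procurement, firmware, AirgapOS) exists alongside the "Fixed Location Reusable Laptop" and "One Time Use" ones, so that ceremony has no preparation steps to point at.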
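Review bot: In the `fixed-location-reusable-hardware-procurement.md` hunk, step 3 relies on "images of tamper proofing provided by Purism" but never says to verify Purism's PGP signature on those images, nor how the operator establishes trust in Purism's signing key in the first place; step 2 only says the photographs "will be signed by Purism". Add an explicit step before unsealing: decrypt the images, verify the signature with a Purism key whose fingerprint was checked through the methods in the new `verifying-signatures.md` page, and only then compare them to the hardware. Step 3 also leaves the firmware-token check vague ("the hardware token to verify firmware is in tact"); state that this is the PureBoot/token check performed on first boot and fix the typos ("intact", "has not been tampered with"). Minor: "librem 14" should be "Librem 14", and the in-line "TODO: find out if we can have vacuum sealing..." should not ship in a procedure page; track it in an issue instead. Finally, the order specifies the PureBoot Anti-Interdiction bundle, yet the next SUMMARY step is "Flash PureBoot to Librem"; say why the shipped firmware is reflashed (e.g. to a self-reproduced build) so readers do not skip it or, conversely, unknowingly invalidate the interdiction check.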
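Review bot: In the `fixed-location-reusable-laptop-ceremony.md` hunk, step 2 says to "Print photographs" of the tamper proofing, but step 5 compares "the polaroid and digital photographs"; inside a SCIF with an airgapped workflow there is no stated source of the digital images, so reconcile these (compare the printed, previously signed images against the polaroid, then both against the object). Step 7 links to `[Coin Playbooks]()` with an empty target while this same patch adds a "Coin Ceremonies" section in SUMMARY.md; point the link at the relevant ceremony pages. Step 9 says to "use chain of custody principles" for the SD card but, unlike the procurement page, does not link `hardware-procurement-and-chain-of-custody.md`; add the link. Step 13 uploads the photos from the SD card to a git repository with a PGP-signed commit, but nothing states that the photos themselves are hashed or signed before leaving the SCIF, which is what lets the next ceremony's step 2 trust what it prints; either sign the images (or a manifest of their hashes) at the tamper proofing workstation or state that the signed commit is the only integrity anchor. The two trailing "TODO" bullets should not remain in the published page.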
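Review bot: In the `glossary.md` hunk, the new `## Secure Compartmentalized Information Facility (SCIF)` heading has an empty body, so the new link from `locations.md` lands on a bare heading; add at least a one-sentence definition. Also, the standard expansion of SCIF is "Sensitive Compartmented Information Facility"; if you correct the heading, note that the mdBook anchor `#secure-compartmentalized-information-facility-scif` used in `locations.md` changes with it and must be updated in the same commit.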
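Review bot: In the `locations.md` hunk, the second change ties the text to the glossary anchor `glossary.md#secure-compartmentalized-information-facility-scif`, which is generated from the heading text in the glossary; any later rename of that heading silently breaks this link, so consider keeping the inline expansion next to the link as a fallback. The first change ("performing actions using the cryptographic material and adhere to a set of criteria") is grammatically awkward once "DRK lifecycle" is dropped; "Locations ... are used for storing cryptographic material or performing actions with it, and adhere to ..." reads more cleanly.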
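Review bot: In the `one-time-use-airgapos.md` hunk, the removed lines carried the only concrete verification instructions in the book (compare `sha256sum` of the built image against the hashes in `/dist`, verify the signatures on those hashes, fetch maintainer keys from the Distrust contact page), and the replacement `Verify the software according to [this](verifying-signatures.md) guide` points at a page that discusses how to trust keys in general but contains no AirgapOS-specific hash locations, key sources or commands. Either keep the `/dist` and maintainer-key details here or add them to `verifying-signatures.md`; otherwise an operator cannot complete the step. The new build bullet should also state where the output lands (the removed repeat-use text said `airgap/out/`), since the next bullet assumes an `airgap.iso` path.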
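Review bot: In the `one-time-use-laptop-coin-ceremony.md` hunk (and likewise `portable-reusable-laptop-ceremony.md`), the new page contains only a heading yet is linked from SUMMARY.md, so it ships as an empty chapter; either add a short "TODO: procedure not yet written" body or leave the SUMMARY entry as an unlinked placeholder `[...]()` as the book already does for section headers, until the content exists.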
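Review bot: In the `repeat-use-airgapos.md` hunk, the surviving step 3 `Place signed .iso on a storage device` now refers to a "signed" image, but the replacement steps 1 and 2 only build with `make reproduce` and verify; nothing in the new text signs the iso or says whose signature it carries, so either say "verified .iso" or add the signing step. The removed text also dropped the output location `airgap/out/`, which step 3 implicitly needs. The image `img/download-airgap-os.png` is no longer referenced by this page; if nothing else references it, delete it in the same commit.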
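Review bot: In the `verifying-signatures.md` hunk, the last paragraph's `built in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey` conflates two things: a YubiKey is a smart card/secure element, not a TPM, and its attestation certifies that the key was generated on the device; say "generated on and never left the hardware token" and name the feature (YubiKey's PIV/OpenPGP attestation) rather than "TPM". The bullet `Looking up popular key servers to see if a given individual is associated with it` overstates what keyservers provide: anyone can upload a key with any user ID, so a keyserver hit is not evidence of ownership unless the server verifies the email (keys.openpgp.org does; SKS-style servers do not); qualify this. Since the two AirgapOS pages now delegate to this page for the actual verification step, it should also contain the procedure, not only the trust discussion: import the maintainer keys, compare their full fingerprints against the references listed above, run `gpg --verify` on the signed hash file, then `sha256sum -c` against the built image, and treat any failure as a stop. Minor: "e.g PGP" should read "e.g. PGP" and "keyoxide" is the product name "Keyoxide".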