public
/
docs
5
0
Fork 0
Code Issues 14 Pull Requests 1 Packages Projects Releases Wiki Activity

update airgapos provisioning doc

This commit is contained in:
Anton Livaja 2025-01-28 00:59:04 -05:00
parent e7e65c35c0
commit 34f8b75dd9
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
4 changed files with 60 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
quorum-key-management/src/component-documents/one-time-use-airgapos.md
View File

@ -1,34 +0,0 @@
/* ANCHOR: all */
# Set up AirgapOS
Because without a Librem 14 there is no easy way to have a secure boot sequence,
instead the AirgapOS `.iso` image is flashed to an SD card, locked using
`sdtool` and then verified using any machine.
## Setup Steps
// ANCHOR: steps
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
1. Verify the software according to [this](../../../../component-documents/verifying-signatures.md) guide
1. Flash `airgap.iso` to an SD Card:
* `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress conv=fsync`
### Use the `sdtool` to lock the SD Card:
{{ #include ../sdtool-instructions.md:steps }}
1. Label the SD card "AirgapOS [version]"
1. Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
* `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
* `sha256sum out/airgap.iso`
1. Commit the hash of airgap to a git repo, ensuring the commit is signed
// ANCHOR_END: steps
/* ANCHOR_END: all */

10
quorum-key-management/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md
View File

@ -20,12 +20,12 @@
1. Navigate to the ceremony repository for the ceremony being executed 1. Navigate to the ceremony repository for the ceremony being executed
1. Create a directory called `payloads/` on the SD card 1. Find the SD cards device name using `lsblk`
1. Copy all transaction workflow payloads from the appropriate dated directory found in `ceremonies/payloads/<date>` into the `payloads/` directory on the SD card 1. Write the ceremony repo data to the SD card:
1. Copy the `shardfile.asc` from the ceremony repository onto the SD card `cp ceremonies/ /media/<device_name>`
1. Copy the `keyring.asc` from the ceremony repository onto the SD card 1. Unplug the SD card
1. Copy any other `blockchain_metadata/` as required, for example `nonce_address.txt` for SOL transactions 1. Turn off the computer

4
quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md
View File

@ -14,8 +14,10 @@
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}} {{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}}
1. Remove packaging from each SD card, and place them into High Visibility Storage
1. Select 5 SD cards to be tamper proofed from High Visibility Storage 1. Select 5 SD cards to be tamper proofed from High Visibility Storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
1. Label the tamper proofed package "SD Booster Pack [date]" 1. Label the tamper proofed package "SD Card Pack [date]"

57
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md
View File

@ -6,15 +6,62 @@
* Tamper proofing evidence (photographs) * Tamper proofing evidence (photographs)
* Fresh SD card(s) * [SD Card Pack(s)](../procurer/procure-sd-card-pack.md)
* Bring however many SD cards should be provisioned * High Visibility Storage
* 2 Computers
* 1 computer should be able to boot AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
## Procedure ## Procedure
{{ #include ../../../../component-documents/sd-formatting.md:steps }} 1. Turn on one of the computers - this one will be used for writing the SD cards
- remove steps 5 through 8
{{ #include ../../../../component-documents/one-time-use-airgapos.md:steps }} 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.
1. Use the `make reproduce` command
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
1. Label each SD card that will be used "AirgapOS [date]"
1. Place all the SD cards into High Visibility Storage
1. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built
1. Look for your SD card in the output of the `lsblk` command. It will typically be listed as `/dev/sdX`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
1. Flash `airgap.iso` to an SD Card:
* `dd if=out/airgap.iso of=/dev/<device_name> bs=4M status=progress conv=fsync`
1. Reset the computer, and boot the SD card
1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
* Find out the block device name using `lsblk`
* Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
1. `./sdtool /dev/<device_name> permlock`
1. Once burned, unplug the SD card
1. Plug the SD card into a different computer from the one that was used to write the SD card
1. Boot the computer
1. Open a terminal
1. Create a test file:
* `echo "test" > test.txt`
1. Verify the card can't be written to:
* `dd if=./test.txt of=/dev/<device_name> bs=1M conv=sync status=progress`
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}