update provisioner doc
parent 80a4005e19
commit 3fac96822c
|
@ -12,6 +12,14 @@ The provisioner is responsible for procuring equipment. Their main focus is:
|
||||||
|
|
||||||
[Guide](../../../../hardware.md#air-gapped-computer)
|
[Guide](../../../../hardware.md#air-gapped-computer)
|
||||||
|
|
||||||
|
1. Procure hardware using the [hardware procurement and chain of custody guide](../../../../hardware-procurement-and-chain-of-custody.md)
|
||||||
|
|
||||||
|
2. Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md)
|
||||||
|
|
||||||
|
3. Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the SD card
|
||||||
|
|
||||||
|
4. Store the sealed package in a secure location
|
||||||
|
|
||||||
### Online Machine
|
### Online Machine
|
||||||
|
|
||||||
[Guide](../../../../online-machine-provisioning.md)
|
[Guide](../../../../online-machine-provisioning.md)
|
||||||
|
|
|
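Review bot: Added step 4 ("Store the sealed package in a secure location") is the only new step without a linked guide, so "secure location" is left to the provisioner's judgement. Link it to whichever document defines acceptable storage, or state the requirement inline. The list also seals the laptop and SD card in step 3 without saying where the evidence needed to check the seal later is recorded. If the linked tamper-evidence guide covers that, a short pointer in step 3 would make the handoff explicit.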
@ -37,6 +37,7 @@ Each laptop model is laid out slightly differently so use an online reference an
|
||||||
## Tested Hardware (AirgapOS Compatibility)
|
## Tested Hardware (AirgapOS Compatibility)
|
||||||
|
|
||||||
* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
|
* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
|
||||||
|
* [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
|
||||||
|
|
||||||
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
|
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
|
||||||
|
|
||||||
|
|
|
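Review bot: The new Illustrated Parts Catalog link carries a long percent-encoded viewer fragment (`#%5B%7B%22num%22%3A3160...`), which is specific to one PDF viewer and will silently stop landing on the right page elsewhere. Consider dropping the fragment and naming the section or page in the link text instead. The link text also does not say which model the catalog covers, so a reader cannot confirm from the doc that it matches the HP 14-dq0052dx entry it sits under.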
@ -16,6 +16,8 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
|
||||||
|
|
||||||
* Use the `sdtool` to lock the SD Card:
|
* Use the `sdtool` to lock the SD Card:
|
||||||
|
|
||||||
|
* TODO: update this to use stagex binary
|
||||||
|
|
||||||
* `git clone git@github.com:BertoldVdb/sdtool.git`
|
* `git clone git@github.com:BertoldVdb/sdtool.git`
|
||||||
|
|
||||||
* `cd sdtool`
|
* `cd sdtool`
|
||||||
|
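Review bot: The added `TODO: update this to use stagex binary` has no issue reference or owner, so it is likely to go stale inside a procedure that people follow literally. Link a tracking issue next to it. Until that change lands, the context line `git clone git@github.com:BertoldVdb/sdtool.git` still pulls whatever is at the head of the default branch, so it would be worth adding a checkout of a reviewed commit after the clone so the tool that locks the SD card is a known revision.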
@ -31,4 +33,7 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
|
||||||
* Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
|
* Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
|
||||||
|
|
||||||
* `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
|
* `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
|
||||||
|
|
||||||
* `sha256sum out/airgap.iso`
|
* `sha256sum out/airgap.iso`
|
||||||
|
|
||||||
|
* Commit the hash of airgap to a git repo, ensuring the commit is signed
|
|
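Review bot: The added line "Commit the hash of airgap to a git repo, ensuring the commit is signed" is underspecified in three places: which hash (presumably the `sha256sum out/airgap.iso` output above), which repository and file it goes into, and how the commit is signed. Suggest naming the repo and path and giving the command, for example `git commit -S`. The step should also say it only happens after the two `sha256sum` outputs above have been compared and match, since the preceding lines print both hashes but never state what to do on a mismatch.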
@ -1,12 +1,13 @@
|
||||||
# AirgapOS Setup
|
# AirgapOS Setup
|
||||||
|
|
||||||
This section can be completed on any machine.
|
This section can be completed on any machine.
|
||||||
|
|
||||||
AirgapOS has `keyfork` built into it for cryptographic operations such as key
|
AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations such as key
|
||||||
derivation.
|
derivation and signing
|
||||||
|
|
||||||
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
|
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command.
|
||||||
|
|
||||||
2. Verify the software according to [this](verifying-signatures.md) guide
|
2. Verify the software according to [this guide](verifying-signatures.md)
|
||||||
|
|
||||||
3. Place signed .iso on a storage device
|
3. Place signed .iso on a storage device
|
||||||
|
|
||||||
|
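Review bot: Two small regressions in the reworded lines: step 1 now reads `repository.Use` with the space after the period dropped, and the intro sentence ending "derivation and signing" lost its terminal period. Restore both. The change of the link text in step 2 to `[this guide](verifying-signatures.md)` reads better than the old bare "this".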
@ -29,6 +30,7 @@ derivation.
|
||||||
```
|
```
|
||||||
|
|
||||||
4. Copy `airgap.iso` and detached signature to a storage device
|
4. Copy `airgap.iso` and detached signature to a storage device
|
||||||
|
|
||||||
a. Select a new Storage Device which has no other files on it and plug it
|
a. Select a new Storage Device which has no other files on it and plug it
|
||||||
into the machine that has the `airgap.iso` file and the detached GPG signature.
|
into the machine that has the `airgap.iso` file and the detached GPG signature.
|
||||||
|
|
||||||
|
@ -38,6 +40,8 @@ derivation.
|
||||||
|
|
||||||
e. Copy both the `airgap.iso` and detached signature to the drive.
|
e. Copy both the `airgap.iso` and detached signature to the drive.
|
||||||
|
|
||||||
|
5. Lock the SD card using `sdtool`
|
||||||
|
|
||||||
5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
|
5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
|
||||||
down on a piece of paper.
|
down on a piece of paper.
|
||||||
|
|
||||||
|
|
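Review bot: The new "5. Lock the SD card using `sdtool`" sits directly before the existing "5. Make sure to note the `sha256sum` hash", so the source now has two steps numbered 5. Renumber the hash step to 6 so references to step numbers stay unambiguous. The new step also switches from "storage device" and "drive" in step 4 to "SD card" and gives no command or link for the locking procedure. Link it to the `sdtool` instructions elsewhere in these docs and use one term for the medium throughout.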