public
/
docs
5
0
Fork 0
Code Issues 21 Pull Requests 2 Packages Projects Releases Wiki Activity

update provisioner doc

This commit is contained in:
Anton Livaja 2024-12-13 17:02:23 -05:00
parent 80a4005e19
commit 3fac96822c
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
4 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
View File

@ -12,6 +12,14 @@ The provisioner is responsible for procuring equipment. Their main focus is:
[Guide](../../../../hardware.md#air-gapped-computer) [Guide](../../../../hardware.md#air-gapped-computer)
1. Procure hardware using the [hardware procurement and chain of custody guide](../../../../hardware-procurement-and-chain-of-custody.md)
2. Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md)
3. Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the SD card
4. Store the sealed package in a secure location
### Online Machine ### Online Machine
[Guide](../../../../online-machine-provisioning.md) [Guide](../../../../online-machine-provisioning.md)

5
quorum-key-management/src/hardware-procurement-and-chain-of-custody.md
View File

@ -4,11 +4,11 @@
Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](./glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment. Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](./glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment.
All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, purchase food and take breaks. All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, purchase food and take breaks.
The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual. The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual.
## Provisioning Hardware ## Provisioning Hardware
1. Selecting a Purchase Location 1. Selecting a Purchase Location
@ -37,6 +37,7 @@ Each laptop model is laid out slightly differently so use an online reference an
## Tested Hardware (AirgapOS Compatibility) ## Tested Hardware (AirgapOS Compatibility)
* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99 * HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
* [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 * Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99

5
quorum-key-management/src/one-time-use-airgapos.md
View File

@ -16,6 +16,8 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
* Use the `sdtool` to lock the SD Card: * Use the `sdtool` to lock the SD Card:
* TODO: update this to use stagex binary
* `git clone git@github.com:BertoldVdb/sdtool.git` * `git clone git@github.com:BertoldVdb/sdtool.git`
* `cd sdtool` * `cd sdtool`
@ -31,4 +33,7 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
* Verify that the hash of `airgap.iso` matches what's flashed on the SD card: * Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
* `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum` * `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
* `sha256sum out/airgap.iso` * `sha256sum out/airgap.iso`
* Commit the hash of airgap to a git repo, ensuring the commit is signed

12
quorum-key-management/src/repeat-use-airgapos.md
View File

@ -1,12 +1,13 @@
# AirgapOS Setup # AirgapOS Setup
This section can be completed on any machine. This section can be completed on any machine.
AirgapOS has `keyfork` built into it for cryptographic operations such as key AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations such as key
derivation. derivation and signing
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command.
2. Verify the software according to [this](verifying-signatures.md) guide 2. Verify the software according to [this guide](verifying-signatures.md)
3. Place signed .iso on a storage device 3. Place signed .iso on a storage device
@ -29,6 +30,7 @@ derivation.
``` ```
4. Copy `airgap.iso` and detached signature to a storage device 4. Copy `airgap.iso` and detached signature to a storage device
a. Select a new Storage Device which has no other files on it and plug it a. Select a new Storage Device which has no other files on it and plug it
into the machine that has the `airgap.iso` file and the detached GPG signature. into the machine that has the `airgap.iso` file and the detached GPG signature.
@ -38,6 +40,8 @@ derivation.
e. Copy both the `airgap.iso` and detached signature to the drive. e. Copy both the `airgap.iso` and detached signature to the drive.
5. Lock the SD card using `sdtool`
5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it 5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
down on a piece of paper. down on a piece of paper.