update provisioner doc

2024-12-13 17:02:23 -05:00 · 2024-12-13 17:02:23 -05:00 · 3fac96822c
parent 80a4005e19
commit 3fac96822c
4 changed files with 24 additions and 6 deletions
--- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
+++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
@ -12,6 +12,14 @@ The provisioner is responsible for procuring equipment. Their main focus is:

 [Guide](../../../../hardware.md#air-gapped-computer)

+1. Procure hardware using the [hardware procurement and chain of custody guide](../../../../hardware-procurement-and-chain-of-custody.md)
+
+2. Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md)
+
+3. Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the SD card
+
+4. Store the sealed package in a secure location
+
 ### Online Machine

 [Guide](../../../../online-machine-provisioning.md)
--- a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md
+++ b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md
@ -37,6 +37,7 @@ Each laptop model is laid out slightly differently so use an online reference an
 ## Tested Hardware (AirgapOS Compatibility)

 * HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
+    * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)

 * Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99

--- a/quorum-key-management/src/one-time-use-airgapos.md
+++ b/quorum-key-management/src/one-time-use-airgapos.md
@ -16,6 +16,8 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using

 * Use the `sdtool` to lock the SD Card:

+    * TODO: update this to use stagex binary
+
    * `git clone git@github.com:BertoldVdb/sdtool.git`

    * `cd sdtool`
@ -31,4 +33,7 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
 * Verify that the hash of `airgap.iso` matches what's flashed on the SD card:

    * `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
+
    * `sha256sum out/airgap.iso`
+
+* Commit the hash of airgap to a git repo, ensuring the commit is signed
--- a/quorum-key-management/src/repeat-use-airgapos.md
+++ b/quorum-key-management/src/repeat-use-airgapos.md
@ -1,12 +1,13 @@
 # AirgapOS Setup
+
 This section can be completed on any machine.

-AirgapOS has `keyfork` built into it for cryptographic operations such as key
-derivation.
+AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations such as key
+derivation and signing

 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command.

-2. Verify the software according to [this](verifying-signatures.md) guide
+2. Verify the software according to [this guide](verifying-signatures.md)

 3. Place signed .iso on a storage device

@ -29,6 +30,7 @@ derivation.
    ```

 4. Copy `airgap.iso` and detached signature to a storage device
+
    a. Select a new Storage Device which has no other files on it and plug it
    into the machine that has the `airgap.iso` file and the detached GPG signature.

@ -38,6 +40,8 @@ derivation.

    e. Copy both the `airgap.iso` and detached signature to the drive.

+5. Lock the SD card using `sdtool`
+
 5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
 down on a piece of paper.