Add TODOs following PR discussions
This commit is contained in:
parent
5489afbbed
commit
5bae471906
|
@ -26,10 +26,14 @@
|
||||||
|
|
||||||
* Seal the screws on the bottom of the laptop using glitter of chosen color
|
* Seal the screws on the bottom of the laptop using glitter of chosen color
|
||||||
|
|
||||||
|
* TODO: Add detail around using glitter with larger pieces and layering several types, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-996
|
||||||
|
|
||||||
* Take photographs of the inside of the laptop, then of the outside after it's sealed
|
* Take photographs of the inside of the laptop, then of the outside after it's sealed
|
||||||
|
|
||||||
* The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
|
* The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
|
||||||
|
|
||||||
|
* TODO: Add information about verifying the authenticity of the Purism signing key, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-961
|
||||||
|
|
||||||
* The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape
|
* The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape
|
||||||
|
|
||||||
* TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
|
* TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
|
||||||
|
|
|
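Review bot: The TODO about verifying the Purism signing key (issuecomment-961) leaves the bullet above it, "The photographs will be signed by Purism and encrypted to the PGP key used for communications", without a documented trust anchor, so a reader following the procedure today has no stated way to tell a genuine signature from one made with a substituted key. Until the TODO is resolved, consider stating in that bullet that the signing key's fingerprint has to be confirmed through a channel separate from the one that delivers the photographs. Minor style point: the existing vacuum sealing item starts "TODO: find out" in lower case while the two added items start with a capital; pick one form.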
@ -34,6 +34,8 @@ The primary tamper proofing methods for the fixed location device are:
|
||||||
|
|
||||||
* Approximate time of entry
|
* Approximate time of entry
|
||||||
|
|
||||||
|
* TODO: Document how this access log is implemented.
|
||||||
|
|
||||||
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
|
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
|
||||||
|
|
||||||
* Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this.
|
* Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this.
|
||||||
|
|
|
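Review bot: "TODO: Document how this access log is implemented." is the only TODO in this commit with no link to the PR discussion, and it sits directly after "Approximate time of entry", where it can be read as one more field of the log rather than a note about the log. Suggest adding the discussion link or an owner, and placing the TODO after the list of log fields. When it is filled in, the text should say who writes the entries and how later alteration of an entry would be noticed, since the log is listed under the primary tamper proofing methods for the fixed location device.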
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
|
* TODO: Move this into the "provisioner" document, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1002
|
||||||
|
|
||||||
* 2 primary operators will be operating the offline machine and online machine
|
* 2 primary operators will be operating the offline machine and online machine
|
||||||
|
|
||||||
* Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key)
|
* Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key)
|
||||||
|
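Review bot: The added TODO is the first bullet under "## Requirements", so it reads as a requirement of the ceremony, and "this" does not say whether the whole section or only the operator items are meant to move to the "provisioner" document. Suggest naming the scope, for example "TODO: Move the Requirements section into ...", and placing the note above the heading or in a comment so the rendered list contains only requirements.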
@ -68,7 +70,7 @@
|
||||||
|
|
||||||
0. Plug in SD card labelled "Trusted Keys"
|
0. Plug in SD card labelled "Trusted Keys"
|
||||||
|
|
||||||
* Load well known PGP keys of proposer and approver, and sign them using operator keys (NOT IMPLEMENTED)
|
* Load well known PGP keys of proposer and approver, and sign them using operator keys (TODO: NOT IMPLEMENTED)
|
||||||
|
|
||||||
* `gpg --import <keyfile_name>`
|
* `gpg --import <keyfile_name>`
|
||||||
|
|
||||||
|
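Review bot: On the changed line, "(TODO: NOT IMPLEMENTED)" covers both "Load well known PGP keys" and "sign them using operator keys", yet the sub-step `gpg --import <keyfile_name>` is given as if the load part works. An import alone does not certify the keys with the operator keys, so an operator following the page ends up with unsigned keys in the keyring and no indication that the trust step was skipped. Suggest splitting the bullet so the marker attaches only to the part that is actually missing, and stating what the operator should do about signing in the meantime.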
@ -107,13 +109,13 @@
|
||||||
|
|
||||||
1. Plug in SD card with transaction payload
|
1. Plug in SD card with transaction payload
|
||||||
|
|
||||||
2. Wait for the screen to display the transaction information. (NOT IMPLEMENTED)
|
2. Wait for the screen to display the transaction information. (TODO: NOT IMPLEMENTED)
|
||||||
|
|
||||||
* In the background:
|
* In the background:
|
||||||
|
|
||||||
* The transaction is constructed
|
* The transaction is constructed
|
||||||
|
|
||||||
* Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (NOT IMPLEMENTED)
|
* Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (TODO: NOT IMPLEMENTED)
|
||||||
|
|
||||||
3. If any issues are detected with data you will be prompted and should initiate [incident response (todo)](todo)
|
3. If any issues are detected with data you will be prompted and should initiate [incident response (todo)](todo)
|
||||||
|
|
||||||
|
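Review bot: Step 3 still says "If any issues are detected with data you will be prompted", but the checks that would raise that prompt are the ones this hunk marks "(TODO: NOT IMPLEMENTED)" in step 2, including verification of the tx data signatures against the well known keys. As written, an operator can take the absence of a prompt as confirmation that signatures were checked. Suggest adding an explicit note to step 3 that no prompt currently appears for signature failures, and either a manual verification step or a statement that the ceremony must not proceed on unverified data until this is implemented.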
@ -135,6 +137,8 @@
|
||||||
|
|
||||||
* Shut down the air gapped machine
|
* Shut down the air gapped machine
|
||||||
|
|
||||||
|
* TODO: Add information about material disposal, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
|
||||||
|
|
||||||
#### Sealing
|
#### Sealing
|
||||||
|
|
||||||
{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
||||||
|
|
|
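Review bot: The material disposal TODO links to issuecomment-1004, the same comment that the SD card formatting and labeling TODO in this commit links to; please confirm both really come from that one comment or correct the link. Placement also needs a decision: the note sits after "Shut down the air gapped machine" and before "#### Sealing", so the TODO should say whether disposal is meant to happen before the device is sealed or after the ceremony ends.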
@ -40,6 +40,8 @@ This guide contains specific equipment models: [guide](../../../../tamper-eviden
|
||||||
|
|
||||||
* SD cards
|
* SD cards
|
||||||
|
|
||||||
|
* TODO: Add clarification around formatting and labeling SD cards, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
|
||||||
|
|
||||||
* [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
|
* [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
|
||||||
|
|
||||||
* [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
|
* [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
|
||||||
|
|
|
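Review bot: The TODO about formatting and labeling SD cards is inserted between "* SD cards" and the two Kingston product links, so it reads as one of the items to purchase. Suggest moving it below the product links or onto the "SD cards" line itself. While touching this list, the context line "Kingston Indsutrial 8GB microSD Memory Card" has a typo ("Industrial").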
@ -20,6 +20,8 @@ The following steps must all be completed under the continued supervision and wi
|
||||||
|
|
||||||
3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. The bag MUST be a sealable see-through tamper evident bag.
|
3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. The bag MUST be a sealable see-through tamper evident bag.
|
||||||
|
|
||||||
|
* TODO: Add sources for suitable tamper evidence bags, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-897
|
||||||
|
|
||||||
4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes:
|
4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes:
|
||||||
|
|
||||||
* Radio cards (wifi, bluetooth)
|
* Radio cards (wifi, bluetooth)
|
||||||
|
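Review bot: The TODO on sources for tamper evidence bags is added between numbered steps 3 and 4; unless it is indented under step 3 it will break the numbered list, so check the rendered numbering of step 4. Step 3 says the bag "MUST be a sealable see-through tamper evident bag" but gives no acceptance criteria, so the TODO should cover what makes a bag suitable as well as where to buy one. Small grammar fix in the context line: "a access controlled space" should be "an access controlled space".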
@ -32,6 +34,8 @@ The following steps must all be completed under the continued supervision and wi
|
||||||
|
|
||||||
Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove.
|
Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove.
|
||||||
|
|
||||||
|
* TODO: Add example online reference, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-898
|
||||||
|
|
||||||
5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO)
|
5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO)
|
||||||
|
|
||||||
## Tested Hardware (AirgapOS Compatibility)
|
## Tested Hardware (AirgapOS Compatibility)
|
||||||
|
|
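Review bot: Step 5 in the context lines still links "[device designation](TODO)", a dead link that is not marked in the "TODO:" bullet form this commit introduces everywhere else, so it will be missed by anyone searching for the new markers. Suggest adding a matching TODO bullet for it in this hunk. The added TODO for an example online reference is fine, but it is attached to the sentence telling the operator to identify parts to remove, so the eventual reference should be one the operators can consult at the processing location.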