public
/
docs
5
0
Fork 0
Code Issues 17 Pull Requests 1 Packages Projects Releases Wiki Activity

fix links and improve document flow

This commit is contained in:
Anton Livaja 2025-01-08 12:04:25 -05:00
parent 17b37d0d5e
commit d1df818288
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
8 changed files with 32 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
quorum-key-management/src/component-documents/git-repository-initialization.md
View File

@ -17,7 +17,7 @@ Git is used because it permits cryptographic singing of commits using PGP, as we
* The merges should be done via CLI signed commits
* Require that all commits are signed using well known PGP keys which are from the organization's [keychain repository](TODO)
* Require that all commits are signed using well known PGP keys
1. Optionally set up a chron job that periodically pulls the data from the repository as a backup.
// ANCHOR_END: procedure

26
quorum-key-management/src/component-documents/one-time-use-airgapos.md
View File

@ -9,37 +9,25 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
// ANCHOR: steps
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
2. Verify the software according to [this](./component-documents/verifying-signatures.md) guide
1. Verify the software according to [this](../../../../component-documents/verifying-signatures.md) guide
3. Flash `airgap.iso` to an SD Card:
1. Flash `airgap.iso` to an SD Card:
* `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress conv=fsync`
4. Use the `sdtool` to lock the SD Card:
### Use the `sdtool` to lock the SD Card:
* TODO: update this to use stagex binary
{{ #include ../sdtool-instructions.md:steps }}
* `git clone git@github.com:BertoldVdb/sdtool.git`
1. Label the SD card "AirgapOS - <version>"
* `cd sdtool`
* `make`
* `./sdtool /dev/mmcblk permlock`
* Test that the card can't be written to:
* `dd if=out/airgap.iso of=/dev/sdb bs=1M status=progress conv=fsync`
5. Label the SD card "AirgapOS - <version>"
6. Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
1. Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
* `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
* `sha256sum out/airgap.iso`
7. Commit the hash of airgap to a git repo, ensuring the commit is signed
1. Commit the hash of airgap to a git repo, ensuring the commit is signed
// ANCHOR_END: steps

8
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-air-gapped-bundle.md
View File

@ -2,13 +2,11 @@
* Tamper proof together the following objects:
* [Air-gapped machine](#computer-procurement)
* [Air-gapped machine](./provision-computer.md)
* [AirgapOS SD card](#airgapos)
* [AirgapOS SD card](./provision-airgapos.md)
* [Keychain SD card](#trusted-keys)
* [Shardfile SD card](#shardfile)
* [Shardfile SD card](../operator/root-entropy-generation.md)
### Procedure

2
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md
View File

@ -4,7 +4,7 @@ For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computer
Sealable plastic bag is required for this procedure:
{{ #include ../../../../hardware-models.md:sealable-plastic-bags }}
{{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }}
### Models

18
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-facility.md
View File

@ -6,4 +6,20 @@
1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room.
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this
## Maintenance
* The facility should always be well stocked with freshly formatted SD cards
* There should be at least 20 microSD and 20 SD cards available for use
* Both microSD and regular SD cards should be available
* They should be formatted to `fat32` format
* Usage of these SD cards:
* Transferring transaction data from online to air-gapped machine
* Storing tamper proofing evidence produced at the end of the ceremony

1
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md
View File

@ -1 +0,0 @@
# Keychain Repository

18
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md
View File

@ -4,23 +4,7 @@ SD cards don't require special chain of custody, but ideally should be purchased
### SD Card Models
{{ #include ../../../../hardware-models.md:sd-models }}
### Notes
* The facility should always be well stocked with freshly formatted SD cards
* There should be at least 20 microSD and 20 SD cards available for use
* Both microSD and regular SD cards should be available
* They should be formatted to `fat32` format
* Usage of these SD cards:
* Transferring transaction data from online to air-gapped machine
* Storing tamper proofing evidence produced at the end of the ceremony
{{ #include ../../../../component-documents/hardware-models.md:sd-models }}
### Procedure: formatting SD Card to `fat32`

2
quorum-key-management/src/generated-documents/level-2/hardware.md
View File

@ -18,6 +18,8 @@
* Nova Custom (Untested)
* Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility)
// ANCHOR_END: computer-models
/* ANCHOR_END: all */