From d1df81828861fd1b5d539a339191d27d21d3da76 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 8 Jan 2025 12:04:25 -0500 Subject: [PATCH] fix links and improve document flow --- .../git-repository-initialization.md | 2 +- .../one-time-use-airgapos.md | 26 +++++-------------- .../provision-air-gapped-bundle.md | 8 +++--- .../provisioner/provision-computer.md | 2 +- .../provisioner/provision-facility.md | 18 ++++++++++++- .../provision-keychain-repository.md | 1 - .../provisioner/provision-sd-card.md | 18 +------------ .../generated-documents/level-2/hardware.md | 2 ++ 8 files changed, 32 insertions(+), 45 deletions(-) delete mode 100644 quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md diff --git a/quorum-key-management/src/component-documents/git-repository-initialization.md b/quorum-key-management/src/component-documents/git-repository-initialization.md index d45c14f..b36ad03 100644 --- a/quorum-key-management/src/component-documents/git-repository-initialization.md +++ b/quorum-key-management/src/component-documents/git-repository-initialization.md @@ -17,7 +17,7 @@ Git is used because it permits cryptographic singing of commits using PGP, as we * The merges should be done via CLI signed commits - * Require that all commits are signed using well known PGP keys which are from the organization's [keychain repository](TODO) + * Require that all commits are signed using well known PGP keys 1. Optionally set up a chron job that periodically pulls the data from the repository as a backup. // ANCHOR_END: procedure diff --git a/quorum-key-management/src/component-documents/one-time-use-airgapos.md b/quorum-key-management/src/component-documents/one-time-use-airgapos.md index b196734..e126a2b 100644 --- a/quorum-key-management/src/component-documents/one-time-use-airgapos.md +++ b/quorum-key-management/src/component-documents/one-time-use-airgapos.md @@ -9,37 +9,25 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using // ANCHOR: steps 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. -2. Verify the software according to [this](./component-documents/verifying-signatures.md) guide +1. Verify the software according to [this](../../../../component-documents/verifying-signatures.md) guide -3. Flash `airgap.iso` to an SD Card: +1. Flash `airgap.iso` to an SD Card: * `dd if=out/airgap.iso of=/dev/ bs=4M status=progress conv=fsync` -4. Use the `sdtool` to lock the SD Card: +### Use the `sdtool` to lock the SD Card: - * TODO: update this to use stagex binary +{{ #include ../sdtool-instructions.md:steps }} - * `git clone git@github.com:BertoldVdb/sdtool.git` +1. Label the SD card "AirgapOS - " - * `cd sdtool` - - * `make` - - * `./sdtool /dev/mmcblk permlock` - - * Test that the card can't be written to: - - * `dd if=out/airgap.iso of=/dev/sdb bs=1M status=progress conv=fsync` - -5. Label the SD card "AirgapOS - " - -6. Verify that the hash of `airgap.iso` matches what's flashed on the SD card: +1. Verify that the hash of `airgap.iso` matches what's flashed on the SD card: * `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum` * `sha256sum out/airgap.iso` -7. Commit the hash of airgap to a git repo, ensuring the commit is signed +1. Commit the hash of airgap to a git repo, ensuring the commit is signed // ANCHOR_END: steps diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-air-gapped-bundle.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-air-gapped-bundle.md index f999c3c..60bfc26 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-air-gapped-bundle.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-air-gapped-bundle.md @@ -2,13 +2,11 @@ * Tamper proof together the following objects: - * [Air-gapped machine](#computer-procurement) + * [Air-gapped machine](./provision-computer.md) - * [AirgapOS SD card](#airgapos) + * [AirgapOS SD card](./provision-airgapos.md) - * [Keychain SD card](#trusted-keys) - - * [Shardfile SD card](#shardfile) + * [Shardfile SD card](../operator/root-entropy-generation.md) ### Procedure diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md index 9627118..61a7970 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md @@ -4,7 +4,7 @@ For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computer Sealable plastic bag is required for this procedure: -{{ #include ../../../../hardware-models.md:sealable-plastic-bags }} +{{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }} ### Models diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-facility.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-facility.md index 6f73923..097f15b 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-facility.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-facility.md @@ -6,4 +6,20 @@ 1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room. -1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this \ No newline at end of file +1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this + +## Maintenance + +* The facility should always be well stocked with freshly formatted SD cards + + * There should be at least 20 microSD and 20 SD cards available for use + + * Both microSD and regular SD cards should be available + + * They should be formatted to `fat32` format + +* Usage of these SD cards: + + * Transferring transaction data from online to air-gapped machine + + * Storing tamper proofing evidence produced at the end of the ceremony \ No newline at end of file diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md deleted file mode 100644 index 3bdeaf2..0000000 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md +++ /dev/null @@ -1 +0,0 @@ -# Keychain Repository diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md index dd8dcfb..a5415ae 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md @@ -4,23 +4,7 @@ SD cards don't require special chain of custody, but ideally should be purchased ### SD Card Models -{{ #include ../../../../hardware-models.md:sd-models }} - -### Notes - -* The facility should always be well stocked with freshly formatted SD cards - - * There should be at least 20 microSD and 20 SD cards available for use - - * Both microSD and regular SD cards should be available - - * They should be formatted to `fat32` format - -* Usage of these SD cards: - - * Transferring transaction data from online to air-gapped machine - - * Storing tamper proofing evidence produced at the end of the ceremony +{{ #include ../../../../component-documents/hardware-models.md:sd-models }} ### Procedure: formatting SD Card to `fat32` diff --git a/quorum-key-management/src/generated-documents/level-2/hardware.md b/quorum-key-management/src/generated-documents/level-2/hardware.md index 3a8cd04..b62630c 100644 --- a/quorum-key-management/src/generated-documents/level-2/hardware.md +++ b/quorum-key-management/src/generated-documents/level-2/hardware.md @@ -18,6 +18,8 @@ * Nova Custom (Untested) +* Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility) + // ANCHOR_END: computer-models /* ANCHOR_END: all */ \ No newline at end of file