From fcc3bae04fe1017cf1f9943d2a2a2a6d1e09f4e6 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Tue, 17 Dec 2024 17:10:10 -0500 Subject: [PATCH] many updates --- ...-location-reusable-hardware-procurement.md | 2 - ...fixed-location-reusable-laptop-ceremony.md | 2 +- .../coins/pyth-spl/sign-transaction.md | 42 ++------- .../provisioner/procure-hardware.md | 94 +++++++++++++++++-- quorum-key-management/src/hardware-models.md | 15 +++ ...rdware-procurement-and-chain-of-custody.md | 7 +- quorum-key-management/src/intro.md | 2 +- .../src/one-time-use-airgapos.md | 4 +- 8 files changed, 114 insertions(+), 54 deletions(-) create mode 100644 quorum-key-management/src/hardware-models.md diff --git a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md index 59176ff..192eedc 100644 --- a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md +++ b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md @@ -16,8 +16,6 @@ * Warranty: 1 Year - * Privacy Screen: Privacy Screen for Librem 14 - * USB Flash Drive: No USB Flash Drive 2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will: diff --git a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md index a9612ec..4431052 100644 --- a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md @@ -24,7 +24,7 @@ The primary tamper proofing methods for the fixed location device are: 2. Print photographs of tamper proofing of the laptop which will be used for the ceremony - * Both photos of vacuum sealed bar with filler and glitter on the bottom screws of laptop are required + * Both photos of vacuum sealed bag with filler and glitter on the bottom screws of laptop are required - [ ] TODO how is hardware token stored (for pureboot/heads) diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md index e684ab0..1a979b3 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md @@ -4,49 +4,21 @@ ## Requirements -* 2 primary operators will be operating the offline machine and online machine +* Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key) - * Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key) -* Photographic tamper proofing evidence +* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. - * Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. + * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys - * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys + * TODO: where do we refer to permitted PGP keys - * TODO: where do we refer to permitted PGP keys +* Each operator should hash the `keychain` repository -* Ensure location has [tamper proofing tools](../../../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) + * `sha256sum keychain/` - * Vacuum sealer + * Write it down on a piece of paper as it will be used during the ceremony - * Vacuum roll - - * Colored beads - -* PureBoot smart card (TODO) - -* 5 SD cards (2 fresh, formatted as ext4, and 3 cards with prepared data) - - * 1 SD card for transferring transaction data from online to air-gapped machine - - * 1 SD card for storing tamper proofing evidence produced at the end of the ceremony - - * 1 SD card which has the shardfile, labelled "Shardile" - - * This should be write-locked and stored in tamper proofing along with air-gapped machine - - * 1 SD card with "trusted keys" for proposers and approvers, both signed by each operator using their operator key (TODO) - - * This should be write-locked and stored in tamper proofing along with air-gapped machine - - * 1 SD card with AirgapOS - - * This should be write-locked and stored in tamper proofing along with air-gapped machine - -* Digital camera (TODO selection) - -* [Online machine](../../../../../../online-machine-provisioning.md) used for fetching transaction data ## Procedure diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md index 664eb64..88924fc 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md @@ -1,26 +1,36 @@ # Provisioner - Procure Hardware -The provisioner is responsible for procuring equipment. Their main focus is: +The provisioner is responsible for: + +* Procuring equipment + +* Setting up the Location + +* Maintaining stock of supplies in the [Location]() * Minimizing hardware supply chain security risks * Ensuring availability of necessary equipment +## Directives + +* MUST maintain chain of custody for all hardware until after it's properly tamper-proofed + +- [ ] do we need to tamper proof usb equipment? + * no because we verify hashes of data on the ceremony machines + ## Laptops -### Air-Gapped Machine -1. Procure a [Purism Librem 14](../../../../hardware.md#air-gapped-computer) -2. Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md) +* [Purism Librem 14](../../../../hardware.md#air-gapped-computer) -3. Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the SD card +* ChromeBook or a computer capable of running QubesOS according to [this guide](../../../../online-machine-provisioning.md) -4. Store the sealed package in a secure location +## Provisioning AirgapOS -### Online Machine +Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md) -Procure either a ChromeBook or a computer capable of running QubesOS according to [this guide](../../../../online-machine-provisioning.md) ## Tamper Proofing Equipment @@ -44,6 +54,10 @@ This guide contains specific equipment models: [guide](../../../../tamper-eviden * [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248) +* microSD to SD adapter + + * TODO find specific products + * SD Card USB Adapter * SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader @@ -52,3 +66,67 @@ This guide contains specific equipment models: [guide](../../../../tamper-eviden * Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub +* PureBoot smart card (TODO) + +* [Online machine](../../../../../../online-machine-provisioning.md) used for fetching transaction data + +## Preparing SD Cards + +### Freshly Formatted Cards + +* The location should always be well stocked with freshly formatted SD cards + + * There should be at least 20 microSD and 20 SD cards available for use + + * It is the provisioner's responsibility to keep track of the number of ceremonies and replenish stock as needed + + * Both microSD and regular SD cards should be available + + * They should be formatted to `ext4` format + + - [ ] consider renaming location ot vault/facility + +- [ ] TODO find a way to format many cards at once + +* Usage of these SD cards: + + * Transferring transaction data from online to air-gapped machine + + * Storing tamper proofing evidence produced at the end of the ceremony + +### Shardfile + +There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony. + +* Label: "Shardfile" + +* This should be write-locked and stored in tamper proofing along with air-gapped machine + +### Trusted Keys + +* Label: Trusted Keys + +* 1 SD card with "trusted keys" for proposers and approvers, both signed by each operator using their operator key + +* This should be write-locked and stored in tamper proofing along with air-gapped machine + +### AirgapOS + +* Label: "AirgapOS " + +* This should be write-locked and stored in tamper proofing along with air-gapped machine + +## Preparing The Location + +### Locker / Safe + +* establish a means of locking up equipment + +### Air-gapped bundle + +* tamper proof together: Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the AirgapOS SD card + * air-gapped machine + * airgapos sd card + + + diff --git a/quorum-key-management/src/hardware-models.md b/quorum-key-management/src/hardware-models.md new file mode 100644 index 0000000..0904673 --- /dev/null +++ b/quorum-key-management/src/hardware-models.md @@ -0,0 +1,15 @@ +/* ANCHOR: all */ +# Hardware Models + +## Computers +// ANCHOR: models + +* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99 + * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D) + +* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 + +* Purism Librem 14 +// ANCHOR_END: models + +/* ANCHOR_END: all */ \ No newline at end of file diff --git a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md index ad534a9..dbfba39 100644 --- a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md +++ b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md @@ -36,9 +36,4 @@ Each laptop model is laid out slightly differently so use an online reference an ## Tested Hardware (AirgapOS Compatibility) -* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99 - * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D) - -* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 - -To ensure that hardware is compatible, it can be tested by bringing an SD card with AirgapOS loaded on it, and testing booting to a floor model in the store. \ No newline at end of file +{{ #include hardware-models.md:models }} diff --git a/quorum-key-management/src/intro.md b/quorum-key-management/src/intro.md index 5393ef4..3ba80fb 100644 --- a/quorum-key-management/src/intro.md +++ b/quorum-key-management/src/intro.md @@ -1,6 +1,6 @@ # Introduction -Quorum Vaulting System (QVM) is an open source system of playbooks and +Quorum Vaulting System (QVS) is an open source system of playbooks and tooling which facilitates the creation and maintenance of highly resilient [quorum](glossary.md#quorum)-based key management systems based on a strict [threat model](threat-model.md) which can be used for a variety of different diff --git a/quorum-key-management/src/one-time-use-airgapos.md b/quorum-key-management/src/one-time-use-airgapos.md index 1c1353a..4358ab3 100644 --- a/quorum-key-management/src/one-time-use-airgapos.md +++ b/quorum-key-management/src/one-time-use-airgapos.md @@ -30,10 +30,12 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using * `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress` +* Label the SD card "AirgapOS - " + * Verify that the hash of `airgap.iso` matches what's flashed on the SD card: * `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum` * `sha256sum out/airgap.iso` -* Commit the hash of airgap to a git repo, ensuring the commit is signed \ No newline at end of file +* Commit the hash of airgap to a git repo, ensuring the commit is signed