forked from public/airgap
A live buildroot based Linux distribution designed for managing secrets offline.
Lance Vick 7dfb2882a6
Remove broken/blocking coreboot/heads build support
2022-12-30 16:57:44 -08:00
audits Updated cure53 audit with corrected authors list 2021-11-04 15:23:16 -07:00
config overhaul release process for easier attestation 2022-12-24 15:56:16 -08:00
release release 1.0.0rc2 2022-12-26 01:23:13 -08:00
scripts big refactor bumping deps and fixing broken determinism patterns 2022-12-23 21:15:00 -08:00
src/toolchain big refactor bumping deps and fixing broken determinism patterns 2022-12-23 21:15:00 -08:00
.dockerignore Create .dockerignore, symlinked from .gitignore 2021-06-20 18:39:14 -04:00
.gitattributes add lfs tracking for airgap iso files 2022-12-25 02:09:15 -08:00
.gitignore add lfs tracking for airgap iso files 2022-12-25 02:09:15 -08:00
LICENSE.md add MIT license 2021-02-25 12:24:46 -08:00
Makefile Remove broken/blocking coreboot/heads build support 2022-12-30 16:57:44 -08:00
README.md Remove broken/blocking coreboot/heads build support 2022-12-30 16:57:44 -08:00

README.md

AirgapOS

https://github.com/distrust-foundation/airgap

About

A live buildroot based Linux distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.

Uses

  • Generate GPG keychain
  • Store/Restore GPG keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Features

  • Deterministic ISO generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors

Requirements

Software

  • docker 18+

Hardware

  • Recommended: PC running coreboot-heads
    • Allows for signed builds, and verification of signed sd card payloads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
  • Blank flash drive
  • Blank SD card

Build

Build a new release

```
make VERSION=1.0.0rc1 release
```

Reproduce an existing release

```
make VERSION=1.0.0rc1 attest
```

Sign an existing release

```
make VERSION=1.0.0rc1 sign
```
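
A check a second party could run after reproducing a release, given here as an added example that is not part of this project's Makefile or scripts. It compares the reproduced ISO with the published one and counts distinct signers across detached signatures of the kind produced by `gpg --armor --detach-sign`; the function names, argument layout, signer threshold, and the use of `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example: accept a release only if it reproduces bit-for-bit locally
# AND enough distinct signers have signed it. All names here are hypothetical.

# Print only the SHA-256 digest of a file (assumes coreutils sha256sum).
iso_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if both files exist and have identical digests.
iso_matches() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    [ "$(iso_digest "$1")" = "$(iso_digest "$2")" ]
}

# Print the number of DISTINCT primary keys with a valid detached signature
# over the ISO. The last field of gpg's VALIDSIG status line is the primary
# key fingerprint, so two signatures from one person count once.
# Assumption: the local keyring holds only signer keys verified out of band.
count_signers() {
    iso=$1; shift
    for sig in "$@"; do
        gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null || true
    done | awk '$2 == "VALIDSIG" && !seen[$NF]++ { n++ } END { print n + 0 }'
}

# verify_release LOCAL_ISO PUBLISHED_ISO SIG_DIR MIN_SIGNERS
verify_release() {
    local_iso=$1; published_iso=$2; sig_dir=$3; min_signers=$4
    if ! iso_matches "$local_iso" "$published_iso"; then
        echo "FAIL: reproduced ISO differs from published ISO" >&2
        return 1
    fi
    n=$(count_signers "$published_iso" "$sig_dir"/*.asc)
    if [ "$n" -lt "$min_signers" ]; then
        echo "FAIL: $n distinct valid signer(s), need $min_signers" >&2
        return 1
    fi
    echo "OK: reproduced locally, $n distinct valid signer(s)"
}

# Run only when called with the four arguments described above.
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

The digest comparison runs first because a signature over an ISO that does not reproduce from source says nothing about the code that was reviewed.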

Setup

  1. Insert external Remote attestation key and signing key when prompted
  2. Reboot and verify successful remote attestation
  3. Boot to shell: Options -> Recovery Shell
  4. Mount SD card
  5. Insert chosen GPG Smartcard device
  6. Sign target iso: `gpg --armor --detach-sign airgap*.iso`
  7. Reboot

Usage

  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot

Development

Build develop image

```
make
```

Boot image in qemu

```
make vm
```

Enter shell in build environment

```
make shell
```