forked from public/airgap
1
0
Fork 0
A live buildroot based Linux distribution designed for managing secrets offline.
Go to file
Lance Vick 9036ccae48
refactor attest/release target deps
2022-12-24 18:07:53 -08:00
audits Updated cure53 audit with corrected authors list 2021-11-04 15:23:16 -07:00
config overhaul release process for easier attestation 2022-12-24 15:56:16 -08:00
release 1.0.0rc2 release 2022-12-24 15:56:29 -08:00
scripts big refactor bumping deps and fixing broken determinism patterns 2022-12-23 21:15:00 -08:00
src/toolchain big refactor bumping deps and fixing broken determinism patterns 2022-12-23 21:15:00 -08:00
.dockerignore Create .dockerignore, symlinked from .gitignore 2021-06-20 18:39:14 -04:00
.gitignore big refactor bumping deps and fixing broken determinism patterns 2022-12-23 21:15:00 -08:00
LICENSE.md add MIT license 2021-02-25 12:24:46 -08:00
Makefile refactor attest/release target deps 2022-12-24 18:07:53 -08:00
README.md README.md: Update project URL 2021-06-19 15:02:17 -04:00

README.md

AirgapOS

https://github.com/distrust-foundation/airgap

About

A live buildroot based distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.

Uses

  • Generate GPG keychain
  • Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Features

  • Builds Coreboot-heads firmware for all supported devices for measured boot
  • Determinsitic rom/iso generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors

Supported Devices

Device TPM Model TPM Version Remote Attestation
Librem13v4 Infineon 9465 1.2 HOTP via Nitrokey
Librem15v4 Infineon 9456 1.2 HOTP via Nitrokey

Requirements

Software

  • docker 18+

Hardware

  • Supported PC already running coreboot-heads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
  • Blank flash drive
  • Blank SD card

Build

  1. Reproduce existing release, or build fresh if never released:

    make VERSION=1.0.0rc1
    
  2. Compares hashes of newly built iso/rom files with in-tree hashes.txt

    make VERSION=1.0.0rc1 verify
    

Install

  1. Place contents of release/$VERSION folder on SD card
  2. Boot machine to Heads -> Options -> Flash/Update BIOS
  3. Flash firmware via "Flash the firmware with new ROM, erase settings"
  4. Insert external Remote attestation key and signing key when prompted
  5. Reboot and verify successful remote attestation
  6. Boot to shell: Options -> Recovery Shell
  7. Mount SD card
  8. Insert chosen GPG Smartcard device
  9. Sign target iso gpg --armor --detach-sign airgap*.iso
  10. Reboot

Usage

  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot

Release

  1. Audit dependencies to ensure no relevant CVEs are open at the moment:

    make audit
    
  2. Verify and add detached signature to given release with:

    make VERSION=1.0.0rc1 verify sign
    
  3. Commit signatures.

Development

Build develop image

make

Boot image in qemu

make vm

Enter shell in build environment

make shell