Set up AirgapOS

Because without a Librem 14 there is no easy way to have a secure boot sequence, instead the AirgapOS .iso image is flashed to an SD card, locked using sdtool and then verified using any machine.

Setup Steps

  • Clone the latest AirgapOS version:

    • git clone git@distrust.co:public/airgap.git
  • Build the image:

    • cd airgap && make
  • Flash airgap.iso to an SD Card:

    • dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct
  • Use the sdtool to lock the SD Card:

    • git clone git@github.com:BertoldVdb/sdtool.git

    • cd sdtool

    • make

    • ./sdtool /dev/mmcblk permlock

    • Test that the card can't be written to:

      • dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress
  • Verify that the hash of airgap.iso matches what's flashed on the SD card:

    • head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum
    • sha256sum out/airgap.iso