psf / psf-tuf-runbook Goto Github PK

nitrohsm-provision should prompt for security officer pin after starting.

this led to leaking of a single character, and later the full SO pin for one HSM during our ceremony on 2020-10-30, requiring a diceware break.

Due to COVID-19, the key generation and signing ceremonies will take place virtually, conducted by @ewdurbin and @woodruffw. To increase faith in the rigor and honesty of the ceremony, the following should be done:

• The ceremony should be done contiguously. Conductors should expect to not leave their seats until the ceremony is complete.
• Conductors should leave their cameras on.
• The ceremony should be recorded, and an unedited copy of the recording should be published after the fact.
• Members of the PSF body (including signing body members) should be invited to spectate the ceremony, in real time.

A runbook for pre-ceremony items should be written. The pre-ceremony should be performed either the night before or immediately before the actual ceremony.

This ceremony needs to include:

• Ensuring that all purchased items are present.
• Ensuring that all pre-existing items are present. Expected pre-existing items:
  • An external monitor, HDMI cable, and keyboard for interacting with the Raspberry Pi
  • A Sharpie or other permanent market for notating tamper-evident bags
  • Ensuring that a non-isolated computer is present for videoconferencing between the ceremony parties (namely @woodruffw and @ewdurbin)

The Raspberry Pi should be flashed with an image that's been pre-loaded with OpenSC and our provisioning binaries, to minimize build problems.

Checklist:

• Actually build the image
• Checksum individual binaries within the image
• Checksum the image itself
• Publish all checksums to this repository

Instead of terminating immediately, yubihsm-provision and nitrohsm-provision should loop until the user provides the correct authentication key/SO pin/user pin.

This will avoid the need to generate additional backup keys and PINs during the pre-ceremony, and makes the ceremony process a bit less stressful.

The pre-ceremony needs three separate diceware processes:

1. A process to generate the "authentication key" password for each YubiHSM.
2. A process to generate the Security Officer PIN for each Nitrokey HSM.
3. A process to generate the User PIN for each Nitrokey HSM.

The following tasks need to be accomplished before we can attempt the generation and signing ceremonies:

Purchases:

• Tamper-evident bags (one per HSM and flash storage, both pre and post ceremony = 24 total)
• Stick-on labels (one per tamper evident bag = 24 total)
• Trusted offline machines (one per signing body member = 6 total)
  • Current guidance: Raspberry Pi model 4s