VxSuite TDP - v4
  • System Overview
    • Election Package
      • VxSuite Election Definition
      • Ballot Definition CDF
    • Hand Marked Ballots
    • Machine Marked Ballots
    • Cast Vote Records
    • VxScan Polls Reports
    • VxAdmin Results Exports
      • Tally Reports
      • Ballot Count Reports
      • CSV Exports
      • Write-In Adjudication Report
      • CDF ERR Export
    • Software Overview
    • User Roles
    • VxAdmin Function
    • VxCentralScan Function
    • VxAdmin & VxCentralScan Hardware
    • VxScan Function
    • VxScan Hardware
    • VxMark Function
    • VxMark Hardware
    • Ballot Interpretation
    • Diagnostics
    • Signed Hash Validation
  • System Performance & Specifications
    • Supported Voting Variations & Languages
    • System Limits
      • Maximum Tabulation Rate
    • Paper Ballot Specifications
    • Reliably Detectable Marks
    • Safety, Security, Privacy, and Continuity of Operation
    • Processing Capabilities
  • System Security, Auditing & Logging
    • System Security Architecture
      • Access Control
      • Artifact Authentication
        • Hashing of Continuously Exported Cast Vote Records
        • Preserving Voter Privacy
      • System Integrity
      • Networking
      • Password and Credential Policies
      • Defense-in-Depth and Least Privilege
      • Cryptography
    • Physical Security
    • Procedural and Operational Security
    • Audit Procedure
    • Logging
    • Vulnerability Management
    • Risk Assessment
    • Hardware Criticality and Supplier Analysis
  • Software Installation
    • Trusted Build
      • Build Machine Configuration
        • Installing Debian 12 on VxBuild
      • Online Phase
      • Offline Phase
      • Final Configuration
        • Secure Boot Signing
      • Hash/Checksum Verification of Dependencies
      • Virt Manager - Network Access & Troubleshooting
    • Imaging Machines
      • Preparing USB Drives for Imaging
      • Imaging
      • Basic Configuration Wizard
      • Verifying the Image Installed on a Machine
      • Software Installation Record Creation
  • System Operations & Training Manual
  • System Inspection & Logic and Accuracy Testing
  • System Maintenance Manual
  • Usability & Accessibility
  • Audio Visual & Display Screen Settings
  • Quality Assurance Manual
  • Warranty Model
  • Public Documents
    • Ballot QR Code Data Format
Powered by GitBook
On this page
  • Transferring an Unsigned Image from SLI to VotingWorks
  • Secure Boot Signing
  • Transferring a Signed Image from VotingWorks to SLI
Export as PDF
  1. Software Installation
  2. Trusted Build
  3. Final Configuration

Secure Boot Signing

To finalize an image for production use, it's necessary to sign the image with the VotingWorks Secure Boot keys so that the image can be used on a Secure-Boot-enabled machine. This process requires the use of sensitive keys and a passphrase that should only ever be known to and used by VotingWorks. Since the Trusted Build process is performed by a third-party vendor (SLI), a process to securely sign the image without compromising the keys or passphrase is needed. This document describes that process.

Transferring an Unsigned Image from SLI to VotingWorks

Once SLI has created a Trusted Build image, the image and its VM definition (an XML file) must be securely provided to VotingWorks. To transfer the image and definition, SLI will upload to a shared S3 bucket only accessible to SLI and VotingWorks. This access is controlled via IAM permission policies.

NOTE: For documentation purposes, we will use a Trusted Build image named vxadmin. Replace that with the appropriate image name, as necessary.

Once SLI has configured their S3 access and created a Trusted Build image, they will need to upload the image and its configuration file. Additionally, hashes of each file will be generated so that SLI and VotingWorks can confirm files were not modified during the upload or download phases.

On the SLI build machine:

sudo su -
/home/vx/code/vxsuite-build-system/scripts/sb-unsigned-upload.sh vxadmin

Once the SLI upload has completed, VotingWorks will download and verify the hash values of all files. On the VotingWorks secure build machine, while SLI observes:

sudo /home/vx/code/vxsuite-build-system/scripts/sb-unsigned-download.sh vxadmin

Once the VotingWorks download has completed and been verified, and the VM has been successfully defined, VotingWorks can proceed with its Secure Boot signing process, while SLI observes.

Secure Boot Signing

VotingWorks will boot the VM, change the vendor password, attach a virtual device containing our Secure Boot signing keys, and select the option to "Lock the System Down" from the vendor menu. When prompted, VotingWorks will enter the passphrase for the Secure Boot signing keys.

When the process completes, the lock-down script displays the system hash. This hash will be provided to SLI/EAC for official verification of the image.

Note: The vxmark VM currently requires a slightly modified process. For vxmark, VotingWorks will boot the VM, change the vendor password, then shut the VM down. After verifying it is not in a running state, VotingWorks will boot the VM again and complete the rest of the process as previously described.

Transferring a Signed Image from VotingWorks to SLI

Now that the image has been securely signed, VotingWorks will upload the signed image for SLI to later download. While SLI observes, VotingWorks will run the following command on the VotingWorks secure build machine:

sudo /home/vx/code/vxsuite-build-system/scripts/sb-signed-upload.sh vxadmin

Once this step has completed, SLI can download the files at their convenience. On the SLI build machine:

sudo su -
/home/vx/code/vxsuite-build-system/scripts/sb-signed-download.sh vxadmin

Once SLI has completed the download, and hashes have been validated, the compressed image and signature can be provided to EAC for official use. At any point after submission to EAC, election officials and VotingWorks can verify the image hash as described under Verifying the Image Installed on a Machine.

PreviousFinal ConfigurationNextHash/Checksum Verification of Dependencies

Last updated 4 months ago