Record AppVM template and UI baseline

Morten V. Christiansen 2026-04-24 05:52:44 +02:00
parent d9e9e95b5f
commit 8888601f69
2 changed files with 9 additions and 3 deletions


@ -44,7 +44,7 @@ Update this file whenever environment status or verified behavior changes.
## Target Qubes Topology ## Target Qubes Topology
- Base template for all AppVMs: Debian template. - Base template for all AppVMs: `debian-13-xfce`.
- Allowed network paths: - Allowed network paths:
- `k_client` -> `k_proxy` over TLS - `k_client` -> `k_proxy` over TLS
- `k_proxy` -> `k_server` over TLS - `k_proxy` -> `k_server` over TLS
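Review bot: The changed bullet "Base template for all AppVMs" pins a single desktop template, `debian-13-xfce`, for every role, so `k_proxy` and `k_server` share the template of the browser-facing `k_client`. If that is a deliberate simplification for now, say so in the bullet. Otherwise note whether the proxy and server qubes are expected to move to a smaller template later, since a problem in the shared template reaches every hop of the TLS path listed under "Allowed network paths".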
@ -68,6 +68,11 @@ Functional roles:
- Provides a dummy protected resource for early integration testing (monotonic increasing number/counter). - Provides a dummy protected resource for early integration testing (monotonic increasing number/counter).
- May hold user/session state logic needed for authorization decisions. - May hold user/session state logic needed for authorization decisions.
UI baseline for each AppVM (start-menu visible apps):
- Firefox
- XFCE Terminal
- File Manager
## Target Request Flow ## Target Request Flow
1. `k_client` sends HTTPS request to `k_proxy`. 1. `k_client` sends HTTPS request to `k_proxy`.
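Review bot: The added "UI baseline for each AppVM" list puts Firefox in the start menu of all three qubes, but the request flow directly below it only has `k_client` originating HTTPS requests. Suggest scoping Firefox to `k_client` and keeping only the terminal and file manager on the other two, or adding one line that says why a browser is wanted on the qubes that do not originate requests.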
@ -125,6 +130,7 @@ Implication:
Session note (2026-04-24): Session note (2026-04-24):
- Markdown tracking was reviewed and normalized around `Setup.md` + `Workplan.md` as the active, continuously updated execution record. - Markdown tracking was reviewed and normalized around `Setup.md` + `Workplan.md` as the active, continuously updated execution record.
- AppVM template decision recorded: use `debian-13-xfce` for `k_client`, `k_proxy`, and `k_server`.
## Known FIDO2 Transport Boundary ## Known FIDO2 Transport Boundary
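Review bot: The added session-note bullet says the template decision was "recorded" but not whether `k_client`, `k_proxy` and `k_server` are already running on `debian-13-xfce`. The file's own header asks for updates when environment status or verified behavior changes, so the bullet should state which of the two this is: a decision only, or a verified state of the three AppVMs.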


@ -8,7 +8,7 @@ This is the execution plan for making ChromeCard FIDO2 development and validatio
- Treat `/home/user/chromecard/CR_SDK_CK-main` as read-only. - Treat `/home/user/chromecard/CR_SDK_CK-main` as read-only.
- Keep helper scripts such as `fido2_probe.py` and `webauthn_local_demo.py` at `/home/user/chromecard`. - Keep helper scripts such as `fido2_probe.py` and `webauthn_local_demo.py` at `/home/user/chromecard`.
- Target deployment model is Qubes OS with 3 Debian-based AppVMs: `k_client`, `k_proxy`, `k_server`. - Target deployment model is Qubes OS with 3 AppVMs based on `debian-13-xfce`: `k_client`, `k_proxy`, `k_server`.
- Current authenticator link is card->`k_proxy` (USB), but architecture must allow migration to wireless phone-mediated validation. - Current authenticator link is card->`k_proxy` (USB), but architecture must allow migration to wireless phone-mediated validation.
## Goals ## Goals
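Review bot: The changed deployment-model bullet hard-codes `debian-13-xfce`, and the same name is repeated in Phase 0 step 1 of this file, so the next template change has to be edited in several places and can drift. Suggest naming the template once in this bullet and having later steps refer back to it, for example "based on the base template named above".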
@ -26,7 +26,7 @@ This is the execution plan for making ChromeCard FIDO2 development and validatio
## Phase 0: Qubes VM Baseline (Blocking) ## Phase 0: Qubes VM Baseline (Blocking)
1. Provision/verify AppVMs. 1. Provision/verify AppVMs.
- Ensure `k_client`, `k_proxy`, `k_server` exist and are based on the Debian template. - Ensure `k_client`, `k_proxy`, `k_server` exist and are based on `debian-13-xfce`.
2. Assign functional responsibilities. 2. Assign functional responsibilities.
- `k_client`: browser client + enrollment process. - `k_client`: browser client + enrollment process.
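Review bot: Phase 0 is marked blocking, but the changed sub-bullet under step 1 ("exist and are based on `debian-13-xfce`") gives neither a check nor an action for an AppVM that already exists on a different template. Suggest adding the check to run in dom0, such as `qvm-prefs k_proxy template` for each of the three qubes, and stating whether a mismatch means switching the template or recreating the AppVM.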