added hardware page with BIOS update details
zenmonkeykstop committed Mar 25, 2020
1 parent 0af6708 commit 385c1f5
Showing 3 changed files with 90 additions and 8 deletions.
65 changes: 65 additions & 0 deletions docs/admin/hardware.rst
@@ -0,0 +1,65 @@

Recommended hardware
====================

.. include:: ../includes/top-warning.rst

Qubes OS hardware requirements
------------------------------

In order to install and use SecureDrop Workstation, you will need a Qubes-Compatible computer with the following speifications:

- 64-bit Intel or AMD processor with virtualization support
- a minimum of 16GB RAM (32GB recommended for production use)
- sufficient disk space for the Qubes OS base install and SecureDrop Workstation VMs (a 128GB or greater SSD is recommended)

More information on hardware compatibility can be found on the `Qubes OS System Requirements <https://www.qubes-os.org/doc/system-requirements/>`_ page, and information on specific systems can be found via the `hardware compatibility list <https://www.qubes-os.org/hcl/>`_.

In order to print submissions, a supported non-networked printer is required. Supported models currently include:

- TBD
- Also TBD

More printer options will be added in future releases.

Lenovo ThinkPad T480
--------------------
The ThinkPad T480 is a viable option for SecureDrop Workstation, and also has the advantage of being used heavily by the SecureDrop development team. If you plan to use it, you should follow the instructions below to ensure that the BIOS is up to date before proceeding with the installation:

.. _t480_bios:

Upgrading the T480 BIOS
~~~~~~~~~~~~~~~~~~~~~~~

The instructions below assume the use of a Linux-based computer for the creation of a BIOS upgrade USB. To upgrade the T480 BIOS:

- Locate the model number of the T480 - it can often be found on a sticker on the underside of the laptop, or via the ``Main`` tab in Thinkpad Setup (accessed by pressing **Enter** on startup).
- Visit `<https://support.lenovo.com>`_ in the Linux-based computer. Type the model number found above into the search bar, then press **Enter**.
- In the T480 Product Home page, select **Drivers And Software** and choose **BIOS/UEFI**.
- Expand the **BIOS Update** listing and download the **BIOS Update (Bootable CD)** file.
- Verify the checksum of the downloaded ISO file using the following command, comparing it against the checksum in the file listing above:

.. code-block:: sh
sha256sum /path/to/downloaded.iso
- Create a USB-bootable version of the ISO using the command:

.. code-block:: sh
geteltorito <path/to/CDISO> > usb-bios.iso
- Plug in a USB and check its device name with the ``lsblk`` command - use the root device name below, not a partition (eg. ``/dev/sdc`` instead of ``/dev/sdc1``).

- Write the BIOS update ISO to the USB using the following command:

.. code-block:: sh
``sudo dd if=usb-bios.iso of=/dev/sda bs=1M && sync``
Once complete, remove the USB.

- Plug the USB into the T480 and boot it, pressing **F12** on startup. Select the USB's listing in the boot menu.

- Follow the on-screen instructions to update the BIOS, including any mandatory reboots.
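
Review bot: The ``dd`` step writes to ``of=/dev/sda``, which contradicts the ``lsblk`` step just above it (whose example is ``/dev/sdc``) and on many Linux machines is the system disk, so a reader who copies the command verbatim can overwrite the wrong drive. Use a placeholder such as ``of=/dev/sdX`` and tell the reader to substitute the root device name found with ``lsblk``. The command is also wrapped in double backticks inside a ``code-block``, where they will render literally, and "speifications" in the Qubes OS hardware requirements paragraph should read "specifications".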

32 changes: 24 additions & 8 deletions docs/admin/install.rst
Expand Up @@ -7,7 +7,7 @@ Prerequisites
-------------
In order to install SecureDrop Workstation and configure it to use an existing SecureDrop instance, you will need the following:

- A Qubes-compatible computer with at least 16GB of RAM (32 GB is recommended). SecureDrop Workstation has mainly been tested against Lenovo 6th-gen T480 and X1 models - the T480 is recommended, but see Qubes' `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`_ for more options.
- A Qubes-compatible computer with at least 16GB of RAM (32 GB is recommended). SecureDrop Workstation has mainly been tested against Lenovo 6th-gen T480 and X1 models - see Qubes' `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`_ and the SecureDrop Workstation :doc:`hardware` page for more options .
- Qubes installation medium - this guide assumes the use of a USB 3.0 stick. Qubes may also be installed via optical media, which may make more sense depending on your `security concerns <https://www.qubes-os.org/doc/install-security/>`_.
- The SecureDrop instance's Admin Workstation and Secure Viewing Station (SVS) USBs, and the full GPG fingerprint of the submission key.
- A working computer (Linux is recommended and assumed in this guide) to use for verification and creation of the Qubes installation medium.
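
Review bot: The rewritten first bullet ends with "for more options ." with a stray space before the full stop; remove it so the sentence closes as "for more options."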
Expand All @@ -18,9 +18,9 @@ A basic knowledge of the Qubes OS is helpful.

Apply BIOS updates and check settings
-------------------------------------
Before beginning the Qubes installation, make sure that your Qubes-compatible computer's BIOS is updated to the latest available version. Instructions on how to do so will vary by manufacturer or model and can usually be found on their respective support sites, for example `https://pcsupport.lenovo.com/ <https://pcsupport.lenovo.com/>`_ in the case of Lenovo.
Before beginning the Qubes installation, make sure that your Qubes-compatible computer's BIOS is updated to the latest available version. If you're using the recommended ThinkPad T480, see the :ref:`t480_bios` section in this documentation. The process will be different for other makes and models, and can usually be found on their respective support sites.

Once the BIOS is up-to-date, boot into the BIOS setup utility and update its settings. Note that not all BIOS versions will support the items listed but if available we recommend the following changes:
Once the BIOS is up-to-date, boot into the BIOS setup utility and update its settings. Note that not all BIOS versions will support the items listed, but if available we recommend the following changes:

- Ensure the internal clock is correct.
- Set a password to access the BIOS (and record the password in your password manager).
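
Review bot: The new BIOS paragraph calls the T480 "the recommended ThinkPad T480", but this same commit removes "the T480 is recommended" from the Prerequisites bullet and the new hardware page describes it only as "a viable option". Pick one wording and use it in all three places, so an administrator choosing hardware is not left guessing whether the T480 is a recommendation or just one tested model.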
Expand Down Expand Up @@ -165,15 +165,14 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
.. code-block:: sh
gpg --keyserver hkps://keys.openpgp.org --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
gpg --armor --export 22245C81E3BAEB4138B36061310F561200F4AD77 | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
gpg --armor --export 22245C81E3BAEB4138B36061310F561200F4AD77 > securedrop-release-key.pub
sudo rpmkeys --import securedrop-release-key.pub
- In the ``work`` terminal, open a text editor with escalated privileges (for example, with the command ``sudo gedit``) and create a file ``/etc/yum.repos.d/securedrop-temp.repo`` with the following contents:

.. code-block:: none
[securedrop-workstation-temporary]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
enabled=1
baseurl=https://yum.securedrop.org/workstation/dom0/f25
name=SecureDrop Workstation Qubes initial install bootstrap
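
Review bot: The repo file keeps ``gpgcheck=1`` but loses its ``gpgkey=`` line, so signature checking for this repository now depends entirely on ``sudo rpmkeys --import securedrop-release-key.pub`` having been run in the same VM beforehand. State that dependency next to the repo file, and add a step that confirms the import before continuing, for example listing the imported keys with ``rpm -q gpg-pubkey`` and checking for the ``00f4ad77`` key ID that the later verification output expects.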
Expand All @@ -186,14 +185,31 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
Note the release version number in the filename, you'll need it below.

- In the ``dom0`` terminal, run the following command to transfer the RPM package to dom0 and install SecureDrop Workstation:
- Verify the package with the following command:

.. code-block:: sh
rpm -Kv securedrop-workstation-dom0-config-<versionNumber>-1.fc25.noarch.rpm
where ``<versionNumber>`` is the release version nmber you noted above. The command output should match the following text:

.. code-block:: none
securedrop-workstation-dom0-config-<versionNumber>-1.fc25.noarch.rpm:
Header V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
Header SHA1 digest: OK
V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
MD5 digest: OK
- If the package verification was successful, in the ``dom0`` terminal, run the following command to transfer the RPM package to dom0 and install SecureDrop Workstation:

.. code-block:: sh
qvm-run --pass-io work "cat /home/user/securedrop-workstation-dom0-config-<versionNumber>-1.fc25.noarch.rpm" > securedrop-workstation.rpm
sudo dnf install securedrop-workstation.rpm
where ``<versionNumber>`` is the current SecureDrop Workstation release version. When prompted, press **Y** to install the package.
When prompted, press **Y** to install the package.

Configure SecureDrop Workstation
--------------------------------
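
Review bot: The new "Verify the package" step does not say which terminal to run ``rpm -Kv`` in, while the neighbouring steps name ``work`` and ``dom0`` explicitly; name the VM, since the check only means something where the release key was imported. The step should also say to stop if the output differs from the expected text, rather than leaving that implied by "If the package verification was successful" in the next step. "nmber" in the sentence after the command should read "number".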
1 change: 1 addition & 0 deletions docs/index.rst
Expand Up @@ -30,6 +30,7 @@ against malware and other security risks. It is built on Qubes OS and requires a
:maxdepth: 2
:caption: Guide for Administrators

admin/hardware
admin/install
admin/securing_workstation
admin/troubleshooting_connection