From fc7cd830ad7b6292849353480bbffc9f17131098 Mon Sep 17 00:00:00 2001 From: cmn Date: Thu, 28 Dec 2023 09:54:49 +0100 Subject: [PATCH] on the fly luks --- filesystems.md | 13 ++++++++++--- git_usage.md | 5 ++++- networking.md | 20 +++++++++++++++++++- secureboot-linux.md | 33 +++++++++++++++++++++++++++++++++ virtualbox.md | 14 +++++++++++++- 5 files changed, 79 insertions(+), 6 deletions(-) create mode 100644 secureboot-linux.md diff --git a/filesystems.md b/filesystems.md index 9bc4ffe..a1975f2 100644 --- a/filesystems.md +++ b/filesystems.md @@ -1,6 +1,6 @@ # Filesystems -## btrfs -### btrfs scrub +### btrfs +#### btrfs scrub As a copy-on-write (COW) filesystem btrfs can compensate some errors from the underlying storage - check checksum on READ - fix logical block if valid copy is available (RAID1, RADI5/&, DUP) @@ -24,7 +24,14 @@ for p in $(lsblk -nflo FSTYPE,MOUNTPOINT | awk '$1=="btrfs"{print $2}'); do syst ``` the manual way of creating is eating the correct escape. -### +### luks +#### on-the-fly encryption of existing file system +``` +#reduce filesystem to gain space for the luks header +btrfs filesystem resize -32m /mounted_filesystem +#create on the fly encrypted filesystem +cryptsetup reencrypt --encrypt --reduce-device-size 32m /dev/plaintext_device +``` ### ATA/SMART #### hdparm diff --git a/git_usage.md b/git_usage.md index 113dfd5..19014b2 100644 --- a/git_usage.md +++ b/git_usage.md @@ -20,4 +20,7 @@ to change/activate git credential storing within the gnome key store: git branch -r | grep -v '\->' | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" | while read remote; do git branch --track "${remote#origin/}" "$remote"; done git fetch --all git pull --all -``` \ No newline at end of file +``` + +### show diff against stack +` git stash show -p` \ No newline at end of file diff --git a/networking.md b/networking.md index 846500e..41923cc 100644 --- a/networking.md +++ b/networking.md 
@@ -1,4 +1,10 @@ ## networking +#### source based routing +``` + echo 200 isp2 >> /etc/iproute2/rt_tables + ip rule add from table isp2 prio 1 + ip route add default via dev table isp2 +``` #### CAA desec.io ``` @@ -12,4 +18,16 @@ curl -X GET https://desec.io/api/v1/domains/{domain}/rrsets/?type=CAA --header "Authorization: Token {token}" | jq -``` \ No newline at end of file +``` + +#### Stratosphere Linux IDS + +src: https://github.com/stratosphereips/StratosphereLinuxIps + +##### usage +`sudo docker run -it --rm --net=host --cap-add=NET_ADMIN -v /home/user/dataset:/StratosphereLinuxIPS/dataset stratosphereips/slips:latest /bin/bash` + +issues: +- ./kalipso.sh not working with tmux +- IPv6 icmp typ 133 RA not implemented + diff --git a/secureboot-linux.md b/secureboot-linux.md new file mode 100644 index 0000000..011db50 --- /dev/null +++ b/secureboot-linux.md 
@@ -0,0 +1,33 @@ +## secureboot - linux style + +### general description +Usually UEFI secureboot relies on SHA256 and RSA-2048. The public keys are commonly stored as X.509 certificate. + +Secure Boot typically implements the following keys and lists: +- PK - Platform Key - Composed of two parts, PKpub (the public key) and PKpriv (the private key), used to sign the KEK. +- KEK - Key Exchange Key - The key used to sign the Signatures and Forbidden Signatures database, there can be more than one. +- db - Signature Database - Contains lists of public keys, signatures, and hashes which are allowed as part of the boot chain. +- dbx - Forbidden Signature Database - The opposite of the signature database, public keys, signatures, and hashes which should never be allowed to boot. + +Only one **Platform Key** can be used on a system, each other type is actually a list or "database". It is common to include the device Manufacturer's Key Exchange Key, and sometimes Microsoft's. On some devices, removing either of these keys could disable all video output. + +Several key formats and extensions are used with Secure Boot: + - .key - PEM - Used for private keys. + - .crt - PEM - Used for public keys. + - .cer - DER - Used for public keys. + - .esl - EFI Signature List - Used by EFI, a collection of public keys and hashes. + - .auth - Signed EFI Signature List - Used by EFI, signed form of an esl. + +.esl EFI signature lists are based on UUIDs, which are needed to organize the whole thing. Therefore a UUID is needed, not neccessarly a common one but it helps within an organization. + + +### tools +for shim (https://github.com/rhboot/shim) (debian, ubuntu, fedora, ...) there is the tool mokutil. The idea behind is to define a Machine-Owner-Key. This is system administrator for this specific device and get 'shimed' in between the secureboot and the linux kernel. The shim is signed by microsoft and allows to load signed efi binaries. Usually it is bundled with grub2. 
This multistaged trust chain has advantages, but however it is much more easy and resiliant to switch completely to the systemd-boot/uniky universe and skip the shim/grub/initramfs/kernel thing. Nevertheless, shim gets better und implements bugfixes, features and enhancements. But a major problem is the missing PCR for the kernel cmdline. + +otherwise the sbctl is useful, but it can be done more or less manually. + +the kernel deploys the efi vars as sysfs entries. To manipulate those, the sbsigntools can be used. The key handling or anything else is up to the user. +https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/ + +#### systemd +- https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ \ No newline at end of file diff --git a/virtualbox.md b/virtualbox.md index c44c0f5..3aac239 100644 --- a/virtualbox.md +++ b/virtualbox.md 
@@ -52,4 +52,16 @@ as soon as you have a bridge inside the VM all the networking traffic is broken. Maybe it is the copy of the MAC, which breaks it. However, after doing things, it is working now. ## UEFI and extension pack -the extention pack provides PXE-intel.rom. This option ROM needs DDIM support which is not possible by booting with UEFI. It is not sufficant to disable PXE boot, you need to rename/delete the rom-file itself. \ No newline at end of file +the extention pack provides PXE-intel.rom. This option ROM needs DDIM support which is not possible by booting with UEFI. It is not sufficant to disable PXE boot, you need to rename/delete the rom-file itself. + +## Secureboot +``` +`VBoxManage modifynvram` <*`uuid|vmname`*> inituefivarstore +`VBoxManage modifynvram` <*`uuid|vmname`*> enrollmssignatures +`VBoxManage modifynvram` <*`uuid|vmname`*> enrollorclpk +`VBoxManage modifynvram` <*`uuid|vmname`*> enrollpk \[--platform-key=*`filename`*] \[--owner-uuid=*`uuid`*] +`VBoxManage modifynvram` <*`uuid|vmname`*> enrollmok \[--mok=*`filename`*] \[--owner-uuid=*`uuid`*] +`VBoxManage modifynvram` <*`uuid|vmname`*> listvars +``` +VM needs to be off and there is currently a bug: +Somehow it is possible to register the MOK, but it seems that SecureBoot gets then unticked under the settings menu.
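Review bot: The heading demotion in the first filesystems.md hunk (`## btrfs` / `### btrfs scrub` to `###` / `####`) is unrelated to the commit subject "on the fly luks" and belongs in its own commit; it does bring btrfs in line with the neighbouring `### ATA/SMART` level, so if it stays, also fix the "RADI5/&" typo in the context line right below it (presumably "RAID5/6") while the section is being touched.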
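Review bot: The luks snippet in the second filesystems.md hunk is missing the prerequisites that make the two commands safe to follow: the `btrfs filesystem resize -32m` step runs on a mounted filesystem, but `cryptsetup reencrypt --encrypt --reduce-device-size 32m` needs the device unmounted and not in use, and an in-place encryption is destructive, so a full backup beforehand (and a `cryptsetup luksHeaderBackup` afterwards) should be stated. Also document why 32m: the value must be at least the LUKS2 data offset (16 MiB by default), and after the run the filesystem is only reachable via `cryptsetup open` under `/dev/mapper/<name>`, so crypttab/fstab entries need updating.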
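Review bot: "stack" in the new git_usage.md heading `### show diff against stack` should be "stash", matching the command beneath it; the inline code also carries a stray leading space (`` ` git stash show -p` ``), and the file still ends without a trailing newline even though the hunk fixes exactly that for the fence above.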
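Review bot: The source based routing commands in the first networking.md hunk are incomplete as written and fail with a usage error: `ip rule add from table isp2 prio 1` has no source prefix after `from`, and `ip route add default via dev table isp2` has no gateway after `via` and no interface after `dev`. Use explicit placeholders, e.g. `ip rule add from <isp2-src-ip>/32 table isp2 prio 1` and `ip route add default via <isp2-gateway> dev <isp2-iface> table isp2`, drop the leading space inside the fence, and note that `echo 200 isp2 >> /etc/iproute2/rt_tables` is a one-time step (it appends a duplicate line on every rerun). The `####` heading also sits directly under `## networking`, skipping a level.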
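Review bot: In the Stratosphere Linux IDS hunk of networking.md, "typ" should read "type" ("IPv6 icmp type 133 RA"), the src URL spells the repository "StratosphereLinuxIps" while the mount path uses "StratosphereLinuxIPS" (make them consistent), and `/home/user/dataset` is a machine-specific path that should be a placeholder. The usage line would also benefit from one sentence on why `--net=host` and `--cap-add=NET_ADMIN` are required (capturing on the host's interfaces), since both widen the container's reach into the host and a reader should know what they are granting.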
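Review bot: Spelling and grammar in the new secureboot-linux.md: "neccessarly" -> "necessarily", "resiliant" -> "resilient", "und" -> "and", "uniky" is unclear (presumably UKI, unified kernel image), and "This is system administrator for this specific device and get 'shimed' in between" needs rewording, e.g. "This is a key owned by the administrator of that specific device and is inserted by shim between secure boot and the Linux kernel". For precision, the `.crt` and `.cer` entries hold X.509 certificates rather than bare public keys, which also matches the opening sentence; and the `#### systemd` section is only a bare link, so one sentence on what the PCR registry lists and why it matters for the cmdline-PCR point above would make it useful.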
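Review bot: The Secureboot block in virtualbox.md copies the manual's markdown (backticks, `*`, `\[`) into a code fence, where it is rendered literally; strip it to plain command lines such as `VBoxManage modifynvram <uuid|vmname> enrollpk [--platform-key=filename] [--owner-uuid=uuid]`. The re-added UEFI line keeps "extention" and "sufficant" (extension, sufficient); fix them while touching the line. The note about the MOK bug should record the VirtualBox version it was observed with, otherwise it cannot be rechecked later.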