gedankensplitter/gnuk.md

keywords
IT Security Hardware token

gpg usage

add to gpg.conf: keyserver hkps://keys.openpgp.org
gpg --refresh-keys

IMHO

I think this is more or less dead. GnuPG does have a bad stand because of its bad implementation (Debian tries to omit it, git(hub) allows to sign with a ssh key instead of gpg) It is a dinosaur, familiar, powerful but ancient. Like IPsec, it is based on the understanding of security of the 90s. PGP is the idea, that a person has a digital identity to protect the personal data. And at that time the smartcard was the safest place.

However, it is allowed for VS-NfD and it is the successor for Chiasmus, so it will live longer. ( https://gnupg.com/gnupg-desktop.de.html) with the rise of wireguard and the sake of simplicity and therefore some missing comforts, it is clear that we should limit security solutions to a proper, but yet simple cipher suite. There is no option to weaken or disable the suite, it is just on or off.

The hardware itself is not safe at all. It is just a microcontroller which even can't protect successfully the no-readout flag. If you loose your GNUK you need to revoke the key, which is a pain.

• the user interaction button is not easy to implement to different 'plue pill' schematics, STM32 clones, unclear firmware code
• the encasement is for STLinkV2 clones acceptable
• due fake STM32 firmware updates fails
• original one about 50€
  • https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
  • https://www.gniibe.org/memo/development/fst-01/distributing-fst-01sz.html
  • https://www.gniibe.org/memo/development/fst-01/fst-01-revision-sz.html
  • https://www.gniibe.org/memo/development/read-out-protection/flash-rop.html
  • https://blog.thestaticturtle.fr/lets-make-a-diy-gpg-usb-key/

You could however use a Masterkey deployment, which adds overhead to your key handling.

• secure storage place for the decrypted OS
• a proper hardware system to keep it locked away
• a proper air-gap OS update process
• multiple hardware tokens
• mostly terminal based work to renew all of that
• currently no UIX to respect KISS

alternative is:

• File encryption: https://github.com/FiloSottile/age https://github.com/FiloSottile/age/discussions/432
• File signing: https://github.com/jedisct1/minisign/
• Mail encryption: as intermediate solution: p≡p and a workaround: https://de.wikipedia.org/wiki/Autocrypt and DKIM by the mail provider
• git commit sign https://github.com/git/git/pull/1041
• linux login: pam-poldi --> pam-u2f
• full disk encryption Luks2: --> TPM2 + PIN (for device bundled storage) or FIDO2 based
• SSH:FIDO2 openssh native support

Gnuk

offical Repo: https://salsa.debian.org/gnuk-team

The GNUK is a STM32 based hardware token which implements the openpgp specification. The reference hardware is the FST-01, which is no longer sold. It is possible to buy the hardware, common hardware is the STLink V2 adapter or the 'blue pill' development board. For the german market it is easier to use the nitrokey start: https://github.com/Nitrokey/nitrokey-start-firmware https://github.com/Nitrokey/nitrokey-start-hardware

GNUK is based on chopstx (µC OS) and this is related to neuG (STM32 ADC rng ).

Passport-opensc: https://javacardos.com/tools/passport Black pill pin : https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png

https://hackaday.io/project/162597/logs the page mentioning a single free PA pin, the PA5. All other Pins seems to be PBs. However, chopstx defines the boards and the ack-button. That leads to two places where to patch things. Within the boards definition where is a comments segment, afterwards somehow a pin definition.

Black Pill change for LED, maybe backport to gnuk https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987 schematics https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca [new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions---------------- get random data from gnuk more than 32byte? https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service https://github.com/vletoux/OpenPGP-CSP/issues https://incenp.org/dvlpt/scdtools.html

echo scd random 32 | gpg-connect-agent | xxd

--------------—

best practise

Nutzer PIN erst mit Zertifikat adminless Modus mit PIN über 8 Zeichen, User Pin min 6 Zeichen PIN

regnual firmware upgrade

koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password: 
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device: 
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end   20003b00
Run flash upgrade program...
Waiting for device to appear:
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
Device: 
08001000:0bfffc00
Downloading the program
start 08001000
end   0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished

koelner ~/src/gnuk/tool $./usb_strings.py 
    Vendor: Free Software Initiative of Japan
   Product: Gnuk Token
    Serial: FSIJ-1.2.13-87123119
  Revision: release/1.2.13-1-g3d06051-modified
    Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0

openocd firmware flash

Make Gnuk
cm@system-legacy:~/src/gnuk/src$ ./configure --vidpid=234b:0000 --target=BLUE_PILL --enable-factory-reset --enable-certdo
./configure --vidpid=234b:0000 --target=ST_DONGLE --enable-factory-reset --enable-certdo --disable-sys1-compat
cm@system-legacy:~/src/gnuk/src$ make -j4
cm@system-legacy:~/src/gnuk/src$ make build/gnuk-vidpid.elf


Flash Gnuk
0. build it like descibed in the offical documentation.
1. connect STLink and then the blue pill itself (GND, 3.3V SWDCLK, SWDIO)
2. use openocd 

$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg  -OR-
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg

3. telnet to openocd server
cm@system-legacy:~/src$ telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> stm32f1x unlock 0
device id = 0x20036410
flash size = 64kbytes
Target not halted
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> stm32f1x unlock 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
flash write algorithm aborted by target
flash write failed at address 0x8000002
flash memory not erased before writing
error writing to flash at address 0x08000000 at offset 0x00000000
> stm32f1x mass_erase 0
stm32f1x mass erase complete
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
wrote 114688 bytes from file /home/cm/src/gnuk/src/build/gnuk-vidpid.bin to flash bank 0 at offset 0x00000000 in 3.447206s (32.490 KiB/s)
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08003264 msp: 0x20005000
> stm32f1x lock 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x locked
> reset
> shutdown
shutdown command invoked
Connection closed by foreign host.

one liner

openocd -f interface/stlink.cfg \
-c 'transport select hla_swd' \
-f target/stm32f1x.cfg \
-c 'adapter_speed 400' \
-c init \
-c 'reset halt' \
-c 'stm32f1x unlock 0' \
-c 'reset halt' \
-c 'stm32f1x mass_erase 0' \
-c 'flash write_bank 0 /home/koelner/Downloads/gnuk.bin 0' \
-c 'stm32f1x lock 0' \
-c reset \
-c shutdown

links

https://github.com/gl-sergei/u2f-token https://riseup.net/en/security/message-security/openpgp/best-practices https://blog.josefsson.org/tag/openpgp/

gnuk root key station

rpi zero WH 1.1, CPU-Kühler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4 register i2c-rtc and usb-serial, login with dietpi:dietpi

root@gnupg-root:~# cat hwmon-ds3231.sh 
#!/usr/bin/env bash
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"

root@gnupg-root:~# cat hwmon-ds3231.sh 
#!/usr/bin/env bash
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
echo  "$rtctemp / 1000" | bc
echo "RTC temp = $rtctemp"

First run Check for RNG pool create encrypted storage for the gpg folder [on a removable device] -with long passphrase -with the master key and PIN (afterwards) init gpg settings create master key -export as QR-Code for printing (on a SDcard, USB Stick) -copy it to GNUK token -N-of-M sharing -USB-Stick create hash over gpg folder and sign it remount as read-only

regulary base Unmount encrypted storage before update update only via terminal/(ssh)

---

[GUI] Main task are: -unlock encrypted storage -copy revocation certificate to unencrypted storage -renew the sub key -copy subkey to GNUK -lock encrypted storage -renew disable date [GUI DEBUG] -upgrade GNUK firmware -git update -git verify -configure -make -upgrade via publickey -reinit GNUK token with saved openpgp data