coelner/gedankensplitter
1
0
Fork 0
Code Pull Requests Releases Activity
b0e4cc28d7
gedankensplitter/gnuk.md
coelner 428640156e unknown
2022-06-09 21:50:05 +02:00

143 lines
4.3 KiB
Markdown
Raw Blame History

---
keywords:
- IT
- Security
---
## gpg usage
```bash
add to gpg.conf: keyserver hkps://keys.openpgp.org
gpg --refresh-keys
```
## Gnuk
Passport-opensc:[ https://javacardos.com/tools/passport]( https://javacardos.com/tools/passport)
Black pill pin : https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png
https://hackaday.io/project/162597/logs
the page mentioning a single free PA pin, the PA5. All other Pins seems to be PBs.
However, chopstx defines the boards and the ack-button. That leads to two places where to patch things. Within the boards definition where is a comments segment, afterwards somehow a pin definition.
Black Pill change for LED, maybe backport to gnuk
[https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)
schematics
https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca
[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79
----------mailgroup questions----------------
firmware upgrade with public RSA --> lost of all data?
upgrade manual?
get random data from gnuk more than 32byte?
https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
https://github.com/vletoux/OpenPGP-CSP/issues
https://incenp.org/dvlpt/scdtools.html
```
echo scd random 32 | gpg-connect-agent | xxd
```
-----------------
Nutzer PIN erst mit Zertifikat
adminless Modus mit PIN über 8 Zeichen, User Pin min 6 Zeichen PIN
---------UPGRADE----------—
```bash
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password:
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b
Device:
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end 20003b00
Run flash upgrade program...
Waiting for device to appear:
Wait 1 second...
Wait 1 second...
Wait 1 second...
Wait 1 second...
Wait 1 second...
Device:
08001000:0bfffc00
Downloading the program
start 08001000
end 0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished
koelner ~/src/gnuk/tool $./usb_strings.py
Vendor: Free Software Initiative of Japan
Product: Gnuk Token
Serial: FSIJ-1.2.13-87123119
Revision: release/1.2.13-1-g3d06051-modified
Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
Sys: 3.0
```
-------
https://github.com/gl-sergei/u2f-token
https://riseup.net/en/security/message-security/openpgp/best-practices
------
gnuk root key station
rpi zero WH 1.1, CPU-Kühler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons
Optional hardware: NeuG as TRNG, keyboard, RTC
OS: DietPi
additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]
activate timedatectl 4
register i2c-rtc and usb-serial, login with dietpi:dietpi
-------------
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"
-----------
First run
Check for RNG pool
create encrypted storage for the gpg folder [on a removable device]
-with long passphrase
-with the master key and PIN (afterwards)
init gpg settings
create master key
-export as QR-Code for printing (on a SDcard, USB Stick)
-copy it to GNUK token
-N-of-M sharing
-USB-Stick
create hash over gpg folder and sign it
remount as read-only
regulary base
Unmount encrypted storage before update
update only via terminal/(ssh)
--------------
[GUI] Main task are:
-unlock encrypted storage
-copy revocation certificate to unencrypted storage
-renew the sub key
-copy subkey to GNUK
-lock encrypted storage
-renew disable date
[GUI DEBUG]
-upgrade GNUK firmware
-git update
-git verify
-configure
-make
-upgrade via publickey
-reinit GNUK token with saved openpgp data
View Git Blame Copy Permalink