mirror of
https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
synced 2024-09-20 02:40:08 +00:00
Update documentation.
This commit is contained in:
NIIBE Yutaka
parent
704d8a5cf1
commit
6c0c510347
12
NEWS
12
NEWS
@ -2,7 +2,7 @@ Gnuk NEWS - User visible changes
|
||||
|
||||
* Major changes in Gnuk 1.2.8
|
||||
|
||||
Released 2018-01-2X, by NIIBE Yutaka
|
||||
Released 2018-01-23, by NIIBE Yutaka
|
||||
|
||||
** No inclusion of VID:PID in gnuk.elf
|
||||
|
||||
@ -16,12 +16,12 @@ gnuk-vidpid.elf and we can check if it is reproducible or not.
|
||||
Now, Gnuk checks length of passphrase if it's too short when
|
||||
changing passphrase.
|
||||
|
||||
** Remove possible access with BY_ADMIN (to flash ROM data)
|
||||
** Remove unused DEK with BY_ADMIN
|
||||
|
||||
For admin-less mode, access by OPENPGP_CARD_INITIAL_PW3 remained on
|
||||
flash ROM. This could be considered a backdoor, if some other person
|
||||
had or kept access to the flash ROM. Now, the entry is cleared by
|
||||
zero when the token is set to admin-less mode.
|
||||
For admin-less mode, DEK by OPENPGP_CARD_INITIAL_PW3 remained on flash
|
||||
ROM. This could be considered a backdoor, if some other person had or
|
||||
kept access to the flash ROM, cheating a user. Now, the DEK is
|
||||
cleared by zero when the token is set to admin-less mode.
|
||||
|
||||
** Upgrade of Chopstx
|
||||
We use Chopstx 1.8.
|
||||
|
||||
29
README
29
README
@ -1,14 +1,14 @@
|
||||
Gnuk - An Implementation of USB Cryptographic Token for GnuPG
|
||||
|
||||
Version 1.2.7
|
||||
2017-11-26
|
||||
Version 1.2.8
|
||||
2018-01-23
|
||||
Niibe Yutaka
|
||||
Free Software Initiative of Japan
|
||||
|
||||
Release Notes
|
||||
=============
|
||||
|
||||
This is the release of Gnuk, version 1.2.7, which has major
|
||||
This is the release of Gnuk, version 1.2.8, which has major
|
||||
incompatible changes to Gnuk 1.0.x. Specifically, it now supports
|
||||
overriding key import, but importing keys (or generating keys) results
|
||||
password reset. Also, you need to import private keys before changing
|
||||
@ -24,13 +24,10 @@ It also supports RSA-4096, but users should know that it takes more
|
||||
than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails,
|
||||
because the device doesn't have enough memory.
|
||||
|
||||
In this release, experimental KDF-DO support is added. To use the
|
||||
feature, you need to build/install experimental branch of GnuPG by
|
||||
yourself:
|
||||
|
||||
https://dev.gnupg.org/source/gnupg/history/gniibe%252Fscd-kdf-support/
|
||||
|
||||
And manually prepare the KDF-DO on your token.
|
||||
It supports new KDF-DO feature. To use the feature, you need to use
|
||||
newer GnuPG (forthcoming 2.2.5 or later). And you need to manually
|
||||
prepare the KDF-DO on your token. Please note that this is
|
||||
experimental. Better way to prepare KDF-DO will be expected.
|
||||
|
||||
|
||||
What's Gnuk?
|
||||
@ -408,6 +405,10 @@ Then, type:
|
||||
|
||||
Then, we will have "gnuk.elf" under src/build directory.
|
||||
|
||||
Next, we can get the final image by running following command.
|
||||
|
||||
$ make build/gnuk-vidpid.elf
|
||||
|
||||
|
||||
How to install
|
||||
==============
|
||||
@ -416,11 +417,11 @@ Olimex STM32-H103 board
|
||||
-----------------------
|
||||
|
||||
If you are using Olimex JTAG-Tiny, type following to invoke OpenOCD
|
||||
and write "gnuk.elf" to Flash ROM:
|
||||
and write "gnuk-vidpid.elf" to Flash ROM:
|
||||
|
||||
$ openocd -f interface/ftdi/olimex-jtag-tiny.cfg \
|
||||
-f board/olimex_stm32_h103.cfg \
|
||||
-c "program build/gnuk.elf verify reset exit"
|
||||
-c "program build/gnuk-vidpid.elf verify reset exit"
|
||||
|
||||
Command invocation is assumed in src/ directory.
|
||||
|
||||
@ -433,7 +434,7 @@ If you are using Flying Stone Tiny 01, you need a SWD writer.
|
||||
OpenOCD 0.9.0 now supports ST-Link/V2. We can use it like:
|
||||
|
||||
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg \
|
||||
-c "program build/gnuk.elf verify reset exit"
|
||||
-c "program build/gnuk-vidpid.elf verify reset exit"
|
||||
|
||||
|
||||
|
||||
@ -444,7 +445,7 @@ Reset the board with "USER" switch pushed. Type following to write
|
||||
to flash:
|
||||
|
||||
# cd ../tool
|
||||
# ./dfuse.py ../src/build/gnuk.hex
|
||||
# ./dfuse.py ../src/build/gnuk-vidpid.hex
|
||||
|
||||
Then, reset the board.
|
||||
|
||||
|
||||
@ -40,11 +40,11 @@ We are using "-O3 -Os" for compiler option.
|
||||
Building Gnuk
|
||||
-------------
|
||||
|
||||
Change directory to ``src``:
|
||||
Change directory to ``src``: ::
|
||||
|
||||
$ cd gnuk-VERSION/src
|
||||
|
||||
Then, run ``configure``:
|
||||
Then, run ``configure``: ::
|
||||
|
||||
$ ./configure --vidpid=<VID:PID>
|
||||
|
||||
@ -52,8 +52,12 @@ Here, you need to specify USB vendor ID and product ID. For FSIJ's,
|
||||
it's: --vidpid=234b:0000 . Please read the section 'USB vendor ID and
|
||||
product ID' in README.
|
||||
|
||||
Type:
|
||||
Type: ::
|
||||
|
||||
$ make
|
||||
|
||||
Then, we will have "gnuk.elf" under src/build directory.
|
||||
|
||||
Next, we can get the final image by running following command. ::
|
||||
|
||||
$ make build/gnuk-vidpid.elf
|
||||
|
||||
@ -65,7 +65,7 @@ Invoking firmware update
|
||||
|
||||
We specify reGNUal binary and Gnuk binary.
|
||||
|
||||
$ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk.bin
|
||||
$ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk-vidpid.bin
|
||||
|
||||
|
||||
Two or more tokens
|
||||
|
||||
@ -73,16 +73,20 @@ and make: ::
|
||||
$ make
|
||||
|
||||
Please take care of configure options. The default target in 1.0.x
|
||||
series is Olimex STM32 H103 (not FST-01). The default target in 1.1.8
|
||||
series is Olimex STM32 H103 (not FST-01). The default target in 1.2.x
|
||||
is FST-01.
|
||||
|
||||
Then you get build/gnuk.elf.
|
||||
|
||||
Then you get build/gnuk.elf and build/gnuk.bin.
|
||||
Next, we can get the final image by running following command.
|
||||
|
||||
Invoking configure with FSIJ's USB ID (234b:0000) means that you are
|
||||
using FSIJ's USB ID (for reGNUal in this case). Please note that FSIJ
|
||||
only allows use of its USB ID for specific situations. Please read
|
||||
README of Gnuk about that.
|
||||
$ make build/gnuk-vidpid.elf
|
||||
|
||||
|
||||
Invoking configure with FSIJ's USB ID (234b:0000) and generating
|
||||
gnuk-vidpid.elf means that you are using FSIJ's USB ID (for reGNUal in
|
||||
this case). Please note that FSIJ only allows use of its USB ID for
|
||||
specific situations. Please read README of Gnuk about that.
|
||||
|
||||
|
||||
Bulding reGNUal
|
||||
@ -117,13 +121,13 @@ your environment for Gnuk Token.
|
||||
How to run the script: ::
|
||||
|
||||
$ cd tool
|
||||
$ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
|
||||
$ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk-vidpid.bin
|
||||
|
||||
Then, the script on your host PC invoke the steps described above, and
|
||||
you will get new version of Gnuk installed.
|
||||
|
||||
You can also specify -p option to enter your password (other than
|
||||
factory setting).
|
||||
You can also specify -f option to skip entering your password (it
|
||||
assumes the factory setting).
|
||||
|
||||
If you already have configured another upgrade key installed, you can
|
||||
specify different slot by -k ``<slot_no>`` option. SLOT_NO can be 0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user