gnupg-root/README.md

# GnuPG root
To get the hole gpg thing working, you should use a offline computer. This system needs to kept save and usually generates and/or store your master key. From this system you would also deliver those subkeys, which you can use on a daily base.
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.


## Prerequisites

 1. small embedded linux powered device
 2. easily available and widely used platform
 3. security orientated os
 4. offline 
 5. RO system
 6. persistance with overlay
 7. possible file integrity checks
 8. USB-A connector(s) for the GNUK token/SmartCard Reader

## terminal user interface

### main page - overview

1. Integrity OK/Fail
 1. /root filesystem
 2. user config
 3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key Expire failure/warning
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available


## 00-preparation
 1. format sd card with 3 partitions
  1. MBR 'msdos'
  2. 256MB  FAT32 for /boot partition
  3. 2GB    ext4 for overlay
 2. extract image: `tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner `
 3. edit cmdline.txt
 4. create usercfg.txt
 5. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils} ) [70MB]
 6. connect UART TX/RX/GND to pin 8/10/6 green/white/black
 7. boot rpi
 8. mount second partition to folder /media/mmcblk0p2
 9. change /etc/lbu/lbu.conf
 10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
 11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
 12. add community repo (ccid, opensc)
 13. rc- del acpid default (arm only)
 
## persistent /usr
1. `dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152`
2. `apk add e2fsprogs`
3. `mkfs.ext4 /media/mmcblk0p2/persist.img`
4. `echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab`
5. `mkdir /media/persist`
6. `mount -a`
7. `mkdir /media/persist/usr `
8. `mkdir /media/persist/.work `
9. `echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab `
10. `mount -a`
11. `lbu commit`


## rng
- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
- haveged speeds up the random process to 40seconds
- rngd speeds up this to 52 seconds
- an added BT4.0 usb adapter speeds up this to 20seconds
- an added usb stick speeds up this to 5 seconds
- lbu include /var/lib/misc/random-seed [needs confirm]

## rtc
- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
`[   29.896261] rtc-ds1307 1-0068: registered as rtc0`
- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
`CONFIG_RTC_HCTOSYS not set`


## encrypted container (encrypted storage)
```
apk add cryptsetup
fallocate -l 10MB PRIVATE [minimal 20MB]
cryptsetup -v luksFormat PRIVATE [takes some seconds]
--use secure passphrase
cryptsetup -v luksOpen /mnt/mmcblk0p2/PRIVATE private_file
mkfs -t ext4 /dev/mapper/private_file
mkdir /mnt/private_file
ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg
ln -s /mnt/private_file/root/.gnupg /root/.gnupg
mount /dev/mapper/private_file /mnt/private_file
--Umount and close file
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```

```
mkdir /mnt/private_file/user/.gnupg
chmod 750 /mnt/private_file/user
chown user:user /mnt/private_file/user/.gnupg
```

edit /etc/mdev.conf for usb tokens [ToDo]
killall gpg-agent

#mount encrypted container
```
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file
--Umount and close file
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```

##kernel update [inProgress]

##kernel  [inProgress]
related: [https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980]

```
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
gnupg-root:/media/mmcblk0p2# cd modloopfs/
gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-
rpi
Parallel unsquashfs: Using 1 processor
1814 inodes (2087 blocks) to write
created 1814 files
created 359 directories
created 0 symlinks
created 0 devices
created 0 fifos
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount | grep modloop
/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx    1 root     root            17 Jan  1  1970 /lib/modules -> /.modloop/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx    1 root     root            48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules
```
```
mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
apk add linux-rpi
```

## generic image upgrade

[offline]
1. extract original image to first partion
2. restore cmdline and usercfg.txt
  - [root] delete from overlay partition the cache folder
1. in case of a folder	(delete from overlay the /usr)
2. in case of an image
  - `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
  - `mkfs.ext4 persist.img`

[online]
1. recreate .work folder under /media/persist
2. recreate usr folder under /media/persist
3. `mkdir /mnt/private_file`
4. check mountpoint for /usr | mount /usr
5. fix the repository
6. fix the network interface
7. apk update
8. apk upgrade
9. 're-add' installed packages [e.g. 00-preparation]
10. remount /media/mmcblk0p1 rewritable
11. `mount -o rw,remount /media/mmcblk0p1/`
12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
13. `lsblk`
14. `ln -s /media/mmcblk0p1/boot boot`
15. `mkinitfs`
16. reboot without lbu commit

## fast major release update
 1. delete content of first partition
 2. extract original image to first partion
 3. restore cmdline and usercfg.txt
  - `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
  - usercfg.txt
 4. delete from overlay the cache folder
 5. boot RPI zero
 6. change `/etc/apk/repositories`
 7. lbu commit
 8. reboot
 9. apk update
 10. apk upgrade
 11. reboot

## generic minor  (to install it into ram)
 1. apk 
 2. apk upgrade
 3. lbu commit

## 1.44" OLED and button
create a overlay for /usr otherwise space is missing
https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working fbtft module mossing]
apk add python2 #obsolete
apk add build-base #binary is build for rpi3
// ToDo
sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))
vi /etc/modprobe.d/fbtft.conf
options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128

## python approach
pip install --user RPi.GPIO
pip install --user spidev


## modern kernel approach
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
apk add raspberrypi-dev


## nitrokey
```
 apk add py-pip build-base python3-dev py3-wheel [240Mb]
 apk add libffi-dev [7Mb]
 apk add openssl-dev rust cargo [337Mb]	
 #pip install --user setuptools_rust
 apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
 apk add py3-pep517 py3-cryptography
//see https://cryptography.io/en/latest/installation/
reboot
lbu inc /home
lbu inc /root
 pip3 install --user wheel 
 pip3 install --user pynitrokey [takes about 35min, can fail due missing space left on device, but cbor fails nevertheless]
 ```

 #fix $PATH to /root/.local/bin in /etc/profile
 #need mdev/udev rules to grant access for user
 #libudev-zero is a replacement, which is needed for pcscd
 
## ToDo
 #tmux 
 #camera to scan QR code
 #predefine common action scheme
 #general reconsideration of usefulness
 
### links
[https://github.com/hashbang/airgap]
[https://riseup.net/de/security/message-security/openpgp/gpg-best-practices]
[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]
WIP 2020-09-10 16:02:20 +00:00			`# GnuPG root`
			`To get the hole gpg thing working, you should use a offline computer. This system needs to kept save and usually generates and/or store your master key. From this system you would also deliver those subkeys, which you can use on a daily base.`
			`Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.`


formatting 2022-12-31 08:06:45 +00:00			`## Prerequisites`
WIP 2020-09-10 16:02:20 +00:00
			`1. small embedded linux powered device`
			`2. easily available and widely used platform`
			`3. security orientated os`
minor notes 2022-03-27 18:18:18 +00:00			`4. offline`
WIP 2020-09-10 16:02:20 +00:00			`5. RO system`
			`6. persistance with overlay`
			`7. possible file integrity checks`
			`8. USB-A connector(s) for the GNUK token/SmartCard Reader`

formatting 2022-12-31 08:06:45 +00:00			`## terminal user interface`
WIP 2020-09-10 16:02:20 +00:00
formatting 2022-12-31 08:06:45 +00:00			`### main page - overview`
WIP 2020-09-10 16:02:20 +00:00
			`1. Integrity OK/Fail`
			`1. /root filesystem`
			`2. user config`
			`3. .gnupg path`
			`2. rootCA/MasterKey SmartCard/GNUK available`
			`3. user SmartCard/GNUK available`
			`4. RNG status`
			`5. RTC/Time/Date status`
			`6. Key Expire failure/warning`
			`7. Key length Failure/Warning (BSI recommendation)`
			`8. revocation certificate available`


			`## 00-preparation`
			`1. format sd card with 3 partitions`
			`1. MBR 'msdos'`
			`2. 256MB FAT32 for /boot partition`
			`3. 2GB ext4 for overlay`
readme format 2022-12-28 20:11:15 +00:00			2. extract image: `tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner `
WIP 2020-09-10 16:02:20 +00:00			`3. edit cmdline.txt`
			`4. create usercfg.txt`
current state 2022-01-07 18:22:39 +00:00			`5. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils} ) [70MB]`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`6. connect UART TX/RX/GND to pin 8/10/6 green/white/black`
WIP 2020-09-10 16:02:20 +00:00			`7. boot rpi`
			`8. mount second partition to folder /media/mmcblk0p2`
			`9. change /etc/lbu/lbu.conf`
minor notes 2022-03-27 18:18:18 +00:00			`10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])`
			`11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])`
WIP 2020-09-10 16:02:20 +00:00			`12. add community repo (ccid, opensc)`
minor notes 2022-03-27 18:18:18 +00:00			`13. rc- del acpid default (arm only)`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00
			`## persistent /usr`
readme format 2022-12-28 20:11:15 +00:00			1. `dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152`
			2. `apk add e2fsprogs`
			3. `mkfs.ext4 /media/mmcblk0p2/persist.img`
			4. `echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab`
			5. `mkdir /media/persist`
			6. `mount -a`
			7. `mkdir /media/persist/usr `
			8. `mkdir /media/persist/.work `
			9. `echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab `
			10. `mount -a`
			11. `lbu commit`
WIP 2020-09-10 16:02:20 +00:00


			`## rng`
minor notes 2022-03-27 18:18:18 +00:00			`- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)`
			`- haveged speeds up the random process to 40seconds`
			`- rngd speeds up this to 52 seconds`
			`- an added BT4.0 usb adapter speeds up this to 20seconds`
			`- an added usb stick speeds up this to 5 seconds`
			`- lbu include /var/lib/misc/random-seed [needs confirm]`
WIP 2020-09-10 16:02:20 +00:00
			`## rtc`
minor notes 2022-03-27 18:18:18 +00:00			`- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'`
			`[ 29.896261] rtc-ds1307 1-0068: registered as rtc0`
			`- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352`
			`CONFIG_RTC_HCTOSYS not set`
WIP 2020-09-10 16:02:20 +00:00

			`## encrypted container (encrypted storage)`
readme format 2022-12-28 20:11:15 +00:00			```
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`apk add cryptsetup`
			`fallocate -l 10MB PRIVATE [minimal 20MB]`
			`cryptsetup -v luksFormat PRIVATE [takes some seconds]`
WIP 2020-09-10 16:02:20 +00:00			`--use secure passphrase`
current state 2022-01-07 18:22:39 +00:00			`cryptsetup -v luksOpen /mnt/mmcblk0p2/PRIVATE private_file`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`mkfs -t ext4 /dev/mapper/private_file`
WIP 2020-09-10 16:02:20 +00:00			`mkdir /mnt/private_file`
current state 2022-01-07 18:22:39 +00:00			`ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg`
			`ln -s /mnt/private_file/root/.gnupg /root/.gnupg`
WIP 2020-09-10 16:02:20 +00:00			`mount /dev/mapper/private_file /mnt/private_file`
			`--Umount and close file`
current state 2022-01-07 18:22:39 +00:00			`killall gpg-agent`
WIP 2020-09-10 16:02:20 +00:00			`umount /mnt/private_file`
			`cryptsetup luksClose private_file`
readme format 2022-12-28 20:11:15 +00:00			```
WIP 2020-09-10 16:02:20 +00:00
readme format 2022-12-28 20:11:15 +00:00			```
current state 2022-01-07 18:22:39 +00:00			`mkdir /mnt/private_file/user/.gnupg`
			`chmod 750 /mnt/private_file/user`
			`chown user:user /mnt/private_file/user/.gnupg`
readme format 2022-12-28 20:11:15 +00:00			```
current state 2022-01-07 18:22:39 +00:00
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`edit /etc/mdev.conf for usb tokens [ToDo]`
			`killall gpg-agent`

current state 2022-01-07 18:22:39 +00:00			`#mount encrypted container`
formatting 2022-12-31 08:06:45 +00:00			```
current state 2022-01-07 18:22:39 +00:00			`cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file`
			`mount /dev/mapper/private_file /mnt/private_file`
			`--Umount and close file`
			`killall gpg-agent`
			`umount /mnt/private_file`
			`cryptsetup luksClose private_file`
formatting 2022-12-31 08:06:45 +00:00			```
current state 2022-01-07 18:22:39 +00:00
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`##kernel update [inProgress]`
fix merge conflicts artefacts 2022-06-05 09:49:31 +00:00
minor notes 2022-03-27 18:18:18 +00:00			`##kernel [inProgress]`
readme format 2022-12-28 20:11:15 +00:00			`related: [https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980]`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00
readme format 2022-12-28 20:11:15 +00:00			```
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`gnupg-root:/media/mmcblk0p2# mkdir modloopfs`
			`gnupg-root:/media/mmcblk0p2# cd modloopfs/`
			`gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-`
			`rpi`
			`Parallel unsquashfs: Using 1 processor`
			`1814 inodes (2087 blocks) to write`
			`created 1814 files`
			`created 359 directories`
			`created 0 symlinks`
			`created 0 devices`
			`created 0 fifos`
			`gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount \| grep modloop`
			`/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)`
			`gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules`
			`lrwxrwxrwx 1 root root 17 Jan 1 1970 /lib/modules -> /.modloop/modules`
			`gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules`
			`gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules`
			`gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules`
			`lrwxrwxrwx 1 root root 48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules`
readme format 2022-12-28 20:11:15 +00:00			```
			```
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments`
			`apk add linux-rpi`
readme format 2022-12-28 20:11:15 +00:00			```
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00
			`## generic image upgrade`
fix merge conflicts artefacts 2022-06-05 09:49:31 +00:00
current state 2022-01-07 18:22:39 +00:00			`[offline]`
readme format 2022-12-28 20:11:15 +00:00			`1. extract original image to first partion`
			`2. restore cmdline and usercfg.txt`
formatting 2022-12-31 08:06:45 +00:00			`- [root] delete from overlay partition the cache folder`
readme format 2022-12-28 20:11:15 +00:00			`1. in case of a folder (delete from overlay the /usr)`
			`2. in case of an image`
			- `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
formatting 2022-12-31 08:06:45 +00:00			- `mkfs.ext4 persist.img`

current state 2022-01-07 18:22:39 +00:00			`[online]`
readme format 2022-12-28 20:11:15 +00:00			`1. recreate .work folder under /media/persist`
			`2. recreate usr folder under /media/persist`
formatting 2022-12-31 08:06:45 +00:00			3. `mkdir /mnt/private_file`
readme format 2022-12-28 20:11:15 +00:00			`4. check mountpoint for /usr \| mount /usr`
			`5. fix the repository`
			`6. fix the network interface`
			`7. apk update`
			`8. apk upgrade`
			`9. 're-add' installed packages [e.g. 00-preparation]`
formatting 2022-12-31 08:06:45 +00:00			`10. remount /media/mmcblk0p1 rewritable`
readme format 2022-12-28 20:11:15 +00:00			11. `mount -o rw,remount /media/mmcblk0p1/`
formatting 2022-12-31 08:06:45 +00:00			12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
			13. `lsblk`
			14. `ln -s /media/mmcblk0p1/boot boot`
			15. `mkinitfs`
			`16. reboot without lbu commit`
fix merge conflicts artefacts 2022-06-05 09:49:31 +00:00
			`## fast major release update`
minor notes 2022-03-27 18:18:18 +00:00			`1. delete content of first partition`
			`2. extract original image to first partion`
			`3. restore cmdline and usercfg.txt`
			- `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
			`- usercfg.txt`
fix merge conflicts artefacts 2022-06-05 09:49:31 +00:00			`4. delete from overlay the cache folder`
			`5. boot RPI zero`
readme format 2022-12-28 20:11:15 +00:00			6. change `/etc/apk/repositories`
fix merge conflicts artefacts 2022-06-05 09:49:31 +00:00			`7. lbu commit`
minor notes 2022-03-27 18:18:18 +00:00			`8. reboot`
			`9. apk update`
			`10. apk upgrade`
			`11. reboot`

formatting 2022-12-31 08:06:45 +00:00			`## generic minor (to install it into ram)`
minor notes 2022-03-27 18:18:18 +00:00			`1. apk`
			`2. apk upgrade`
			`3. lbu commit`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00
			`## 1.44" OLED and button`
formatting 2022-12-31 08:06:45 +00:00			`create a overlay for /usr otherwise space is missing`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working fbtft module mossing]`
			`apk add python2 #obsolete`
current state 2022-01-07 18:22:39 +00:00			`apk add build-base #binary is build for rpi3`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`// ToDo`
			`sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))`
			`vi /etc/modprobe.d/fbtft.conf`
			`options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128`

current state 2022-01-07 18:22:39 +00:00			`## python approach`
			`pip install --user RPi.GPIO`
			`pip install --user spidev`


formatting 2022-12-31 08:06:45 +00:00			`## modern kernel approach`
current state 2022-01-07 18:22:39 +00:00			`wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip`
			`cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6`
			`apk add raspberrypi-dev`


alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`## nitrokey`
formatting 2022-12-31 08:06:45 +00:00			```
current state 2022-01-07 18:22:39 +00:00			`apk add py-pip build-base python3-dev py3-wheel [240Mb]`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`apk add libffi-dev [7Mb]`
current state 2022-01-07 18:22:39 +00:00			`apk add openssl-dev rust cargo [337Mb]`
			`#pip install --user setuptools_rust`
			`apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo`
			`apk add py3-pep517 py3-cryptography`
			`//see https://cryptography.io/en/latest/installation/`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`reboot`
			`lbu inc /home`
			`lbu inc /root`
current state 2022-01-07 18:22:39 +00:00			`pip3 install --user wheel`
			`pip3 install --user pynitrokey [takes about 35min, can fail due missing space left on device, but cbor fails nevertheless]`
formatting 2022-12-31 08:06:45 +00:00			```

alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`#fix $PATH to /root/.local/bin in /etc/profile`
			`#need mdev/udev rules to grant access for user`
			`#libudev-zero is a replacement, which is needed for pcscd`
current state 2022-01-07 18:22:39 +00:00
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00			`## ToDo`
			`#tmux`
current state 2022-01-07 18:22:39 +00:00			`#camera to scan QR code`
			`#predefine common action scheme`
			`#general reconsideration of usefulness`
alpine 3.12.3 fiddling 2021-01-13 10:28:08 +00:00
WIP 2020-09-10 16:02:20 +00:00			`### links`
formatting 2022-12-31 08:06:45 +00:00			`[https://github.com/hashbang/airgap]`
			`[https://riseup.net/de/security/message-security/openpgp/gpg-best-practices]`
			`[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]`