formatting
This commit is contained in:
coelner
parent
d1f72ce4a0
commit
34649eeff9
44
README.md
44
README.md
@ -3,7 +3,7 @@ To get the hole gpg thing working, you should use a offline computer. This syste
|
|||||||
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
|
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
|
||||||
|
|
||||||
|
|
||||||
# Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
1. small embedded linux powered device
|
1. small embedded linux powered device
|
||||||
2. easily available and widely used platform
|
2. easily available and widely used platform
|
||||||
@ -14,9 +14,9 @@ Most people do not have laying around a lot of hardware, which the would spend u
|
|||||||
7. possible file integrity checks
|
7. possible file integrity checks
|
||||||
8. USB-A connector(s) for the GNUK token/SmartCard Reader
|
8. USB-A connector(s) for the GNUK token/SmartCard Reader
|
||||||
|
|
||||||
# terminal user interface
|
## terminal user interface
|
||||||
|
|
||||||
## main page - overview
|
### main page - overview
|
||||||
|
|
||||||
1. Integrity OK/Fail
|
1. Integrity OK/Fail
|
||||||
1. /root filesystem
|
1. /root filesystem
|
||||||
@ -30,8 +30,6 @@ Most people do not have laying around a lot of hardware, which the would spend u
|
|||||||
7. Key length Failure/Warning (BSI recommendation)
|
7. Key length Failure/Warning (BSI recommendation)
|
||||||
8. revocation certificate available
|
8. revocation certificate available
|
||||||
|
|
||||||
# Links
|
|
||||||
[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]
|
|
||||||
|
|
||||||
## 00-preparation
|
## 00-preparation
|
||||||
1. format sd card with 3 partitions
|
1. format sd card with 3 partitions
|
||||||
@ -109,12 +107,14 @@ edit /etc/mdev.conf for usb tokens [ToDo]
|
|||||||
killall gpg-agent
|
killall gpg-agent
|
||||||
|
|
||||||
#mount encrypted container
|
#mount encrypted container
|
||||||
|
```
|
||||||
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
|
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
|
||||||
mount /dev/mapper/private_file /mnt/private_file
|
mount /dev/mapper/private_file /mnt/private_file
|
||||||
--Umount and close file
|
--Umount and close file
|
||||||
killall gpg-agent
|
killall gpg-agent
|
||||||
umount /mnt/private_file
|
umount /mnt/private_file
|
||||||
cryptsetup luksClose private_file
|
cryptsetup luksClose private_file
|
||||||
|
```
|
||||||
|
|
||||||
##kernel update [inProgress]
|
##kernel update [inProgress]
|
||||||
|
|
||||||
@ -152,28 +152,29 @@ apk add linux-rpi
|
|||||||
[offline]
|
[offline]
|
||||||
1. extract original image to first partion
|
1. extract original image to first partion
|
||||||
2. restore cmdline and usercfg.txt
|
2. restore cmdline and usercfg.txt
|
||||||
[root] delete from overlay partition the cache folder
|
- [root] delete from overlay partition the cache folder
|
||||||
1. in case of a folder (delete from overlay the /usr)
|
1. in case of a folder (delete from overlay the /usr)
|
||||||
2. in case of an image
|
2. in case of an image
|
||||||
- `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
|
- `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
|
||||||
- `mkfs.ext4 persist.im`
|
- `mkfs.ext4 persist.img`
|
||||||
|
|
||||||
[online]
|
[online]
|
||||||
1. recreate .work folder under /media/persist
|
1. recreate .work folder under /media/persist
|
||||||
2. recreate usr folder under /media/persist
|
2. recreate usr folder under /media/persist
|
||||||
3. `mkdir /mnt/private_file
|
3. `mkdir /mnt/private_file`
|
||||||
4. check mountpoint for /usr | mount /usr
|
4. check mountpoint for /usr | mount /usr
|
||||||
5. fix the repository
|
5. fix the repository
|
||||||
6. fix the network interface
|
6. fix the network interface
|
||||||
7. apk update
|
7. apk update
|
||||||
8. apk upgrade
|
8. apk upgrade
|
||||||
9. 're-add' installed packages [e.g. 00-preparation]
|
9. 're-add' installed packages [e.g. 00-preparation]
|
||||||
10. `remount /media/mmcblk0p1 rewritable`
|
10. remount /media/mmcblk0p1 rewritable
|
||||||
11. `mount -o rw,remount /media/mmcblk0p1/`
|
11. `mount -o rw,remount /media/mmcblk0p1/`
|
||||||
12. `cp apk to /media/mmcblk0p1/apk/armh`
|
12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
|
||||||
|
13. `lsblk`
|
||||||
-lsblk
|
14. `ln -s /media/mmcblk0p1/boot boot`
|
||||||
-mkinitfs
|
15. `mkinitfs`
|
||||||
reboot without lbu commit
|
16. reboot without lbu commit
|
||||||
|
|
||||||
## fast major release update
|
## fast major release update
|
||||||
1. delete content of first partition
|
1. delete content of first partition
|
||||||
@ -190,13 +191,13 @@ reboot without lbu commit
|
|||||||
10. apk upgrade
|
10. apk upgrade
|
||||||
11. reboot
|
11. reboot
|
||||||
|
|
||||||
##generic minor (to install it into ram)
|
## generic minor (to install it into ram)
|
||||||
1. apk
|
1. apk
|
||||||
2. apk upgrade
|
2. apk upgrade
|
||||||
3. lbu commit
|
3. lbu commit
|
||||||
|
|
||||||
## 1.44" OLED and button
|
## 1.44" OLED and button
|
||||||
#create a overlay for /usr otherwise space is missing
|
create a overlay for /usr otherwise space is missing
|
||||||
https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working fbtft module mossing]
|
https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working fbtft module mossing]
|
||||||
apk add python2 #obsolete
|
apk add python2 #obsolete
|
||||||
apk add build-base #binary is build for rpi3
|
apk add build-base #binary is build for rpi3
|
||||||
@ -210,13 +211,14 @@ pip install --user RPi.GPIO
|
|||||||
pip install --user spidev
|
pip install --user spidev
|
||||||
|
|
||||||
|
|
||||||
##modern kernel approach
|
## modern kernel approach
|
||||||
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
|
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
|
||||||
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
|
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
|
||||||
apk add raspberrypi-dev
|
apk add raspberrypi-dev
|
||||||
|
|
||||||
|
|
||||||
## nitrokey
|
## nitrokey
|
||||||
|
```
|
||||||
apk add py-pip build-base python3-dev py3-wheel [240Mb]
|
apk add py-pip build-base python3-dev py3-wheel [240Mb]
|
||||||
apk add libffi-dev [7Mb]
|
apk add libffi-dev [7Mb]
|
||||||
apk add openssl-dev rust cargo [337Mb]
|
apk add openssl-dev rust cargo [337Mb]
|
||||||
@ -229,7 +231,8 @@ lbu inc /home
|
|||||||
lbu inc /root
|
lbu inc /root
|
||||||
pip3 install --user wheel
|
pip3 install --user wheel
|
||||||
pip3 install --user pynitrokey [takes about 35min, can fail due missing space left on device, but cbor fails nevertheless]
|
pip3 install --user pynitrokey [takes about 35min, can fail due missing space left on device, but cbor fails nevertheless]
|
||||||
|
```
|
||||||
|
|
||||||
#fix $PATH to /root/.local/bin in /etc/profile
|
#fix $PATH to /root/.local/bin in /etc/profile
|
||||||
#need mdev/udev rules to grant access for user
|
#need mdev/udev rules to grant access for user
|
||||||
#libudev-zero is a replacement, which is needed for pcscd
|
#libudev-zero is a replacement, which is needed for pcscd
|
||||||
@ -241,5 +244,6 @@ lbu inc /root
|
|||||||
#general reconsideration of usefulness
|
#general reconsideration of usefulness
|
||||||
|
|
||||||
### links
|
### links
|
||||||
https://github.com/hashbang/airgap
|
[https://github.com/hashbang/airgap]
|
||||||
https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
|
[https://riseup.net/de/security/message-security/openpgp/gpg-best-practices]
|
||||||
|
[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user