minor notes

2022-03-27 20:18:18 +02:00 · 2022-03-27 20:18:18 +02:00 · b623977dd0
commit b623977dd0
parent 22568654d7
4 changed files with 149 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@ Most people do not have laying around a lot of hardware, which the would spend u
 1. small embedded linux powered device
 2. easily available and widely used platform
 3. security orientated os
- 4. offline update
+ 4. offline 
 5. RO system
 6. persistance with overlay
 7. possible file integrity checks
@ -46,39 +46,39 @@ https://vincentserpoul.github.io/post/alpine-linux-rpi0/
 7. boot rpi
 8. mount second partition to folder /media/mmcblk0p2
 9. change /etc/lbu/lbu.conf
- 10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
- 11. fix chrony and rtc (rc-update add hwclock boot, rc-update del chronyd default rc-update -u [confirm])
+ 10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
+ 11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
 12. add community repo (ccid, opensc)
- 13. rc-update del acpid default (arm only)
+ 13. rc- del acpid default (arm only)
 
 ## persistent /usr
-dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
-apk add e2fsprogs
-mkfs.ext4 /media/mmcblk0p2/persist.img
-echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
-mkdir /media/persist 
-mount -a
-mkdir /media/persist/usr 
-mkdir /media/persist/.work 
-echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab 
-mount -a
-lbu commit
+1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
+2. apk add e2fsprogs
+3. mkfs.ext4 /media/mmcblk0p2/persist.img
+4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
+5. mkdir /media/persist 
+6. mount -a
+7. mkdir /media/persist/usr 
+8. mkdir /media/persist/.work 
+9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab 
+10. mount -a
+11. lbu commit



 ## rng
-the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
-haveged speeds up the random process to 40seconds
-rngd speeds up this to 52 seconds
-an added BT4.0 usb adapter speeds up this to 20seconds
-an added usb stick speeds up this to 5 seconds
-lbu include /var/lib/misc/random-seed [needs confirm]
+- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
+- haveged speeds up the random process to 40seconds
+- rngd speeds up this to 52 seconds
+- an added BT4.0 usb adapter speeds up this to 20seconds
+- an added usb stick speeds up this to 5 seconds
+- lbu include /var/lib/misc/random-seed [needs confirm]

 ## rtc
-a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
-[   29.896261] rtc-ds1307 1-0068: registered as rtc0
-glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
-CONFIG_RTC_HCTOSYS not set
+- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
+`[   29.896261] rtc-ds1307 1-0068: registered as rtc0`
+- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
+`CONFIG_RTC_HCTOSYS not set`


 ## encrypted container (encrypted storage)
@ -100,7 +100,7 @@ ln -s /mnt/private_file/.gnupg .gnupg
 edit /etc/mdev.conf for usb tokens [ToDo]
 killall gpg-agent

-##kernel update [inProgress]
+##kernel  [inProgress]
 related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980

 gnupg-root:/media/mmcblk0p2# mkdir modloopfs
@ -128,14 +128,34 @@ mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
 apk add linux-rpi

 ## generic image upgrade
-extract original image to first partion
-restore cmdline and usercfg.txt
-delete from overlay the cache folder
+ 1. delete content of first partition
+ 2. extract original image to first partion
+ 3. restore cmdline and usercfg.txt
+  - `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
+  - usercfg.txt
+ ```
+  gpu_mem=16
+dtparam=audio=off
+dtoverlay=pi3-disable-bt
+dtparam=i2c=on
+dtoverlay=i2c-rtc,ds3231
+enable_uart=1
+dtparam=spi=on
+dtoverlay=spi0-1cs
+```
+ 3. delete from overlay the cache folder
+ 4. boot RPI zero
+ 5. change `/etc/apk/repositoties`
+ 6.  7. lbu commit
+ 8. reboot
+ 9. apk update
+ 10. apk upgrade
+ 11. reboot

-##generic minor update (to install it into ram)
-apk update
-apk upgrade
-lbu commit
+##generic minor  (to install it into ram)
+ 1. apk 
+ 2. apk upgrade
+ 3. lbu commit

 ## 1.44" OLED and button
 #create a overlay for /usr otherwise space is missing
--- a/cmdline.txt
+++ b/cmdline.txt
@ -0,0 +1 @@
+modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
--- a/gpg-howto.md
+++ b/gpg-howto.md
@ -1,6 +1,92 @@
+# gnupg cheatsheet
+## generale notes
+- the additional uids are bundled to the public key
+- 
+## best practise in general usage
+```bash
+# show public from keyroll
+gpg -k
+# show private keys
+gpg -K
+#export things with ascii armor
+```
+## best practice with PIN/passphrase
+1. activate KDF
+2. change the admin PIN (12345678) P← W3
+3. import key material
+4. change user PIN (123456) ← PW1
+5. Generate Reset Code if needed (reset code only apply to PW1)
+- PW2 is legacy and synced to PW1 by the card
+## show recognized card
+```bash
+    #check for scdaemon or pcscd
+gpg --card-status
+Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
+Application ID ...: D276000124010200FF0AABBCCDD0000
+Application type .: OpenPGP
+Version ..........: 2.0
+Manufacturer .....: unmanaged S/N range
+Serial number ....: AABBCCDD
+Name of cardholder: pseudo  
+Language prefs ...: [nicht gesetzt]
+Salutation .......: 
+URL of public key : [nicht gesetzt]
+Login data .......: [nicht gesetzt]
+Signature PIN ....: zwingend
+Key attributes ...: ed25519 cv25519 ed25519
+Max. PIN lengths .: 127 127 127
+PIN retry counter : 3 3 3
+Signature counter : 0
+KDF setting ......: on
+gpg --card-edit
+<internal cmd structure>
+```
+## generate master key
+```bash
 gpg2 --expert --full-gen-key
 (9) ECC and ECC
 (1) Curve 25519)
 //because of this: http://safecurves.cr.yp.to/index.html
 3y
-//because it is hard enough in real life with humans
+//because it is hard enough in real life with humans
+```
+after creating all needed master keys, generate the revocation certificate and store it hardcopy in reallife.
+```bash
+for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
+do
+  gpg --armor --export --output "$mail".pub "$mail"
+  gpg --armor --output revoc_"$mail".asc --gen-revoke
+done
+
+```
+
+## renew date on smartcard aka gnuk
+```bash
+#mount encrypted .gpg  folder
+gpg --list-keys
+gpg --expert --edit-key #KEYID
+<key 0>
+<key 1>
+<expire>
+1y
+<key 1>
+<key 2>
+<expire>
+...
+<save>
+gpg --expert --edit-key #KEYID
+<key 0>
+<key 1>
+keytocard
+quit
+not to save
+really, really
+```
+the export the refreshed public keys with the new date:
+```
+for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
+do
+  gpg --armor --export --output "$mail".pub "$mail"
+done
+```
+after import those keys atleast GPA needs a restart. Otherwise those keys get not reread.
--- a/usercfg.txt
+++ b/usercfg.txt
@ -0,0 +1,8 @@
+gpu_mem=16
+dtparam=audio=off
+dtoverlay=pi3-disable-bt
+dtparam=i2c=on
+dtoverlay=i2c-rtc,ds3231
+enable_uart=1
+dtparam=spi=on
+dtoverlay=spi0-1cs
				`@ -0,0 +1 @@`
				`modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`