minor notes
This commit is contained in:
parent
22568654d7
commit
b623977dd0
86
README.md
86
README.md
@ -8,7 +8,7 @@ Most people do not have laying around a lot of hardware, which the would spend u
|
||||
1. small embedded linux powered device
|
||||
2. easily available and widely used platform
|
||||
3. security orientated os
|
||||
4. offline update
|
||||
4. offline
|
||||
5. RO system
|
||||
6. persistance with overlay
|
||||
7. possible file integrity checks
|
||||
@ -46,39 +46,39 @@ https://vincentserpoul.github.io/post/alpine-linux-rpi0/
|
||||
7. boot rpi
|
||||
8. mount second partition to folder /media/mmcblk0p2
|
||||
9. change /etc/lbu/lbu.conf
|
||||
10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
|
||||
11. fix chrony and rtc (rc-update add hwclock boot, rc-update del chronyd default rc-update -u [confirm])
|
||||
10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
|
||||
11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
|
||||
12. add community repo (ccid, opensc)
|
||||
13. rc-update del acpid default (arm only)
|
||||
13. rc- del acpid default (arm only)
|
||||
|
||||
## persistent /usr
|
||||
dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
|
||||
apk add e2fsprogs
|
||||
mkfs.ext4 /media/mmcblk0p2/persist.img
|
||||
echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
|
||||
mkdir /media/persist
|
||||
mount -a
|
||||
mkdir /media/persist/usr
|
||||
mkdir /media/persist/.work
|
||||
echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
|
||||
mount -a
|
||||
lbu commit
|
||||
1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
|
||||
2. apk add e2fsprogs
|
||||
3. mkfs.ext4 /media/mmcblk0p2/persist.img
|
||||
4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
|
||||
5. mkdir /media/persist
|
||||
6. mount -a
|
||||
7. mkdir /media/persist/usr
|
||||
8. mkdir /media/persist/.work
|
||||
9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
|
||||
10. mount -a
|
||||
11. lbu commit
|
||||
|
||||
|
||||
|
||||
## rng
|
||||
the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
|
||||
haveged speeds up the random process to 40seconds
|
||||
rngd speeds up this to 52 seconds
|
||||
an added BT4.0 usb adapter speeds up this to 20seconds
|
||||
an added usb stick speeds up this to 5 seconds
|
||||
lbu include /var/lib/misc/random-seed [needs confirm]
|
||||
- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
|
||||
- haveged speeds up the random process to 40seconds
|
||||
- rngd speeds up this to 52 seconds
|
||||
- an added BT4.0 usb adapter speeds up this to 20seconds
|
||||
- an added usb stick speeds up this to 5 seconds
|
||||
- lbu include /var/lib/misc/random-seed [needs confirm]
|
||||
|
||||
## rtc
|
||||
a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
|
||||
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
|
||||
glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
|
||||
CONFIG_RTC_HCTOSYS not set
|
||||
- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
|
||||
`[ 29.896261] rtc-ds1307 1-0068: registered as rtc0`
|
||||
- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
|
||||
`CONFIG_RTC_HCTOSYS not set`
|
||||
|
||||
|
||||
## encrypted container (encrypted storage)
|
||||
@ -100,7 +100,7 @@ ln -s /mnt/private_file/.gnupg .gnupg
|
||||
edit /etc/mdev.conf for usb tokens [ToDo]
|
||||
killall gpg-agent
|
||||
|
||||
##kernel update [inProgress]
|
||||
##kernel [inProgress]
|
||||
related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
|
||||
|
||||
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
|
||||
@ -128,14 +128,34 @@ mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
|
||||
apk add linux-rpi
|
||||
|
||||
## generic image upgrade
|
||||
extract original image to first partion
|
||||
restore cmdline and usercfg.txt
|
||||
delete from overlay the cache folder
|
||||
1. delete content of first partition
|
||||
2. extract original image to first partion
|
||||
3. restore cmdline and usercfg.txt
|
||||
- `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
|
||||
- usercfg.txt
|
||||
```
|
||||
gpu_mem=16
|
||||
dtparam=audio=off
|
||||
dtoverlay=pi3-disable-bt
|
||||
dtparam=i2c=on
|
||||
dtoverlay=i2c-rtc,ds3231
|
||||
enable_uart=1
|
||||
dtparam=spi=on
|
||||
dtoverlay=spi0-1cs
|
||||
```
|
||||
3. delete from overlay the cache folder
|
||||
4. boot RPI zero
|
||||
5. change `/etc/apk/repositoties`
|
||||
6. 7. lbu commit
|
||||
8. reboot
|
||||
9. apk update
|
||||
10. apk upgrade
|
||||
11. reboot
|
||||
|
||||
##generic minor update (to install it into ram)
|
||||
apk update
|
||||
apk upgrade
|
||||
lbu commit
|
||||
##generic minor (to install it into ram)
|
||||
1. apk
|
||||
2. apk upgrade
|
||||
3. lbu commit
|
||||
|
||||
## 1.44" OLED and button
|
||||
#create a overlay for /usr otherwise space is missing
|
||||
|
1
cmdline.txt
Normal file
1
cmdline.txt
Normal file
@ -0,0 +1 @@
|
||||
modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
|
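Review bot: The new cmdline.txt routes the kernel console to `console=ttyAMA0,115200`, and the usercfg.txt added in this commit enables that UART with `enable_uart=1`, so anyone with physical access to the header pins sees boot output and, if a getty is started on it (not visible here), gets a console on a device the README describes as security orientated and read-only. Neither file says whether this is meant only for bring-up/debugging or for the deployed unit. Suggest documenting the intent in README.md next to the usercfg.txt block, e.g. `# serial console on ttyAMA0 is for debugging; remove console=ttyAMA0 and enable_uart=1 (or disable getty on it) before deployment`. The same point applies to the usercfg.txt section below.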
88
gpg-howto.md
88
gpg-howto.md
@ -1,6 +1,92 @@
|
||||
# gnupg cheatsheet
|
||||
## generale notes
|
||||
- the additional uids are bundled to the public key
|
||||
-
|
||||
## best practise in general usage
|
||||
```bash
|
||||
# show public from keyroll
|
||||
gpg -k
|
||||
# show private keys
|
||||
gpg -K
|
||||
#export things with ascii armor
|
||||
```
|
||||
## best practice with PIN/passphrase
|
||||
1. activate KDF
|
||||
2. change the admin PIN (12345678) P← W3
|
||||
3. import key material
|
||||
4. change user PIN (123456) ← PW1
|
||||
5. Generate Reset Code if needed (reset code only apply to PW1)
|
||||
- PW2 is legacy and synced to PW1 by the card
|
||||
## show recognized card
|
||||
```bash
|
||||
#check for scdaemon or pcscd
|
||||
gpg --card-status
|
||||
Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
|
||||
Application ID ...: D276000124010200FF0AABBCCDD0000
|
||||
Application type .: OpenPGP
|
||||
Version ..........: 2.0
|
||||
Manufacturer .....: unmanaged S/N range
|
||||
Serial number ....: AABBCCDD
|
||||
Name of cardholder: pseudo
|
||||
Language prefs ...: [nicht gesetzt]
|
||||
Salutation .......:
|
||||
URL of public key : [nicht gesetzt]
|
||||
Login data .......: [nicht gesetzt]
|
||||
Signature PIN ....: zwingend
|
||||
Key attributes ...: ed25519 cv25519 ed25519
|
||||
Max. PIN lengths .: 127 127 127
|
||||
PIN retry counter : 3 3 3
|
||||
Signature counter : 0
|
||||
KDF setting ......: on
|
||||
gpg --card-edit
|
||||
<internal cmd structure>
|
||||
```
|
||||
## generate master key
|
||||
```bash
|
||||
gpg2 --expert --full-gen-key
|
||||
(9) ECC and ECC
|
||||
(1) Curve 25519)
|
||||
//because of this: http://safecurves.cr.yp.to/index.html
|
||||
3y
|
||||
//because it is hard enough in real life with humans
|
||||
//because it is hard enough in real life with humans
|
||||
```
|
||||
after creating all needed master keys, generate the revocation certificate and store it hardcopy in reallife.
|
||||
```bash
|
||||
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
|
||||
do
|
||||
gpg --armor --export --output "$mail".pub "$mail"
|
||||
gpg --armor --output revoc_"$mail".asc --gen-revoke
|
||||
done
|
||||
|
||||
```
|
||||
|
||||
## renew date on smartcard aka gnuk
|
||||
```bash
|
||||
#mount encrypted .gpg folder
|
||||
gpg --list-keys
|
||||
gpg --expert --edit-key #KEYID
|
||||
<key 0>
|
||||
<key 1>
|
||||
<expire>
|
||||
1y
|
||||
<key 1>
|
||||
<key 2>
|
||||
<expire>
|
||||
...
|
||||
<save>
|
||||
gpg --expert --edit-key #KEYID
|
||||
<key 0>
|
||||
<key 1>
|
||||
keytocard
|
||||
quit
|
||||
not to save
|
||||
really, really
|
||||
```
|
||||
the export the refreshed public keys with the new date:
|
||||
```
|
||||
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
|
||||
do
|
||||
gpg --armor --export --output "$mail".pub "$mail"
|
||||
done
|
||||
```
|
||||
after import those keys atleast GPA needs a restart. Otherwise those keys get not reread.
|
8
usercfg.txt
Normal file
8
usercfg.txt
Normal file
@ -0,0 +1,8 @@
|
||||
gpu_mem=16
|
||||
dtparam=audio=off
|
||||
dtoverlay=pi3-disable-bt
|
||||
dtparam=i2c=on
|
||||
dtoverlay=i2c-rtc,ds3231
|
||||
enable_uart=1
|
||||
dtparam=spi=on
|
||||
dtoverlay=spi0-1cs
|