From b623977dd032cc56e6b6b14f85358a3723669001 Mon Sep 17 00:00:00 2001 From: coelner Date: Sun, 27 Mar 2022 20:18:18 +0200 Subject: [PATCH] minor notes --- README.md | 86 ++++++++++++++++++++++++++++++-------------------- cmdline.txt | 1 + gpg-howto.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++- usercfg.txt | 8 +++++ 4 files changed, 149 insertions(+), 34 deletions(-) create mode 100644 cmdline.txt create mode 100644 usercfg.txt diff --git a/README.md b/README.md index 8962146..45d9ce0 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Most people do not have laying around a lot of hardware, which the would spend u 1. small embedded linux powered device 2. easily available and widely used platform 3. security orientated os - 4. offline update + 4. offline 5. RO system 6. persistance with overlay 7. possible file integrity checks 
@@ -46,39 +46,39 @@ https://vincentserpoul.github.io/post/alpine-linux-rpi0/ 7. boot rpi 8. mount second partition to folder /media/mmcblk0p2 9. change /etc/lbu/lbu.conf - 10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm]) - 11. fix chrony and rtc (rc-update add hwclock boot, rc-update del chronyd default rc-update -u [confirm]) + 10. run setup-alpine ( rc- add wpa_supplicant boot [confirm]) + 11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm]) 12. add community repo (ccid, opensc) - 13. rc-update del acpid default (arm only) + 13. rc- del acpid default (arm only) ## persistent /usr -dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152 -apk add e2fsprogs -mkfs.ext4 /media/mmcblk0p2/persist.img -echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab -mkdir /media/persist -mount -a -mkdir /media/persist/usr -mkdir /media/persist/.work -echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab -mount -a -lbu commit +1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152 +2. apk add e2fsprogs +3. mkfs.ext4 /media/mmcblk0p2/persist.img +4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab +5. mkdir /media/persist +6. mount -a +7. mkdir /media/persist/usr +8. mkdir /media/persist/.work +9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab +10. mount -a +11. 
lbu commit ## rng -the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y) -haveged speeds up the random process to 40seconds -rngd speeds up this to 52 seconds -an added BT4.0 usb adapter speeds up this to 20seconds -an added usb stick speeds up this to 5 seconds -lbu include /var/lib/misc/random-seed [needs confirm] +- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y) +- haveged speeds up the random process to 40seconds +- rngd speeds up this to 52 seconds +- an added BT4.0 usb adapter speeds up this to 20seconds +- an added usb stick speeds up this to 5 seconds +- lbu include /var/lib/misc/random-seed [needs confirm] ## rtc -a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231' -[ 29.896261] rtc-ds1307 1-0068: registered as rtc0 -glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352 -CONFIG_RTC_HCTOSYS not set +- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231' +`[ 29.896261] rtc-ds1307 1-0068: registered as rtc0` +- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352 +`CONFIG_RTC_HCTOSYS not set` ## encrypted container (encrypted storage) @@ -100,7 +100,7 @@ ln -s /mnt/private_file/.gnupg .gnupg edit /etc/mdev.conf for usb tokens [ToDo] killall gpg-agent -##kernel update [inProgress] +##kernel [inProgress] related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980 gnupg-root:/media/mmcblk0p2# mkdir modloopfs 
@@ -128,14 +128,34 @@ mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments apk add linux-rpi ## generic image upgrade -extract original image to first partion -restore cmdline and usercfg.txt -delete from overlay the cache folder + 1. delete content of first partition + 2. extract original image to first partion + 3. restore cmdline and usercfg.txt + - `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200` + - usercfg.txt + ``` + gpu_mem=16 +dtparam=audio=off +dtoverlay=pi3-disable-bt +dtparam=i2c=on +dtoverlay=i2c-rtc,ds3231 +enable_uart=1 +dtparam=spi=on +dtoverlay=spi0-1cs +``` + 3. delete from overlay the cache folder + 4. boot RPI zero + 5. change `/etc/apk/repositoties` + 6. 7. lbu commit + 8. reboot + 9. apk update + 10. apk upgrade + 11. reboot -##generic minor update (to install it into ram) -apk update -apk upgrade -lbu commit +##generic minor (to install it into ram) + 1. apk + 2. apk upgrade + 3. lbu commit ## 1.44" OLED and button #create a overlay for /usr otherwise space is missing diff --git a/cmdline.txt b/cmdline.txt new file mode 100644 index 0000000..a2000de --- /dev/null +++ b/cmdline.txt @@ -0,0 +1 @@ +modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200 diff --git a/gpg-howto.md b/gpg-howto.md index 69f5f02..aaee51a 100644 --- a/gpg-howto.md +++ b/gpg-howto.md 
@@ -1,6 +1,92 @@ +# gnupg cheatsheet +## generale notes +- the additional uids are bundled to the public key +- +## best practise in general usage +```bash +# show public from keyroll +gpg -k +# show private keys +gpg -K +#export things with ascii armor +``` +## best practice with PIN/passphrase +1. activate KDF +2. change the admin PIN (12345678) Pā† W3 +3. import key material +4. change user PIN (123456) ā† PW1 +5. Generate Reset Code if needed (reset code only apply to PW1) +- PW2 is legacy and synced to PW1 by the card +## show recognized card +```bash + #check for scdaemon or pcscd +gpg --card-status +Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0 +Application ID ...: D276000124010200FF0AABBCCDD0000 +Application type .: OpenPGP +Version ..........: 2.0 +Manufacturer .....: unmanaged S/N range +Serial number ....: AABBCCDD +Name of cardholder: pseudo +Language prefs ...: [nicht gesetzt] +Salutation .......: +URL of public key : [nicht gesetzt] +Login data .......: [nicht gesetzt] +Signature PIN ....: zwingend +Key attributes ...: ed25519 cv25519 ed25519 +Max. PIN lengths .: 127 127 127 +PIN retry counter : 3 3 3 +Signature counter : 0 +KDF setting ......: on +gpg --card-edit + +``` +## generate master key +```bash gpg2 --expert --full-gen-key (9) ECC and ECC (1) Curve 25519) //because of this: http://safecurves.cr.yp.to/index.html 3y -//because it is hard enough in real life with humans \ No newline at end of file +//because it is hard enough in real life with humans +``` +after creating all needed master keys, generate the revocation certificate and store it hardcopy in reallife. +```bash +for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g') +do + gpg --armor --export --output "$mail".pub "$mail" + gpg --armor --output revoc_"$mail".asc --gen-revoke +done + +``` + +## renew date on smartcard aka gnuk +```bash +#mount encrypted .gpg folder +gpg --list-keys +gpg --expert --edit-key #KEYID + + + +1y + + + +... 
+ +gpg --expert --edit-key #KEYID + + +keytocard +quit +not to save +really, really +``` +the export the refreshed public keys with the new date: +``` +for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g') +do + gpg --armor --export --output "$mail".pub "$mail" +done +``` +after import those keys atleast GPA needs a restart. Otherwise those keys get not reread. \ No newline at end of file diff --git a/usercfg.txt b/usercfg.txt new file mode 100644 index 0000000..a7397d1 --- /dev/null +++ b/usercfg.txt @@ -0,0 +1,8 @@ +gpu_mem=16 +dtparam=audio=off +dtoverlay=pi3-disable-bt +dtparam=i2c=on +dtoverlay=i2c-rtc,ds3231 +enable_uart=1 +dtparam=spi=on +dtoverlay=spi0-1cs
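Review bot: in the first README.md hunk (`@@ -8,7 +8,7 @@`), goal 4 changes from `offline update` to just `offline`, which loses the point of the item and looks like an accidental search-and-replace on the word "update" rather than an intended edit (the same word vanishes from `rc-update`, `apk update` and two headings in the later hunks). If "no network at all" is meant, say so; otherwise restore `offline update`.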
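Review bot: the second README.md hunk (`@@ -46,39 +46,39 @@`) replaces working commands with ones that do not exist: steps 10, 11 and 13 now read `rc- add wpa_supplicant boot`, `rc- add hwclock boot, rc- del chronyd default rc- -u` and `rc- del acpid default`. The OpenRC tool is `rc-update`; the removed `-` lines were correct and should be reverted. Two smaller points in the same hunk: the renumbered persistent-/usr list ends with an empty `11.` item while `lbu commit` sits on its own line, so put `lbu commit` back on item 11; and the `lbu include /var/lib/misc/random-seed [needs confirm]` bullet deserves a caveat before the confirm is removed, because an lbu-committed seed lives unencrypted in the apkovl on the FAT boot partition and is only rewritten at the next `lbu commit`, so it replays the same seed at every boot and is readable by anyone holding the card; the BCM2835 hwrng the bullet above already mentions is what should be relied on for entropy.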
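Review bot: in the third README.md hunk (`@@ -100,7 +100,7 @@`), `##kernel [inProgress]` drops the word that said what the section is about, and `##kernel` with no space after the hashes is not rendered as a heading in CommonMark while every other heading in the file uses `## `. Suggest `## kernel update [inProgress]`.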
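Review bot: the fourth README.md hunk (`@@ -128,14 +128,34 @@`) has a broken step list: there are two items numbered `3.`, item `6.` is empty and shares a line with `7. lbu commit`, and the second list's first step is a bare `apk`, which does nothing useful on its own (the removed line was `apk update`). Also `/etc/apk/repositoties` should be `/etc/apk/repositories`. The inline copies of cmdline.txt and usercfg.txt duplicate the two files added in this same patch and the usercfg fence is indented inconsistently (first line indented inside the list item, the rest and the closing fence at column 0, which terminates the list); referencing the files instead keeps the two copies from drifting. One caveat a reader of this procedure needs: steps 1 and 2 wipe the boot partition and extract a downloaded image onto the box that holds the GnuPG master key, so verify the checksum and GPG signature Alpine publishes next to the tarball before extracting it.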
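Review bot: the new cmdline.txt sets `console=ttyAMA0,115200`, and the new usercfg.txt sets `enable_uart=1` with Bluetooth disabled, so the PL011 UART on the GPIO header becomes a kernel console. On a device whose job is holding master keys the README should state whether a getty is also spawned on ttyAMA0 (that is decided by /etc/inittab, not by this line), because if it is, anyone with access to the header pins gets a login prompt.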
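Review bot: the gpg-howto.md hunk (`@@ -1,6 +1,92 @@`) has a bug in the revocation loop: `gpg --armor --output revoc_"$mail".asc --gen-revoke` passes no key to `--gen-revoke`, which requires one argument, so gpg exits with a usage error and no certificate is produced, although the text tells the reader to print and store it. It should be `gpg --armor --output revoc_"$mail".asc --gen-revoke "$mail"`. The same loop iterates over uids (`grep uid | sed 's/.*<\(.*\)>/\1/g'`), so a key with several uids is exported and revoked once per uid; iterating over `fpr` records from `gpg --list-keys --with-colons` would be more robust. In the "renew date" section, `gpg --expert --edit-key #KEYID` drops the key id because `#` starts a shell comment (use `KEYID` as a placeholder), and the blank lines that stand in for the interactive commands (`key N`, `expire`, `save`) should be written out. The second `--edit-key` with `keytocard` is not needed for an expiry change: the expiration date is carried in the self-signature on the public key, not on the card, so `expire` followed by `save` and the public-key export below is what propagates it; if `keytocard` stays, say explicitly that quitting without saving is to keep the on-disk secret key from being replaced by a card stub. Wording: "generale notes" should be "general notes", "best practise" should be "best practice", "keyroll" should be "keyring", the empty `- ` bullet should go, "Pā† W3" is a mangled "← PW3" (matching "← PW1" two lines down), "the export the refreshed" should be "then export the refreshed", and the last line should read "after importing those keys at least GPA needs a restart, otherwise it does not reread them". The `gpg --card-status` sample is in German (`[nicht gesetzt]`, `zwingend`); `LANG=C gpg --card-status` would give the strings readers will find in the GnuPG docs.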
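Review bot: the new usercfg.txt uses `dtoverlay=pi3-disable-bt`; current Raspberry Pi firmware names this overlay `disable-bt` and keeps `pi3-disable-bt` only as a compatibility alias, so the README that says "boot RPI zero" should use `disable-bt` or note that the old name is relied on.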