minor notes
This commit is contained in:
parent
22568654d7
commit
b623977dd0
86
README.md
@ -8,7 +8,7 @@ Most people do not have laying around a lot of hardware, which the would spend u
|
|||||||
1. small embedded linux powered device
|
1. small embedded linux powered device
|
||||||
2. easily available and widely used platform
|
2. easily available and widely used platform
|
||||||
3. security orientated os
|
3. security orientated os
|
||||||
4. offline update
|
4. offline
|
||||||
5. RO system
|
5. RO system
|
||||||
6. persistance with overlay
|
6. persistance with overlay
|
||||||
7. possible file integrity checks
|
7. possible file integrity checks
|
||||||
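Review bot: item 4 goes from `4. offline update` to `4. offline`, which drops the property being listed instead of editing it. The same loss of the word `update` shows up in the later hunks of this commit (`rc-update` becomes `rc-`, `apk update` becomes `apk`, `kernel update` becomes `kernel`), so this looks like a global search-and-replace that went wrong rather than an intended change; restore `4. offline update` here.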
@ -46,39 +46,39 @@ https://vincentserpoul.github.io/post/alpine-linux-rpi0/
|
|||||||
7. boot rpi
|
7. boot rpi
|
||||||
8. mount second partition to folder /media/mmcblk0p2
|
8. mount second partition to folder /media/mmcblk0p2
|
||||||
9. change /etc/lbu/lbu.conf
|
9. change /etc/lbu/lbu.conf
|
||||||
10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
|
10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
|
||||||
11. fix chrony and rtc (rc-update add hwclock boot, rc-update del chronyd default rc-update -u [confirm])
|
11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
|
||||||
12. add community repo (ccid, opensc)
|
12. add community repo (ccid, opensc)
|
||||||
13. rc-update del acpid default (arm only)
|
13. rc- del acpid default (arm only)
|
||||||
|
|
||||||
## persistent /usr
|
## persistent /usr
|
||||||
dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
|
1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
|
||||||
apk add e2fsprogs
|
2. apk add e2fsprogs
|
||||||
mkfs.ext4 /media/mmcblk0p2/persist.img
|
3. mkfs.ext4 /media/mmcblk0p2/persist.img
|
||||||
echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
|
4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
|
||||||
mkdir /media/persist
|
5. mkdir /media/persist
|
||||||
mount -a
|
6. mount -a
|
||||||
mkdir /media/persist/usr
|
7. mkdir /media/persist/usr
|
||||||
mkdir /media/persist/.work
|
8. mkdir /media/persist/.work
|
||||||
echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
|
9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
|
||||||
mount -a
|
10. mount -a
|
||||||
lbu commit
|
11. lbu commit
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## rng
|
## rng
|
||||||
the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
|
- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
|
||||||
haveged speeds up the random process to 40seconds
|
- haveged speeds up the random process to 40seconds
|
||||||
rngd speeds up this to 52 seconds
|
- rngd speeds up this to 52 seconds
|
||||||
an added BT4.0 usb adapter speeds up this to 20seconds
|
- an added BT4.0 usb adapter speeds up this to 20seconds
|
||||||
an added usb stick speeds up this to 5 seconds
|
- an added usb stick speeds up this to 5 seconds
|
||||||
lbu include /var/lib/misc/random-seed [needs confirm]
|
- lbu include /var/lib/misc/random-seed [needs confirm]
|
||||||
|
|
||||||
## rtc
|
## rtc
|
||||||
a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
|
- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
|
||||||
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
|
`[ 29.896261] rtc-ds1307 1-0068: registered as rtc0`
|
||||||
glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
|
- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
|
||||||
CONFIG_RTC_HCTOSYS not set
|
`CONFIG_RTC_HCTOSYS not set`
|
||||||
|
|
||||||
|
|
||||||
## encrypted container (encrypted storage)
|
## encrypted container (encrypted storage)
|
||||||
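Review bot: steps 10, 11 and 13 now read `rc- add wpa_supplicant boot`, `rc- add hwclock boot, rc- del chronyd default rc- -u` and `rc- del acpid default`; `rc-` is not a command, the OpenRC tool is `rc-update`, so these three instructions no longer work as typed and should be restored to `rc-update ...`. The rest of the hunk (numbering the persistent /usr steps, bulleting the rng and rtc notes, backticking the dmesg and kernel-config lines) is a pure formatting improvement and is fine. One thing to keep flagged: `lbu include /var/lib/misc/random-seed [needs confirm]` on an `RO system` with `persistance with overlay` means the seed file restored from the overlay is the one committed last, so it should stay marked unconfirmed until it is verified that the seed is refreshed and re-committed rather than replayed on every boot.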
@ -100,7 +100,7 @@ ln -s /mnt/private_file/.gnupg .gnupg
|
|||||||
edit /etc/mdev.conf for usb tokens [ToDo]
|
edit /etc/mdev.conf for usb tokens [ToDo]
|
||||||
killall gpg-agent
|
killall gpg-agent
|
||||||
|
|
||||||
##kernel update [inProgress]
|
##kernel [inProgress]
|
||||||
related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
|
related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
|
||||||
|
|
||||||
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
|
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
|
||||||
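Review bot: the heading changes from `##kernel update [inProgress]` to `##kernel [inProgress]`, losing the word that says what the section does (its body is the kernel update procedure, cf. `apk add linux-rpi` and `mkdir modloopfs`). Restore `update`, and add the space after `##` so it renders as a heading like `## persistent /usr` and `## rng` above: `## kernel update [inProgress]`.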
@ -128,14 +128,34 @@ mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
|
|||||||
apk add linux-rpi
|
apk add linux-rpi
|
||||||
|
|
||||||
## generic image upgrade
|
## generic image upgrade
|
||||||
extract original image to first partion
|
1. delete content of first partition
|
||||||
restore cmdline and usercfg.txt
|
2. extract original image to first partion
|
||||||
delete from overlay the cache folder
|
3. restore cmdline and usercfg.txt
|
||||||
|
- `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
|
||||||
|
- usercfg.txt
|
||||||
|
```
|
||||||
|
gpu_mem=16
|
||||||
|
dtparam=audio=off
|
||||||
|
dtoverlay=pi3-disable-bt
|
||||||
|
dtparam=i2c=on
|
||||||
|
dtoverlay=i2c-rtc,ds3231
|
||||||
|
enable_uart=1
|
||||||
|
dtparam=spi=on
|
||||||
|
dtoverlay=spi0-1cs
|
||||||
|
```
|
||||||
|
3. delete from overlay the cache folder
|
||||||
|
4. boot RPI zero
|
||||||
|
5. change `/etc/apk/repositoties`
|
||||||
|
6. 7. lbu commit
|
||||||
|
8. reboot
|
||||||
|
9. apk update
|
||||||
|
10. apk upgrade
|
||||||
|
11. reboot
|
||||||
|
|
||||||
##generic minor update (to install it into ram)
|
##generic minor (to install it into ram)
|
||||||
apk update
|
1. apk
|
||||||
apk upgrade
|
2. apk upgrade
|
||||||
lbu commit
|
3. lbu commit
|
||||||
|
|
||||||
## 1.44" OLED and button
|
## 1.44" OLED and button
|
||||||
#create a overlay for /usr otherwise space is missing
|
#create a overlay for /usr otherwise space is missing
|
||||||
|
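Review bot: the new numbered list under `## generic image upgrade` has two `3.` items (`3. restore cmdline and usercfg.txt` and `3. delete from overlay the cache folder`) and then jumps from `5. change ...` to `6. 7. lbu commit`, so either step 6 is missing or `6. 7.` is a leftover; renumber the list and state step 6 explicitly. Smaller points in the same hunk: `1. apk` under `##generic minor (to install it into ram)` lost `update` (it should be `apk update`, since `2. apk upgrade` follows and the section title also lost `update`); both `##generic ...` headings need a space after `##` to render; `partion` should be `partition`; `/etc/apk/repositoties` should be `/etc/apk/repositories`; and the untagged fence holding the `usercfg.txt` lines could carry a language tag like the other fences in the repo.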
1
cmdline.txt
Normal file
@ -0,0 +1 @@
|
|||||||
|
modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
|
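Review bot: this new `cmdline.txt` is exactly the line that the same commit also inlines in README.md under `generic image upgrade` (`modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`); two copies will drift, so have the README step `restore cmdline and usercfg.txt` reference this file instead of repeating its contents. A sentence in the README explaining the non-obvious parameters (`dwc_otg.lpm_enable=0`, the second `console=ttyAMA0,115200` which pairs with `enable_uart=1` in usercfg.txt) would also help whoever restores the file.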
88
gpg-howto.md
@ -1,6 +1,92 @@
|
|||||||
|
# gnupg cheatsheet
|
||||||
|
## generale notes
|
||||||
|
- the additional uids are bundled to the public key
|
||||||
|
-
|
||||||
|
## best practise in general usage
|
||||||
|
```bash
|
||||||
|
# show public from keyroll
|
||||||
|
gpg -k
|
||||||
|
# show private keys
|
||||||
|
gpg -K
|
||||||
|
#export things with ascii armor
|
||||||
|
```
|
||||||
|
## best practice with PIN/passphrase
|
||||||
|
1. activate KDF
|
||||||
|
2. change the admin PIN (12345678) P← W3
|
||||||
|
3. import key material
|
||||||
|
4. change user PIN (123456) ← PW1
|
||||||
|
5. Generate Reset Code if needed (reset code only apply to PW1)
|
||||||
|
- PW2 is legacy and synced to PW1 by the card
|
||||||
|
## show recognized card
|
||||||
|
```bash
|
||||||
|
#check for scdaemon or pcscd
|
||||||
|
gpg --card-status
|
||||||
|
Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
|
||||||
|
Application ID ...: D276000124010200FF0AABBCCDD0000
|
||||||
|
Application type .: OpenPGP
|
||||||
|
Version ..........: 2.0
|
||||||
|
Manufacturer .....: unmanaged S/N range
|
||||||
|
Serial number ....: AABBCCDD
|
||||||
|
Name of cardholder: pseudo
|
||||||
|
Language prefs ...: [nicht gesetzt]
|
||||||
|
Salutation .......:
|
||||||
|
URL of public key : [nicht gesetzt]
|
||||||
|
Login data .......: [nicht gesetzt]
|
||||||
|
Signature PIN ....: zwingend
|
||||||
|
Key attributes ...: ed25519 cv25519 ed25519
|
||||||
|
Max. PIN lengths .: 127 127 127
|
||||||
|
PIN retry counter : 3 3 3
|
||||||
|
Signature counter : 0
|
||||||
|
KDF setting ......: on
|
||||||
|
gpg --card-edit
|
||||||
|
<internal cmd structure>
|
||||||
|
```
|
||||||
|
## generate master key
|
||||||
|
```bash
|
||||||
gpg2 --expert --full-gen-key
|
gpg2 --expert --full-gen-key
|
||||||
(9) ECC and ECC
|
(9) ECC and ECC
|
||||||
(1) Curve 25519)
|
(1) Curve 25519)
|
||||||
//because of this: http://safecurves.cr.yp.to/index.html
|
//because of this: http://safecurves.cr.yp.to/index.html
|
||||||
3y
|
3y
|
||||||
//because it is hard enough in real life with humans
|
//because it is hard enough in real life with humans
|
||||||
|
```
|
||||||
|
after creating all needed master keys, generate the revocation certificate and store it hardcopy in reallife.
|
||||||
|
```bash
|
||||||
|
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
|
||||||
|
do
|
||||||
|
gpg --armor --export --output "$mail".pub "$mail"
|
||||||
|
gpg --armor --output revoc_"$mail".asc --gen-revoke
|
||||||
|
done
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## renew date on smartcard aka gnuk
|
||||||
|
```bash
|
||||||
|
#mount encrypted .gpg folder
|
||||||
|
gpg --list-keys
|
||||||
|
gpg --expert --edit-key #KEYID
|
||||||
|
<key 0>
|
||||||
|
<key 1>
|
||||||
|
<expire>
|
||||||
|
1y
|
||||||
|
<key 1>
|
||||||
|
<key 2>
|
||||||
|
<expire>
|
||||||
|
...
|
||||||
|
<save>
|
||||||
|
gpg --expert --edit-key #KEYID
|
||||||
|
<key 0>
|
||||||
|
<key 1>
|
||||||
|
keytocard
|
||||||
|
quit
|
||||||
|
not to save
|
||||||
|
really, really
|
||||||
|
```
|
||||||
|
the export the refreshed public keys with the new date:
|
||||||
|
```
|
||||||
|
for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
|
||||||
|
do
|
||||||
|
gpg --armor --export --output "$mail".pub "$mail"
|
||||||
|
done
|
||||||
|
```
|
||||||
|
after import those keys atleast GPA needs a restart. Otherwise those keys get not reread.
|
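Review bot: in the revocation loop, `gpg --armor --output revoc_"$mail".asc --gen-revoke` is missing its argument; `--gen-revoke` takes a key ID or user ID, so as written gpg exits with a usage error and no revocation certificate is produced, which defeats the purpose of the "store it hardcopy" advice that introduces the block. It should be `gpg --armor --output revoc_"$mail".asc --gen-revoke "$mail"`, mirroring the `--export` line above it. Smaller points: `(1) Curve 25519)` has a stray `)`; the `//because ...` lines sit in a ```` ```bash ```` block where comments start with `#`; `2. change the admin PIN (12345678) P← W3` should read `(12345678) ← PW3` to match `(123456) ← PW1` in step 4; the empty `-` bullet under `## generale notes` should be filled in or removed; the second `for mail` loop is in an untagged fence while the first is tagged `bash`; `<internal cmd structure>` in the card-status block is a placeholder that should be completed before this is used as a cheatsheet; and the typos `generale`, `practise`, `reallife`, `atleast` and `the export the refreshed public keys` (`then export`).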
8
usercfg.txt
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
gpu_mem=16
|
||||||
|
dtparam=audio=off
|
||||||
|
dtoverlay=pi3-disable-bt
|
||||||
|
dtparam=i2c=on
|
||||||
|
dtoverlay=i2c-rtc,ds3231
|
||||||
|
enable_uart=1
|
||||||
|
dtparam=spi=on
|
||||||
|
dtoverlay=spi0-1cs
|
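Review bot: these eight lines are also inlined verbatim in README.md's `generic image upgrade` hunk in this commit; keep this file as the single source and reference it from the README so the two cannot diverge. Given the README lists `security orientated os` as a goal, a short per-setting note (why `enable_uart=1`, `dtparam=i2c=on` with `dtoverlay=i2c-rtc,ds3231` for the rtc section, and `dtparam=spi=on`/`dtoverlay=spi0-1cs`, presumably for the `1.44" OLED`, are enabled) would document which interfaces the device deliberately exposes, since config.txt-style files cannot carry that rationale themselves.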