minor notes

2022-03-27 20:18:18 +02:00 · 2022-03-27 20:18:18 +02:00 · b623977dd0
commit b623977dd0
parent 22568654d7
4 changed files with 149 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@ Most people do not have laying around a lot of hardware, which the would spend u
 1. small embedded linux powered device
 2. easily available and widely used platform
 3. security orientated os
- 4. offline update
+ 4. offline 
 5. RO system
 6. persistance with overlay
 7. possible file integrity checks
@ -46,39 +46,39 @@ https://vincentserpoul.github.io/post/alpine-linux-rpi0/
 7. boot rpi
 8. mount second partition to folder /media/mmcblk0p2
 9. change /etc/lbu/lbu.conf
- 10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
+ 10. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
- 11. fix chrony and rtc (rc-update add hwclock boot, rc-update del chronyd default rc-update -u [confirm])
+ 11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
 12. add community repo (ccid, opensc)
- 13. rc-update del acpid default (arm only)
+ 13. rc- del acpid default (arm only)
 ## persistent /usr
-dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
+1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
-apk add e2fsprogs
+2. apk add e2fsprogs
-mkfs.ext4 /media/mmcblk0p2/persist.img
+3. mkfs.ext4 /media/mmcblk0p2/persist.img
-echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
+4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
-mkdir /media/persist 
+5. mkdir /media/persist 
-mount -a
+6. mount -a
-mkdir /media/persist/usr 
+7. mkdir /media/persist/usr 
-mkdir /media/persist/.work 
+8. mkdir /media/persist/.work 
-echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab 
+9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab 
-mount -a
+10. mount -a
-lbu commit
+11. lbu commit
 ## rng
-the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
+- the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
-haveged speeds up the random process to 40seconds
+- haveged speeds up the random process to 40seconds
-rngd speeds up this to 52 seconds
+- rngd speeds up this to 52 seconds
-an added BT4.0 usb adapter speeds up this to 20seconds
+- an added BT4.0 usb adapter speeds up this to 20seconds
-an added usb stick speeds up this to 5 seconds
+- an added usb stick speeds up this to 5 seconds
-lbu include /var/lib/misc/random-seed [needs confirm]
+- lbu include /var/lib/misc/random-seed [needs confirm]
 ## rtc
-a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
+- a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
-[   29.896261] rtc-ds1307 1-0068: registered as rtc0
+`[   29.896261] rtc-ds1307 1-0068: registered as rtc0`
-glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
+- glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
-CONFIG_RTC_HCTOSYS not set
+`CONFIG_RTC_HCTOSYS not set`
 ## encrypted container (encrypted storage)
@ -100,7 +100,7 @@ ln -s /mnt/private_file/.gnupg .gnupg
 edit /etc/mdev.conf for usb tokens [ToDo]
 killall gpg-agent
-##kernel update [inProgress]
+##kernel  [inProgress]
 related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
 gnupg-root:/media/mmcblk0p2# mkdir modloopfs
@ -128,14 +128,34 @@ mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
 apk add linux-rpi
 ## generic image upgrade
-extract original image to first partion
+ 1. delete content of first partition
-restore cmdline and usercfg.txt
+ 2. extract original image to first partion
-delete from overlay the cache folder
+ 3. restore cmdline and usercfg.txt
  - `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
  - usercfg.txt
 ```
  gpu_mem=16
 dtparam=audio=off
 dtoverlay=pi3-disable-bt
 dtparam=i2c=on
 dtoverlay=i2c-rtc,ds3231
 enable_uart=1
 dtparam=spi=on
 dtoverlay=spi0-1cs
 ```
 3. delete from overlay the cache folder
 4. boot RPI zero
 5. change `/etc/apk/repositoties`
 6.  7. lbu commit
 8. reboot
 9. apk update
 10. apk upgrade
 11. reboot
-##generic minor update (to install it into ram)
+##generic minor  (to install it into ram)
-apk update
+ 1. apk 
-apk upgrade
+ 2. apk upgrade
-lbu commit
+ 3. lbu commit
 ## 1.44" OLED and button
 #create a overlay for /usr otherwise space is missing
--- a/cmdline.txt
+++ b/cmdline.txt
@ -0,0 +1 @@
 modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
--- a/gpg-howto.md
+++ b/gpg-howto.md
@ -1,6 +1,92 @@
 # gnupg cheatsheet
 ## generale notes
 - the additional uids are bundled to the public key
 - 
 ## best practise in general usage
 ```bash
 # show public from keyroll
 gpg -k
 # show private keys
 gpg -K
 #export things with ascii armor
 ```
 ## best practice with PIN/passphrase
 1. activate KDF
 2. change the admin PIN (12345678) P← W3
 3. import key material
 4. change user PIN (123456) ← PW1
 5. Generate Reset Code if needed (reset code only apply to PW1)
 - PW2 is legacy and synced to PW1 by the card
 ## show recognized card
 ```bash
    #check for scdaemon or pcscd
 gpg --card-status
 Reader ...........: 20A0:4211:FSIJ-1.2.15-AABBCCDD:0
 Application ID ...: D276000124010200FF0AABBCCDD0000
 Application type .: OpenPGP
 Version ..........: 2.0
 Manufacturer .....: unmanaged S/N range
 Serial number ....: AABBCCDD
 Name of cardholder: pseudo  
 Language prefs ...: [nicht gesetzt]
 Salutation .......: 
 URL of public key : [nicht gesetzt]
 Login data .......: [nicht gesetzt]
 Signature PIN ....: zwingend
 Key attributes ...: ed25519 cv25519 ed25519
 Max. PIN lengths .: 127 127 127
 PIN retry counter : 3 3 3
 Signature counter : 0
 KDF setting ......: on
 gpg --card-edit
 <internal cmd structure>
 ```
 ## generate master key
 ```bash
 gpg2 --expert --full-gen-key
 (9) ECC and ECC
 (1) Curve 25519)
 //because of this: http://safecurves.cr.yp.to/index.html
 3y
-//because it is hard enough in real life with humans
+//because it is hard enough in real life with humans
 ```
 after creating all needed master keys, generate the revocation certificate and store it hardcopy in reallife.
 ```bash
 for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
 do
  gpg --armor --export --output "$mail".pub "$mail"
  gpg --armor --output revoc_"$mail".asc --gen-revoke
 done
 ```
 ## renew date on smartcard aka gnuk
 ```bash
 #mount encrypted .gpg  folder
 gpg --list-keys
 gpg --expert --edit-key #KEYID
 <key 0>
 <key 1>
 <expire>
 1y
 <key 1>
 <key 2>
 <expire>
 ...
 <save>
 gpg --expert --edit-key #KEYID
 <key 0>
 <key 1>
 keytocard
 quit
 not to save
 really, really
 ```
 the export the refreshed public keys with the new date:
 ```
 for mail in $(gpg --list-keys | grep uid | sed 's/.*<\(.*\)>/\1/g')
 do
  gpg --armor --export --output "$mail".pub "$mail"
 done
 ```
 after import those keys atleast GPA needs a restart. Otherwise those keys get not reread.
--- a/usercfg.txt
+++ b/usercfg.txt
@ -0,0 +1,8 @@
 gpu_mem=16
 dtparam=audio=off
 dtoverlay=pi3-disable-bt
 dtparam=i2c=on
 dtoverlay=i2c-rtc,ds3231
 enable_uart=1
 dtparam=spi=on
 dtoverlay=spi0-1cs
		`@ -0,0 +1 @@`
							`modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`