GnuPG root
To get the whole gpg thing working, you should use an offline computer. This system needs to be kept safe and usually generates and/or stores your master key. From this system you would also deliver the subkeys which you use on a daily basis. Most people do not have a lot of hardware lying around which they would dedicate to this. In general nobody uses a dedicated offline root CA, if I even need to explain why privacy is important.
Prerequisites
- small embedded Linux powered device
- easily available and widely used platform
- security-oriented OS
- offline
- read-only (RO) system
- persistence with overlay
- possible file integrity checks
- USB-A connector(s) for the GNUK token/SmartCard reader
terminal user interface
main page - overview
- Integrity OK/Fail
- /root filesystem
- user config
- .gnupg path
- rootCA/MasterKey SmartCard/GNUK available
- user SmartCard/GNUK available
- RNG status
- RTC/Time/Date status
- Key Expire failure/warning
- Key length Failure/Warning (BSI recommendation)
- revocation certificate available
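As an added example (not code from this repository), the "Key Expire" and "Key length" checks of the main page can be computed from `gpg --list-keys --with-colons` output; the 3000-bit minimum for RSA/DSA (the BSI TR-02102-1 recommendation), the 30-day warning window and the warning for keys without expiry are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of this repo): key expiry and key length checks
# for the TUI main page, parsed from `gpg --list-keys --with-colons`.
# Colon format: field 1 record type, 3 key length in bits, 4 algorithm id
# (1 = RSA, 17 = DSA, 18 = ECDH, 22 = EdDSA), 5 key id, 7 expiry (epoch secs).
# Assumed thresholds: RSA/DSA below 3000 bits fails, expiry within 30 days
# warns, a key without expiry warns.

# check_keys NOW_EPOCH < colon-output
# prints "OK|WARN|FAIL <keyid> <reason>" for every pub/sub/sec/ssb record
check_keys() {
    awk -F: -v now="$1" '
    BEGIN { now = now + 0 }
    $1 ~ /^(pub|sub|sec|ssb)$/ {
        keyid = $5; bits = $3 + 0; algo = $4 + 0; expires = $7
        status = "OK"; reason = "ok"
        # length check applies to RSA/DSA only; curve keys are not judged by bits
        if ((algo == 1 || algo == 17) && bits < 3000) {
            status = "FAIL"; reason = "keylen " bits
        }
        if (expires == "") {
            if (status == "OK") { status = "WARN"; reason = "no expiry" }
        } else if (expires + 0 <= now) {
            status = "FAIL"; reason = "expired"
        } else if (expires - now < 30 * 86400 && status == "OK") {
            status = "WARN"; reason = "expires in " int((expires - now) / 86400) " days"
        }
        printf "%s %s %s\n", status, keyid, reason
    }'
}

# key_summary NOW_EPOCH < colon-output
# one line for the main page: FAIL wins over WARN, WARN over OK
key_summary() {
    check_keys "$1" | awk '
    $1 == "FAIL" { f++ }
    $1 == "WARN" { w++ }
    END {
        if (f) print "Key status: FAIL (" f ")"
        else if (w) print "Key status: WARN (" w ")"
        else print "Key status: OK"
    }'
}

# Constructed sample (fake key ids, not real keys): a 4096-bit RSA primary,
# a 2048-bit RSA signing subkey and an ed25519 subkey without expiry.
SAMPLE='pub:u:4096:1:0000000000000001:1600000000:1800000000::u:::scESCA::::::23::0:
sub:u:2048:1:0000000000000002:1600000000:1700000000:::::s::::::23:
sub:u:256:22:0000000000000003:1600000000::::::e::::::ed25519::0:'

printf '%s\n' "$SAMPLE" | check_keys 1690000000
printf '%s\n' "$SAMPLE" | key_summary 1690000000
```

On the real system replace the sample with `gpg --list-keys --with-colons | check_keys "$(date +%s)"`.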
00-preparation
- format sd card with 3 partitions
- MBR 'msdos'
- 256MB FAT32 for /boot partition
- 2GB ext4 for overlay
- extract image:
tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner
- edit cmdline.txt
- create usercfg.txt
- prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils} ) [70MB]
- connect UART TX/RX/GND to pin 8/10/6 green/white/black
- boot rpi
- mount second partition to folder /media/mmcblk0p2
- change /etc/lbu/lbu.conf
- run setup-alpine (rc-update add wpa_supplicant boot [confirm])
- fix chrony and rtc (rc-update add hwclock boot; rc-update del chronyd default; rc-update -u [confirm])
- add community repo (ccid, opensc)
- rc-update del acpid default (arm only)
persistent /usr
dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
apk add e2fsprogs
mkfs.ext4 /media/mmcblk0p2/persist.img
echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
mkdir /media/persist
mount -a
mkdir /media/persist/usr
mkdir /media/persist/.work
echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
mount -a
lbu commit
rng
- the kernel has hwrng support (CONFIG_HW_RANDOM_BCM2835=y)
- haveged speeds up the random process to 40 seconds
- rngd speeds this up to 52 seconds
- an added BT4.0 USB adapter speeds this up to 20 seconds
- an added USB stick speeds this up to 5 seconds
- lbu include /var/lib/misc/random-seed [needs confirm]
rtc
- a DS3231 is added to the I2C pins and works thanks to the added 'dtoverlay=i2c-rtc,ds3231'
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
- a glibc POSIX API change leads to the hwclock OpenRC bug https://github.com/OpenRC/openrc/issues/352
CONFIG_RTC_HCTOSYS not set
encrypted container (encrypted storage)
apk add cryptsetup
# create the container file; 10MB is too small for the LUKS header, 20MB is the minimum
fallocate -l 20M /media/mmcblk0p2/PRIVATE [minimal 20MB]
cryptsetup -v luksFormat /media/mmcblk0p2/PRIVATE [takes some seconds]
# use a secure passphrase
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mkfs -t ext4 /dev/mapper/private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
# the .gnupg directories live inside the container, so create them while it is mounted
mkdir -p /mnt/private_file/user/.gnupg /mnt/private_file/root/.gnupg
chmod 750 /mnt/private_file/user
chown -R user:user /mnt/private_file/user
# gpg refuses to run with a world-readable homedir
chmod 700 /mnt/private_file/user/.gnupg /mnt/private_file/root/.gnupg
# point the home directories at the container
ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg
ln -s /mnt/private_file/root/.gnupg /root/.gnupg
# umount and close file (gpg-agent keeps the homedir busy, stop it first)
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
edit /etc/mdev.conf for usb tokens [ToDo] killall gpg-agent
# mount encrypted container
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file
# umount and close file
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
## kernel update [inProgress]
related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
gnupg-root:/media/mmcblk0p2# cd modloopfs/
gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-rpi
Parallel unsquashfs: Using 1 processor
1814 inodes (2087 blocks) to write
created 1814 files
created 359 directories
created 0 symlinks
created 0 devices
created 0 fifos
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount | grep modloop
/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 17 Jan 1 1970 /lib/modules -> /.modloop/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules
mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
apk add linux-rpi
generic image upgrade
[offline]
- extract original image to first partition
- restore cmdline and usercfg.txt
- [root] delete the cache folder from the overlay partition
- in case of a folder (delete /usr from the overlay)
- in case of an image (2GB sparse file, same size as in 00-preparation)
rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=2097152
mkfs.ext4 persist.img
[online]
- recreate .work folder under /media/persist
- recreate usr folder under /media/persist
mkdir /mnt/private_file
- check mountpoint for /usr | mount /usr
- fix the repository
- fix the network interface
- apk update
- apk upgrade
- 're-add' installed packages [e.g. 00-preparation]
- remount /media/mmcblk0p1 rewritable
mount -o rw,remount /media/mmcblk0p1/
cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf
lsblk
ln -s /media/mmcblk0p1/boot boot
mkinitfs
- reboot without lbu commit
fast major release update
- delete content of first partition
- extract original image to first partition
- restore cmdline and usercfg.txt
modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
- usercfg.txt
- delete from overlay the cache folder
- boot RPI zero
- change /etc/apk/repositories
- lbu commit
- reboot
- apk update
- apk upgrade
- reboot
generic minor (to install it into ram)
- apk update
- apk upgrade
- lbu commit
1.44" OLED and button
create an overlay for /usr, otherwise space is missing https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working, fbtft module missing]
apk add python2 #obsolete
apk add build-base #binary is built for rpi3 // ToDo
sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))
vi /etc/modprobe.d/fbtft.conf
options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128
python approach
pip install --user RPi.GPIO
pip install --user spidev
modern kernel approach
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
apk add raspberrypi-dev
nitrokey
apk add py-pip build-base python3-dev py3-wheel [240Mb]
apk add libffi-dev [7Mb]
apk add openssl-dev rust cargo [337Mb]
#pip install --user setuptools_rust
apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
apk add py3-pep517 py3-cryptography
# see https://cryptography.io/en/latest/installation/
reboot
lbu inc /home
lbu inc /root
pip3 install --user wheel
pip3 install --user pynitrokey [takes about 35min, can fail due to no space left on device, but cbor fails nevertheless]
#fix $PATH to /root/.local/bin in /etc/profile
#need mdev/udev rules to grant access for user
#libudev-zero is a replacement, which is needed for pcscd
ToDo
- tmux
- camera to scan QR code
- predefine common action scheme
- general reconsideration of usefulness
links
- https://github.com/hashbang/airgap
- https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
- https://vincentserpoul.github.io/post/alpine-linux-rpi0/