diff --git a/NEWS b/NEWS index a3c68f9..45d24ba 100644 --- a/NEWS +++ b/NEWS @@ -2,7 +2,7 @@ Gnuk NEWS - User visible changes * Major changes in Gnuk 1.2.8 - Released 2018-01-2X, by NIIBE Yutaka + Released 2018-01-23, by NIIBE Yutaka ** No inclusion of VID:PID in gnuk.elf @@ -16,12 +16,12 @@ gnuk-vidpid.elf and we can check if it is reproducible or not. Now, Gnuk checks length of passphrase if it's too short when changing passphrase. -** Remove possible access with BY_ADMIN (to flash ROM data) +** Remove unused DEK with BY_ADMIN -For admin-less mode, access by OPENPGP_CARD_INITIAL_PW3 remained on -flash ROM. This could be considered a backdoor, if some other person -had or kept access to the flash ROM. Now, the entry is cleared by -zero when the token is set to admin-less mode. +For admin-less mode, DEK by OPENPGP_CARD_INITIAL_PW3 remained on flash +ROM. This could be considered a backdoor, if some other person had or +kept access to the flash ROM, cheating a user. Now, the DEK is +cleared by zero when the token is set to admin-less mode. ** Upgrade of Chopstx We use Chopstx 1.8. diff --git a/README b/README index 65a20e9..080cc03 100644 --- a/README +++ b/README @@ -1,14 +1,14 @@ Gnuk - An Implementation of USB Cryptographic Token for GnuPG - Version 1.2.7 - 2017-11-26 + Version 1.2.8 + 2018-01-23 Niibe Yutaka Free Software Initiative of Japan Release Notes ============= -This is the release of Gnuk, version 1.2.7, which has major +This is the release of Gnuk, version 1.2.8, which has major incompatible changes to Gnuk 1.0.x. Specifically, it now supports overriding key import, but importing keys (or generating keys) results password reset. Also, you need to import private keys before changing 
@@ -24,13 +24,10 @@ It also supports RSA-4096, but users should know that it takes more than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails, because the device doesn't have enough memory. -In this release, experimental KDF-DO support is added. To use the -feature, you need to build/install experimental branch of GnuPG by -yourself: - - https://dev.gnupg.org/source/gnupg/history/gniibe%252Fscd-kdf-support/ - -And manually prepare the KDF-DO on your token. +It supports new KDF-DO feature. To use the feature, you need to use +newer GnuPG (forthcoming 2.2.5 or later). And you need to manually +prepare the KDF-DO on your token. Please note that this is +experimental. Better way to prepare KDF-DO will be expected. What's Gnuk? @@ -408,6 +405,10 @@ Then, type: Then, we will have "gnuk.elf" under src/build directory. +Next, we can get the final image by running following command. + + $ make build/gnuk-vidpid.elf + How to install ============== @@ -416,11 +417,11 @@ Olimex STM32-H103 board ----------------------- If you are using Olimex JTAG-Tiny, type following to invoke OpenOCD -and write "gnuk.elf" to Flash ROM: +and write "gnuk-vidpid.elf" to Flash ROM: $ openocd -f interface/ftdi/olimex-jtag-tiny.cfg \ -f board/olimex_stm32_h103.cfg \ - -c "program build/gnuk.elf verify reset exit" + -c "program build/gnuk-vidpid.elf verify reset exit" Command invocation is assumed in src/ directory. @@ -433,7 +434,7 @@ If you are using Flying Stone Tiny 01, you need a SWD writer. OpenOCD 0.9.0 now supports ST-Link/V2. We can use it like: $ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg \ - -c "program build/gnuk.elf verify reset exit" + -c "program build/gnuk-vidpid.elf verify reset exit" @@ -444,7 +445,7 @@ Reset the board with "USER" switch pushed. Type following to write to flash: # cd ../tool - # ./dfuse.py ../src/build/gnuk.hex + # ./dfuse.py ../src/build/gnuk-vidpid.hex Then, reset the board. 
diff --git a/doc/development.rst b/doc/development.rst index 0e9f994..19eb69b 100644 --- a/doc/development.rst +++ b/doc/development.rst @@ -40,11 +40,11 @@ We are using "-O3 -Os" for compiler option. Building Gnuk ------------- -Change directory to ``src``: +Change directory to ``src``: :: $ cd gnuk-VERSION/src -Then, run ``configure``: +Then, run ``configure``: :: $ ./configure --vidpid= @@ -52,8 +52,12 @@ Here, you need to specify USB vendor ID and product ID. For FSIJ's, it's: --vidpid=234b:0000 . Please read the section 'USB vendor ID and product ID' in README. -Type: +Type: :: $ make Then, we will have "gnuk.elf" under src/build directory. + +Next, we can get the final image by running following command. :: + + $ make build/gnuk-vidpid.elf diff --git a/doc/note/firmware-update b/doc/note/firmware-update index 386fe8a..d312cb2 100644 --- a/doc/note/firmware-update +++ b/doc/note/firmware-update @@ -65,7 +65,7 @@ Invoking firmware update We specify reGNUal binary and Gnuk binary. - $ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk.bin + $ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk-vidpid.bin Two or more tokens diff --git a/doc/note/firmware-update-2 b/doc/note/firmware-update-2 index 6f78599..830293f 100644 --- a/doc/note/firmware-update-2 +++ b/doc/note/firmware-update-2 
@@ -73,16 +73,20 @@ and make: :: $ make Please take care of configure options. The default target in 1.0.x -series is Olimex STM32 H103 (not FST-01). The default target in 1.1.8 +series is Olimex STM32 H103 (not FST-01). The default target in 1.2.x is FST-01. +Then you get build/gnuk.elf. -Then you get build/gnuk.elf and build/gnuk.bin. +Next, we can get the final image by running following command. -Invoking configure with FSIJ's USB ID (234b:0000) means that you are -using FSIJ's USB ID (for reGNUal in this case). Please note that FSIJ -only allows use of its USB ID for specific situations. Please read -README of Gnuk about that. + $ make build/gnuk-vidpid.elf + + +Invoking configure with FSIJ's USB ID (234b:0000) and generating +gnuk-vidpid.elf means that you are using FSIJ's USB ID (for reGNUal in +this case). Please note that FSIJ only allows use of its USB ID for +specific situations. Please read README of Gnuk about that. Bulding reGNUal @@ -117,13 +121,13 @@ your environment for Gnuk Token. How to run the script: :: $ cd tool - $ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin + $ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk-vidpid.bin Then, the script on your host PC invoke the steps described above, and you will get new version of Gnuk installed. -You can also specify -p option to enter your password (other than -factory setting). +You can also specify -f option to skip entering your password (it +assumes the factory setting). If you already have configured another upgrade key installed, you can specify different slot by -k ```` option. SLOT_NO can be 0
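Review bot: in the NEWS hunk ("Remove unused DEK with BY_ADMIN"), the new text only says the DEK is "cleared by zero when the token is set to admin-less mode", which describes a transition-time action; the entry should state whether a token that was already switched to admin-less mode by an earlier release still carries the stale DEK derived from OPENPGP_CARD_INITIAL_PW3 on flash ROM, and whether re-setting the mode after upgrading is needed to get rid of it, since that residual copy is exactly the backdoor case the paragraph describes. Minor wording in the same lines: "cheating a user" is unclear (say what the attacker could do with the DEK), and "cleared by zero" reads better as "zeroed".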
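Review bot: the README KDF-DO hunk (@@ -24,13) has grammar problems in the added lines: "It supports new KDF-DO feature" should be "It supports the new KDF-DO feature", and "Better way to prepare KDF-DO will be expected." should be something like "A better way to prepare the KDF-DO is expected in a future release." The hunk also drops the only pointer a reader had (the experimental-branch URL) and replaces it with "forthcoming 2.2.5 or later"; consider keeping a reference to where the GnuPG side of the feature lives until 2.2.5 is actually out.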
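Review bot: the README @@ -444 hunk changes the DFU step to "./dfuse.py ../src/build/gnuk-vidpid.hex", and the firmware-update notes now pass "gnuk-vidpid.bin", but the only build instruction added in this patch is "$ make build/gnuk-vidpid.elf". Either state in the build section that this target also produces gnuk-vidpid.hex and gnuk-vidpid.bin, or add the commands that do, otherwise a reader following "How to build" will not have the file the install step expects. Also "by running following command" (here and in the doc/development.rst and firmware-update-2 hunks) should read "by running the following command".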
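Review bot: in the firmware-update-2 @@ -73 hunk, the trailing context heading "Bulding reGNUal" is misspelled ("Building reGNUal"); since this section is being edited anyway, fix it in the same change. The added sentence "Then you get build/gnuk.elf." is now separated from the gnuk-vidpid.elf step by the removed line's position, so check the rendered result reads as two consecutive steps rather than a dangling one-liner.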
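Review bot: the last hunk (@@ -117) inverts the meaning of the documented option, from "-p to enter your password (other than factory setting)" to "-f to skip entering your password (it assumes the factory setting)", but nothing else in this patch touches tool/upgrade_by_passwd.py; confirm the script already accepts -f and prompts for the passphrase by default, otherwise the document and the tool disagree. It would also help to say explicitly that -f is only appropriate for a token still at the factory passphrase, so users do not reach for it out of habit on a token whose PIN has been changed.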