Update documentation.
12
NEWS
@@ -2,7 +2,7 @@ Gnuk NEWS - User visible changes
|
|||||||
|
|
||||||
* Major changes in Gnuk 1.2.8
|
* Major changes in Gnuk 1.2.8
|
||||||
|
|
||||||
Released 2018-01-2X, by NIIBE Yutaka
|
Released 2018-01-23, by NIIBE Yutaka
|
||||||
|
|
||||||
** No inclusion of VID:PID in gnuk.elf
|
** No inclusion of VID:PID in gnuk.elf
|
||||||
|
|
||||||
@@ -16,12 +16,12 @@ gnuk-vidpid.elf and we can check if it is reproducible or not.
|
|||||||
Now, Gnuk checks length of passphrase if it's too short when
|
Now, Gnuk checks length of passphrase if it's too short when
|
||||||
changing passphrase.
|
changing passphrase.
|
||||||
|
|
||||||
** Remove possible access with BY_ADMIN (to flash ROM data)
|
** Remove unused DEK with BY_ADMIN
|
||||||
|
|
||||||
For admin-less mode, access by OPENPGP_CARD_INITIAL_PW3 remained on
|
For admin-less mode, DEK by OPENPGP_CARD_INITIAL_PW3 remained on flash
|
||||||
flash ROM. This could be considered a backdoor, if some other person
|
ROM. This could be considered a backdoor, if some other person had or
|
||||||
had or kept access to the flash ROM. Now, the entry is cleared by
|
kept access to the flash ROM, cheating a user. Now, the DEK is
|
||||||
zero when the token is set to admin-less mode.
|
cleared by zero when the token is set to admin-less mode.
|
||||||
|
|
||||||
** Upgrade of Chopstx
|
** Upgrade of Chopstx
|
||||||
We use Chopstx 1.8.
|
We use Chopstx 1.8.
|
||||||
|
|||||||
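Review bot: In the BY_ADMIN entry, the new heading "Remove unused DEK with BY_ADMIN" reads as routine cleanup, while the body says the leftover DEK "could be considered a backdoor"; the heading should carry that security relevance so readers scanning NEWS do not skip it. The body also says the DEK is cleared "when the token is set to admin-less mode", which leaves open whether a token that was already in admin-less mode before the upgrade still holds the old DEK on flash ROM; please add a sentence saying what existing users need to do. Wording: "cleared by zero" would read better as "overwritten with zeros", and "cheating a user" needs a clearer phrase for what the other person could do.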
29
README
@@ -1,14 +1,14 @@
|
|||||||
Gnuk - An Implementation of USB Cryptographic Token for GnuPG
|
Gnuk - An Implementation of USB Cryptographic Token for GnuPG
|
||||||
|
|
||||||
Version 1.2.7
|
Version 1.2.8
|
||||||
2017-11-26
|
2018-01-23
|
||||||
Niibe Yutaka
|
Niibe Yutaka
|
||||||
Free Software Initiative of Japan
|
Free Software Initiative of Japan
|
||||||
|
|
||||||
Release Notes
|
Release Notes
|
||||||
=============
|
=============
|
||||||
|
|
||||||
This is the release of Gnuk, version 1.2.7, which has major
|
This is the release of Gnuk, version 1.2.8, which has major
|
||||||
incompatible changes to Gnuk 1.0.x. Specifically, it now supports
|
incompatible changes to Gnuk 1.0.x. Specifically, it now supports
|
||||||
overriding key import, but importing keys (or generating keys) results
|
overriding key import, but importing keys (or generating keys) results
|
||||||
password reset. Also, you need to import private keys before changing
|
password reset. Also, you need to import private keys before changing
|
||||||
@@ -24,13 +24,10 @@ It also supports RSA-4096, but users should know that it takes more
|
|||||||
than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails,
|
than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails,
|
||||||
because the device doesn't have enough memory.
|
because the device doesn't have enough memory.
|
||||||
|
|
||||||
In this release, experimental KDF-DO support is added. To use the
|
It supports new KDF-DO feature. To use the feature, you need to use
|
||||||
feature, you need to build/install experimental branch of GnuPG by
|
newer GnuPG (forthcoming 2.2.5 or later). And you need to manually
|
||||||
yourself:
|
prepare the KDF-DO on your token. Please note that this is
|
||||||
|
experimental. Better way to prepare KDF-DO will be expected.
|
||||||
https://dev.gnupg.org/source/gnupg/history/gniibe%252Fscd-kdf-support/
|
|
||||||
|
|
||||||
And manually prepare the KDF-DO on your token.
|
|
||||||
|
|
||||||
|
|
||||||
What's Gnuk?
|
What's Gnuk?
|
||||||
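Review bot: The rewritten KDF-DO paragraph tells users to "manually prepare the KDF-DO on your token" but, with the URL removed, no longer points anywhere that explains how; please name the tool or documentation section that covers it. The paragraph also opens with "It supports new KDF-DO feature" and only states "this is experimental" two sentences later, so the caveat should move up to the first sentence as it was in the removed text. "forthcoming 2.2.5 or later" will be stale once that GnuPG release is out, and "Better way to prepare KDF-DO will be expected" would be clearer as a statement that a better way is planned.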
@@ -408,6 +405,10 @@ Then, type:
|
|||||||
|
|
||||||
Then, we will have "gnuk.elf" under src/build directory.
|
Then, we will have "gnuk.elf" under src/build directory.
|
||||||
|
|
||||||
|
Next, we can get the final image by running following command.
|
||||||
|
|
||||||
|
$ make build/gnuk-vidpid.elf
|
||||||
|
|
||||||
|
|
||||||
How to install
|
How to install
|
||||||
==============
|
==============
|
||||||
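Review bot: The added lines after 'we will have "gnuk.elf" under src/build directory' introduce gnuk-vidpid.elf as "the final image" without saying how it differs from gnuk.elf or that gnuk.elf is not the file to write to the device. NEWS in this same commit has the entry "No inclusion of VID:PID in gnuk.elf"; one sentence here stating that gnuk.elf carries no VID:PID and that gnuk-vidpid.elf is the image used in the install steps below would keep readers from flashing the wrong file. Minor: "by running following command" is missing "the".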
@@ -416,11 +417,11 @@ Olimex STM32-H103 board
|
|||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
If you are using Olimex JTAG-Tiny, type following to invoke OpenOCD
|
If you are using Olimex JTAG-Tiny, type following to invoke OpenOCD
|
||||||
and write "gnuk.elf" to Flash ROM:
|
and write "gnuk-vidpid.elf" to Flash ROM:
|
||||||
|
|
||||||
$ openocd -f interface/ftdi/olimex-jtag-tiny.cfg \
|
$ openocd -f interface/ftdi/olimex-jtag-tiny.cfg \
|
||||||
-f board/olimex_stm32_h103.cfg \
|
-f board/olimex_stm32_h103.cfg \
|
||||||
-c "program build/gnuk.elf verify reset exit"
|
-c "program build/gnuk-vidpid.elf verify reset exit"
|
||||||
|
|
||||||
Command invocation is assumed in src/ directory.
|
Command invocation is assumed in src/ directory.
|
||||||
|
|
||||||
@@ -433,7 +434,7 @@ If you are using Flying Stone Tiny 01, you need a SWD writer.
|
|||||||
OpenOCD 0.9.0 now supports ST-Link/V2. We can use it like:
|
OpenOCD 0.9.0 now supports ST-Link/V2. We can use it like:
|
||||||
|
|
||||||
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg \
|
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg \
|
||||||
-c "program build/gnuk.elf verify reset exit"
|
-c "program build/gnuk-vidpid.elf verify reset exit"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@@ -444,7 +445,7 @@ Reset the board with "USER" switch pushed. Type following to write
|
|||||||
to flash:
|
to flash:
|
||||||
|
|
||||||
# cd ../tool
|
# cd ../tool
|
||||||
# ./dfuse.py ../src/build/gnuk.hex
|
# ./dfuse.py ../src/build/gnuk-vidpid.hex
|
||||||
|
|
||||||
Then, reset the board.
|
Then, reset the board.
|
||||||
|
|
||||||
|
|||||||
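Review bot: The dfuse.py line now takes ../src/build/gnuk-vidpid.hex, but the build instructions added in this commit only show "make build/gnuk-vidpid.elf" and never mention a .hex output. Please document how gnuk-vidpid.hex is produced (the make target, or a statement that it is generated alongside the .elf), otherwise a reader following the README top to bottom reaches this step without the file.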
@@ -40,11 +40,11 @@ We are using "-O3 -Os" for compiler option.
|
|||||||
Building Gnuk
|
Building Gnuk
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
Change directory to ``src``:
|
Change directory to ``src``: ::
|
||||||
|
|
||||||
$ cd gnuk-VERSION/src
|
$ cd gnuk-VERSION/src
|
||||||
|
|
||||||
Then, run ``configure``:
|
Then, run ``configure``: ::
|
||||||
|
|
||||||
$ ./configure --vidpid=<VID:PID>
|
$ ./configure --vidpid=<VID:PID>
|
||||||
|
|
||||||
@@ -52,8 +52,12 @@ Here, you need to specify USB vendor ID and product ID. For FSIJ's,
|
|||||||
it's: --vidpid=234b:0000 . Please read the section 'USB vendor ID and
|
it's: --vidpid=234b:0000 . Please read the section 'USB vendor ID and
|
||||||
product ID' in README.
|
product ID' in README.
|
||||||
|
|
||||||
Type:
|
Type: ::
|
||||||
|
|
||||||
$ make
|
$ make
|
||||||
|
|
||||||
Then, we will have "gnuk.elf" under src/build directory.
|
Then, we will have "gnuk.elf" under src/build directory.
|
||||||
|
|
||||||
|
Next, we can get the final image by running following command. ::
|
||||||
|
|
||||||
|
$ make build/gnuk-vidpid.elf
|
||||||
|
|||||||
@@ -65,7 +65,7 @@ Invoking firmware update
|
|||||||
|
|
||||||
We specify reGNUal binary and Gnuk binary.
|
We specify reGNUal binary and Gnuk binary.
|
||||||
|
|
||||||
$ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk.bin
|
$ ../tool/gnuk_upgrade.py ../regnual/regnual.bin gnuk-vidpid.bin
|
||||||
|
|
||||||
|
|
||||||
Two or more tokens
|
Two or more tokens
|
||||||
|
|||||||
@@ -73,16 +73,20 @@ and make: ::
|
|||||||
$ make
|
$ make
|
||||||
|
|
||||||
Please take care of configure options. The default target in 1.0.x
|
Please take care of configure options. The default target in 1.0.x
|
||||||
series is Olimex STM32 H103 (not FST-01). The default target in 1.1.8
|
series is Olimex STM32 H103 (not FST-01). The default target in 1.2.x
|
||||||
is FST-01.
|
is FST-01.
|
||||||
|
|
||||||
|
Then you get build/gnuk.elf.
|
||||||
|
|
||||||
Then you get build/gnuk.elf and build/gnuk.bin.
|
Next, we can get the final image by running following command.
|
||||||
|
|
||||||
Invoking configure with FSIJ's USB ID (234b:0000) means that you are
|
$ make build/gnuk-vidpid.elf
|
||||||
using FSIJ's USB ID (for reGNUal in this case). Please note that FSIJ
|
|
||||||
only allows use of its USB ID for specific situations. Please read
|
|
||||||
README of Gnuk about that.
|
Invoking configure with FSIJ's USB ID (234b:0000) and generating
|
||||||
|
gnuk-vidpid.elf means that you are using FSIJ's USB ID (for reGNUal in
|
||||||
|
this case). Please note that FSIJ only allows use of its USB ID for
|
||||||
|
specific situations. Please read README of Gnuk about that.
|
||||||
|
|
||||||
|
|
||||||
Bulding reGNUal
|
Bulding reGNUal
|
||||||
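Review bot: The added sentence "Next, we can get the final image by running following command." is followed by the indented "$ make build/gnuk-vidpid.elf" without the "::" marker, while the hunk header shows this file uses "and make: ::" and the other documentation file in this commit adds "::" to the same sentence; without it the command renders as a block quote instead of a literal block. Also, the old text promised "build/gnuk.elf and build/gnuk.bin" and the new text only mentions build/gnuk.elf, yet the upgrade command later in this file takes ../src/build/gnuk-vidpid.bin; please say where the .bin comes from.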
@@ -117,13 +121,13 @@ your environment for Gnuk Token.
|
|||||||
How to run the script: ::
|
How to run the script: ::
|
||||||
|
|
||||||
$ cd tool
|
$ cd tool
|
||||||
$ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
|
$ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk-vidpid.bin
|
||||||
|
|
||||||
Then, the script on your host PC invoke the steps described above, and
|
Then, the script on your host PC invoke the steps described above, and
|
||||||
you will get new version of Gnuk installed.
|
you will get new version of Gnuk installed.
|
||||||
|
|
||||||
You can also specify -p option to enter your password (other than
|
You can also specify -f option to skip entering your password (it
|
||||||
factory setting).
|
assumes the factory setting).
|
||||||
|
|
||||||
If you already have configured another upgrade key installed, you can
|
If you already have configured another upgrade key installed, you can
|
||||||
specify different slot by -k ``<slot_no>`` option. SLOT_NO can be 0
|
specify different slot by -k ``<slot_no>`` option. SLOT_NO can be 0
|
||||||
|
|||||||
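Review bot: The replacement of "-p option to enter your password" with "-f option to skip entering your password (it assumes the factory setting)" documents a reversed default, but the surrounding text never states the new default itself. Please say explicitly that the script asks for the password unless -f is given, and that -f is only appropriate while the token still has the factory setting. "You can also specify" no longer fits, since -f is now the exception rather than an extra; something like "If the password is still the factory setting, you can specify -f to skip the prompt" would read correctly.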