***Note:*** *This fork of Gnuk fixes some compiling bugs and focuses on using the ST-Link v2 clone hardware.*
***Note:*** *This fork of Gnuk fixes some compiling bugs and focuses on using the "ST-Link V2" clone hardware.*
Here is the link to the original project: <http://git.gniibe.org/cgit/gnuk/gnuk.git/>
What's Gnuk?
============
Gnuk is an implementation of USB cryptographic token for GNU Privacy Guard. Gnuk supports OpenPGP card protocol version 3, and it runs on STM32F103 processor (and its compatible). Gnuk allows one to converting a Cheap $2 ST-Link v2 clone into a Hardware GPG Key.
Gnuk is an implementation of a USB cryptographic security token that supports the OpenPGP card protocol version 2. It runs on a STM32F103 processor (and its compatible). In short it allows one to convert a cheap $2 "ST-Link V2" clone device into a hardware security token.
It has supports of Ed25519 and X25519 (ECDH on Curve25519). It also has experimental support of ECDSA (on NIST P256 and secp256k1) and ECDH (on NIST P256 and secp256k1).
It also supports RSA-4096, but users should know that it takes more than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails, because the device doesn't have enough memory.
Gnuk supports the Key Derived Function (KDF) functionality. To use this feature one will need to use GnuPG 2.2.6 or later.
Gnuk supports the Key Derived Function (KDF) functionality. With the KDF function enabled, the PIN is stored as a hash on the Gnuk. To use the feature, you need to use GnuPG (2.2.6 or later). The KDF setting needs to be enabled before any keys is put on the Gnuk. Once a key has been placed on the Gnuk and changes to the KDF settings will be prevented until the Gnuk has been reset. Your Gnuk token can be configured with the card-edit/kdf-setup command of GnuPG.
How to build the Gnuk firmware
==============================
You will need the GNU toolchain for arm-none-eabi and newlib.
How to build the firmware
=========================
You will need the GNU toolchain and newlib for arm-none-eabi.
On Arch Linux this can be installed with the following
Use the following commands to unlock, flash the firmware and lock the device again.
```
reset halt
stm32f1x unlock 0
reset halt
flash write_bank 0 ./build/gnuk.bin 0
stm32f1x lock 0
reset halt
```
After power-off / power-on sequence, the contents of flash ROM cannot
be accessible from JTAG debugger.
How to reflash the ST-LINK
==========================
To reflash the ST-LINK, connect the device to a programmer as before while keeping pins 7 and 8 shorted. While the LED is blinking, run openocd. Once it’s running (i.e. it doesn’t show any errors), you can unshort the pins.
You can personalize your token by putting in your information like: Name, Login and Language.
You can personalize the token, putting your information like: Name,
Login name, Sex, Languages, URL. To do so, GnuPG command is:
The KDF setting needs to be enabled before any keys are imported into the Gnuk token. Once a key has been imported the KDF setting can't be changed until the token has been reset.
$ gpg --card-edit
***Note:*** That the factory user password is "123456" and admin password is "12345678". It is recommended to create your keys on your computer, and import them into the token. Gnuk supports key generation, but this feature is young and should be considered experimental.
Note that the factory setting of user password is "123456" and admin
password is "12345678" as the specification.
To configure your Gnuk token use the following command.
```
gpg --card-edit
```
It is recommended to create your keys on your computer, and import
them to Gnuk Token. After you create your keys (they must be 2048-bit
RSA), you can import them.
Gnuk supports key generation, but this feature is young and should be
considered experimental.
For detail, please see documentation under doc/. You can see the HTML
version at: https://www.fsij.org/doc-gnuk/
For further details, please see documentation under doc.
Firmware update
===============
See doc/note/firmware-update.
Debug enabled
-------------
If you compiled with --enable-debug option, Gnuk has two interfaces
(one is CCID/ICCD device and another is virtual COM port). Open
virtual COM port by:
$ cu -l /dev/ttyACM0
and you will see debug output of Gnuk.
How to debug
============
Ensure that you have arm-none-eabi-gdb installed and then you must configure and compile the Gnuk firmware with --enable-debug option. After flashing Gnuk debug firmware one will see two interfaces, one is CCID/ICCD device and the another is a virtual COM port.
You can observe the traffic of USB using "usbmon". See the file:
linux/Documentation/usb/usbmon.txt
You can see the output of PCSCD with the following command:
```
/usr/bin/pcscd --debug --foreground
```
You can also observe the traffic of the USB interface using "usbmon".
USB vendor ID and product ID (USB device ID)
============================================
When you have a vendor ID and assign a product ID for Gnuk, edit the file GNUK_USB_DEVICE_ID and add an entry for yours. In this case, please contact Niibe, so that it is listed to the file in the official release of the source code.
When you have a vendor ID and assign a product ID for Gnuk, edit the
file GNUK_USB_DEVICE_ID and add an entry for yours. In this case,
please contact Niibe, so that it is listed to the file in the official
release of the source code.
When you are modifing Gnuk and installing the binary to device, you
should replace the vendor string and serial number to yours (in the
file GNUK_USB_DEVICE_ID and SERIALNO of the script of src/configure),
so that users can see it's not by original vendor, and it is modified
version.
FSIJ allows you to use USB device ID of FSIJ (234b:0000) for devices
with Gnuk under one of following conditions:
When you are modifing Gnuk and installing the binary to device, you should replace the vendor string and serial number to yours (in the file GNUK_USB_DEVICE_ID and SERIALNO of the script of src/configure), so that users can see it's not by original vendor, and it is modified version.
FSIJ allows you to use USB device ID of FSIJ (234b:0000) for devices with Gnuk under one of following conditions:
* For everyone for experimental purpose:
- You must not distribute a binary with FSIJ's USB device ID, but
must use the binary by yourself only for your experiment. Note
that "Distributing binary" includes distributing a device which
holds the binary.
- You must not distribute a binary with FSIJ's USB device ID, but must use the binary by yourself only for your experiment. Note that "Distributing binary" includes distributing a device which holds the binary.
* For general individuals:
- You must use your Gnuk device with a card serial number which is
*not* by FSIJ. Easy one would be a card serial number generated
by chip unique ID.
- You must use your Gnuk device with a card serial number which is *not* by FSIJ. Easy one would be a card serial number generated by chip unique ID.
* For individuals with explicit permission from FSIJ.
- You should have an assigned card serial number by FSIJ,
please use that number for your device.
- You should have an assigned card serial number by FSIJ, please use that number for your device.
(There a file 'GNUK_SERIAL_NUMBER' in the official release.)
FSIJ could give companies or business entities "second source
manufacturer" license to use USB device ID of FSIJ for devices with
unmodified version of Gnuk, provided they support Free Software and
respect users' freedom for computing. Please ask FSIJ for the
license.
Otherwise, companies which want to distribute Gnuk devices, please use
your own USB vendor ID and product ID. Please replace vendor string
and possibly product string to yours, when you modify Gnuk.
FSIJ could give companies or business entities "second source manufacturer" license to use USB device ID of FSIJ for devices with unmodified version of Gnuk, provided they support Free Software and respect users' freedom for computing. Please ask FSIJ for the license.
Otherwise, companies which want to distribute Gnuk devices, please use your own USB vendor ID and product ID. Please replace vendor string and possibly product string to yours, when you modify Gnuk.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
