deon/gnuk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
cd271fbeb5b1d122a0717dbcce8ab52560911506
gnuk/README.md
Deon Spengler cd271fbeb5 Update readme
2022-07-17 01:31:11 +02:00

5.9 KiB
Raw Blame History

Note: This fork of Gnuk fixes some compiling bugs and focuses on using the ST-Link v2 clone hardware.

Here is the link to the original project: http://git.gniibe.org/cgit/gnuk/gnuk.git/

What's Gnuk?

Gnuk is an implementation of USB cryptographic token for GNU Privacy Guard. Gnuk supports OpenPGP card protocol version 3, and it runs on STM32F103 processor (and its compatible). Gnuk allows one to converting a Cheap $2 ST-Link v2 clone into a Hardware GPG Key.

It has supports of Ed25519 and X25519 (ECDH on Curve25519). It also has experimental support of ECDSA (on NIST P256 and secp256k1) and ECDH (on NIST P256 and secp256k1).

It also supports RSA-4096, but users should know that it takes more than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails, because the device doesn't have enough memory.

Gnuk supports the Key Derived Function (KDF) functionality. With the KDF function enabled, the PIN is stored as a hash on the Gnuk. To use the feature, you need to use GnuPG (2.2.6 or later). The KDF setting needs to be enabled before any keys is put on the Gnuk. Once a key has been placed on the Gnuk and changes to the KDF settings will be prevented until the Gnuk has been reset. Your Gnuk token can be configured with the card-edit/kdf-setup command of GnuPG.

How to build the firmware

You will need the GNU toolchain and newlib for arm-none-eabi.

On Arch Linux this can be installed with the following

sudo pacman -S arm-none-eabi-gcc arm-none-eabi-newlib

On Debian or Ubuntu one can use the following command

sudo apt-get install gcc-arm-none-eabi

Clone source code and compile

git clone --recursive https://git.spengler.co.za/deon/gnuk.git gnuk
cd gnuk/src
./configure --vidpid=1209:2440
make

Then, we will have "gnuk.bin" under src/build directory.

Please read section 'USB vendor ID and product ID' below.

How to flash the Gnuk firmware

Now create a file called stm32f103.cfg with the following content

telnet_port 4444
source [find interface/stlink-v2.cfg]
source [find target/stm32f1x.cfg]
set WORKAREASIZE 0x10000

Now execute the openocd command and connect with telnet

openocd stm32f103.cfg
telnet localhost 4444

Use the following commands to unlock, flash the firmware and lock the device again.

stm32f1x unlock 0
reset halt
flash write_bank 0 ./src/build/gnuk.bin 0
stm32f1x lock 0
reset halt

Testing Gnuk

Type following command to see if GnuPG detects the token.

gpg --card-status

See tests/README for functionality tests.

Personalize the Token, import keys, and change the password

You can personalize the token, putting your information like: Name, Login name, Sex, Languages, URL. To do so, GnuPG command is:

$ gpg --card-edit

Note that the factory setting of user password is "123456" and admin password is "12345678" as the specification.

It is recommended to create your keys on your computer, and import them to Gnuk Token. After you create your keys (they must be 2048-bit RSA), you can import them.

Gnuk supports key generation, but this feature is young and should be considered experimental.

For detail, please see documentation under doc/. You can see the HTML version at: https://www.fsij.org/doc-gnuk/

Firmware update

See doc/note/firmware-update.

Debug enabled

If you compiled with --enable-debug option, Gnuk has two interfaces (one is CCID/ICCD device and another is virtual COM port). Open virtual COM port by:

$ cu -l /dev/ttyACM0

and you will see debug output of Gnuk.

How to debug

We can use GDB.

$ arm-none-eabi-gdb gnuk.elf

Inside GDB, we can connect OpenOCD by:

(gdb) target remote localhost:3333

or

(gdb) target extended-remote localhost:3333

You can see the output of PCSCD:

/etc/init.d/pcscd stop

LIBCCID_ifdLogLevel=7 /usr/sbin/pcscd --debug --foreground

You can observe the traffic of USB using "usbmon". See the file: linux/Documentation/usb/usbmon.txt

USB vendor ID and product ID (USB device ID)

When you have a vendor ID and assign a product ID for Gnuk, edit the file GNUK_USB_DEVICE_ID and add an entry for yours. In this case, please contact Niibe, so that it is listed to the file in the official release of the source code.

When you are modifing Gnuk and installing the binary to device, you should replace the vendor string and serial number to yours (in the file GNUK_USB_DEVICE_ID and SERIALNO of the script of src/configure), so that users can see it's not by original vendor, and it is modified version.

FSIJ allows you to use USB device ID of FSIJ (234b:0000) for devices with Gnuk under one of following conditions:

  • For everyone for experimental purpose:

    • You must not distribute a binary with FSIJ's USB device ID, but must use the binary by yourself only for your experiment. Note that "Distributing binary" includes distributing a device which holds the binary.

  • For general individuals:

    • You must use your Gnuk device with a card serial number which is not by FSIJ. Easy one would be a card serial number generated by chip unique ID.

  • For individuals with explicit permission from FSIJ.

    • You should have an assigned card serial number by FSIJ, please use that number for your device. (There a file 'GNUK_SERIAL_NUMBER' in the official release.)

FSIJ could give companies or business entities "second source manufacturer" license to use USB device ID of FSIJ for devices with unmodified version of Gnuk, provided they support Free Software and respect users' freedom for computing. Please ask FSIJ for the license.

Otherwise, companies which want to distribute Gnuk devices, please use your own USB vendor ID and product ID. Please replace vendor string and possibly product string to yours, when you modify Gnuk.