[[PageOutline]]

= Getting Started on the Novena =

== The Novena Board == 

[[Image(http://bunniefoo.com/novena/pvt1_release/novena_pvt1e_top_sm.jpg)]]

[http://www.kosagi.com/w/index.php?title=Novena_Main_Page Novena] is an open hardware and F/OSS-friendly computing platform. It is a small single-board Linux PC, with a Freescale i.MX6 (ARM Cortex-A9) CPU and a Xilinx Spartan-6 LX45 FPGA.

It is available in limited quantities through [https://www.crowdsupply.com/sutajio-kosagi/novena Crowd Supply].

=== Setting up the Novena ===

The Novena PVT-2 requires some initial setup. You will need to attach a USB keyboard and HDMI monitor.

Once this is done, most of us prefer to run it headless, and ssh in.

You may also want to bring the packages up to date:

{{{
$ sudo apt-get update
$ sudo apt-get upgrade
}}}

== The Avalanche Noise Board ==

[[Image(rev03-on-novena.jpg, 40%)]]

The avalanche noise board is a Novena daughter board that contains a zener-diode noise circuit that can be read directly by the FPGA.

''(More information from FT: block diagram, schematics, ...)''

It is available in limited quantities directly from Fredrik Thulin, and will be distributed at the PrahaWorkshop.

== Binary Packages ==

Cryptech maintains an {{{apt}}} repository, with two binary packages for the Novena:
* a bitstream, to be configured into the FPGA
* software, to run on the CPU

=== How to get them ===

All commands are run on the Novena.

1. First, get the hactrn CA certificate:

{{{
$ wget http://www.hactrn.net/cacert.asc
}}}

Get the key used to sign the CA certificate.

{{{
$ gpg --recv-keys 2DC6FF82
}}}

Validate the CA certificate.

{{{
$ gpg cacert.asc
}}}

Install the CA certificate.

{{{
$ sudo mkdir /usr/share/ca-certificates/hactrn.org
$ sudo mv cacert /usr/share/ca-certificates/hactrn.org/cacert.crt
$ sudo dpkg-reconfigure ca-certificates
}}}

2. Get the repository key.

{{{
$ wget https://apt.cryptech.is/novena/apt-gpg-key.asc
}}}

Validate the key.

{{{
$ id=37A8E93F5D7E7B9A
$ gpg --recv-key $id
$ gpg --check-sig $id
$ gpg --export $id | sudo apt-key add -
}}}

See the apt-key(8) manual page for more information about the APT key database, including how to remove keys you don't want anymore.

Install the key.

{{{
$ sudo apt-key add apt-gpg-key.asc
}}}

3. Get the packages

Configure apt to use the repository.

{{{
$ sudo wget -q -O /etc/apt/sources.list.d/novena.list http://apt.cryptech.is/novena/sources.list
}}}

Update the package index file.

{{{
$ sudo apt-get update
}}}

Get the cryptech meta-package.

{{{
$ sudo apt-get install cryptech-novena
}}}

This installs the {{{cryptech-novena-rtl}}} and {{{cryptech-novena-sw}}} packages.

The {{{cryptech-novena-rtl}}} package includes an {{{init.d}}} script that configures the FPGA on system startup. This script should run automatically as part of the install process.
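
The "Configure apt to use the repository" step above writes a file fetched over plain HTTP straight into {{{/etc/apt/sources.list.d}}} as root. The following added example (not part of the original page or of Cryptech's tooling) checks a downloaded copy first, accepting it only if every entry points at {{{apt.cryptech.is}}} and carries no bracketed options; the function name and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# check_sources_list HOST < FILE
# Succeeds only if FILE has at least one entry and every entry is a plain
# "deb" or "deb-src" line whose URI is http(s)://HOST/...
# Entries with [options] are rejected: options such as trusted=yes turn off
# signature checking for that repository.
check_sources_list() {
    host=$1
    entries=0
    while read -r kind uri rest || [ -n "$kind" ]; do
        case $kind in
            ''|'#'*) continue ;;            # blank line or comment
            deb|deb-src) ;;
            *) return 1 ;;                  # e.g. an HTML error page
        esac
        case $uri in
            "http://$host/"*|"https://$host/"*) ;;
            *) return 1 ;;                  # other host, or an [option] block
        esac
        [ -n "$rest" ] || return 1          # the suite field is mandatory
        entries=$((entries + 1))
    done
    [ "$entries" -gt 0 ]
}

# Constructed samples: the suite and component names are placeholders, since
# the real file's contents are not shown on this page.
good_sample='# cryptech novena repository
deb http://apt.cryptech.is/novena stable main'
bad_sample='deb [trusted=yes] http://apt.cryptech.is/novena stable main'

for sample in "$good_sample" "$bad_sample"; do
    if printf '%s\n' "$sample" | check_sources_list apt.cryptech.is; then
        echo "accept"
    else
        echo "reject"
    fi
done

# On the Novena, in place of the direct wget into /etc/apt/sources.list.d:
#   tmp=$(mktemp)
#   wget -q -O "$tmp" http://apt.cryptech.is/novena/sources.list &&
#     check_sources_list apt.cryptech.is < "$tmp" &&
#     sudo install -m 0644 "$tmp" /etc/apt/sources.list.d/novena.list
```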

=== Updating the packages ===

Once you've performed the steps above, you should be able to upgrade to newer
versions of the code using the normal APT upgrade process, e.g.:

{{{
$ sudo apt-get update
$ sudo apt-get upgrade
}}}

== Setting up PKCS!#11 ==

The PKCS11 token is in {{{/usr/lib/libpkcs11.so}}}. Before you can start using it, you need to set a user PIN and an SO PIN. Do this with {{{p11util}}}:

{{{
(echo 12345678;echo 1234) | sudo p11util --set-so-pin --set-user-pin --pin-from-stdin
}}}

It is strongly suggested to change the SO PIN and user PIN (given in that order above) to something sensible. Now your token is ready to use. Your favorite PKCS11 client may or may not work, depending on the state of support for PKCS11 function calls; please open tickets for whatever is missing. If you need to talk PKCS11 from another host, you can install and configure [[PKCS11Proxy]] on both the Novena and your host. Note that pkcs11-proxy currently doesn't handle differing word lengths, so your client side will have to be 32-bit (since the Novena is).


== Setting up the lab signer ==

The lab DNSSEC signer MUST, at this point, be running on a 32-bit system in order to work with the 32-bit Novena.

[[https://www.dropbox.com/s/f8b4s9vic7hsqyb/cryptech-proxy-lab-20150718r2.pdf]]