usbarmory / usbarmory-debian-base_image Goto Github PK

View Code? Open in Web Editor NEW

77.0 77.0 30.0 170 KB

USB armory Debian base image

License: Other

Makefile 85.45% Shell 9.75% Dockerfile 4.80%

usbarmory-debian-base_image's Introduction

Introduction

USB armory | https://github.com/usbarmory/usbarmory
Copyright (c) WithSecure Corporation

The USB armory from WithSecure Foundry is an open source hardware design, implementing a compact secure computer.

This repository is aimed towards developers, if you wish to purchase a USB armory board please see the ordering information.

Authors

Andrea Barisani
[email protected] | [email protected]

Andrej Rosano
[email protected] | [email protected]

Daniele Bianco
[email protected] | [email protected]

Documentation

The main documentation can be found on the project wiki.

Board models

USB armory Mk II LAN

USB armory Mk II

USB armory Mk I

License

USB armory | https://github.com/usbarmory/usbarmory
Copyright (c) WithSecure Corporation

This is an open hardware design licensed under the terms of the CERN Open Hardware Licence, see board revisions for applicable versions.

This source is distributed WITHOUT ANY EXPRESS OR IMPLIED WARRANTY, INCLUDING OF MERCHANTABILITY, SATISFACTORY QUALITY AND FITNESS FOR A PARTICULAR PURPOSE.

Please see LICENSE files in each source subdirectory for applicable conditions.

usbarmory-debian-base_image's People

Contributors

Stargazers

Watchers

usbarmory-debian-base_image's Issues

Possible regression in commit 19fd662

Its seems that commit 19fd662 contains a regression.

The use of $ symbol within the sudo chroot bash command causes to write corrupted data in /ets/shadow as hash for the usbarmory password.

e.g. in my tests it has been written: usbarmory:E13Mtqs3Fmark-twovaDyPBE6o/Ey0sbyIh5/8tbxBuSiRlLr5rai5M7C70S22HDwBvtu2XOFsvmgRMu.tPdyY6ZcjRrbraF.dWL51:18375:0:99999:7::: where you can read mark-two

\cc @abarisani

Flashing eMMC Assistance

I recently purchased several MkII's but cannot see any of the devices when attaching them to my computer (M1 MacBook Ventura). I've read through all the documentation, but I must be missing something. Can you point me in the right direction for installing the official debain directly on the eMMC. Thanks in advance.

Running diskutil list only returns my main disk.

Image creation failure, MBR overwritten

Hi guys,

Did you test this Makefile? From my experience it has some problems with the image creation, because the mkfs.ext4 command will overwrite the MBR and the generated image will not work. The problem is that mkfs will not respect the offset value when using a file, starting at 0 and overwriting the partition info set in previous steps.
I could get it to work by mounting the image into loop device and doing mkfs there.
Something like this:
${TARGET_IMG}:
fallocate -l 3500MiB ${TARGET_IMG}
/sbin/parted ${TARGET_IMG} --script mklabel msdos
/sbin/parted ${TARGET_IMG} --script mkpart primary ext4 5M 100%

debian: ${TARGET_IMG}
/sbin/losetup /dev/loop0 ${TARGET_IMG} -o 5242880 --sizelimit 3500MiB
/sbin/mkfs.ext4 -F /dev/loop0
/sbin/losetup -d /dev/loop0

Any ideas about this? Using Debian 8.8 to create my custom image. It works after fixing the makefile with these changes.

Thanks,
Pedro

Enable HTTPS on keys.inversepath.com used to fetch software signing keys

While starting experimenting with the packaging of GlobaLeaks for USB Armory MKII i just found out that the GPG key used for verifying fetched resources is fetched via the plain HTTP resource: http://keys.inversepath.com/gpg-andrej.asc

I already produced a patch to be integrated in the repository but it seems to me that the server hosting the keys is not running HTTPS so that before integrating the patch it would be probably required to enable it.

In the meantime probably as an alternative could be hosted inside the script directly or served via the repository/github itself.

Armory Mk 1 - uboot fails to start. Debian base image release 20210730

Earlier today I installed the usbarmory-mark-one-usd-debian_buster-base_image-20210730 image to micro-SD card and found the Armory Mark 1 failed to boot. No sign of life, host PC doesn't see the CDC device, no heartbeat LED. Thinking I'd done something wrong I hacked about with checking SHA sums, including comparing the .raw image hash with the bytes on the micro-SD - all matched.
Eventually I thought to try an older image and found that usbarmory-mark-one-usd-debian_buster-base_image-20210108 boots correctly.
This seems to suggest the boot-loader on the 20210730 image is broken.

image-20230315 for MK1 is corrupted

Hello

The image usbarmory-mark-one-usd-debian_bullseye-base_image-20230315.raw.xz for MK1 is corrupted.
I tried 3 different cards, but the result was the same. MK1 does not start.
I take the previous image of usbarmory-mark-one-usd-debian_bullseye-base_image-20221114.raw.xz, then it works fine.

dns tool missing

Hello,

there are two little bugs.
First, the usbarmory-mark-two--base_image-20211129.raw.xz.sha256 files reference usbarmory-mark-two--base_image-20211130.raw.xz (show the date)
Second, in this image i miss a dns tool like "host" or "dig". At this moment i cant update or do anything depended from dns resolving.

best regards

Add the prerequiste public key for u-boot

Unpacking linux-image-6.6-usbarmory (6.6.14-0) ...
Setting up linux-image-6.6-usbarmory (6.6.14-0) ...
sudo cp linux-headers-6.6-usbarmory-mark-one_6.6.14-0_armhf.deb rootfs/tmp/
sudo chroot rootfs /usr/bin/dpkg -i /tmp/linux-headers-6.6-usbarmory-mark-one_6.6.14-0_armhf.deb
Selecting previously unselected package linux-headers-6.6-usbarmory.
(Reading database ... 14569 files and directories currently installed.)
Preparing to unpack .../linux-headers-6.6-usbarmory-mark-one_6.6.14-0_armhf.deb ...
Unpacking linux-headers-6.6-usbarmory (6.6.14-0) ...
Setting up linux-headers-6.6-usbarmory (6.6.14-0) ...
sudo rm rootfs/tmp/linux-image-6.6-usbarmory-mark-one_6.6.14-0_armhf.deb
sudo chroot rootfs apt-get clean
sudo chroot rootfs fake-hwclock
sudo chroot rootfs umount /proc
sudo rm rootfs/usr/bin/qemu-arm-static
rm: cannot remove 'rootfs/usr/bin/qemu-arm-static': No such file or directory
make: [Makefile:146: usbarmory-mark-one-usd-debian_bookworm-base_image-20240213.raw] Error 1 (ignored)
sudo umount rootfs
gpg --verify u-boot-2024.01.tar.bz2.sig
gpg: assuming signed data in 'u-boot-2024.01.tar.bz2'
gpg: Signature made Mon 08 Jan 2024 07:38:20 AM PST
gpg: using RSA key 1A3C7F70E08FAB1707809BBF147C39FF9634B72C
gpg: issuer "[email protected]"
gpg: Can't check signature: No public key
make: *** [Makefile:67: u-boot-2024.01/u-boot.bin] Error 2

can not boot from eMMC

the same image is booting from microSD card with no problem, but from mmc got this on serial:

Card did not respond to voltage select!
switch to partitions #0, OK
mmc1(part 0) is current device
Scanning mmc 1:1...
Card did not respond to voltage select!
Card did not respond to voltage select!
zimage: Bad magic!

Issue importing gpg key: gpg: keyserver receive failed: Cannot assign requested address

I'm having an issue importing the key:

Step 4/8 : RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
 ---> Running in 857af6ee308a
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: Cannot assign requested address

Environment:

FROM debian:stretch

RUN apt update
RUN apt install -y bc binfmt-support bzip2 fakeroot gcc gcc-arm-linux-gnueabihf git gnupg make parted qemu-user-static wget xz-utils zip debootstrap
RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys 87F9F635D31D7652

RUN git clone https://github.com/inversepath/usbarmory-debian-base_image.git
WORKDIR /usbarmory-debian-base_image
RUN make all

But it works with gpg2:

RUN apt install -y gnupg2
RUN gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E

Related: rvm/rvm#3544

Feel free to close this issue. I'm mostly documenting the error.

Add the prerequisite of go

from lsusb:
Bus 003 Device 014: ID 15a2:004e Freescale Semiconductor, Inc. i.MX53 SystemOnChip in RecoveryMode

I'm following:
https://github.com/usbarmory/usbarmory-debian-base_image?tab=readme-ov-file#pre-requisites
and installed the per-requisites

$ lsb_release -d
Description: Debian GNU/Linux 12 (bookworm)
$ uname -srm
Linux 6.1.0-17-amd64 x86_64

log:
unzip -o armoryctl-1.2.zip
Archive: armoryctl-1.2.zip
32087b57bc5a7b3dd82545a8ae9afc57acd385fb
creating: armoryctl-1.2/
inflating: armoryctl-1.2/LICENSE
inflating: armoryctl-1.2/Makefile
inflating: armoryctl-1.2/README.md
creating: armoryctl-1.2/anna_b112/
inflating: armoryctl-1.2/anna_b112/at.go
inflating: armoryctl-1.2/anna_b112/openocd.go
inflating: armoryctl-1.2/armoryctl.go
creating: armoryctl-1.2/atecc608/
inflating: armoryctl-1.2/atecc608/atecc608.go
creating: armoryctl-1.2/fusb303/
inflating: armoryctl-1.2/fusb303/fusb303.go
inflating: armoryctl-1.2/go.mod
inflating: armoryctl-1.2/go.sum
creating: armoryctl-1.2/internal/
inflating: armoryctl-1.2/internal/armoryctl.go
inflating: armoryctl-1.2/internal/gpio.go
inflating: armoryctl-1.2/internal/i2c_linux.go
inflating: armoryctl-1.2/internal/i2c_tamago.go
inflating: armoryctl-1.2/internal/led_linux.go
inflating: armoryctl-1.2/internal/led_tamago.go
inflating: armoryctl-1.2/internal/uart.go
inflating: armoryctl-1.2/internal/util.go
creating: armoryctl-1.2/led/
inflating: armoryctl-1.2/led/led.go
creating: armoryctl-1.2/pf1510/
inflating: armoryctl-1.2/pf1510/pf1510.go
creating: armoryctl-1.2/tusb320/
inflating: armoryctl-1.2/tusb320/tusb320.go
cd armoryctl-1.2 && GOPATH=/tmp/go GOARCH=arm BUILD_USER=usbarmory BUILD_HOST=usbarmory make
make[1]: Entering directory '/home/improvethings/usbarmory-debian-base_image/armoryctl-1.2'
/bin/bash: line 1: go: command not found
make[1]: *** [Makefile:27: armoryctl] Error 127
make[1]: Leaving directory '/home/improvethings/usbarmory-debian-base_image/armoryctl-1.2'
make: *** [Makefile:353: armoryctl-1.2/armoryctl] Error 2

SSH Host Key not properly generated

I would like to bring to your attention that the host keys that are supposed to be generated during the sshd setup do not seem to be properly generated.

For now, creating it manually seem to fix the issue.

Unable to install Wireguard using DKMS

I am trying to get Wireguard installed on my USB Armory MkII running the latest Debian image.

The wireguard packages are part of the buster-backports repository:

echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee -a /etc/apt/sources.list
sudo apt update && sudo apt dist-upgrade && sudo apt install wireguard
...
Building for 5.4.87-0
Building initial module for 5.4.87-0
Error! Bad return status for module build on kernel: 5.4.87-0 (armv7l)
Consult /var/lib/dkms/wireguard/1.0.20201221/build/make.log for more information.

Here is the contents of the above make.log:

DKMS make.log for wireguard-1.0.20201221 for kernel 5.4.87-0 (armv7l)
Wed 13 Jan 2021 07:12:26 PM UTC
make: Entering directory '/usr/lib/modules/5.4.87-0/build'
make: *** No targets specified and no makefile found.  Stop.
make: Leaving directory '/usr/lib/modules/5.4.87-0/build'

I did some investigating and it appears the debian linux-headers package is normally built using the Linux kernel deb-pkg target which ends up calling scripts/package/builddeb. This script in turn makes a list of the files to be put in the package and then uses tar to put them in the right directory.

I created a script based on builddeb called copy_header_files.sh and updated the linux-headers-deb target as follows:

#### linux-headers-deb ####
HEADER_DEPS := check_version
HEADER_DEPS += linux-${LINUX_VER}/arch/arm/boot/zImage
linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf.deb: $(HEADER_DEPS)
        mkdir -p linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/{DEBIAN,boot,lib/modules/${LINUX_VER}${LOCALVERSION}}
        cd linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/lib/modules/${LINUX_VER}${LOCALVERSION} ; ln -sf /usr/src/linux-${LINUX_VER}${LOCALVERSION} build
        cat control_template_linux-headers | \
                sed -e 's/XXXX/${LINUX_VER_MAJOR}/'          | \
                sed -e 's/YYYY/${LINUX_VER}${LOCALVERSION}/' | \
                sed -e 's/ZZZZ/linux-image-${LINUX_VER_MAJOR}-usbarmory (=${LINUX_VER}${LOCALVERSION})/' | \
                sed -e 's/USB armory/USB armory ${V}/' \
                > linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/DEBIAN/control
        @if test "${V}" = "mark-two"; then \
                sed -i -e 's/${LINUX_VER_MAJOR}-usbarmory/${LINUX_VER_MAJOR}-usbarmory-mark-two/' \
                linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/DEBIAN/control; \
        fi
        # Build headers package similar to kernel script: scripts/package/builddeb
        ./copy_header_files.sh "linux-${LINUX_VER}" "linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/usr/src/linux-headers-${LINUX_VER}${LOCALVERSION}"
        chmod 755 linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf/DEBIAN
        fakeroot dpkg-deb -b linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf linux-headers-${LINUX_VER_MAJOR}-usbarmory-${V}_${LINUX_VER}${LOCALVERSION}_armhf.deb

Note the changed build link. The contents of the copy_header_files.sh:

#!/bin/sh
srctree=$1
destdir=$2

(cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > ../hdrsrcfiles
(cd $srctree; find arch/*/include include scripts -type f -o -type l) >> ../hdrsrcfiles
(cd $srctree; find arch/arm -name module.lds -o -name Kbuild.platforms -o -name Platform) >> ../hdrsrcfiles
(cd $srctree; find $(find arch/arm -name include -o -name scripts -type d) -type f) >> ../hdrsrcfiles
(cd $srctree; find arch/arm/include Module.symvers include scripts -type f) > ../hdrobjfiles
mkdir -p "$destdir"
(cd $srctree; tar -c -f - -T -) < "../hdrsrcfiles" | (cd $destdir; tar -xf -)
(cd $srctree; tar -c -f - -T -) < "../hdrobjfiles" | (cd $destdir; tar -xf -)
(cd $srctree; cp Kconfig ../$destdir/.config) # copy .config manually to be where it's expected to be

Running the linux-headers-deb target above results in a linux-headers-5.4-usbarmory-mark-two_5.4.87-0_armhf.deb that contains all the files needed to build the wireguard-dkms.

HOWEVER, a number of the binaries under the scripts directory are not cross-compiled. This appears to be a known issue when building for arm (see https://forum.loverpi.com/discussion/555/how-to-fix-dkms-error-bin-sh-1-scripts-basic-fixdep-exec-format-error and https://forum.radxa.com/t/dkms-building-error/307/5). This causes the dkms build to fail:

DKMS make.log for wireguard-1.0.20201221 for kernel 5.4.87-0-usbarmory (armv7l)
Fri 15 Jan 2021 02:45:34 AM UTC
make: Entering directory '/usr/src/linux-headers-5.4.87-0'
  AR      /var/lib/dkms/wireguard/1.0.20201221/build/built-in.a
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/main.o
/bin/sh: 1: scripts/basic/fixdep: Exec format error
make[1]: *** [scripts/Makefile.build:262: /var/lib/dkms/wireguard/1.0.20201221/build/main.o] Error 2
make[1]: *** Deleting file '/var/lib/dkms/wireguard/1.0.20201221/build/main.o'
make: *** [Makefile:1732: /var/lib/dkms/wireguard/1.0.20201221/build] Error 2
make: Leaving directory '/usr/src/linux-headers-5.4.87-0'

I tried the recommended solution by re-building the scripts cd /usr/src/linux-headers-5.4.87-0 && sudo make scripts ON the usb armory, but this doesn't build all the tools needed and the DKMS build fails again:

DKMS make.log for wireguard-1.0.20201221 for kernel 5.4.87-0-usbarmory (armv7l)
Fri 15 Jan 2021 02:48:46 AM UTC
make: Entering directory '/usr/src/linux-headers-5.4.87-0'
  AR      /var/lib/dkms/wireguard/1.0.20201221/build/built-in.a
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/main.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/device.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/peer.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/timers.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/queueing.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/send.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/receive.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/socket.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/peerlookup.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/allowedips.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/ratelimiter.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/cookie.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/netlink.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/chacha20/chacha20.o
  PERLASM /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/chacha20/chacha20-arm.S
  AS [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/chacha20/chacha20-arm.o
  AS [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/chacha20/chacha20-unrolled-arm.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/poly1305/poly1305.o
  PERLASM /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/poly1305/poly1305-arm.S
  AS [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/poly1305/poly1305-arm.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/chacha20poly1305.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/blake2s/blake2s.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/curve25519/curve25519.o
  AS [M]  /var/lib/dkms/wireguard/1.0.20201221/build/crypto/zinc/curve25519/curve25519-arm.o
  LD [M]  /var/lib/dkms/wireguard/1.0.20201221/build/wireguard.o
  Building modules, stage 2.
  MODPOST 1 modules
/bin/sh: 1: scripts/mod/modpost: Exec format error
make[1]: *** [scripts/Makefile.modpost:94: __modpost] Error 2
make: *** [Makefile:1645: modules] Error 2
make: Leaving directory '/usr/src/linux-headers-5.4.87-0'

I haven't yet figured out how to rebuild the modpost binary, and even if I do it doesn't solve the problem with there being x86_64 binaries in the linux-headers .deb file. At this point I may just try to build the deb files on an ARM system.

Mk I: u-boot-2019.07 missing dtb version

Getting an error on make all V=mark-one IMX=imx53 during the finalizer step:

sudo dd if=u-boot-2019.07/u-boot-dtb.imx of=usbarmory-mark-one-debian_stretch-base_image-20191008.raw bs=512 seek=2 conv=fsync conv=notrunc
dd: failed to open 'u-boot-2019.07/u-boot-dtb.imx': No such file or directory
Makefile:230: recipe for target 'finalize' failed
make: *** [finalize] Error 1

The dtb or Device Tree Blob, seems to be missing from the u-boot build process. The normal u-boot.imx is there.

Maybe it was renamed?

root@827813faa247:/opt/armory/u-boot-2019.07# ls -la u-boot*
-rwxr-xr-x 1 root root 3186484 Oct  8 08:32 u-boot
-rwxr-xr-x 1 root root  382628 Oct  8 08:32 u-boot-nodtb.bin
-rwxr-xr-x 1 root root  382628 Oct  8 08:32 u-boot.bin
-rw-r--r-- 1 root root    8124 Oct  8 08:31 u-boot.cfg
-rw-r--r-- 1 root root    4669 Oct  8 08:32 u-boot.cfg.configs
-rw-r--r-- 1 root root    1842 Oct  8 08:32 u-boot.cfgout
-rw-r--r-- 1 root root  388096 Oct  8 08:32 u-boot.imx
-rw-r--r-- 1 root root     194 Oct  8 08:32 u-boot.imx.log
-rw-r--r-- 1 root root    1719 Oct  8 08:32 u-boot.lds
-rw-r--r-- 1 root root  473023 Oct  8 08:32 u-boot.map
-rwxr-xr-x 1 root root 1148026 Oct  8 08:32 u-boot.srec
-rw-r--r-- 1 root root  119664 Oct  8 08:32 u-boot.sym

I have a branch to submit a few PRs here in a bit to fix some other Makefile issues. So if you can point me in a direction I"ll try some other combinations.

Make command results in error "losetup: /dev/loop0: failed to set up loop device: No such file or directory"

Following the guide for building the image while running the command make all V=mark-two IMX=imx6ulz BOOT=uSD i get the following error:

losetup: /dev/loop0: failed to set up loop device: No such file or directory

I receive the error at the first time i run the command while any further attempt result in a success.

I successfully reproduced the issue many times with a new git clone but i've still not understood the reason of the failure.

udev dependency missing

Hi,

For the docker image, you may need to add the dependency for udev, as udevadm was not installed in my image.

ear

gpg: keyserver receive failed - Same #9

The same thing as in the related question. But on seeing the comment of a possible error with the packages, I tried to install them. Even though it was unsuccessful and warning that it was recent, after that, the installation worked.

Where can the new public key be retrieved for the package repo?

Hi, when I attempt to look up keys.gnupg.net it fails and your instructions also still reference the old key. But it appears a key change happened (or, perhaps less likely) your repository got compromised.

Where can one find the transition notice and the new public key?

Exact error is:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://f-secure-foundry.github.io/debian stable Rel
ease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A81E36CAA33925BE
W: Failed to fetch https://f-secure-foundry.github.io/debian/dists/stable/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A81E36CAA33925BE
W: Some index files failed to download. They have been ignored, or old ones used instead.

Thanks,

Oliver

PS: I realize the instructions reference the creation of a Debian image, but still.
PPS: I also peeked into the latest available prebuilt image and got the following two public keys shown from the /etc/apt/trusted.gpg which I copied out of there. Neither matched the A81E36CAA33925BE with which the Release.gpg appears to be signed.

$ gpg --homedir $(pwd)/.gnupg -k
gpg: /data/oliver/usbarmory/.gnupg/trustdb.gpg: trustdb created
/data/oliver/usbarmory/.gnupg/pubring.gpg
-----------------------------------------
pub   rsa4096 2021-05-09 [SC] [expires: 2024-05-08]
      BDE162F4702015888046AE02EA178C32AB5654CE
uid           [ unknown] Andrej Rosano <[email protected]>
sub   rsa4096 2021-05-09 [E] [expires: 2024-05-08]
sub   rsa4096 2021-05-09 [S] [expires: 2024-05-08]

pub   dsa1024 2003-12-02 [SC] [expires: 2023-04-08]
      0A76074A02CDE989CE7FAC3FDA47578E864C9B9E
uid           [ unknown] Andrea Barisani <[email protected]>
uid           [ unknown] Andrea Barisani <[email protected]>
sub   rsa2048 2018-04-09 [S] [expires: 2023-04-08]
sub   rsa2048 2018-04-09 [E] [expires: 2023-04-08]

Cant build in docker

i'm trying to build it on my mac (10.15.6) with docker
i'm checkout to 20200714

$ docker info
Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 0
  Paused: 0
  Stopped: 9
 Images: 65
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.76-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.945GiB
 Name: docker-desktop
 ID: ELHR:33LN:BXHM:R3OB:PQRH:VVKC:AC74:2L55:RW3K:QMTM:X7FD:2OYJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 40
  Goroutines: 52
  System Time: 2020-09-22T12:09:32.558559522Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

$ docker build --rm -t armory ./  
Sending build context to Docker daemon  195.1kB
Step 1/11 : FROM debian:10
 ---> f6dcff9b59af
Step 2/11 : RUN apt-get update && apt-get upgrade -y
 ---> Using cache
 ---> 9cc71a570877
Step 3/11 : RUN apt-get install -y     bc binfmt-support bzip2 fakeroot gcc gcc-arm-linux-gnueabihf     git gnupg make parted qemu-user-static wget xz-utils zip     debootstrap sudo dirmngr bison flex libssl-dev kmod udev cpio
 ---> Using cache
 ---> 5886486c2a5e
Step 4/11 : ARG GOLANG_TARBALL=go1.13.6.linux-amd64.tar.gz
 ---> Using cache
 ---> b691796aa3ed
Step 5/11 : RUN wget https://dl.google.com/go/$GOLANG_TARBALL
 ---> Using cache
 ---> a47bde1cd82b
Step 6/11 : RUN echo a1bc06deb070155c4f67c579f896a45eeda5a8fa54f35ba233304074c4abbbbd $GOLANG_TARBALL | sha256sum -c
 ---> Using cache
 ---> 6ebd2a05c5e4
Step 7/11 : RUN tar -C /usr/local -xzf $GOLANG_TARBALL
 ---> Using cache
 ---> 7e9b72e39663
Step 8/11 : RUN rm $GOLANG_TARBALL
 ---> Using cache
 ---> 05b4bdfdcb5b
Step 9/11 : ENV PATH "$PATH:/usr/local/go/bin"
 ---> Using cache
 ---> dc0871cda0ae
Step 10/11 : RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E     && gpg --keyserver hkp://keys.gnupg.net --recv-keys 87F9F635D31D7652
 ---> Using cache
 ---> 414eec35efcb
Step 11/11 : WORKDIR /opt/armory
 ---> Using cache
 ---> 34a369750179
Successfully built 34a369750179
Successfully tagged armory:latest

then i enter build envaierment via docker run -it --privileged -v $(pwd):/opt/armory --name armory --rm armory

root@88fa4924a1dc:/opt/armory# make all V=mark-two IMX=imx6ulz BOOT=eMMC
target: USB armory V=mark-two IMX=imx6ulz BOOT=eMMC
--2020-09-22 12:17:03--  https://github.com/f-secure-foundry/armoryctl/archive/v1.0.zip
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/f-secure-foundry/armoryctl/zip/v1.0 [following]
--2020-09-22 12:17:05--  https://codeload.github.com/f-secure-foundry/armoryctl/zip/v1.0
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: 'armoryctl-v1.0.zip'

armoryctl-v1.0.zip                                                     [ <=>                                                                                                                                                            ]  24.62K  --.-KB/s    in 0.06s

2020-09-22 12:17:14 (395 KB/s) - 'armoryctl-v1.0.zip' saved [25206]

Archive:  armoryctl-v1.0.zip
7a563b78b9b78c201d326afd27afdd1f4a30a746
   creating: armoryctl-1.0/
  inflating: armoryctl-1.0/LICENSE
  inflating: armoryctl-1.0/Makefile
  inflating: armoryctl-1.0/README.md
   creating: armoryctl-1.0/anna_b112/
  inflating: armoryctl-1.0/anna_b112/at.go
  inflating: armoryctl-1.0/anna_b112/openocd.go
  inflating: armoryctl-1.0/armoryctl.go
   creating: armoryctl-1.0/atecc608a/
  inflating: armoryctl-1.0/atecc608a/atecc608a.go
   creating: armoryctl-1.0/fusb303/
  inflating: armoryctl-1.0/fusb303/fusb303.go
  inflating: armoryctl-1.0/go.mod
  inflating: armoryctl-1.0/go.sum
   creating: armoryctl-1.0/internal/
  inflating: armoryctl-1.0/internal/armoryctl.go
  inflating: armoryctl-1.0/internal/gpio.go
  inflating: armoryctl-1.0/internal/i2c.go
  inflating: armoryctl-1.0/internal/led.go
  inflating: armoryctl-1.0/internal/uart.go
  inflating: armoryctl-1.0/internal/util.go
   creating: armoryctl-1.0/led/
  inflating: armoryctl-1.0/led/led.go
   creating: armoryctl-1.0/pf1510/
  inflating: armoryctl-1.0/pf1510/pf1510.go
   creating: armoryctl-1.0/tusb320/
  inflating: armoryctl-1.0/tusb320/tusb320.go
make[1]: Entering directory '/opt/armory/armoryctl-1.0'
go: downloading periph.io/x/periph v3.6.2+incompatible
go: downloading github.com/albenik/go-serial/v2 v2.0.0
go: extracting github.com/albenik/go-serial/v2 v2.0.0
go: downloading go.uber.org/multierr v1.4.0
go: downloading github.com/creack/goselect v0.1.1
go: downloading golang.org/x/sys v0.0.0-20200107162124-548cf772de50
go: extracting go.uber.org/multierr v1.4.0
go: extracting github.com/creack/goselect v0.1.1
go: downloading go.uber.org/atomic v1.5.1
go: extracting go.uber.org/atomic v1.5.1
go: extracting periph.io/x/periph v3.6.2+incompatible
go: extracting golang.org/x/sys v0.0.0-20200107162124-548cf772de50
go: finding github.com/albenik/go-serial/v2 v2.0.0
go: finding github.com/creack/goselect v0.1.1
go: finding go.uber.org/multierr v1.4.0
go: finding go.uber.org/atomic v1.5.1
go: finding golang.org/x/sys v0.0.0-20200107162124-548cf772de50
go: finding periph.io/x/periph v3.6.2+incompatible
runtime/internal/sys
internal/cpu
runtime/internal/math
internal/bytealg
runtime/internal/atomic
math/bits
runtime
math
unicode/utf8
internal/race
sync/atomic
unicode
internal/testlog
encoding
unicode/utf16
internal/reflectlite
sync
math/rand
errors
sort
strconv
io
internal/oserror
syscall
reflect
time
internal/poll
internal/fmtsort
internal/syscall/unix
strings
os
encoding/binary
bytes
fmt
encoding/base64
bufio
hash
flag
encoding/json
compress/flate
hash/crc32
path/filepath
path
github.com/creack/goselect
io/ioutil
github.com/albenik/go-serial/v2/unixutils
go.uber.org/atomic
archive/zip
go.uber.org/multierr
golang.org/x/sys/unix
regexp/syntax
regexp
log
github.com/albenik/go-serial/v2
context
os/exec
periph.io/x/periph/conn
periph.io/x/periph/conn/physic
periph.io/x/periph/conn/pin
periph.io/x/periph
periph.io/x/periph/host/fs
periph.io/x/periph/conn/gpio
periph.io/x/periph/host/cpu
periph.io/x/periph/conn/gpio/gpioreg
periph.io/x/periph/conn/i2c
periph.io/x/periph/host/distro
periph.io/x/periph/conn/i2c/i2creg
periph.io/x/periph/host/pmem
periph.io/x/periph/conn/spi
periph.io/x/periph/conn/spi/spireg
periph.io/x/periph/host/sysfs
periph.io/x/periph/host/am335x
periph.io/x/periph/conn/gpio/gpiostream
periph.io/x/periph/host/videocore
periph.io/x/periph/conn/pin/pinreg
periph.io/x/periph/host/beagle/black
os/user
periph.io/x/periph/host/bcm283x
periph.io/x/periph/host/allwinner
periph.io/x/periph/host/beagle/green
periph.io/x/periph/host/beagle/bone
periph.io/x/periph/host/chip
periph.io/x/periph/host/odroidc1
periph.io/x/periph/host/pine64
periph.io/x/periph/host/rpi
periph.io/x/periph/host
github.com/f-secure-foundry/armoryctl/internal
github.com/f-secure-foundry/armoryctl/atecc608a
github.com/f-secure-foundry/armoryctl/anna_b112
github.com/f-secure-foundry/armoryctl/fusb303
github.com/f-secure-foundry/armoryctl/led
github.com/f-secure-foundry/armoryctl/pf1510
github.com/f-secure-foundry/armoryctl/tusb320
command-line-arguments
compiled armoryctl 9196e0c (root@88fa4924a1dc on 2020-09-22 12:17:14)
make[1]: Leaving directory '/opt/armory/armoryctl-1.0'
mkdir -p armoryctl_1.0_armhf/{DEBIAN,sbin}
cat control_template_armoryctl | \
	sed -e 's/YYYY/1.0/' \
	> armoryctl_1.0_armhf/DEBIAN/control
cp -r armoryctl-1.0/armoryctl armoryctl_1.0_armhf/sbin
chmod 755 armoryctl_1.0_armhf/DEBIAN
fakeroot dpkg-deb -b armoryctl_1.0_armhf armoryctl_1.0_armhf.deb
dpkg-deb: building package 'armoryctl' in 'armoryctl_1.0_armhf.deb'.
wget https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.xz -O linux-5.4.51.tar.xz
--2020-09-22 12:17:41--  https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.xz
Resolving www.kernel.org (www.kernel.org)... 136.144.49.103, 2604:1380:40b0:1a00::1
Connecting to www.kernel.org (www.kernel.org)|136.144.49.103|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.xz [following]
--2020-09-22 12:17:42--  https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.xz
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.101.1, 2604:1380:2001:3900::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.101.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 109562468 (104M) [application/x-xz]
Saving to: 'linux-5.4.51.tar.xz'

linux-5.4.51.tar.xz                                                100%[===============================================================================================================================================================>] 104.49M  5.86MB/s    in 32s

2020-09-22 12:18:15 (3.29 MB/s) - 'linux-5.4.51.tar.xz' saved [109562468/109562468]

wget https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.sign -O linux-5.4.51.tar.sign
--2020-09-22 12:18:15--  https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.sign
Resolving www.kernel.org (www.kernel.org)... 136.144.49.103, 2604:1380:40b0:1a00::1
Connecting to www.kernel.org (www.kernel.org)|136.144.49.103|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.sign [following]
--2020-09-22 12:18:15--  https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.51.tar.sign
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.101.1, 2604:1380:2001:3900::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.101.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 989 [text/plain]
Saving to: 'linux-5.4.51.tar.sign'

linux-5.4.51.tar.sign                                              100%[===============================================================================================================================================================>]     989  --.-KB/s    in 0.002s

2020-09-22 12:18:15 (408 KB/s) - 'linux-5.4.51.tar.sign' saved [989/989]

gpg: assuming signed data in 'linux-5.4.51.tar'
gpg: Signature made Thu Jul  9 07:39:22 2020 UTC
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <[email protected]>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <[email protected]>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
tar: linux-5.4.51/Documentation/Changes: Cannot utime: No such file or directory
tar: linux-5.4.51/arch/arm/boot/dts/sun8i-a23-ippo-q8h-v1.2.dts: Cannot utime: No such file or directory
tar: linux-5.4.51/arch/arm/boot/dts/sun8i-a23-ippo-q8h-v5.dts: Cannot utime: No such file or directory
tar: linux-5.4.51/arch/arm/boot/dts/sun8i-a33-et-q8-v1.6.dts: Cannot utime: No such file or directory
tar: linux-5.4.51/arch/arm/boot/dts/sun8i-a33-ippo-q8h-v1.2.dts: Cannot utime: No such file or directory
tar: Exiting with failure status due to previous errors
make: *** [Makefile:124: linux-5.4.51/arch/arm/boot/zImage] Error 2
root@88fa4924a1dc:/opt/armory#

Release and document build for the differnet versions of MKII and for MKI

I suggest that we could probably work on retesting it to release and document a version of Debian for all both the MKII platforms and as well for the MKI. This would help users to experiment and before producing their own image. I will try to provide my feedback and support for the retesting on your official repository.

I discovered in fact while testing a board with the packaging of GlobaLeaks that at least two different version of the MKII exists (globaleaks/GlobaLeaks#2803) and that the two requires different build flags and kernel options.

Failure when calling `losetup -f` on Debian Buster, seems related to module autoloading

Summary

I came across what seemed like a very strange issue when building an image on a Debian Buster system. The system is admittedly a bit out of date- the kernel package and most of the system/userland is from ~June of 2020. It's possible this issue has been fixed in the most recent release of Debian Buster. This is the environment I encountered the issue on:

8:49:34 › lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
8:49:36 › uname -a
Linux host 5.6.0-0.bpo.2-amd64 #1 SMP Debian 5.6.14-2~bpo10+1 (2020-06-09) x86_64 GNU/Linux
8:49:38 › /sbin/losetup -V
losetup from util-linux 2.33.1

Symptoms / Reproduce

When using make to build an image as an unprivileged user on a freshly booted system, the losetup command used to create a loopback device fails, causing a build failure

$ make V=mark-two IMX=imx6ulz BOOT=uSD 
...
sudo /sbin/losetup  usbarmory-mark-two-usd-debian_buster-base_image-20210424.raw -o 5242880 --sizelimit 3500MiB
losetup: usbarmory-mark-two-usd-debian_buster-base_image-20210424.raw: failed to use device: No such device
make: *** [Makefile:83: usbarmory-mark-two-usd-debian_buster-base_image-20210424.raw] Error 1

This command in the Makefile looks like this:

	sudo /sbin/losetup $(LOSETUP_DEV) usbarmory-${IMG_VERSION}.raw -o 5242880 --sizelimit 3500MiB

Clearly the LOSETUP_DEV variable is not set. This confused me, because on line 24, it is very clearly set:

LOSETUP_DEV=$(shell /sbin/losetup -f)

Cause

The root cause is that the loop module is not loaded until losetup is invoked as a privileged user (explicitly or via sudo) or until modprobe loop is explicitly invoked. It's arguable whether this is a bug or not, but because the losetup -f command fails silently, I think it is a bug

One could also say that the cause is that losetup -f is not invoked with sudo. I say that because of the following behavior, and the fact that adding sudo fixes the problem. Here's the behavior that initially baffled me. Note this is an unprivileged user (authorized for sudo)

Unprivileged:

9:37:56 › /sbin/losetup -f
losetup: cannot find an unused loop device: Permission denied

Via sudo:

9:38:00 › sudo /sbin/losetup -f
/dev/loop0

Again, unprivileged:

9:38:04 › /sbin/losetup -f     
/dev/loop0

The first command fails as the loop module is not loaded by default and is not autoloaded
The second command, presumably because it is running with root privileges, causes the loop module to load implicitly/automatically.
Retrying losetup -f as an unprivileged user after that works

The permission denied message is a result of access("/dev/loop-control", W_OK), which returns EACCES when the loop module isn't loaded. Very deceiving behavior, but probably documented somewhere

Fix

Invoke sudo losetup -f instead of losetup -f in the Makefile. This fixes the issue and makes the losetup invocation consistent with the others in the Makefile

Another option is failing the build when the losetup -f fails, but I think it's better to just avoid the issue entirely by adding sudo

Notes

I am guessing that this is not "broken" in all distributions and probably worked on older versions of Debian, and still works on other distributions. My guess is this was caused by one or more of the following:

The module auto-loading behavior was changed
The way losetup behaves was changed
Previous versions of Debian explicitly loaded loop on boot
Previous versions of Debian did not build loop support as a module

I will send a PR for this as it's a very simple fix- assuming this is considered a bug. I think it's a better solution then letting users figure out the silent failure of losetup -f is what caused the failure in losetup later on- it took me a good 10-15 minutes to track this down, despite being very simple. It's not intuitive at all and the Permission Denied error from losetup contributes to the confusion

Latest image needs ca-certificates for the Inverse Path repo to work

Without ca-certificates, the latest pre-compiled base image (20180222) is unable to use the Inverse Path repository and cannot update the kernel.

Routing Internet access into Debian

I'm trying to provide internet access to my USB Armory (Debian) from my Ubuntu host.
I'm able to get an SSH shell just fine.

I'm running the commands from the wiki, however I can't ping 8.8.8.8 from the Armory.

cc @nothingismagick

Image cannot be built: old golang version

The go version that is installed in the docker container is very old (go version go1.7.4 linux/amd64) and there is not support for go mod. For this reason armoryctl cannot be built and it is not possible to create an image.

Makefile cannot get kernel_conf/usbarmory_4.14.config

There was tyding going on in the other repo and now the config files for 4.14 are under
https://github.com/inversepath/usbarmory/tree/master/software/kernel_conf/mark-one

so mark-one has to be added everywhere in the Makefile to ${USBARMORY_REPO}/software/kernel_conf/

(7 appearances)

e2fsprogs 1.42.12 in Jessie doesn't support metadata_csum feature

There could be similar case with e2fsprogs on Debian (Jessie: 1.42.12-2+b1; Stretch: 1.43.4-2 and metadata_csum enabled in /etc/mke2fs.conf) as I found in tuxlifan#1 unless I missed something.

Would you like an C.I. to test the builds?

With the addition of the Dockerfile in #21 , I can put together a Travis or maybe even a Github Tasks build environment to test for and report the state of master, and all PRs.

I have GitHub Actions enabled in my account; however, I think everyone has to request enrollment with Github.

Let me know and I will try to whip it up. Most likely will test all 3 build targets of the Makefile, and test that the files exists with no build errors.

Note: an Administrator will have to setup the tasks and join it to Travis or alike. I'll try to keep the instructions short and simple for the Assignee here to minimize the work.

HSM kernel modules release

Would be nice to have a precompiled release that has SCC2/DCP/CAAM modules built and enabled for MKII

Latest release (buster) still has stretch sources.list

Update to Debian Stretch (9)

The tatest stable release of Debian is Stretch. Is there any reason blocking update to the latest release?

Makefile: where does 'u-boot-dtb.imx' come from?

I'm currently writing a new Makefile that instead of needing to do network fetches each time uses locally git clone-d repositories. In reading through the current file to ensure I understand what build products are required and I see:

usbarmory-${IMG_VERSION}.raw.xz: usbarmory-${IMG_VERSION}.raw u-boot-${UBOOT_VER}/u-boot.bin
  sudo dd if=u-boot-${UBOOT_VER}/u-boot-dtb.imx of=usbarmory-${IMG_VERSION}.raw bs=512 seek=2 conv=fsync conv=notrunc
  xz -k usbarmory-${IMG_VERSION}.raw

But I cannot see where or how u-boot-dtb.imx is obtained or created. There is no mention of it elsewhere in the project or in any of the other repositories save one related to Secure Boot:

$ grep -rn u-boot-dtb
usbarmory-debian-base_image/Makefile:176:       sudo dd if=u-boot-${UBOOT_VER}/u-boot-dtb.imx of=usbarmory-${IMG_VERSION}.raw bs=512 seek=2 conv=fsync conv=notrunc
usbarmory/software/secure_boot/mark-one/hab4.csf:41:  Blocks = 0x777FF400 0x0 0x49C00 "/tmp/u-boot-dtb.imx"

CONFIG_BINFMT_MISC not set for Kernel

Hello,

I would like to be able to use qemu-user to emulate other CPU-architectures on my USB Armory - but for that to be nice and easy to work with binfmt_misc needs to be supported by the host kernel.

See:

usbarmory@usbarmory:~$ sudo update-binfmts --enable qemu-x86_64
mount: /proc/sys/fs/binfmt_misc: mount point does not exist.
update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
usbarmory@usbarmory:~$ grep BINFMT_MISC /boot/config-5.15.78-0-usbarmory 
# CONFIG_BINFMT_MISC is not set

Would you consider enabling this as a module?

xt_conntrack.ko kernel module missing from usbarmory-debian-base_image

Good day,

Would it be possible to have the xt_conntrack.ko module added to the usbarmory-debian-base_image? I find ip_tables difficult to manage without certain modules. Or if there is an easy way to add these? Thank you!

modprobe: FATAL: Module xt_conntrack not found in directory /lib/modules/5.4.82-0

usbarmory@usbarmory:~$ find /lib/modules -type f -name "*conntrack*"
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_snmp.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_h323.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_irc.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_netbios_ns.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_netlink.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_sane.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_tftp.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_sip.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_pptp.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_broadcast.ko
/lib/modules/5.4.82-0/kernel/net/netfilter/nf_conntrack_ftp.ko```

scc2 device-tree and modules don't seem to work

I have a Mk 1, running the 2022-07-06 Debian base image, and I'm trying to use the scc feature. Following the wiki, I boot with the scc2 device tree active (ln -sf /boot/imx53-usbarmory-scc2.dtb /boot/imx53-usbarmory.dtb), and then try and load the modules (modprobe scc2; modprobe scc2_aes). scc2 seems to load correctly but scc2_aes fails with modprobe: ERROR: could not insert 'scc2_aes': Operation not permitted. Looking at the logs I see:

[ 4536.459961] scc2: loading out-of-tree module taints kernel.
[ 4536.497320] scc2: SCC declared UNIMPLEMENTED
[ 4536.506058] scc2: failed to set up interrupt handlers
[ 4536.529426] scc2: Driver Status is UNIMPLEMENTED
[ 4536.550834] scc2_aes: cannot read scm_version, aborting

which suggests that the device tree is not loading or working correctly. I've tried compiling the scc2.dts file, but this doesn't work either. Curiously, when I first tried to compile the dts file I got the following errors, which disappear on subsequent tries:

  DTC     arch/arm/boot/dts/imx53-usbarmory-scc2.dtb
arch/arm/boot/dts/imx53-usbarmory-scc2.dts:54.5-55.31: Warning (reg_format): /soc/aips@60000000/scc2@63fb4000:reg: property has invalid length (16 bytes) (#address-cells == 2, #size-cells == 1)
arch/arm/boot/dts/imx53-usbarmory-scc2.dtb: Warning (pci_device_reg): Failed prerequisite 'reg_format'
arch/arm/boot/dts/imx53-usbarmory-scc2.dtb: Warning (pci_device_bus_num): Failed prerequisite 'reg_format'
arch/arm/boot/dts/imx53-usbarmory-scc2.dtb: Warning (i2c_bus_reg): Failed prerequisite 'reg_format'
arch/arm/boot/dts/imx53-usbarmory-scc2.dtb: Warning (spi_bus_reg): Failed prerequisite 'reg_format'
arch/arm/boot/dts/imx53-usbarmory-scc2.dts:52.24-57.6: Warning (avoid_default_addr_size): /soc/aips@60000000/scc2@63fb4000: Relying on default #address-cells value
arch/arm/boot/dts/imx53-usbarmory-scc2.dts:52.24-57.6: Warning (avoid_default_addr_size): /soc/aips@60000000/scc2@63fb4000: Relying on default #size-cells value

Is there any way to confirm that the scc2 device tree is loading correctly, or could there be something else wrong?

20180115 image contains sources.list from jessie instead of stretch

Installing packages was not working right until /etc/apt/sources.list was updated to use the stretch repos.

$  cat /etc/apt/sources.list
#deb http://ftp.debian.org/debian jessie main
#deb http://ftp.debian.org/debian jessie-updates main
#deb http://security.debian.org jessie/updates main

deb http://ftp.debian.org/debian stretch main
deb http://ftp.debian.org/debian stretch-updates main
deb http://security.debian.org stretch/updates main