Andrew Bradford bradfa

bradfa / dual-yubikey-gpg-idea.md
Created November 15, 2022 13:00
Using 2 Yubikey for GPG Idea

I have 2 Yubikeys which support the OpenPGP card capability. I want to have a robust GnuPG solution which allows me to store one of the keys in a safe place and to carry the other key with me daily on my physical keychain. I want to be able to fairly easily survive having the daily carry Yubikey be stolen, lost, or simply fail, by revoking those keys. I also want to be able to survive having the safely stored key fail by revoking those keys.

My original plan was to create a main key pair and 2 sets of encryption and authentication subkeys (4 total, 2 enc and 2 auth). The main key pair and one set of the encryption and authentication keys would be transferred to each Yubikey, so each Yubikey would share the common main key pair but have a different set of encryption and authentication subkeys. This turns out to be quite difficult to implement in a secure way due to how GnuPG's key-to-card functionality works. GnuPG expects if you transfer a key to a card that you want that key to only live on that card an

bradfa / initramfs-hook-script-to-copy-kernel-and-initrd-to-esp.md
Created December 22, 2021 18:10 — forked from benjaminblack/initramfs-hook-script-to-copy-kernel-and-initrd-to-esp.md
Initramfs hook script to copy kernel and initrd.img to EFI System Partition

If the Linux kernel is compiled with the EFI stub loader (grep CONFIG_EFI_STUB /boot/config-*), then an EFI BIOS can boot the kernel directly, without the need for a bootloader like GRUB. This only requires that the kernel and the initrd exist on the EFI partition. The EFI boot menu and boot order can be managed with the command-line utility efibootmgr.

Copying the kernel image and initrd onto the EFI partition the first time is simple; the problem is keeping them up-to-date as the system is updated. In particular, lots of software packages can trigger the initrd to be rebuilt. The most recent kernel image and initrd need to be copied to the EFI partition every time they are updated.

The Debian Linux Kernel Handbook documents initramfs hooks, stating that "Packages for boot loaders that need to be updated whenever the files they load are modified must also install hook scripts in /etc/initramfs/post-update.d

bradfa / rpi4-uefi-serial.log
Created December 14, 2021 16:57
Raspberry Pi 4 UEFI boot serial console
Read start4.elf bytes 2243232 hnd 0x0000021d
Read fixup4.dat bytes 5351 hnd 0x0000021b
Firmware: 0403e22018aafab833d0a16374ac773f66fd7be9 Oct 19 2021 11:50:10
0x00d03114 0x00000000 0x00000fff
MEM GPU: 76 ARM: 947 TOTAL: 1023
Starting start4.elf @ 0xfeb00200 partition 0
+
MESS:00:00:04.964546:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:04.967336:0: brfs: File read: 206 bytes
bradfa / antlion-modmic-business.md
Created July 7, 2020 14:07
Antlion ModMic Business Review

I'm speaking into the Antlion ModMic Business connected to a Schiit Audio Fulla 3 USB sound interface and recorded by Audacity. I've set the mic input level about 3dB down which is about 89%. The microphone is 2 fingers width away from my face.

Now I'll toggle the in-line mute on and repeat the first 3 sentences of my review.

And now I've turned the mute back off. Hope this is helpful!

bradfa / pgp-bootable-usb-flash-drive.md
Last active July 21, 2021 10:49
PGP Bootable USB Flash Drive

PGP Bootable USB Flash Drive Creation and Operation

Create a bootable USB flash drive for generating and managing PGP keys. The keys will be generated and stored, encrypted, on the drive but then also transferred to Yubikeys for general use. Unless a Yubikey is lost or damaged, use of the flash drive should be extremely limited, if it is used at all.

A master certifying and signing (CS) key will be created, then sub-key signing (S), encrypting (E), and authenticating (A) keys will be created and signed by the C key. The C key will be archived with a password to the flash drive as well as transferred to a Yubikey 4. The SE&A sub keys will also be archived to the flash drive as part of the C key

View clfs.org move more to github.md

In the longer term, I could see us having the possibility of leveraging GitHub more. Currently the trac.clfs.org web page has a perception of lacking in functionality, for instance it's very hard to tell someone how to go from the front page of trac to reading the current development version of the books online. Migrating everything from trac onto GitHub is an option in order to reduce maintenance burden of the trac instance. Additionally, instead of relying on the existing git hooks and existing clfs.org book building infrastructure, we could host the built books on GitHub Pages and use something like Travis to do the building of that. GitHub Pages can also be set up for the cross-lfs group on GitHub to take the place of what the trac instance has been used for in the past, mainly as a presence on the web and directing visitors on how to read/contribute to the books. The only aspect which I don't feel GitHub could serve all of the project's needs is with mailing lists.

I don't want to push for moving ev

bradfa / yubikey-setup-notes.md
Last active January 18, 2020 01:26
Setting up YubiKeys Notes

Goal

To set up a YubiKey 4 and YubiKey 5 NFC to both authenticate myself for the following services:

  1. U2F for Google Advanced Protection, GitHub, etc.
  2. OpenPGP smart card (using same private key on both devices) for signing, encrypting, and auth (including SSH)
  3. Yubico OTP (for some legacy services, etc.)
View AMD ring 0 stalled.md

Errors cause graphics output to lock up but mouse still moves, keyboard is dead, libvirt guests are OK, SSH access is OK. Can't shut down cleanly over SSH, keyboard input doesn't work. Requires hard power-off via power button hold.

syslog looks like:

Dec 19 08:10:48 kaim-eeyore kernel: [88492.249393] radeon 0000:03:00.0: ring 0 stalled for more than 10248msec
Dec 19 08:10:48 kaim-eeyore kernel: [88492.249395] radeon 0000:03:00.0: ring 3 stalled for more than 10248msec
Dec 19 08:10:48 kaim-eeyore kernel: [88492.249398] radeon 0000:03:00.0: GPU lockup (current fence id 0x000000000007de00 last fence id 0x000000000007df67 on ring 3)
Dec 19 08:10:48 kaim-eeyore kernel: [88492.249402] radeon 0000:03:00.0: GPU lockup (current fence id 0x0000000000035dda last fence id 0x0000000000035e12 on ring 0)
bradfa / network-slowdown-latency-sim.md
Last active November 21, 2018 14:34
Network slowdown/latency simulation

Lots of good info with examples: https://wiki.linuxfoundation.org/networking/netem

Can induce a reduction in throughput for a network interface like:

sudo tc qdisc add dev br0 root tbf rate 5mbit burst 8096 latency 100ms

Set the "rate" to your desired outbound throughput for the interface. The "burst" and "latency" numbers coordinate some underlying configurations which aren't critical to really understand so long as they're big enough.

bradfa / mips64el-debian-qemu-exact-steps.md
Last active February 6, 2023 13:04
mips64el Debian QEMU install

Installing Debian Stretch mips64el Using QEMU

We're going to emulate the mips64el "malta" machine and install Debian Stretch using QEMU on an amd64 Debian Buster host.

Likely you need your user to be in the "libvirt" group and have installed these packages (or a subset of such):

sudo apt install qemu-system-mips virt-manager libguestfs-tools