https://wiki.raptorcs.com/w/api.php?action=feedcontributions&user=Peter+Easton&feedformat=atomRCS Wiki - User contributions [en]2024-03-28T19:53:26ZUser contributionsMediaWiki 1.33.1https://wiki.raptorcs.com/w/index.php?title=User:Peter_Easton&diff=2405User:Peter Easton2019-04-30T02:37:41Z<p>Peter Easton: </p>
<hr />
<div>Ahoy matey!<br />
<br />
Yarr-har! I be a plunderin', rum-swillin' salty sea dog of the Internet! Ye can find me sailin' the seas with me shipmates at yon IRC channel '''#Talos-Workstation''', flyin the flag ''TheJollyRoger!''<br />
<br />
==''The Morgan's Revenge''==<br />
[[File:Morgans-revenge-starboard.jpeg|thumb|right|alt=The Good Ship Morgan's Revenge!|The ''Morgan's Revenge'', starboard view]]<br />
[[File:Morgans-revenge-starboard-below.jpg|thumb|right|alt=The Good Ship Morgan's Revenge!|The ''Morgan's Revenge'' from below]]<br />
<br />
===Specifications===<br />
Hull:<br />
* Talos II Motherboard<br />
* Seasonic PRIME 1300W 80+ Platinum Power Supply<br />
* Thermaltake W100 Chassis<br />
<br />
Sails:<br />
* 2x 8-core IBM POWER9 CPUs<br />
* 2x Samsung 32 GB Registered ECC DDR4-21333 M393A4K40BB2-CTD8Q<br />
* PowerColor AMD Rx Vega 64<br />
* 4x HP24es Monitors<br />
<br />
Holds:<br />
* Samsung PRO 970 1TB NVMe (Not Pictured) <br />
* Samsung PRO 960 500GB NVMe <br />
* Marvell 88SE9215 4-Port SATA PCIe SATA Controller Card<br />
* Western Digital SATA Hard Drives<br />
<br />
Extras:<br />
* Creative USB Soundblaster <br />
* Lots of chassis lights<br />
* Kraken Dark Rum<br />
* Pirate Flag<br />
* Treasure Map<br />
* A love for adventure! <br />
<br />
[[Category:User Systems]]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1909Talos II Beginner's Quick Start Guide2019-02-11T00:22:43Z<p>Peter Easton: /* Connecting to the BMC */</p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple of steps away from being up and running on your new secure system. This tutorial is intended to ease the transition from x86 to the Talos II for novices. It is aimed primarily at non-technical users who just wish to get their Talos II up and running fast, and who prefer documentation presented in as non-intimidating a manner as possible.<br />
<br />
The laptop used in this tutorial for access and provisioning of the Open [[BMC|Baseboard Management Controller]] (which is referred to as the "[[OpenBMC]]," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a remote management password set default from the factory. As the [[BMC|Baseboard Management Controller]] is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.<br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.<br />
* Connect a computer to the Talos II via Ethernet cable.<br />
* Configure a static IP address on the networking interface.<br />
* Configure the second computer to use a static IP address.<br />
* Connect to the Talos II's Open Baseboard Management Controller from the other computer via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER UNDER ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.''<br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.<br />
* A VGA computer monitor and cable.<br />
* A keyboard and mouse for the Talos.<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date).<br />
<br />
'''Heads Up!'''<br />
By default, the Talos assumes that you are booting the computer remotely via the BMC, rather than standing at the computer pushing the button. This is a use case that is typical for when the Talos is operating in a secured environment like a datacenter or a physically locked and secured server rack, and you cannot simply walk in and plug a monitor into it to see it boot. The first time you boot it, the screen will be completely black until the Petitboot loads. If you would like to see the boot log on startup displayed on the monitor plugged into the integrated Video Graphics Adapter (as would be the case typical of a home use or desktop use machine), rather than sent to a serial console, you can change this option under the '''System configuration''' menu in the next section.<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this is best avoided until the BMC has a password. The next step is to configure the Talos with a static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up.<br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface. <br />
<br />
Please note that older releases of BMC firmware had an issue where the IP could not be set. If you run the commands listed below but the IP information does not change (and you cannot work with the factory defaults), upgrade your BMC as explained in https://wiki.raptorcs.com/wiki/Talos_II/Firmware.<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it so that the BMC uses a static IP, using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done: either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1".<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
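A check for the "ipmitool lan print 1" step above, as an added example (not part of the original guide or of ipmitool): it parses the printed fields and reports anything that does not match the static settings chosen in this section, which is how the older-firmware issue mentioned earlier would show up. The sample text is constructed from the listing above, and the function names are hypothetical.<br />

```python
import ipaddress

# Constructed sample, copied from the "lan print" listing in this section.
SAMPLE_LAN_PRINT = """\
Set in Progress: Set Complete
Auth Type Support: MD5
Auth Type Enable: Callback : MD5
: User : MD5
: Operator : MD5
: Admin : MD5
: OEM : MD5
IP Address Source: DHCP Address
IP Address: 192.168.0.42
Subnet Mask: 255.255.255.0
Default Gateway IP: 192.168.1.1
"""


def parse_lan_print(text):
    """Map field name to value; works with or without ipmitool's column padding."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:  # rows such as ": User : MD5" continue the previous field
            fields[key] = value.strip()
    return fields


def check_lan_config(text, bmc_ip, netmask, client_ip):
    """Return a list of findings; an empty list means the settings took effect."""
    fields = parse_lan_print(text)
    findings = []

    source = fields.get("IP Address Source", "")
    if "static" not in source.lower():
        findings.append(f"IP Address Source is {source!r}, not static")
    for name, want in (("IP Address", bmc_ip), ("Subnet Mask", netmask)):
        if fields.get(name) != want:
            findings.append(f"{name} is {fields.get(name)!r}, expected {want!r}")

    try:
        net = ipaddress.ip_network(
            f"{fields.get('IP Address')}/{fields.get('Subnet Mask')}", strict=False)
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        findings.append("address or mask is missing or not valid IPv4")
        return findings

    # The client must share the BMC's subnet but not its address.
    if str(client) == fields.get("IP Address"):
        findings.append(f"client and BMC both use {client}")
    elif client not in net:
        findings.append(f"client {client} is outside {net}")

    # A gateway outside the interface's subnet cannot be reached on-link.
    gateway = fields.get("Default Gateway IP", "0.0.0.0")
    try:
        if gateway != "0.0.0.0" and ipaddress.ip_address(gateway) not in net:
            findings.append(f"default gateway {gateway} is outside {net}")
    except ValueError:
        findings.append(f"default gateway {gateway!r} is not valid IPv4")
    return findings


if __name__ == "__main__":
    for finding in check_lan_config(SAMPLE_LAN_PRINT, "192.168.0.42",
                                    "255.255.255.0", "192.168.0.43"):
        print("CHECK:", finding)
```
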
<br />
The OpenBMC is now ready to be connected to via Secure Shell.<br />
<br />
===Preparing The Client===<br />
Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".<br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and change the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your secondary computer and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that onto the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), the name of the login, and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following message will be produced the first time you connect. <br />
<pre><br />
The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] <br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located far away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
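<br />
The fingerprint comparison described above does not have to be done by eye. This added example (not part of the original guide or of OpenSSH) computes the SHA256 fingerprint from a host public key line obtained over a channel you already trust and compares it with the one in the ssh prompt; the key below is constructed and is not a real key, and the function names are hypothetical.<br />

```python
import base64
import hashlib
import hmac
import re
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte length, then the data."""
    return struct.pack(">I", len(data)) + data


# Constructed host key for the example: the layout is that of an ECDSA
# public key, but the point bytes are filler, so this is not a usable key.
_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
         + ssh_string(b"\x04" + bytes(range(64))))
CONSTRUCTED_PUBKEY = ("ecdsa-sha2-nistp256 "
                      + base64.b64encode(_BLOB).decode("ascii") + " root@talos")


def sha256_fingerprint(pubkey_line):
    """Return the fingerprint in the form ssh prints: SHA256:<unpadded base64>."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob starts with its own length-prefixed key type; a mismatch means
    # the line was truncated or edited.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_from_prompt(prompt_text):
    """Pull the SHA256 fingerprint out of the first-connection prompt text."""
    match = re.search(r"SHA256:[A-Za-z0-9+/]{43}", prompt_text)
    if match is None:
        raise ValueError("no SHA256 fingerprint found in the prompt text")
    return match.group(0)


def host_key_matches(trusted_pubkey_line, prompt_text):
    """True only if the key ssh is offering is the key you expected."""
    expected = sha256_fingerprint(trusted_pubkey_line).encode("ascii")
    shown = fingerprint_from_prompt(prompt_text).encode("ascii")
    return hmac.compare_digest(expected, shown)


if __name__ == "__main__":
    # Constructed prompt text carrying the fingerprint of the constructed key.
    prompt = ("ECDSA key fingerprint is "
              + sha256_fingerprint(CONSTRUCTED_PUBKEY) + ".\n"
              "Are you sure you want to continue connecting? (yes/no)?")
    print("answer yes" if host_key_matches(CONSTRUCTED_PUBKEY, prompt)
          else "do NOT continue: fingerprint mismatch")
```
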
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).<br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
root@talos:~#<br />
</pre><br />
<br />
You are now ready to change the password.<br />
<br />
If you are greeted by the Petitboot, this is the BMC Console Client and you may escape to a shell by selecting "Exit to shell." If you later wish to return to the Petitboot to select an operating system to boot, you may type in "obmc-console-client" at the prompt and press return.<br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you ''absolutely'' trust not to capture or steal it.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password are important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-character, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
root@talos:~# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
Once the new password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre><br />
root@talos:~# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1908Talos II Beginner's Quick Start Guide2019-02-11T00:17:07Z<p>Peter Easton: </p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
The laptop used in this tutorial for access and provisioning of the Open [[BMC|Baseboard Management Controller]] (which is referred to as the "[[OpenBMC]]," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a remote management password set default from the factory. As the [[BMC|Baseboard Management Controller]] is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.<br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.<br />
* Connect a computer to the Talos II via Ethernet cable.<br />
* Configure a static IP address on the networking interface.<br />
* Configure the second computer to use a static IP address.<br />
* Connect the Talos II's Open Baseboard Management Controller from the other computer via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.''<br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.<br />
* A VGA computer monitor and cable.<br />
* A keyboard and mouse for the Talos.<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date).<br />
<br />
'''Heads Up!'''<br />
By default, the Talos assumes that you are booting the computer remotely via the BMC, rather than standing at the computer pushing the button. This is a use case that is typical for when the Talos is operating in a secured environment like a datacenter or a physically locked and secured server rack, and you cannot simply walk in and plug a monitor into it to see it boot. The first time you boot it, the screen will be completely black until the Petitboot loads. If you would like to see the boot log on startup displayed on the monitor plugged into the integrated Video Graphics Adapter (as would be the case typical of a home use or desktop use machine), rather than sent to a serial console, you can change this option under the '''System configuration''' menu in the next section.<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this should be best avoided for security reasons until the BMC has a password. The next step is to configure the Talos with a Static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to shell" to bring up the Petitboot command shell. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up.<br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface. <br />
<br />
Please note that older releases of BMC firmware had an issue where the IP could not be set. If you run the commands listed below but the IP information does not change (and you cannot work with the factory defaults), upgrade your BMC as explained in https://wiki.raptorcs.com/wiki/Talos_II/Firmware.<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source." We will first change it to set the computer to use a static IP using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done, either by the mac address of your router, or your IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1".<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
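<br />
One way to automate that last check, as an added example that is not part of the original guide or of any Raptor or OpenBMC tooling: the script parses saved "ipmitool lan print 1" output and flags an address source that is not static, an address or netmask that differs from what was set, and a laptop address that collides with the BMC's or falls outside its subnet. The function names and the sample output are constructed for illustration; "Static Address" is the label ipmitool prints once the static source has taken effect.<br />

```sh
#!/bin/sh
# Added example: validate saved "ipmitool lan print 1" output before moving on.

# Constructed sample in the layout shown in this guide.
SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.168.0.42
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 192.168.1.1'

# lan_field NAME: print the value of the "NAME : value" line read from stdin.
# Splits on the first colon only, so values that contain colons survive.
lan_field() {
    awk -v want="$1" '{
        i = index($0, ":"); if (!i) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == want) { print v; exit }
    }'
}

# network_of IP MASK: print IP AND MASK as a dotted quad; fail on malformed input.
network_of() {
    case "$1$2" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.
    set -- $1 $2                                    # eight octets: IP, then MASK
    IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*) return 1 ;; esac         # no empty or zero-padded octets
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

problems=0
flag() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# check_lan BMC_IP MASK PEER_IP: read "lan print" output on stdin, print one line
# per problem, and return 0 only when nothing was flagged.
check_lan() {
    out=$(cat)
    src=$(printf '%s\n' "$out" | lan_field 'IP Address Source')
    ip=$(printf '%s\n' "$out" | lan_field 'IP Address')
    mask=$(printf '%s\n' "$out" | lan_field 'Subnet Mask')
    gw=$(printf '%s\n' "$out" | lan_field 'Default Gateway IP')
    problems=0

    [ "$src" = 'Static Address' ] || flag "address source is '$src', not static"
    [ "$ip" = "$1" ]   || flag "BMC address is '$ip', expected $1"
    [ "$mask" = "$2" ] || flag "netmask is '$mask', expected $2"
    [ "$ip" != "$3" ]  || flag "peer and BMC would share the address $ip"

    if net=$(network_of "$ip" "$mask"); then
        [ "$(network_of "$3" "$mask")" = "$net" ] ||
            flag "peer $3 is outside $net/$mask"
        # Not fatal on a direct cable, where no gateway is involved.
        [ "$(network_of "$gw" "$mask")" = "$net" ] ||
            echo "NOTE: gateway $gw is outside $net/$mask"
    else
        flag "address '$ip' or mask '$mask' could not be parsed"
    fi
    [ "$problems" -eq 0 ]
}

# Demo with the values used in this guide (BMC .42, laptop .43).
printf '%s\n' "$SAMPLE_LAN_PRINT" | check_lan 192.168.0.42 255.255.255.0 192.168.0.43
```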
<br />
The OpenBMC is now ready to be connected to via Secure Shell.<br />
<br />
===Preparing The Client===<br />
Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".<br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and set the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your secondary computer and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that onto the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), the name of the login, and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following error message will be produced the first time. <br />
<pre><br />
The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] <br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).<br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
root@talos:~#<br />
</pre><br />
<br />
You are now ready to change the password.<br />
<br />
If, instead of the Petitboot screen, you are greeted by a command line prompt "root@talos:~#", then run "passwd" from there directly (and do not run "obmc-console-client").<br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you ''absolutely'' trust not to capture or steal it.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password is important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-digit, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
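<br />
The selection of "perfectly random" words described above, as an added example that is not part of the original guide: the script draws each word independently from a word list using /dev/urandom with rejection sampling, and computes the resulting strength in bits. The function names and the eight-word list are constructed for illustration; supply your own large word list (one word per line) for real use.<br />

```sh
#!/bin/sh
# Added example: draw a passphrase uniformly at random from a word list.

# Constructed 8-word list, only to exercise the code. A real list needs tens of
# thousands of words to reach the strength discussed in this guide.
demo_words() {
    printf '%s\n' anchor barrel compass dagger ember falcon galleon harbor
}

# rand_below N: print a uniform integer in [0, N) taken from /dev/urandom.
# Draws at or above the largest multiple of N are discarded, so no index is
# favoured over another (plain "r % N" would bias the low indices).
rand_below() {
    n=$1
    range=4294967296                      # 2^32 possible 4-byte values
    limit=$(( range - range % n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        [ "$r" -lt "$limit" ] && { echo $(( r % n )); return 0; }
    done
}

# passphrase WORDLIST COUNT: print COUNT words from WORDLIST, space separated.
# Words may repeat; independence is what makes the entropy figure below hold.
passphrase() {
    total=$(grep -c '[^[:space:]]' "$1") || return 1
    [ "$total" -ge 2 ] || return 1
    phrase=
    i=0
    while [ "$i" -lt "$2" ]; do
        idx=$(rand_below "$total")
        word=$(awk -v n=$((idx + 1)) 'NF && ++c == n { print $1; exit }' "$1")
        phrase="${phrase:+$phrase }$word"
        i=$((i + 1))
    done
    echo "$phrase"
}

# entropy_bits SIZE COUNT: strength in bits of COUNT independent picks from
# SIZE equally likely symbols, i.e. COUNT * log2(SIZE).
entropy_bits() {
    awk -v s="$1" -v c="$2" 'BEGIN { printf "%.1f\n", c * log(s) / log(2) }'
}

# Demo: six words from the constructed list (18 bits, far too weak for real use),
# then the two cases compared in this guide.
tmp=$(mktemp) && demo_words > "$tmp" && passphrase "$tmp" 6
rm -f "$tmp"
echo "10 random characters out of 52:   $(entropy_bits 52 10) bits"
echo "6 random words out of 51,000:     $(entropy_bits 51000 6) bits"
```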
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
root@talos:~# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
When you are finished, the password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre><br />
root@talos:~# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1866Desktop Roadmap2018-12-16T22:15:46Z<p>Peter Easton: /* Done */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "[[Talos II Beginner's Quick Start Guide]]" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple builders.<br />
<br />
="Somewhat Needed"=<br />
* Tor Browser Bundle with safe configuration defaults<br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
* Maybe open up a discussion on the feasibility of allowing the changing of the default BMC password through the petitboot? Is this even possible?<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)<br />
* Firefox Just in Time compiler for Javascript (still hasn't made it to some distros, keep posted)<br />
* Thunderbird Stable (still hasn't made it to some distros yet, stay posted.)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1865Desktop Roadmap2018-12-16T22:15:09Z<p>Peter Easton: /* "Somewhat Needed" */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "[[Talos II Beginner's Quick Start Guide]]" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple builders.<br />
<br />
="Somewhat Needed"=<br />
* Tor Browser Bundle with safe configuration defaults<br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
* Maybe open up a discussion on the feasibility of allowing the changing of the default BMC password through the petitboot? Is this even possible?<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1864Desktop Roadmap2018-12-16T21:18:26Z<p>Peter Easton: /* Would Be Nice */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "[[Talos II Beginner's Quick Start Guide]]" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple builders.<br />
<br />
="Somewhat Needed"=<br />
* Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
* Thunderbird Stable (Segmentation Fault Error?)<br />
* Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
* Maybe open up a discussion on the feasibility of allowing the changing of the default BMC password through the petitboot? Is this even possible?<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1863Desktop Roadmap2018-12-16T21:17:55Z<p>Peter Easton: /* "Urgently Needed" */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "[[Talos II Beginner's Quick Start Guide]]" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple builders.<br />
<br />
="Somewhat Needed"=<br />
* Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
* Thunderbird Stable (Segmentation Fault Error?)<br />
* Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1862Talos II Beginner's Quick Start Guide2018-12-16T21:16:16Z<p>Peter Easton: Changed an erroneously set number.</p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
The laptop used in this tutorial for access and provisioning of the Open [[BMC|Baseboard Management Controller]] (which is referred to as the "[[OpenBMC]]," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a remote management password set default from the factory. As the [[BMC|Baseboard Management Controller]] is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.<br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.<br />
* Connect a computer to the Talos II via Ethernet cable.<br />
* Configure a static IP address on the networking interface.<br />
* Configure the second computer to use a static IP address.<br />
* Connect the Talos II's Open Baseboard Management Controller from the other computer via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.''<br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.<br />
* A VGA computer monitor and cable.<br />
* A keyboard and mouse for the Talos.<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date).<br />
<br />
'''Heads Up!'''<br />
By default, the Talos assumes that you are booting the computer remotely via the BMC, rather than standing at the computer pushing the button. This is a use case that is typical for when the Talos is operating in a secured environment like a datacenter or a physically locked and secured server rack, and you cannot simply walk in and plug a monitor into it to see it boot. The first time you boot it, the screen will be completely black until the Petitboot loads. If you would like to see the boot log on startup displayed on the monitor plugged into the integrated Video Graphics Adapter (as would be the case typical of a home use or desktop use machine), rather than sent to a serial console, you can change this option under the '''System configuration''' menu in the next section.<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this is best avoided until the factory password on the BMC has been changed. The next step is to configure the Talos with a static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up.<br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface. <br />
<br />
Please note that older releases of BMC firmware had an issue where the IP could not be set. If you run the commands listed below but the IP information does not change (and you cannot work with the factory defaults), upgrade your BMC as explained in https://wiki.raptorcs.com/wiki/Talos_II/Firmware.<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it, using ipmitool, so that the BMC uses a static IP.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done: either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1".<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
<br />
The OpenBMC is now ready to be connected to via Secure Shell.<br />
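The final "lan print" check can be automated. The following is an added example, not part of the original guide or of ipmitool: it parses output in the layout shown above and reports settings that did not take effect, which is what the older-firmware issue mentioned earlier looks like. The sample outputs are constructed, and the "Static Address" wording is an assumption.<br />

```python
import ipaddress

# Constructed samples in the layout shown above; not captured from a real BMC.
# The "Static Address" wording is an assumption about what the tool prints.
APPLIED = """\
Set in Progress: Set Complete
Auth Type Enable: Callback : MD5
: User : MD5
IP Address Source: Static Address
IP Address: 192.168.0.42
Subnet Mask: 255.255.255.0
Default Gateway IP: 192.168.1.1
"""

# Constructed: a BMC that ignored the "lan set" commands and still reports DHCP.
NOT_APPLIED = """\
Set in Progress: Set Complete
IP Address Source: DHCP Address
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway IP: 0.0.0.0
"""


def parse_lan_print(text):
    """Return {field name: value}. Continuation lines that start with ':' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:
            fields[key] = value.strip()
    return fields


def check_bmc_lan(text, want_ip, want_mask, client_ip):
    """Return a list of problems; an empty list means the BMC took the settings."""
    fields = parse_lan_print(text)
    problems = []

    source = fields.get("IP Address Source", "")
    if not source.lower().startswith("static"):
        problems.append(f"address source is {source!r}, expected a static source")

    bmc_ip = fields.get("IP Address")
    bmc_mask = fields.get("Subnet Mask")
    if bmc_ip != want_ip:
        problems.append(f"IP address is {bmc_ip!r}, expected {want_ip!r}")
    if bmc_mask != want_mask:
        problems.append(f"subnet mask is {bmc_mask!r}, expected {want_mask!r}")

    # The client on the other end of the cable must share the BMC's subnet
    # and must not reuse the BMC's own address.
    try:
        network = ipaddress.ip_network(f"{bmc_ip}/{bmc_mask}", strict=False)
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        problems.append("BMC address, mask or client address is not valid")
    else:
        if client not in network:
            problems.append(f"client {client_ip} is outside the BMC subnet {network}")
        if client_ip == bmc_ip:
            problems.append("client and BMC share the same address")
    return problems


if __name__ == "__main__":
    for name, sample in (("applied", APPLIED), ("not applied", NOT_APPLIED)):
        issues = check_bmc_lan(sample, "192.168.0.42", "255.255.255.0", "192.168.0.43")
        print(name, "->", issues or "OK")
```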
<br />
===Preparing The Client===<br />
Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".<br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and change the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your secondary computer and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that onto the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), the name of the login, and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following error message will be produced the first time. <br />
<pre><br />
The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] <br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
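For the remote case described above, the comparison can be done by machine rather than by eye. This added example (not part of the original guide) computes an OpenSSH-style SHA256 fingerprint from a public key line obtained out of band and compares it with the fingerprint shown in the first-connection prompt. The key material and prompt text are constructed, and the helper names are hypothetical.<br />

```python
import base64
import hashlib
import hmac
import re
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
FINGERPRINT_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")


def constructed_key_line(seed, host=None):
    """Build a line shaped like an Ed25519 public key (constructed, not a real host key)."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()  # 32 stand-in key bytes
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return f"{host} {line}" if host else line


def sha256_fingerprint(key_line):
    """Fingerprint of a 'type blob [comment]' or 'host type blob' line.

    The fingerprint is the SHA-256 of the decoded key blob, base64-encoded
    with the trailing '=' padding removed.
    """
    tokens = key_line.split()
    for i, token in enumerate(tokens[:-1]):
        if token.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def fingerprint_from_prompt(prompt_text):
    """Pull the SHA256 fingerprint out of the first-connection prompt."""
    match = FINGERPRINT_RE.search(prompt_text)
    if match is None:
        raise ValueError("no SHA256 fingerprint in prompt")
    return match.group(0)


def host_key_verified(prompt_text, trusted_key_line):
    """True only if the key offered over the network is the one obtained out of band."""
    offered = fingerprint_from_prompt(prompt_text)
    trusted = sha256_fingerprint(trusted_key_line)
    return hmac.compare_digest(offered.encode(), trusted.encode())


def prompt_for(key_line, host="192.168.0.42"):
    """Constructed prompt text, modelled on the message shown above."""
    return (
        f"The authenticity of host '{host}' can't be established. "
        f"ED25519 key fingerprint is {sha256_fingerprint(key_line)}.\n"
        "Are you sure you want to continue connecting? (yes/no)?"
    )


if __name__ == "__main__":
    genuine = constructed_key_line(b"key read at the machine's own console")
    substituted = constructed_key_line(b"key offered by something in the middle")
    print("genuine key offered:    ", host_key_verified(prompt_for(genuine), genuine))
    print("substituted key offered:", host_key_verified(prompt_for(substituted), genuine))
```

Answer "yes" at the prompt only when the check returns True; a False result means the key offered over the network is not the one you obtained out of band.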
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).<br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to Shell" or press and release "x" to escape back to the commandline. <br />
<pre><br />
/#</pre><br />
<br />
You are now ready to change the password.<br />
<br />
If, instead of the Petitboot screen, you are greeted by a command line prompt "root@talos:~#", then run "passwd" from there directly (and do not run "obmc-console-client").<br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you ''absolutely'' trust not to capture or steal it.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password is important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-digit, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
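The arithmetic above, together with a way to pick the words without relying on human "randomness", as an added example that is not part of the original guide. It draws words with the operating system's cryptographic random source; the 16-word list is constructed for the demonstration and is far too small for real use, where a large dictionary file would take its place.<br />

```python
import math
import secrets

# Constructed demonstration list. A real passphrase needs a list of thousands of words.
SAMPLE_WORDS = [
    "anchor", "barrel", "compass", "dagger", "ember", "fathom", "galley", "harbor",
    "island", "jetty", "keel", "lantern", "mast", "north", "oar", "parrot",
]


def combinations(symbols, length):
    """Number of equally likely secrets: symbols ** length."""
    return symbols ** length


def entropy_bits(symbols, length):
    """The same quantity expressed in bits, which is easier to compare."""
    return length * math.log2(symbols)


def words_needed(target_bits, list_size):
    """How many random words from a list of list_size reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def make_passphrase(words, count=6, separator=" "):
    """Pick count words uniformly at random and return (passphrase, entropy in bits).

    Duplicates in the list are removed first, because a repeated word would
    make some choices more likely than others and overstate the entropy.
    """
    unique = sorted({w.strip().lower() for w in words if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list is too small")
    picks = [secrets.choice(unique) for _ in range(count)]
    return separator.join(picks), entropy_bits(len(unique), count)


if __name__ == "__main__":
    print(f"10 characters from 52: {combinations(52, 10):.1e} "
          f"({entropy_bits(52, 10):.1f} bits)")
    print(f"6 words from 51000:    {combinations(51000, 6):.1e} "
          f"({entropy_bits(51000, 6):.1f} bits)")
    phrase, bits = make_passphrase(SAMPLE_WORDS)
    print(f"demo passphrase: {phrase!r} ({bits:.0f} bits from a 16-word list)")
    print("words needed from a 2048-word list to match 6 from 51000:",
          words_needed(entropy_bits(51000, 6), 2048))
```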
<br />
To change the password, at the prompt, type:<br />
<pre><br />
/# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
Once you are finished, and have verified that the new password works and the old password no longer does, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre> /# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1861Desktop Roadmap2018-12-16T21:14:34Z<p>Peter Easton: /* "Urgently Needed" */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "Easy Start Guide" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple of builders.<br />
<br />
="Somewhat Needed"=<br />
* Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
* Thunderbird Stable (Segmentation Fault Error?)<br />
* Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1860Desktop Roadmap2018-12-16T21:14:24Z<p>Peter Easton: /* "Urgently Needed" */</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "Easy Start Guide" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system.<br />
* "Hole Pattern Template" <br />
''Rationale:'' A reusable cardboard or a fold-out paper template in the manual for seeing which standoffs to install and not to install would be really helpful to avoid the "scraped resistor" problem that has plagued a couple of builders.<br />
<br />
="Somewhat Needed"=<br />
* Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
* Thunderbird Stable (Segmentation Fault Error?)<br />
* Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1859Desktop Roadmap2018-12-16T21:10:50Z<p>Peter Easton: Needed to fix the bullet points.</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "Easy Start Guide" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system. <br />
<br />
="Somewhat Needed"=<br />
* Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
* Thunderbird Stable (Segmentation Fault Error?)<br />
* Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
* "Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
* Android Builder for building smartphone OSes? <br />
* Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
* FreeCAD? (May or may not be upstreamed yet?)<br />
<br />
=Done=<br />
* Chromium With Just In Time JavaScript<br />
* Electron with Just In Time JavaScript <br />
* AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
* Firefox Quantum running stably (Not upstreamed yet)<br />
* Office Suite (LibreOffice, TeXStudio)<br />
* Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
* Unreal Tournament 4 Tested and working and demonstrated. <br />
* OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Desktop_Roadmap&diff=1858Desktop Roadmap2018-12-16T21:09:33Z<p>Peter Easton: Initial commit.</p>
<hr />
<div>This page is currently a very hasty list of the roadmap needed to make the Talos an "everyday common user's" machine.<br />
<br />
For convenience, unfinished tasks have been grouped into three categories: "Urgently Needed", "Somewhat Needed", and "Would Be Nice" in descending order of importance. <br />
<br />
="Urgently Needed"=<br />
* "Safe By Default" Randomly generated BMC Passphrase with password written down on a sheet of cardboard in the package. <br />
''Rationale:'' even some of our users have had trouble with this. The default insecure password with the BMC could result in an instant compromise of the machine and require full flashing of all persistent firmware components in the event the computer is accidentally plugged into the network and the power at the same time. This completely innocent mistake could be fatal and recovering from it difficult. The threat model of a randomly determined BMC Passphrase would be if the user accidentally plugs the computer into the untrusted internet against a passive adversary that will simply try the default passwords, similar to how the Mirai Botnet operated. <br />
* "Easy Start Guide" in Talos User's Manual<br />
''Rationale:'' nontechnical users may have difficulty with the complicated procedure to remotely access and set the BMC password from a trustworthy system. <br />
<br />
="Somewhat Needed"=<br />
Firefox Just In Time Javascript (Segmentation Fault Error?)<br />
Thunderbird Stable (Segmentation Fault Error?)<br />
Tor Browser Bundle with safe configuration defaults <br />
<br />
=Would Be Nice=<br />
"Easy Build" Script for building Unreal Tournament 4 for nontechnical users? <br />
Android Builder for building smartphone OSes? <br />
Cryptsetup (dm-crypt) and verity in Petitboot for firmware-based full disk encryption?<br />
FreeCAD? (May or may not be upstreamed yet?)<br />
<br />
=Done=<br />
Chromium With Just In Time JavaScript<br />
Electron with Just In Time JavaScript <br />
AMDGPU Kernel DMA Patches (Possibly upstreamed?)<br />
Firefox Quantum running stably (Not upstreamed yet)<br />
Office Suite (LibreOffice, TeXStudio)<br />
Libre Games (SuperTuxKart, Chromium BSU, Super Tux, Tux Racer, Blob Wars, Open Transit Tycoon, Open Roller Coaster Tycoon, etc)<br />
Unreal Tournament 4<br />
OBS (Needs to be upstreamed?)</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Main_Page&diff=1857Main Page2018-12-16T21:00:32Z<p>Peter Easton: /* News */</p>
<hr />
<div>'''Welcome to the Raptor Computing Systems Wiki!'''<br />
<br />
Community provided information about [[Raptor Computing Systems|Raptor Computing Systems]]' Talos™ systems and software, along with application and software level information concerning [[OpenPOWER|OpenPOWER]] / [[PowerNV|PowerNV]] and [[POWER9|POWER9]], is welcome here.<br />
<br />
Please consult the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents User's Guide] for information on using the wiki software.<br />
<br />
== Getting started ==<br />
<br />
* Platforms:<br />
** [[Talos II|Talos II]]<br />
** [[Blackbird]]<br />
* [[Hardware Compatibility List|Hardware Compatibility List]]<br />
* [[Operating System Compatibility List|Operating System Compatibility List]]<br />
** [[Fixes in Progress]]<br />
** [[Porting|Software Porting Efforts]]<br />
* [[Talos II Beginner's Quick Start Guide]]<br />
* [[Verifying DVDs]]<br />
* [[Talos_II/Compiling_Firmware|Compiling Firmware]]<br />
* [[Platform Comparison]]<br />
* [[:Category:Gallery|Gallery of assembled systems]]<br />
* [[:Category:Documentation|POWER9 Documentation]]<br />
* [[OpenPOWER Firmware|OpenPOWER Firmware]]<br />
<br />
== News ==<br />
<br />
* A [[Talos II/Building FAQ|Building FAQ]] has been started<br />
* Initial [[Hardware Compatibility List#Memory|RAM compatibility]] lists are now available<br />
* [[Power ISA/Privilege States#Ultravisor State|Ultravisor State]] is still not very well understood<br />
* [[Speculative Execution Vulnerabilities of 2018|Speculative Execution Vulnerabilities of 2018]]<br />
* A [[Desktop Roadmap]] has been started.<br />
<br />
== Public Appearances by Raptor Computing Systems ==<br />
<br />
* [[Raptor Computing Systems|RCS]] to show [https://raptorcs.com/TALOSII/ Talos II] Server, Desktop and Workstation products at the [https://openpowerfoundation.org/summit-2018-03-us/ 2018 OpenPower Summit] in Las Vegas, NV per [https://twitter.com/RaptorCompSys/status/974451109585670150 1] and [https://twitter.com/RaptorCompSys/status/973259137139269633 2].<br />
<br />
== External Links ==<br />
<br />
* [https://raptorcs.com/TALOSII/ Talos II] on the Raptor Computing Systems website<br />
* [https://openpowerfoundation.org/ OpenPOWER Foundation] homepage<br />
__NOTOC__</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-Revenge-Bridge.jpeg&diff=1597File:Morgans-Revenge-Bridge.jpeg2018-09-16T05:24:27Z<p>Peter Easton: The desktop!</p>
<hr />
<div>The desktop!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II/Hardware_Compatibility_List&diff=1507Talos II/Hardware Compatibility List2018-08-28T03:49:58Z<p>Peter Easton: /* Good Cases */</p>
<hr />
<div>This is a collection of components known to work with the [[Talos_II|Talos™ II]]-based solutions. It's maintained by both [[Raptor Computing Systems|Raptor CS]] and community members.<br />
<br />
== Cases ==<br />
<br />
=== Good Cases ===<br />
<br />
These cases were successfully used by someone.<br />
<br />
* '''SuperMicro SC732i-500B'''<br />
** Not recommended for 12 core and higher CPUs<br />
<br />
* '''SuperMicro SC732D3-903B'''<br />
** No NIC 2 LED on front panel<br />
** Needed [https://www.startech.com/Cables/Computer-Power/Internal/12in-4-Pin-Fan-Power-Extension-Cable~FAN4EXT12 four pin extension cable] for main chassis fan<br />
<br />
* '''SuperMicro SC732D4-903B'''<br />
** Add-on sound card recommended<br />
** Add-on USB 2.0 card or USB 3.0 hub recommended<br />
<br />
* '''SuperMicro SC747TQ-R1400B or SC747TG-R1400B-SQ'''<br />
** Hot swap drive capable; SAS recommended<br />
** Recommended for use with one or more high-end GPUs<br />
** Listed as EoL by Supermicro, replaced with 1620 versions. Same fan modules and PDU used in newer, higher watt, version. ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** [[:File:TalosII_SystemAssembly_nashimus_v3.mp4|System Assembly Video - SC747TG-R1400B-SQ]]<br />
<br />
* '''Rosewill RSV-L4500'''<br />
** Fans are two wire and use molex connectors<br />
<br />
* '''Thermaltake Core W100''' (See the ''[https://wiki.raptorcs.com/wiki/Category:Gallery Morgan's Revenge]'', by [[User:Peter Easton|JollyRoger]])<br />
** The positions of some standoffs are under components mounted on the back of the board. Careful measurement and attachment of only the standoffs that fit prior to installation of the motherboard is ''a necessity'' to avoid damaging the motherboard upon installation.<br />
** An add-on internal USB header is necessary to activate the extra 2 USB3 ports on the front panel.<br />
** The case is very spacious, with plenty of room and lots of space for many fans. Works well to provide necessary airflow and pressure within the case. <br />
** It is extremely important to use a good-quality, powerful fan capable of withstanding high temperatures for the rear exhaust fan, which is very close to the rear CPU exhaust. A low-quality fan in the rear exhaust port may hinder cooling.<br />
<br />
=== Problematic Cases ===<br />
<br />
* '''BeQuiet Dark Base 900''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Claims to support E-ATX on the BeQuiet website<br />
** The infographic shows the motherboard space to be only 322mm deep, which is 8.2mm short of the full-size E-ATX.<br />
** Emailed them for clarification, but no response. Can't confirm either way.<br />
<br />
* '''SuperMicro SC822'''<br />
** Low speed fans provide insufficient airflow over CPU0, leading to overheating if more than one 4-core CPU is installed.<br />
<br />
* '''Athena Power RM-3U8G1043'''<br />
** Some motherboard standoffs needed to be removed, and others needed additional height.<br />
** There was no standoff hole for the top right.<br />
** The support beam across the top of the case interferes with the CPU2 heatsink, but can be easily removed.<br />
<br />
==== Standoff Issues ====<br />
<br />
Standoff issues appear to be a very common problem. In many cases mitigation may be possible.<br />
<br />
* '''Fractal Design Define XL R2'''<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
** Some alternative standoff in at least the top-middle position may be required to prevent too much bending of the motherboard while inserting RAM.<br />
<br />
* '''BitFenix Aurora'''<br />
** [[User:MarcusC/BitFenix_Aurora|Multiple missing standoff holes]], some mitigation possible.<br />
<br />
* '''Thermaltake Core W200'''<br />
** Heavy, expensive, massive.<br />
** Compatible ''with caveats''<br />
*** Talos™ II mainboard will fit in the E-ATX compatible side only (when viewed from rear of case, the right side) of the dual system case.<br />
*** Missing standoff holes for the top-left and top-middle positions. (non-essential but ensure proper support when inserting and removing RAM to avoid bending mainboard)<br />
*** Must remove wire-hole rubber grommets present under Talos™ II mainboard on right lower side for proper fit<br />
<br />
* '''Nanoxia Deep Silence2''' ([[User:Sharkcz|Sharkcz]])<br />
** missing top-middle standoff hole, but I've used a plastic "flat" standoff instead<br />
** Power LED - red goes to pin 15, black to pin 16<br />
<br />
* '''RAIJINTEK ASTERION PLUS (Model 0R200049)''' ([[User:cyrozap|cyrozap]])<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
*** As a workaround the standoffs can be unscrewed and placed upside-down (screw threads facing up) under the motherboard holes.<br />
*** This actually works surprisingly well, and thanks to the other screw points the motherboard is rigid enough that I don't worry too much about the weight of the HSFs flexing it.<br />
*** That said, it's probably a good idea to always transport the system on its side and avoid bumping it if possible.<br />
** The hinged panels that open with handles are much nicer than fiddling with thumb screws, but annoying since it makes it slightly trickier to do things that involve both the inside and back panel of the case (e.g., inserting PCI-e cards).<br />
** The PSU is at the very bottom of the case, while all the motherboard power connectors are at the very top of the case, so this can cause some issues if your PSU's cables aren't long enough.<br />
*** The EPS12V cables on my power supply had a few inches left over, but the main motherboard power cable was just barely able to reach from the other side of the case to the power connector.<br />
** The front of the case is sheet metal stuck to plastic using some double-sided adhesive tape, which doesn't seem to work very well.<br />
*** When I received the case the front metal was starting to peel off a few inches (several cm) at the top and bottom.<br />
*** It sticks back in place when I press on it, but I may need to get some better adhesive and re-apply it later.<br />
** For $170, I was hoping for something a little more robust, but at least it's pretty.<br />
<br />
* A possible mitigation is a plastic standoff like [https://www.kangyang-europe.com/product/pc-board-hardware/ass-10/ ASS-10]<br />
<br />
* '''Corsair 760T''' ([[User:mosst|mosst]])<br />
** Reasonably cheap.<br />
** Unusually tasteful aesthetics for a consumer/gaming case. Looks like something Aperture Science would come up with.<br />
** E-ATX boards fit, but the top-left and top-middle standoffs are missing, however this isn't much of a problem as the I/O panel helps hold the board in place.<br />
** Cable management may be difficult, as E-ATX boards cover most of the cable holes.<br />
<br />
=== Candidate Cases ===<br />
<br />
These cases claim E-ATX support and are planned to be used, or were considered, by someone.<br />
<br />
* '''Lian Li PC-V1000L''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Similar price point to the Supermicros with high power PSU. <br />
** Very "Apple" brushed aluminium aesthetic. <br />
** Couldn't confirm E-ATX was fullsize.<br />
** Passed over in favour of the SuperMicro SC747TQ-R1400B<br />
<br />
<br />
== Power Supplies ==<br />
When planning to run with both CPU sockets populated, keep in mind that the power supply should also support two 8-pin EPS connectors.<br />
<br />
* Seasonic PRIME 1300W<br />
* Seasonic PRIME Ultra 850W Gold<br />
* Seasonic PRIME Ultra 650W<br />
* Seasonic PRIME Ultra Titanium 1000W (SSR-1000TR)<br />
* FSP Group Twins ATX 1+1 Dual Module 700W 80 PLUS GOLD Hot Swappable Redundant Digital Power Supply ([[User:ebrasca|ebrasca]])<br />
** Customer reported good build quality and proper functionality<br />
* Corsair TX550M 80+ GOLD ([[User:MarcusC|MarcusC]])<br />
** 2nd EPS power cable sold separately<br />
* Corsair AX860 <br />
* EVGA SuperNova 1200P2 1200W Platinum ([[User:mosst|mosst]])<br />
** Works well, but the included ATX power cables may be too short if your PSU is mounted on the bottom of the case.<br />
<br />
== Memory ==<br />
<br />
The criteria are basically "is it ECC, is it registered, is it NOT LRDIMM"<br />
<br />
From the manual:<br />
<br />
{| class="wikitable"<br />
|-<br />
|Total Slots<br />
|16 (4 channels per CPU)<br />
|-<br />
|Capacity<br />
|2TB maximum<br />
|-<br />
|Memory Type<br />
|DDR4 1600/1866/2133/2400/2666<br />
|-<br />
|Memory Features<br />
|ECC<br />
|-<br />
|Module Sizes<br />
|8GB, 16GB, 32GB, 64GB, 128GB (RDIMM)<br />
|-<br />
|}<br />
<br />
=== Tested Memory ===<br />
<br />
==== Good Memory ====<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Validation<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Source<br />
!Notes<br />
|-<br />
|Pacific Sun<br />
|X10723042S<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Hynix<br />
|HMA82GR7AFR8N-UH<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot e36ec63<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A1G40DB0-CPB<br />
|8GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|meklort<br />
|Requires [[Talos_II/Firmware|System Package v1.02]]<br />
|-<br />
|Kingston<br />
|KTH-PL424/16G<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PZ-2G3B1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G3D1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G6D1<br />
|16GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|[[User:Smaeul|smaeul]]<br />
|<br />
|-<br />
|Micron<br />
|MTA36ASF4G72PZ-2G6D1<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 6ffaeb4<br />
|[[User:cyrozap|cyrozap]]<br />
|<br />
|-<br />
|Samsung<br />
|M393A4K40BB1-CRC<br />
|32GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A8K40B22-CWD<br />
|64GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A2K40BB2-CTD<br />
|16GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 0c8fa110<br />
|meklort<br />
|Will run at 2400MT/s with [[Talos_II/Firmware|System Package v1.00]]<br />
|-<br />
|Samsung<br />
|M393A4K40BB2-CTD8Q<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|luke-jr<br />
|<br />
|-<br />
|Samsung<br />
|M393A2G40EB2-CTD<br />
|16GB <br />
|PC4-21300V-R<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|JSharp<br />
|Tested extensively with [[Talos_II/Firmware|System Package v1.02]] but does boot on v1.00, Dual 8-Core POWER9, x8 DIMM Modules (RCS Recommended Slot Configuration)<br />
|-<br />
|Samsung<br />
|M393A4K40CB2-CTD6Q<br />
|32GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|hostboot-884b60b<br />
|kev009<br />
|8 DIMMs working well<br />
|-<br />
|Kingston<br />
|KVR24R17S8K4/32<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
| kit 4x 8GB, got 1 stick faulty, but 3x 8GB worked OK<br />
|-<br />
|Kingston<br />
|KVR24R17D8/16MA<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
|<br />
|-<br />
|Crucial<br />
|CT4G4RFS8266<br />
|4GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|[[User:Robbieab|Robbieab]]<br />
|Purchased as the CT2K4G4RFS8266 8GB kit. Confirmed functional from the petitboot shell.<br />
|-<br />
|Crucial<br />
|CT8G4RFS8266<br />
|8GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|<br />
|<br />
|<br />
|CT2K8G4RFS8266 16GB kit (8GBx2). DDR4 PC4-21300 • CL=19 • Single Ranked • x8 based • Registered • ECC • DDR4-2666 • 1.2V • 1024Meg x 72. Confirmed with a working Debian GNU and Devuan GNU+Linux installation.<br />
|-<br />
|Ventura (Samsung)<br />
|D4-62JA402SV-15<br />
|16GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|mosst<br />
|<br />
|}<br />
<br />
==== Incompatible Memory ====<br />
<br />
NOTE: Memory may be removed from this table after firmware support has been added, or there may be a fundamental hardware incompatibility. If you have incompatible memory listed in the table below, you may want to bookmark and check this page from time to time to see if a firmware update has resolved the issue.<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="3"|Test Conditions<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Last Test<br />
|-<br />
|Samsung<br />
|M386A8K40BMB-CRC<br />
|64GB<br />
|PC4-19200<br />
|Registered LRDIMM<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|02/14/2018<br />
|-<br />
|}<br />
<br />
== SAS/SATA Storage Drives ==<br />
<br />
Connected via optional on-board [[PM8068]] controller, or via PCIe controller. NVMe cards are also [[#NVMe Storage Drives|supported]].<br />
<br />
Boards with onboard SAS have one Mini-SAS HD 4i (SFF-8643) port, and four standard SATA-III ports. Both support both SAS and SATA at the electrical level.<br />
<br />
Note: Microsemi Adaptec Series 8 RAID controllers [http://download.adaptec.com/pdfs/readme/microsemi_series-8-controller_readme_4_2018.pdf do not support ATAPI CD-ROM, DVD, or tape devices.]<br />
<br />
== PCIe Devices ==<br />
<br />
=== Storage Controllers ===<br />
<br />
* IOCrest SI-PEX40062 (Chipset: Marvell 88SE9235)<br />
* LSI 9300 SAS HBAs<br />
* [[PM8068]]-based SAS HBAs <br />
* Supermicro AOC-SLG3-4E2P 4-port OCuLink adapter<br />
<br />
=== NICs ===<br />
* Broadcom [[BCM5719]]<br />
* Chelsio T6225-SO-CR<br />
<br />
=== NVMe M.2 Adapters ===<br />
* [http://ableconn.com/products_2.php?gid=62 Ableconn PEXM2-SSD M.2 NGFF PCIe SSD to PCI Express 3.0 x4 Host Adapter Card (M.2 to PCIe adapter)]<br />
* [http://www.delock.com/produkte/G_89370/merkmale.html Delock PCI Express x4 Card > 1 x internal NVMe M.2 Key M 80 mm - Low Profile Form Factor]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=9SIA4RE5AU2769 JEYI SK4 M.2 NVMe(M Key) SSD to PCI-E 3.0 x4 Adapter Converter Card]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=N82E16815124167 SYBA SI-PEX40110 M.2 PCI-e To PCI-e 3.0 x4]<br />
<br />
=== NVMe Storage Drives ===<br />
* Samsung 950 PRO (with M.2 to PCIe adapter)<br />
* Samsung 960 EVO / PRO (with M.2 to PCIe adapter)<br />
* Samsung 970 PRO (with M.2 to PCIe adapter)<br />
* Intel Optane 900P NVMe XPoint PCIe<br />
* Intel Optane 905P NVMe XPoint PCIe AIC<br />
* WD Black PCIe (with M.2 to PCIe adapter)<br />
* MyDigitalSSD BPX 480GB (with M.2 to PCIe adapter)<br />
<br />
=== Graphics Cards ===<br />
<br />
No display? Check out the [[Troubleshooting/GPU|GPU Troubleshooting]] page.<br />
<br />
==== AMD ====<br />
<br />
All AMD GPUs currently have DMA issues (limited to 32-bit, which can cause crashes) with the current Talos II firmware.<br />
This is expected to be fixed in future firmware updates.<br />
<br />
* AMD Radeon HD 5850 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7850 - Disabled onboard VGA. Using amdgpu is highly unstable, radeon driver is usable but has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7950 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon R5 220<br />
* AMD Radeon R5 230 - Works in BE mode (use <code>Option "AccelMethod" "EXA"</code> for Xorg)<br />
* AMD Radeon R7 240<br />
* Radeon R9 290X<br />
* AMD Radeon Pro WX7100 (Polaris10 core) - Available pre-installed on Talos II workstation, server, and desktop configurations.<br />
* AMD Radeon Pro WX5100<br />
* AMD Radeon Pro WX4100 (Polaris11 core) - May need at least linux 4.16 in order to get Xorg to work.<br />
* AMD RX Vega 56 - Works with Debian Buster with amdgpu. Requires patches to work, somewhat unstable but usable. Cannot use AST Integrated VGA and AMDGPU at the same time without causing conflict. Not tested at this moment for use in petitboot or firmware. <br />
<br />
The core name is important when storing the firmware into the BOOTKERNFW partition in PNOR for use by skiroot.<br />
<br />
==== NVIDIA ====<br />
* NVIDIA Corporation G96 [GeForce 9500 GT] (rev a1) - Works in petitboot if onboard VGA is disabled. Currently has issues with only using 32-bit DMA. No firmware needed.<br />
<br />
=== Sound Cards ===<br />
<br />
* Creative Sound Blaster Audigy FX SB1570 PCIe 5.1 Sound Card<br />
* Creative Sound Blaster X-Fi Xtreme Fidelity PCIe Audio Sound Card (SB0880)<br />
* AMD Radeon HD 5850 and 7950 (HDMI audio)<br />
* [http://www.vantecusa.com/products_detail.php?p_id=156&p_name=+USB+Stereo+Audio+Adapter&pc_id=9&pc_name=Adapters&pt_id=3&pt_name=Audio+%2B++Video#tab-1 VANTEC NBA-120U (USB)]<br />
* [http://mackie.com/products/onyx-blackjack Mackie Onyx Blackjack (USB) Recording Interface]<br />
* RME HDSPe AIO (FreeBSD tested)<br />
<br />
=== USB controllers ===<br />
==== Working ====<br />
* Insignia USB 3.0 PCI-e NS-PCCUP53 V1.0 (NEC D720202 chipset)<br />
* Terminus Technology Inc. FE 2.1 7-port Hub<br />
<br />
==== Non-working ====<br />
* AXAGON PCEU-43V - chipset Via VL805 - PCI id 1106/3483<br />
<br />
== CAPI Devices ==<br />
<br />
* Mellanox ConnectX-6 EN 200Gb/s Adapter Card<br />
<br />
== Serial Adapters for J7701 Header ==<br />
* [http://pinoutguide.com/Motherboard/rs232_header_pinout.shtml Pinout Details]<br />
=== DTK/INTEL (compatible) ===<br />
* CablesToGo 09480 (unverified)<br />
* Assmann Serial Slot Bracket AK-610300-003-E, sold under PremiumCord brand (used by [[User:Sharkcz|Sharkcz]])<br />
* E-ITX ACC3100[https://www.amazon.com/dp/B00DSTTDQW/] (tested by [[User:Bdragon|Bdragon]])<br />
<br />
=== AT/EVEREX (not compatible) ===<br />
* StarTech PLATE9M16<br />
* Gigabyte COM port</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II/Hardware_Compatibility_List&diff=1506Talos II/Hardware Compatibility List2018-08-28T03:48:11Z<p>Peter Easton: /* Good Cases */</p>
<hr />
<div>This is a collection of components known to work with the [[Talos_II|Talos™ II]]-based solutions. It's maintained by both [[Raptor Computing Systems|Raptor CS]] and community members.<br />
<br />
== Cases ==<br />
<br />
=== Good Cases ===<br />
<br />
These cases were successfully used by someone.<br />
<br />
* '''SuperMicro SC732i-500B'''<br />
** Not recommended for 12 core and higher CPUs<br />
<br />
* '''SuperMicro SC732D3-903B'''<br />
** No NIC 2 LED on front panel<br />
** Needed [https://www.startech.com/Cables/Computer-Power/Internal/12in-4-Pin-Fan-Power-Extension-Cable~FAN4EXT12 four pin extension cable] for main chassis fan<br />
<br />
* '''SuperMicro SC732D4-903B'''<br />
** Add-on sound card recommended<br />
** Add-on USB 2.0 card or USB 3.0 hub recommended<br />
<br />
* '''SuperMicro SC747TQ-R1400B or SC747TG-R1400B-SQ'''<br />
** Hot swap drive capable; SAS recommended<br />
** Recommended for use with one or more high-end GPUs<br />
** Listed as EoL by Supermicro, replaced with 1620 versions. Same fan modules and PDU used in newer, higher watt, version. ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** [[:File:TalosII_SystemAssembly_nashimus_v3.mp4|System Assembly Video - SC747TG-R1400B-SQ]]<br />
<br />
* '''Rosewill RSV-L4500'''<br />
** Fans are two wire and use molex connectors<br />
<br />
* '''[https://wiki.raptorcs.com/wiki/Category:Gallery Thermaltake Core W100]''' (See the ''Morgan's Revenge'', by [[User:Peter Easton|JollyRoger]])<br />
** The positions of some standoffs are under components mounted on the back of the board. Careful measurement and attachment of only the standoffs that fit prior to installation of the motherboard is ''a necessity'' to avoid damaging the motherboard upon installation.<br />
** An add-on internal USB header is necessary to activate the extra 2 USB3 ports on the front panel.<br />
** The case is very spacious, with plenty of room and lots of space for many fans. Works well to provide necessary airflow and pressure within the case. <br />
** It is extremely important to use a good-quality, powerful fan capable of withstanding high temperatures for the rear exhaust fan, which is very close to the rear CPU exhaust. A low-quality fan in the rear exhaust port may hinder cooling.<br />
<br />
=== Problematic Cases ===<br />
<br />
* '''BeQuiet Dark Base 900''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Claims to support E-ATX on the BeQuiet website<br />
** The infographic shows the motherboard space to be only 322mm deep, which is 8.2mm short of the full-size E-ATX.<br />
** Emailed them for clarification, but no response. Can't confirm either way.<br />
<br />
* '''SuperMicro SC822'''<br />
** Low speed fans provide insufficient airflow over CPU0, leading to overheating if more than one 4-core CPU is installed.<br />
<br />
* '''Athena Power RM-3U8G1043'''<br />
** Some motherboard standoffs needed to be removed, and others needed additional height.<br />
** There was no standoff hole for the top right.<br />
** The support beam across the top of the case interferes with the CPU2 heatsink, but can be easily removed.<br />
<br />
==== Standoff Issues ====<br />
<br />
Standoff issues appear to be a very common problem. In many cases mitigation may be possible.<br />
<br />
* '''Fractal Design Define XL R2'''<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
** Some alternative standoff in at least the top-middle position may be required to prevent too much bending of the motherboard while inserting RAM.<br />
<br />
* '''BitFenix Aurora'''<br />
** [[User:MarcusC/BitFenix_Aurora|Multiple missing standoff holes]], some mitigation possible.<br />
<br />
* '''Thermaltake Core W200'''<br />
** Heavy, expensive, massive.<br />
** Compatible ''with caveats''<br />
*** Talos™ II mainboard will fit in the E-ATX compatible side only (when viewed from rear of case, the right side) of the dual system case.<br />
*** Missing standoff holes for the top-left and top-middle positions. (non-essential but ensure proper support when inserting and removing RAM to avoid bending mainboard)<br />
*** Must remove wire-hole rubber grommets present under Talos™ II mainboard on right lower side for proper fit<br />
<br />
* '''Nanoxia Deep Silence2''' ([[User:Sharkcz|Sharkcz]])<br />
** missing top-middle standoff hole, but I've used a plastic "flat" standoff instead<br />
** Power LED - red goes to pin 15, black to pin 16<br />
<br />
* '''RAIJINTEK ASTERION PLUS (Model 0R200049)''' ([[User:cyrozap|cyrozap]])<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
*** As a workaround the standoffs can be unscrewed and placed upside-down (screw threads facing up) under the motherboard holes.<br />
*** This actually works surprisingly well, and thanks to the other screw points the motherboard is rigid enough that I don't worry too much about the weight of the HSFs flexing it.<br />
*** That said, it's probably a good idea to always transport the system on its side and avoid bumping it if possible.<br />
** The hinged panels that open with handles are much nicer than fiddling with thumb screws, but annoying since it makes it slightly trickier to do things that involve both the inside and back panel of the case (e.g., inserting PCI-e cards).<br />
** The PSU is at the very bottom of the case, while all the motherboard power connectors are at the very top of the case, so this can cause some issues if your PSU's cables aren't long enough.<br />
*** The EPS12V cables on my power supply had a few inches left over, but the main motherboard power cable was just barely able to reach from the other side of the case to the power connector.<br />
** The front of the case is sheet metal stuck to plastic using some double-sided adhesive tape, which doesn't seem to work very well.<br />
*** When I received the case the front metal was starting to peel off a few inches (several cm) at the top and bottom.<br />
*** It sticks back in place when I press on it, but I may need to get some better adhesive and re-apply it later.<br />
** For $170, I was hoping for something a little more robust, but at least it's pretty.<br />
<br />
* A possible mitigation is a plastic standoff like [https://www.kangyang-europe.com/product/pc-board-hardware/ass-10/ ASS-10]<br />
<br />
* '''Corsair 760T''' ([[User:mosst|mosst]])<br />
** Reasonably cheap.<br />
** Unusually tasteful aesthetics for a consumer/gaming case. Looks like something Aperture Science would come up with.<br />
** E-ATX boards fit, but the top-left and top-middle standoffs are missing, however this isn't much of a problem as the I/O panel helps hold the board in place.<br />
** Cable management may be difficult, as E-ATX boards cover most of the cable holes.<br />
<br />
=== Candidate Cases ===<br />
<br />
These cases claim E-ATX support and are planned to be used, or were considered, by someone.<br />
<br />
* '''Lian Li PC-V1000L''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Similar price point to the Supermicros with high power PSU. <br />
** Very "Apple" brushed aluminium aesthetic. <br />
** Couldn't confirm E-ATX was fullsize.<br />
** Passed over in favour of the SuperMicro SC747TQ-R1400B<br />
<br />
<br />
== Power Supplies ==<br />
When planning to run with both CPU sockets populated, keep in mind that the power supply should also support two 8-pin EPS connectors.<br />
<br />
* Seasonic PRIME 1300W<br />
* Seasonic PRIME Ultra 850W Gold<br />
* Seasonic PRIME Ultra 650W<br />
* Seasonic PRIME Ultra Titanium 1000W (SSR-1000TR)<br />
* FSP Group Twins ATX 1+1 Dual Module 700W 80 PLUS GOLD Hot Swappable Redundant Digital Power Supply ([[User:ebrasca|ebrasca]])<br />
** Customer reported good build quality and proper functionality<br />
* Corsair TX550M 80+ GOLD ([[User:MarcusC|MarcusC]])<br />
** 2nd EPS power cable sold separately<br />
* Corsair AX860 <br />
* EVGA SuperNova 1200P2 1200W Platinum ([[User:mosst|mosst]])<br />
** Works well, but the included ATX power cables may be too short if your PSU is mounted on the bottom of the case.<br />
<br />
== Memory ==<br />
<br />
The criteria are basically "is it ECC, is it registered, is it NOT LRDIMM"<br />
<br />
From the manual:<br />
<br />
{| class="wikitable"<br />
|-<br />
|Total Slots<br />
|16 (4 channels per CPU)<br />
|-<br />
|Capacity<br />
|2TB maximum<br />
|-<br />
|Memory Type<br />
|DDR4 1600/1866/2133/2400/2666<br />
|-<br />
|Memory Features<br />
|ECC<br />
|-<br />
|Module Sizes<br />
|8GB, 16GB, 32GB, 64GB, 128GB (RDIMM)<br />
|-<br />
|}<br />
<br />
=== Tested Memory ===<br />
<br />
==== Good Memory ====<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Validation<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Source<br />
!Notes<br />
|-<br />
|Pacific Sun<br />
|X10723042S<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Hynix<br />
|HMA82GR7AFR8N-UH<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot e36ec63<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A1G40DB0-CPB<br />
|8GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|meklort<br />
|Requires [[Talos_II/Firmware|System Package v1.02]]<br />
|-<br />
|Kingston<br />
|KTH-PL424/16G<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PZ-2G3B1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G3D1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G6D1<br />
|16GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|[[User:Smaeul|smaeul]]<br />
|<br />
|-<br />
|Micron<br />
|MTA36ASF4G72PZ-2G6D1<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 6ffaeb4<br />
|[[User:cyrozap|cyrozap]]<br />
|<br />
|-<br />
|Samsung<br />
|M393A4K40BB1-CRC<br />
|32GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A8K40B22-CWD<br />
|64GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A2K40BB2-CTD<br />
|16GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 0c8fa110<br />
|meklort<br />
|Will run at 2400MT/s with [[Talos_II/Firmware|System Package v1.00]]<br />
|-<br />
|Samsung<br />
|M393A4K40BB2-CTD8Q<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|luke-jr<br />
|<br />
|-<br />
|Samsung<br />
|M393A2G40EB2-CTD<br />
|16GB <br />
|PC4-21300V-R<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|JSharp<br />
|Tested extensively with [[Talos_II/Firmware|System Package v1.02]] but does boot on v1.00, Dual 8-Core POWER9, x8 DIMM Modules (RCS Recommended Slot Configuration)<br />
|-<br />
|Samsung<br />
|M393A4K40CB2-CTD6Q<br />
|32GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|hostboot-884b60b<br />
|kev009<br />
|8 DIMMs working well<br />
|-<br />
|Kingston<br />
|KVR24R17S8K4/32<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
| kit 4x 8GB, got 1 stick faulty, but 3x 8GB worked OK<br />
|-<br />
|Kingston<br />
|KVR24R17D8/16MA<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
|<br />
|-<br />
|Crucial<br />
|CT4G4RFS8266<br />
|4GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|[[User:Robbieab|Robbieab]]<br />
|Purchased as the CT2K4G4RFS8266 8GB kit. Confirmed functional from the petitboot shell.<br />
|-<br />
|Crucial<br />
|CT8G4RFS8266<br />
|8GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|<br />
|<br />
|<br />
|CT2K8G4RFS8266 16GB kit (8GBx2). DDR4 PC4-21300 • CL=19 • Single Ranked • x8 based • Registered • ECC • DDR4-2666 • 1.2V • 1024Meg x 72. Confirmed with a working Debian GNU and Devuan GNU+Linux installation.<br />
|-<br />
|Ventura (Samsung)<br />
|D4-62JA402SV-15<br />
|16GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|mosst<br />
|<br />
|}<br />
<br />
==== Incompatible Memory ====<br />
<br />
NOTE: Memory may be removed from this table after firmware support has been added, or there may be a fundamental hardware incompatibility. If you have incompatible memory listed in the table below, you may want to bookmark and check this page from time to time to see if a firmware update has resolved the issue.<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Test Conditions<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Last Test<br />
|-<br />
|Samsung<br />
|M386A8K40BMB-CRC<br />
|64GB<br />
|PC4-19200<br />
|Registered LRDIMM<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|02/14/2018<br />
|-<br />
|}<br />
<br />
== SAS/SATA Storage Drives ==<br />
<br />
Connected via optional on-board [[PM8068]] controller, or via PCIe controller. NVMe cards are also [[#NVMe Storage Drives|supported]].<br />
<br />
Boards with onboard SAS have one Mini-SAS HD 4i (SFF-8643) port and four standard SATA-III ports. Both port types support SAS and SATA at the electrical level.<br />
<br />
Note: Microsemi Adaptec Series 8 RAID controllers [http://download.adaptec.com/pdfs/readme/microsemi_series-8-controller_readme_4_2018.pdf do not support ATAPI CD-ROM, DVD, or tape devices.]<br />
<br />
== PCIe Devices ==<br />
<br />
=== Storage Controllers ===<br />
<br />
* IOCrest SI-PEX40062 (Chipset: Marvell 88SE9235)<br />
* LSI 9300 SAS HBAs<br />
* [[PM8068]]-based SAS HBAs <br />
* Supermicro AOC-SLG3-4E2P 4-port OCuLink adapter<br />
<br />
=== NICs ===<br />
* Broadcom [[BCM5719]]<br />
* Chelsio T6225-SO-CR<br />
<br />
=== NVMe M.2 Adapters ===<br />
* [http://ableconn.com/products_2.php?gid=62 Ableconn PEXM2-SSD M.2 NGFF PCIe SSD to PCI Express 3.0 x4 Host Adapter Card (M.2 to PCIe adapter)]<br />
* [http://www.delock.com/produkte/G_89370/merkmale.html Delock PCI Express x4 Card > 1 x internal NVMe M.2 Key M 80 mm - Low Profile Form Factor]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=9SIA4RE5AU2769 JEYI SK4 M.2 NVMe(M Key) SSD to PCI-E 3.0 x4 Adapter Converter Card]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=N82E16815124167 SYBA SI-PEX40110 M.2 PCI-e To PCI-e 3.0 x4]<br />
<br />
=== NVMe Storage Drives ===<br />
* Samsung 950 PRO (with M.2 to PCIe adapter)<br />
* Samsung 960 EVO / PRO (with M.2 to PCIe adapter)<br />
* Samsung 970 PRO (with M.2 to PCIe adapter)<br />
* Intel Optane 900P NVMe XPoint PCIe<br />
* Intel Optane 905P NVMe XPoint PCIe AIC<br />
* WD Black PCIe (with M.2 to PCIe adapter)<br />
* MyDigitalSSD BPX 480GB (with M.2 to PCIe adapter)<br />
<br />
=== Graphics Cards ===<br />
<br />
No display? Check out the [[Troubleshooting/GPU|GPU Troubleshooting]] page.<br />
<br />
==== AMD ====<br />
<br />
All AMD GPUs currently have DMA issues (limited to 32-bit, which can cause crashes) with the current Talos II firmware.<br />
This is expected to be fixed in future firmware updates.<br />
<br />
* AMD Radeon HD 5850 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7850 - Tested with onboard VGA disabled. The amdgpu driver is highly unstable; the radeon driver is usable but has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7950 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon R5 220<br />
* AMD Radeon R5 230 - Works in BE mode (use <code>Option "AccelMethod" "EXA"</code> for Xorg)<br />
* AMD Radeon R7 240<br />
* Radeon R9 290X<br />
* AMD Radeon Pro WX7100 (Polaris10 core) - Available pre-installed on Talos II workstation, server, and desktop configurations.<br />
* AMD Radeon Pro WX5100<br />
* AMD Radeon Pro WX4100 (Polaris11 core) - May need at least Linux 4.16 in order to get Xorg to work.<br />
* AMD RX Vega 56 - Works with Debian Buster with amdgpu. Requires patches to work, somewhat unstable but usable. Cannot use AST Integrated VGA and AMDGPU at the same time without causing conflict. Not tested at this moment for use in petitboot or firmware. <br />
<br />
The core name is important when storing the firmware into the BOOTKERNFW partition in PNOR for use by skiroot.<br />
<br />
==== NVIDIA ====<br />
* NVIDIA Corporation G96 [GeForce 9500 GT] (rev a1) - Works in petitboot if onboard VGA is disabled. Currently has issues with only using 32-bit DMA. No firmware needed.<br />
<br />
=== Sound Cards ===<br />
<br />
* Creative Sound Blaster Audigy FX SB1570 PCIe 5.1 Sound Card<br />
* Creative Sound Blaster X-Fi Xtreme Fidelity PCIe Audio Sound Card (SB0880)<br />
* AMD Radeon HD 5850 and 7950 (HDMI audio)<br />
* [http://www.vantecusa.com/products_detail.php?p_id=156&p_name=+USB+Stereo+Audio+Adapter&pc_id=9&pc_name=Adapters&pt_id=3&pt_name=Audio+%2B++Video#tab-1 VANTEC NBA-120U (USB)]<br />
* [http://mackie.com/products/onyx-blackjack Mackie Onyx Blackjack (USB) Recording Interface]<br />
* RME HDSPe AIO (FreeBSD tested)<br />
<br />
=== USB controllers ===<br />
==== Working ====<br />
* Insignia USB 3.0 PCI-e NS-PCCUP53 V1.0 (NEC D720202 chipset)<br />
* Terminus Technology Inc. FE 2.1 7-port Hub<br />
<br />
==== Non-working ====<br />
* AXAGON PCEU-43V - chipset Via VL805 - PCI id 1106/3483<br />
<br />
== CAPI Devices ==<br />
<br />
* Mellanox ConnectX-6 EN 200Gb/s Adapter Card<br />
<br />
== Serial Adapters for J7701 Header ==<br />
* [http://pinoutguide.com/Motherboard/rs232_header_pinout.shtml Pinout Details]<br />
=== DTK/INTEL (compatible) ===<br />
* CablesToGo 09480 (unverified)<br />
* Assmann Serial Slot Bracket AK-610300-003-E, sold under PremiumCord brand (used by [[User:Sharkcz|Sharkcz]])<br />
* E-ITX ACC3100[https://www.amazon.com/dp/B00DSTTDQW/] (tested by [[User:Bdragon|Bdragon]])<br />
<br />
=== AT/EVEREX (not compatible) ===<br />
* StarTech PLATE9M16<br />
* Gigabyte COM port</div>
Peter Easton
https://wiki.raptorcs.com/w/index.php?title=Talos_II/Hardware_Compatibility_List&diff=1505
Talos II/Hardware Compatibility List
2018-08-28T03:38:52Z
<p>Peter Easton: /* Good Cases */</p>
<hr />
<div>This is a collection of components known to work with the [[Talos_II|Talos™ II]]-based solutions. It's maintained by both [[Raptor Computing Systems|Raptor CS]] and community members.<br />
<br />
== Cases ==<br />
<br />
=== Good Cases ===<br />
<br />
These cases were successfully used by someone.<br />
<br />
* '''SuperMicro SC732i-500B'''<br />
** Not recommended for 12 core and higher CPUs<br />
<br />
* '''SuperMicro SC732D3-903B'''<br />
** No NIC 2 LED on front panel<br />
** Needed [https://www.startech.com/Cables/Computer-Power/Internal/12in-4-Pin-Fan-Power-Extension-Cable~FAN4EXT12 four pin extension cable] for main chassis fan<br />
<br />
* '''SuperMicro SC732D4-903B'''<br />
** Add-on sound card recommended<br />
** Add-on USB 2.0 card or USB 3.0 hub recommended<br />
<br />
* '''SuperMicro SC747TQ-R1400B or SC747TG-R1400B-SQ'''<br />
** Hot swap drive capable; SAS recommended<br />
** Recommended for use with one or more high-end GPUs<br />
** Listed as EoL by Supermicro, replaced with 1620 versions. Same fan modules and PDU used in newer, higher watt, version. ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** [[:File:TalosII_SystemAssembly_nashimus_v3.mp4|System Assembly Video - SC747TG-R1400B-SQ]]<br />
<br />
* '''Rosewill RSV-L4500'''<br />
** Fans are two wire and use molex connectors<br />
<br />
* '''Thermaltake Core W100'''<br />
** Not all the standoffs will fit. Careful measurement and installation of only the standoffs that fit prior to installation of the motherboard is ''a necessity'' to avoid damaging the motherboard upon installation.<br />
** Add-on internal USB controller recommended.<br />
** Very spacious, with plenty of room and lots of space for many fans. Works well to provide necessary airflow and pressure within the case. <br />
** A good quality, powerful fan capable of withstanding high temperatures is required for the rear exhaust fan, which is very close to the rear CPU exhaust. A low quality fan in the rear exhaust port may hinder cooling.<br />
<br />
=== Problematic Cases ===<br />
<br />
* '''BeQuiet Dark Base 900''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Claims to support E-ATX on the BeQuiet website<br />
** Infographic showing the motherboard space to only be 322mm deep, which is 8.2mm short of the full-size E-ATX. <br />
** Emailed them for clarification, but no response. Can't confirm either way.<br />
<br />
* '''SuperMicro SC822'''<br />
** Low speed fans provide insufficient airflow over CPU0, leading to overheating if more than one 4-core CPU is installed.<br />
<br />
* '''Athena Power RM-3U8G1043'''<br />
** Some motherboard standoffs needed to be removed, and others needed additional height.<br />
** There was no standoff hole for the top right.<br />
** The support beam across the top of the case interferes with the CPU2 heatsink, but can be easily removed.<br />
<br />
==== Standoff Issues ====<br />
<br />
Standoff issues appear to be a very common problem. In many cases mitigation may be possible.<br />
<br />
* '''Fractal Design Define XL R2'''<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
** Some alternative standoff in at least the top-middle position may be required to prevent too much bending of the motherboard while inserting RAM.<br />
<br />
* '''BitFenix Aurora'''<br />
** [[User:MarcusC/BitFenix_Aurora|Multiple missing standoff holes]], some mitigation possible.<br />
<br />
* '''Thermaltake Core W200'''<br />
** Heavy, expensive, massive.<br />
** Compatible ''with caveats''<br />
*** Talos™ II mainboard will fit only in the E-ATX compatible side (the right side, when viewed from the rear of the case) of the dual-system case.<br />
*** Missing standoff holes for the top-left and top-middle positions. (non-essential but ensure proper support when inserting and removing RAM to avoid bending mainboard)<br />
*** Must remove wire-hole rubber grommets present under Talos™ II mainboard on right lower side for proper fit<br />
<br />
* '''Nanoxia Deep Silence2''' ([[User:Sharkcz|Sharkcz]])<br />
** missing top-middle standoff hole, but I've used a plastic "flat" standoff instead<br />
** Power LED - red goes to pin 15, black to pin 16<br />
<br />
* '''RAIJINTEK ASTERION PLUS (Model 0R200049)''' ([[User:cyrozap|cyrozap]])<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
*** As a workaround the standoffs can be unscrewed and placed upside-down (screw threads facing up) under the motherboard holes.<br />
*** This actually works surprisingly well, and thanks to the other screw points the motherboard is rigid enough that I don't worry too much about the weight of the HSFs flexing it.<br />
*** That said, it's probably a good idea to always transport the system on its side and avoid bumping it if possible.<br />
** The hinged panels that open with handles are much nicer than fiddling with thumb screws, but annoying since it makes it slightly trickier to do things that involve both the inside and back panel of the case (e.g., inserting PCI-e cards).<br />
** The PSU is at the very bottom of the case, while all the motherboard power connectors are at the very top of the case, so this can cause some issues if your PSU's cables aren't long enough.<br />
*** The EPS12V cables on my power supply had a few inches left over, but the main motherboard power cable was just barely able to reach from the other side of the case to the power connector.<br />
** The front of the case is sheet metal stuck to plastic using some double-sided adhesive tape, which doesn't seem to work very well.<br />
*** When I received the case the front metal was starting to peel off a few inches (several cm) at the top and bottom.<br />
*** It sticks back in place when I press on it, but I may need to get some better adhesive and re-apply it later.<br />
** For $170, I was hoping for something a little more robust, but at least it's pretty.<br />
<br />
* A possible mitigation is a plastic standoff such as the [https://www.kangyang-europe.com/product/pc-board-hardware/ass-10/ ASS-10]<br />
<br />
* '''Corsair 760T''' ([[User:mosst|mosst]])<br />
** Reasonably cheap.<br />
** Unusually tasteful aesthetics for a consumer/gaming case. Looks like something Aperture Science would come up with.<br />
** E-ATX boards fit, but the top-left and top-middle standoffs are missing, however this isn't much of a problem as the I/O panel helps hold the board in place.<br />
** Cable management may be difficult, as E-ATX boards cover most of the cable holes.<br />
<br />
=== Candidate Cases ===<br />
<br />
These cases claim E-ATX support and are planned to be used, or were considered, by someone.<br />
<br />
* '''Lian Li PC-V1000L''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Similar price point to the Supermicros with high power PSU. <br />
** Very "Apple" brushed aluminium aesthetic. <br />
** Couldn't confirm E-ATX was fullsize.<br />
** Passed over in favour of the SuperMicro SC747TQ-R1400B<br />
<br />
<br />
== Power Supplies ==<br />
When planning to run with both CPU sockets populated, keep in mind that the power supply should also support two 8-pin EPS connectors.<br />
<br />
* Seasonic PRIME 1300W<br />
* Seasonic PRIME Ultra 850W Gold<br />
* Seasonic PRIME Ultra 650W<br />
* Seasonic PRIME Ultra Titanium 1000W (SSR-1000TR)<br />
* FSP Group Twins ATX 1+1 Dual Module 700W 80 PLUS GOLD Hot Swappable Redundant Digital Power Supply ([[User:ebrasca|ebrasca]])<br />
** Customer reported good build quality and proper functionality<br />
* Corsair TX550M 80+ GOLD ([[User:MarcusC|MarcusC]])<br />
** 2nd EPS power cable sold separately<br />
* Corsair AX860 <br />
* EVGA SuperNova 1200P2 1200W Platinum ([[User:mosst|mosst]])<br />
** Works well, but the included ATX power cables may be too short if your PSU is mounted on the bottom of the case.<br />
<br />
== Memory ==<br />
<br />
The criteria are basically "is it ECC, is it registered, is it NOT LRDIMM?"<br />
<br />
From the manual:<br />
<br />
{| class="wikitable"<br />
|-<br />
|Total Slots<br />
|16 (4 channels per CPU)<br />
|-<br />
|Capacity<br />
|2TB maximum<br />
|-<br />
|Memory Type<br />
|DDR4 1600/1866/2133/2400/2666<br />
|-<br />
|Memory Features<br />
|ECC<br />
|-<br />
|Module Sizes<br />
|8GB, 16GB, 32GB, 64GB, 128GB (RDIMM)<br />
|-<br />
|}<br />
<br />
=== Tested Memory ===<br />
<br />
==== Good Memory ====<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Validation<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Source<br />
!Notes<br />
|-<br />
|Pacific Sun<br />
|X10723042S<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Hynix<br />
|HMA82GR7AFR8N-UH<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot e36ec63<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A1G40DB0-CPB<br />
|8GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|meklort<br />
|Requires [[Talos_II/Firmware|System Package v1.02]]<br />
|-<br />
|Kingston<br />
|KTH-PL424/16G<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PZ-2G3B1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G3D1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G6D1<br />
|16GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|[[User:Smaeul|smaeul]]<br />
|<br />
|-<br />
|Micron<br />
|MTA36ASF4G72PZ-2G6D1<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 6ffaeb4<br />
|[[User:cyrozap|cyrozap]]<br />
|<br />
|-<br />
|Samsung<br />
|M393A4K40BB1-CRC<br />
|32GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A8K40B22-CWD<br />
|64GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A2K40BB2-CTD<br />
|16GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 0c8fa110<br />
|meklort<br />
|Will run at 2400MT/s with [[Talos_II/Firmware|System Package v1.00]]<br />
|-<br />
|Samsung<br />
|M393A4K40BB2-CTD8Q<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|luke-jr<br />
|<br />
|-<br />
|Samsung<br />
|M393A2G40EB2-CTD<br />
|16GB <br />
|PC4-21300V-R<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|JSharp<br />
|Tested extensively with [[Talos_II/Firmware|System Package v1.02]] but does boot on v1.00, Dual 8-Core POWER9, x8 DIMM Modules (RCS Recommended Slot Configuration)<br />
|-<br />
|Samsung<br />
|M393A4K40CB2-CTD6Q<br />
|32GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|hostboot-884b60b<br />
|kev009<br />
|8 DIMMs working well<br />
|-<br />
|Kingston<br />
|KVR24R17S8K4/32<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
| kit 4x 8GB, got 1 stick faulty, but 3x 8GB worked OK<br />
|-<br />
|Kingston<br />
|KVR24R17D8/16MA<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
|<br />
|-<br />
|Crucial<br />
|CT4G4RFS8266<br />
|4GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|[[User:Robbieab|Robbieab]]<br />
|Purchased as the CT2K4G4RFS8266 8GB kit. Confirmed functional from the petitboot shell.<br />
|-<br />
|Crucial<br />
|CT8G4RFS8266<br />
|8GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|<br />
|<br />
|<br />
|CT2K8G4RFS8266 16GB kit (8GBx2). DDR4 PC4-21300 • CL=19 • Single Ranked • x8 based • Registered • ECC • DDR4-2666 • 1.2V • 1024Meg x 72. Confirmed with a working Debian GNU and Devuan GNU+Linux installation.<br />
|-<br />
|Ventura (Samsung)<br />
|D4-62JA402SV-15<br />
|16GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|mosst<br />
|<br />
|}<br />
<br />
==== Incompatible Memory ====<br />
<br />
NOTE: Memory may be removed from this table after firmware support has been added, or there may be a fundamental hardware incompatibility. If you have incompatible memory listed in the table below, you may want to bookmark and check this page from time to time to see if a firmware update has resolved the issue.<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Test Conditions<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Last Test<br />
|-<br />
|Samsung<br />
|M386A8K40BMB-CRC<br />
|64GB<br />
|PC4-19200<br />
|Registered LRDIMM<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|02/14/2018<br />
|-<br />
|}<br />
<br />
== SAS/SATA Storage Drives ==<br />
<br />
Connected via optional on-board [[PM8068]] controller, or via PCIe controller. NVMe cards are also [[#NVMe Storage Drives|supported]].<br />
<br />
Boards with onboard SAS have one Mini-SAS HD 4i (SFF-8643) port and four standard SATA-III ports. Both port types support SAS and SATA at the electrical level.<br />
<br />
Note: Microsemi Adaptec Series 8 RAID controllers [http://download.adaptec.com/pdfs/readme/microsemi_series-8-controller_readme_4_2018.pdf do not support ATAPI CD-ROM, DVD, or tape devices.]<br />
<br />
== PCIe Devices ==<br />
<br />
=== Storage Controllers ===<br />
<br />
* IOCrest SI-PEX40062 (Chipset: Marvell 88SE9235)<br />
* LSI 9300 SAS HBAs<br />
* [[PM8068]]-based SAS HBAs <br />
* Supermicro AOC-SLG3-4E2P 4-port OCuLink adapter<br />
<br />
=== NICs ===<br />
* Broadcom [[BCM5719]]<br />
* Chelsio T6225-SO-CR<br />
<br />
=== NVMe M.2 Adapters ===<br />
* [http://ableconn.com/products_2.php?gid=62 Ableconn PEXM2-SSD M.2 NGFF PCIe SSD to PCI Express 3.0 x4 Host Adapter Card (M.2 to PCIe adapter)]<br />
* [http://www.delock.com/produkte/G_89370/merkmale.html Delock PCI Express x4 Card > 1 x internal NVMe M.2 Key M 80 mm - Low Profile Form Factor]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=9SIA4RE5AU2769 JEYI SK4 M.2 NVMe(M Key) SSD to PCI-E 3.0 x4 Adapter Converter Card]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=N82E16815124167 SYBA SI-PEX40110 M.2 PCI-e To PCI-e 3.0 x4]<br />
<br />
=== NVMe Storage Drives ===<br />
* Samsung 950 PRO (with M.2 to PCIe adapter)<br />
* Samsung 960 EVO / PRO (with M.2 to PCIe adapter)<br />
* Samsung 970 PRO (with M.2 to PCIe adapter)<br />
* Intel Optane 900P NVMe XPoint PCIe<br />
* Intel Optane 905P NVMe XPoint PCIe AIC<br />
* WD Black PCIe (with M.2 to PCIe adapter)<br />
* MyDigitalSSD BPX 480GB (with M.2 to PCIe adapter)<br />
<br />
=== Graphics Cards ===<br />
<br />
No display? Check out the [[Troubleshooting/GPU|GPU Troubleshooting]] page.<br />
<br />
==== AMD ====<br />
<br />
All AMD GPUs currently have DMA issues (limited to 32-bit, which can cause crashes) with the current Talos II firmware.<br />
This is expected to be fixed in future firmware updates.<br />
<br />
* AMD Radeon HD 5850 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7850 - Tested with onboard VGA disabled. The amdgpu driver is highly unstable; the radeon driver is usable but has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7950 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon R5 220<br />
* AMD Radeon R5 230 - Works in BE mode (use <code>Option "AccelMethod" "EXA"</code> for Xorg)<br />
* AMD Radeon R7 240<br />
* Radeon R9 290X<br />
* AMD Radeon Pro WX7100 (Polaris10 core) - Available pre-installed on Talos II workstation, server, and desktop configurations.<br />
* AMD Radeon Pro WX5100<br />
* AMD Radeon Pro WX4100 (Polaris11 core) - May need at least Linux 4.16 in order to get Xorg to work.<br />
* AMD RX Vega 56 - Works with Debian Buster with amdgpu. Requires patches to work, somewhat unstable but usable. Cannot use AST Integrated VGA and AMDGPU at the same time without causing conflict. Not tested at this moment for use in petitboot or firmware. <br />
<br />
The core name is important when storing the firmware into the BOOTKERNFW partition in PNOR for use by skiroot.<br />
<br />
==== NVIDIA ====<br />
* NVIDIA Corporation G96 [GeForce 9500 GT] (rev a1) - Works in petitboot if onboard VGA is disabled. Currently has issues with only using 32-bit DMA. No firmware needed.<br />
<br />
=== Sound Cards ===<br />
<br />
* Creative Sound Blaster Audigy FX SB1570 PCIe 5.1 Sound Card<br />
* Creative Sound Blaster X-Fi Xtreme Fidelity PCIe Audio Sound Card (SB0880)<br />
* AMD Radeon HD 5850 and 7950 (HDMI audio)<br />
* [http://www.vantecusa.com/products_detail.php?p_id=156&p_name=+USB+Stereo+Audio+Adapter&pc_id=9&pc_name=Adapters&pt_id=3&pt_name=Audio+%2B++Video#tab-1 VANTEC NBA-120U (USB)]<br />
* [http://mackie.com/products/onyx-blackjack Mackie Onyx Blackjack (USB) Recording Interface]<br />
* RME HDSPe AIO (FreeBSD tested)<br />
<br />
=== USB controllers ===<br />
==== Working ====<br />
* Insignia USB 3.0 PCI-e NS-PCCUP53 V1.0 (NEC D720202 chipset)<br />
* Terminus Technology Inc. FE 2.1 7-port Hub<br />
<br />
==== Non-working ====<br />
* AXAGON PCEU-43V - chipset Via VL805 - PCI id 1106/3483<br />
<br />
== CAPI Devices ==<br />
<br />
* Mellanox ConnectX-6 EN 200Gb/s Adapter Card<br />
<br />
== Serial Adapters for J7701 Header ==<br />
* [http://pinoutguide.com/Motherboard/rs232_header_pinout.shtml Pinout Details]<br />
=== DTK/INTEL (compatible) ===<br />
* CablesToGo 09480 (unverified)<br />
* Assmann Serial Slot Bracket AK-610300-003-E, sold under PremiumCord brand (used by [[User:Sharkcz|Sharkcz]])<br />
* E-ITX ACC3100[https://www.amazon.com/dp/B00DSTTDQW/] (tested by [[User:Bdragon|Bdragon]])<br />
<br />
=== AT/EVEREX (not compatible) ===<br />
* StarTech PLATE9M16<br />
* Gigabyte COM port</div>
Peter Easton
https://wiki.raptorcs.com/w/index.php?title=Talos_II/Hardware_Compatibility_List&diff=1504
Talos II/Hardware Compatibility List
2018-08-28T03:32:21Z
<p>Peter Easton: /* AMD */</p>
<hr />
<div>This is a collection of components known to work with the [[Talos_II|Talos™ II]]-based solutions. It's maintained by both [[Raptor Computing Systems|Raptor CS]] and community members.<br />
<br />
== Cases ==<br />
<br />
=== Good Cases ===<br />
<br />
These cases were successfully used by someone.<br />
<br />
* '''SuperMicro SC732i-500B'''<br />
** Not recommended for 12 core and higher CPUs<br />
<br />
* '''SuperMicro SC732D3-903B'''<br />
** No NIC 2 LED on front panel<br />
** Needed [https://www.startech.com/Cables/Computer-Power/Internal/12in-4-Pin-Fan-Power-Extension-Cable~FAN4EXT12 four pin extension cable] for main chassis fan<br />
<br />
* '''SuperMicro SC732D4-903B'''<br />
** Add-on sound card recommended<br />
** Add-on USB 2.0 card or USB 3.0 hub recommended<br />
<br />
* '''SuperMicro SC747TQ-R1400B or SC747TG-R1400B-SQ'''<br />
** Hot swap drive capable; SAS recommended<br />
** Recommended for use with one or more high-end GPUs<br />
** Listed as EoL by Supermicro, replaced with 1620 versions. Same fan modules and PDU used in newer, higher watt, version. ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** [[:File:TalosII_SystemAssembly_nashimus_v3.mp4|System Assembly Video - SC747TG-R1400B-SQ]]<br />
<br />
* '''Rosewill RSV-L4500'''<br />
** Fans are two wire and use molex connectors<br />
<br />
=== Problematic Cases ===<br />
<br />
* '''BeQuiet Dark Base 900''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Claims to support E-ATX on the BeQuiet website<br />
** Infographic showing the motherboard space to only be 322mm deep, which is 8.2mm short of the full-size E-ATX. <br />
** Emailed them for clarification, but no response. Can't confirm either way.<br />
<br />
* '''SuperMicro SC822'''<br />
** Low speed fans provide insufficient airflow over CPU0, leading to overheating if more than one 4-core CPU is installed.<br />
<br />
* '''Athena Power RM-3U8G1043'''<br />
** Some motherboard standoffs needed to be removed, and others needed additional height.<br />
** There was no standoff hole for the top right.<br />
** The support beam across the top of the case interferes with the CPU2 heatsink, but can be easily removed.<br />
<br />
==== Standoff Issues ====<br />
<br />
Standoff issues appear to be a very common problem. In many cases mitigation may be possible.<br />
<br />
* '''Fractal Design Define XL R2'''<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
** Some alternative standoff in at least the top-middle position may be required to prevent too much bending of the motherboard while inserting RAM.<br />
<br />
* '''BitFenix Aurora'''<br />
** [[User:MarcusC/BitFenix_Aurora|Multiple missing standoff holes]], some mitigation possible.<br />
<br />
* '''Thermaltake Core W200'''<br />
** Heavy, expensive, massive.<br />
** Compatible ''with caveats''<br />
*** Talos™ II mainboard will fit only in the E-ATX compatible side (the right side, when viewed from the rear of the case) of the dual-system case.<br />
*** Missing standoff holes for the top-left and top-middle positions. (non-essential but ensure proper support when inserting and removing RAM to avoid bending mainboard)<br />
*** Must remove wire-hole rubber grommets present under Talos™ II mainboard on right lower side for proper fit<br />
<br />
* '''Nanoxia Deep Silence2''' ([[User:Sharkcz|Sharkcz]])<br />
** missing top-middle standoff hole, but I've used a plastic "flat" standoff instead<br />
** Power LED - red goes to pin 15, black to pin 16<br />
<br />
* '''RAIJINTEK ASTERION PLUS (Model 0R200049)''' ([[User:cyrozap|cyrozap]])<br />
** Missing standoff holes for the top-left and top-middle positions.<br />
*** As a workaround the standoffs can be unscrewed and placed upside-down (screw threads facing up) under the motherboard holes.<br />
*** This actually works surprisingly well, and thanks to the other screw points the motherboard is rigid enough that I don't worry too much about the weight of the HSFs flexing it.<br />
*** That said, it's probably a good idea to always transport the system on its side and avoid bumping it if possible.<br />
** The hinged panels that open with handles are much nicer than fiddling with thumb screws, but annoying since it makes it slightly trickier to do things that involve both the inside and back panel of the case (e.g., inserting PCI-e cards).<br />
** The PSU is at the very bottom of the case, while all the motherboard power connectors are at the very top of the case, so this can cause some issues if your PSU's cables aren't long enough.<br />
*** The EPS12V cables on my power supply had a few inches left over, but the main motherboard power cable was just barely able to reach from the other side of the case to the power connector.<br />
** The front of the case is sheet metal stuck to plastic using some double-sided adhesive tape, which doesn't seem to work very well.<br />
*** When I received the case the front metal was starting to peel off a few inches (several cm) at the top and bottom.<br />
*** It sticks back in place when I press on it, but I may need to get some better adhesive and re-apply it later.<br />
** For $170, I was hoping for something a little more robust, but at least it's pretty.<br />
<br />
* possible mitigation is plastic standoff like [https://www.kangyang-europe.com/product/pc-board-hardware/ass-10/ ASS-10]<br />
<br />
* '''Corsair 760T''' ([[User:mosst|mosst]])<br />
** Reasonably cheap.<br />
** Unusually tasteful aesthetics for a consumer/gaming case. Looks like something Aperture Science would come up with.<br />
** E-ATX boards fit, but the top-left and top-middle standoffs are missing, however this isn't much of a problem as the I/O panel helps hold the board in place.<br />
** Cable management may be difficult, as E-ATX boards cover most of the cable holes.<br />
<br />
=== Candidate Cases ===<br />
<br />
These cases claim E-ATX support and are planned to be used, or were considered, by someone.<br />
<br />
* '''Lian Li PC-V1000L''' ([[User:Robbieab|Robbieab]] ([[User talk:Robbieab|talk]]))<br />
** Similar price point to the Supermicros with high power PSU. <br />
** Very "Apple" brushed aluminium aesthetic. <br />
** Couldn't confirm E-ATX was fullsize.<br />
** Passed over in favour of the SuperMicro SC747TQ-R1400B<br />
<br />
<br />
== Power Supplies ==<br />
When planning to run with both CPU sockets populated, keep in mind that the power supply should also provide two 8-pin EPS connectors.<br />
<br />
* Seasonic PRIME 1300W<br />
* Seasonic PRIME Ultra 850W Gold<br />
* Seasonic PRIME Ultra 650W<br />
* Seasonic PRIME Ultra Titanium 1000W (SSR-1000TR)<br />
* FSP Group Twins ATX 1+1 Dual Module 700W 80 PLUS GOLD Hot Swappable Redundant Digital Power Supply ([[User:ebrasca|ebrasca]])<br />
** Customer reported good build quality and proper functionality<br />
* Corsair TX550M 80+ GOLD ([[User:MarcusC|MarcusC]])<br />
** 2nd EPS power cable sold separately<br />
* Corsair AX860 <br />
* EVGA SuperNova 1200P2 1200W Platinum([[User:mosst|mosst]])<br />
** Works well, but the included ATX power cables may be too short if your PSU is mounted on the bottom of the case.<br />
<br />
== Memory ==<br />
<br />
The criteria are basically "is it ECC, is it registered, is it NOT LRDIMM"<br />
<br />
From the manual:<br />
<br />
{| class="wikitable"<br />
|-<br />
|Total Slots<br />
|16 (4 channels per CPU)<br />
|-<br />
|Capacity<br />
|2TB maximum<br />
|-<br />
|Memory Type<br />
|DDR4 1600/1866/2133/2400/2666<br />
|-<br />
|Memory Features<br />
|ECC<br />
|-<br />
|Module Sizes<br />
|8GB, 16GB, 32GB, 64GB, 128GB (RDIMM)<br />
|-<br />
|}<br />
<br />
=== Tested Memory ===<br />
<br />
==== Good Memory ====<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Validation<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Source<br />
!Notes<br />
|-<br />
|Pacific Sun<br />
|X10723042S<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Hynix<br />
|HMA82GR7AFR8N-UH<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot e36ec63<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A1G40DB0-CPB<br />
|8GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|meklort<br />
|Requires [[Talos_II/Firmware|System Package v1.02]]<br />
|-<br />
|Kingston<br />
|KTH-PL424/16G<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PZ-2G3B1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G3D1<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot cc2d45a<br />
|Official<br />
|<br />
|-<br />
|Micron<br />
|MTA18ASF2G72PDZ-2G6D1<br />
|16GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|[[User:Smaeul|smaeul]]<br />
|<br />
|-<br />
|Micron<br />
|MTA36ASF4G72PZ-2G6D1<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 6ffaeb4<br />
|[[User:cyrozap|cyrozap]]<br />
|<br />
|-<br />
|Samsung<br />
|M393A4K40BB1-CRC<br />
|32GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A8K40B22-CWD<br />
|64GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 884b60b<br />
|Official<br />
|<br />
|-<br />
|Samsung<br />
|M393A2K40BB2-CTD<br />
|16GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 0c8fa110<br />
|meklort<br />
|Will run at 2400MT/s with [[Talos_II/Firmware|System Package v1.00]]<br />
|-<br />
|Samsung<br />
|M393A4K40BB2-CTD8Q<br />
|32GB<br />
|PC4-21333<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 28927a7<br />
|luke-jr<br />
|<br />
|-<br />
|Samsung<br />
|M393A2G40EB2-CTD<br />
|16GB <br />
|PC4-21300V-R<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|Hostboot 30dfd3b<br />
|JSharp<br />
|Tested extensively with [[Talos_II/Firmware|System Package v1.02]] but does boot on v1.00, Dual 8-Core POWER9, x8 DIMM Modules (RCS Recommended Slot Configuration)<br />
|-<br />
|Samsung<br />
|M393A4K40CB2-CTD6Q<br />
|32GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|hostboot-884b60b<br />
|kev009<br />
|8 DIMMs working well<br />
|-<br />
|Kingston<br />
|KVR24R17S8K4/32<br />
|8GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
| kit 4x 8GB, got 1 stick faulty, but 3x 8GB worked OK<br />
|-<br />
|Kingston<br />
|KVR24R17D8/16MA<br />
|16GB<br />
|PC4-19200<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|1.04, PNOR d286337d<br />
|sharkcz<br />
|<br />
|-<br />
|Crucial<br />
|CT4G4RFS8266<br />
|4GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|[[User:Robbieab|Robbieab]]<br />
|Purchased as the CT2K4G4RFS8266 8GB kit. Confirmed functional from the petitboot shell.<br />
|-<br />
|Crucial<br />
|CT8G4RFS8266<br />
|8GB<br />
|PC4-21300<br />
|Registered<br />
|Yes<br />
|<br />
|<br />
|<br />
|CT2K8G4RFS8266 16GB kit (8GBx2). DDR4 PC4-21300 • CL=19 • Single Ranked • x8 based • Registered • ECC • DDR4-2666 • 1.2V • 1024Meg x 72. Confirmed with a working Debian GNU and Devuan GNU+Linux installation.<br />
|-<br />
|Ventura (Samsung)<br />
|D4-62JA402SV-15<br />
|16GB<br />
|PC4-17000<br />
|Registered<br />
|Yes<br />
|POWER9 DD2.2<br />
|<br />
|mosst<br />
|<br />
|}<br />
<br />
==== Incompatible Memory ====<br />
<br />
NOTE: Memory may be removed from this table after firmware support has been added, or there may be a fundamental hardware incompatibility. If you have incompatible memory listed in the table below, you may want to bookmark and check this page from time to time to see if a firmware update has resolved the issue.<br />
<br />
{| class="wikitable sortable"<br />
!colspan="6"|Module<br />
!colspan="4"|Test Conditions<br />
|-<br />
!Manufacturer<br />
!Model<br />
!Size<br />
!Speed<br />
!Type<br />
!ECC<br />
!Stepping<br />
!Firmware<br />
!Last Test<br />
|-<br />
|Samsung<br />
|M386A8K40BMB-CRC<br />
|64GB<br />
|PC4-19200<br />
|Registered LRDIMM<br />
|Yes<br />
|POWER9 DD2.1<br />
|Hostboot 1e2221d<br />
|02/14/2018<br />
|-<br />
|}<br />
<br />
== SAS/SATA Storage Drives ==<br />
<br />
Connected via optional on-board [[PM8068]] controller, or via PCIe controller. NVMe cards are also [[#NVMe Storage Drives|supported]].<br />
<br />
Boards with onboard SAS have one Mini-SAS HD 4i (SFF-8643) port, and four standard SATA-III ports. Both support both SAS and SATA at the electrical level.<br />
<br />
Note: Microsemi Adaptec Series 8 RAID controllers [http://download.adaptec.com/pdfs/readme/microsemi_series-8-controller_readme_4_2018.pdf do not support ATAPI CD-ROM, DVD, or tape devices.]<br />
<br />
== PCIe Devices ==<br />
<br />
=== Storage Controllers ===<br />
<br />
* IOCrest SI-PEX40062 (Chipset: Marvell 88SE9235)<br />
* LSI 9300 SAS HBAs<br />
* [[PM8068]]-based SAS HBAs <br />
* Supermicro AOC-SLG3-4E2P 4-port OCuLink adapter<br />
<br />
=== NICs ===<br />
* Broadcom [[BCM5719]]<br />
* Chelsio T6225-SO-CR<br />
<br />
=== NVMe M.2 Adapters ===<br />
* [http://ableconn.com/products_2.php?gid=62 Ableconn PEXM2-SSD M.2 NGFF PCIe SSD to PCI Express 3.0 x4 Host Adapter Card (M.2 to PCIe adapter)]<br />
* [http://www.delock.com/produkte/G_89370/merkmale.html Delock PCI Express x4 Card > 1 x internal NVMe M.2 Key M 80 mm - Low Profile Form Factor]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=9SIA4RE5AU2769 JEYI SK4 M.2 NVMe(M Key) SSD to PCI-E 3.0 x4 Adapter Converter Card]<br />
* [https://www.newegg.com/Product/Product.aspx?Item=N82E16815124167 SYBA SI-PEX40110 M.2 PCI-e To PCI-e 3.0 x4]<br />
<br />
=== NVMe Storage Drives ===<br />
* Samsung 950 PRO (with M.2 to PCIe adapter)<br />
* Samsung 960 EVO / PRO (with M.2 to PCIe adapter)<br />
* Samsung 970 PRO (with M.2 to PCIe adapter)<br />
* Intel Optane 900P NVMe XPoint PCIe<br />
* Intel Optane 905P NVMe XPoint PCIe AIC<br />
* WD Black PCIe (with M.2 to PCIe adapter)<br />
* MyDigitalSSD BPX 480GB (with M.2 to PCIe adapter)<br />
<br />
=== Graphics Cards ===<br />
<br />
No display? Check out the [[Troubleshooting/GPU|GPU Troubleshooting]] page.<br />
<br />
==== AMD ====<br />
<br />
All AMD GPUs currently have DMA issues (limited to 32-bit, which can cause crashes) with the current Talos II firmware.<br />
This is expected to be fixed in future firmware updates.<br />
<br />
* AMD Radeon HD 5850 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7850 - Disabled onboard VGA. Using amdgpu is highly unstable, radeon driver is usable but has issues with only using 32-bit DMA.<br />
* AMD Radeon HD 7950 - Must disable onboard VGA first. Currently has issues with only using 32-bit DMA.<br />
* AMD Radeon R5 220<br />
* AMD Radeon R5 230 - Works in BE mode (use <code>Option "AccelMethod" "EXA"</code> for Xorg)<br />
* AMD Radeon R7 240<br />
* Radeon R9 290X<br />
* AMD Radeon Pro WX7100 (Polaris10 core) - Available pre-installed on Talos II workstation, server, and desktop configurations.<br />
* AMD Radeon Pro WX5100<br />
* AMD Radeon Pro WX4100 (Polaris11 core) - May need at least linux 4.16 in order to get Xorg to work.<br />
* AMD RX Vega 56 - Works with Debian Buster with amdgpu. Requires patches to work, somewhat unstable but usable. Cannot use AST Integrated VGA and AMDGPU at the same time without causing conflict. Not tested at this moment for use in petitboot or firmware. <br />
<br />
The core name is important when storing the firmware into the BOOTKERNFW partition in PNOR for use by skiroot.<br />
<br />
==== NVIDIA ====<br />
* NVIDIA Corporation G96 [GeForce 9500 GT] (rev a1) - Works in petitboot if onboard VGA is disabled. Currently has issues with only using 32-bit DMA. No firmware needed.<br />
<br />
=== Sound Cards ===<br />
<br />
* Creative Sound Blaster Audigy FX SB1570 PCIe 5.1 Sound Card<br />
* Creative Sound Blaster X-Fi Xtreme Fidelity PCIe Audio Sound Card (SB0880)<br />
* AMD Radeon HD 5850 and 7950 (HDMI audio)<br />
* [http://www.vantecusa.com/products_detail.php?p_id=156&p_name=+USB+Stereo+Audio+Adapter&pc_id=9&pc_name=Adapters&pt_id=3&pt_name=Audio+%2B++Video#tab-1 VANTEC NBA-120U (USB)]<br />
* [http://mackie.com/products/onyx-blackjack Mackie Onyx Blackjack (USB) Recording Interface]<br />
* RME HDSPe AIO (FreeBSD tested)<br />
<br />
=== USB controllers ===<br />
==== Working ====<br />
* Insignia USB 3.0 PCI-e NS-PCCUP53 V1.0 (NEC D720202 chipset)<br />
* Terminus Technology Inc. FE 2.1 7-port Hub<br />
<br />
==== non-working ====<br />
* AXAGON PCEU-43V - chipset Via VL805 - PCI id 1106/3483<br />
<br />
== CAPI Devices ==<br />
<br />
* Mellanox ConnectX-6 EN 200Gb/s Adapter Card<br />
<br />
== Serial Adapters for J7701 Header ==<br />
* [http://pinoutguide.com/Motherboard/rs232_header_pinout.shtml Pinout Details]<br />
=== DTK/INTEL (compatible) ===<br />
* CablesToGo 09480 (unverified)<br />
* Assmann Serial Slot Bracket AK-610300-003-E, sold under PremiumCord brand (used by [[User:Sharkcz|Sharkcz]])<br />
* E-ITX ACC3100[https://www.amazon.com/dp/B00DSTTDQW/] (tested by [[User:Bdragon|Bdragon]])<br />
<br />
=== AT/EVEREX (not compatible) ===<br />
* StarTech PLATE9M16<br />
* Gigabyte COM port</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1503Verifying DVDs2018-08-28T03:04:58Z<p>Peter Easton: /* Verifying The Disk */</p>
<hr />
<div>= Verification of Recovery and Software DVDs =<br />
<br />
Raptor Computing Systems signs their source DVD images with a publicly available Firmware Signing GPG key. Verification of DVD contents is strongly recommended to ensure you have received an authentic copy of the software and information contained thereon. Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. <br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to the recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, Raptor can generate one key that represents them and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping down the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
==The Process Explained==<br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since.<br />
<br />
In order to do it, you will need the following tools: <br />
* The ''isoinfo'' software package. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* The ''curl'' software application is highly recommended, but not essential. This utility is used to retrieve files from the Internet.<br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for maintaining the PGP Public Key Infrastructure. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer system that you can trust to verify the integrity of the Talos. This could range from a simple computer that you believe to be reasonably trustworthy, an X60 Thinkpad Laptop from 2005 running coreboot or an X200 Laptop running Libreboot, another Talos II, or an elaborate setup consisting of multiple trustworthy computers that are physically separate from each other, including one which may have been purchased from a randomly selected brick-and-mortar store anonymously, paid in cash, running its operating system from a LiveCD verified on multiple different computers and never connected to any network to perform the verification nor used prior to this point.<br />
* An Internet connection. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular and wifi antennas physically removed from the phone to prevent compromise of the phone's baseband.<br />
<br />
More information on GnuPG is available at the GnuPG Project Manual[https://www.gnupg.org/gph/en/manual.html].<br />
<br />
==The Steps Detailed==<br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain it with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@computer:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and only print the information we want with the following command.<br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@computer:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
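The copy procedure above as a script, added here as an example and not part of Raptor's documentation: it reads the block size and block count from the <code>isoinfo</code> output instead of having them typed by hand, refuses to overwrite an existing file, and checks that the copy is exactly block size times block count bytes long. The function names and the sample <code>isoinfo</code> text are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: derive the dd parameters from isoinfo and check the copy size.

# Constructed sample of `isoinfo -d -i /dev/sr0` output, for offline testing.
# "Volume set size" is included on purpose: it must not be mistaken for
# "Volume size".
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
System id: LINUX
Volume id: EXAMPLE_DISK
Volume set size is: 1
Volume set sequence number is: 1
Logical block size is: 2048
Volume size is: 4135453'

# Succeeds only for a positive decimal integer without leading zeros.
is_posint() {
    case $1 in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads isoinfo -d text on stdin and prints "<block size> <block count>".
# Fails if either value is missing or malformed.
parse_isoinfo() {
    pi_bs='' pi_count=''
    while IFS= read -r pi_line; do
        case $pi_line in
            "Logical block size is:"*) pi_bs=${pi_line##*:} ;;
            "Volume size is:"*)        pi_count=${pi_line##*:} ;;
        esac
    done
    # Drop padding and any carriage return left by the tool or a paste.
    pi_bs=$(printf '%s' "$pi_bs" | tr -d ' \t\r')
    pi_count=$(printf '%s' "$pi_count" | tr -d ' \t\r')
    is_posint "$pi_bs" && is_posint "$pi_count" || return 1
    printf '%s %s\n' "$pi_bs" "$pi_count"
}

# Prints the number of bytes a complete copy must contain.
expected_bytes() {
    echo $(( $1 * $2 ))
}

# Succeeds if file $1 is exactly $2 * $3 bytes long.
size_matches() {
    [ "$(( $(wc -c <"$1") ))" -eq "$(expected_bytes "$2" "$3")" ]
}

# copy_disc DEVICE OUTPUT: bit-exact copy of the disc with a size check.
copy_disc() {
    cd_dev=$1 cd_out=$2
    if [ ! -b "$cd_dev" ]; then
        echo "not a block device: $cd_dev" >&2; return 1
    fi
    if [ -e "$cd_out" ]; then
        echo "refusing to overwrite: $cd_out" >&2; return 1
    fi
    cd_params=$(isoinfo -d -i "$cd_dev" | parse_isoinfo) || return 1
    cd_bs=${cd_params% *} cd_count=${cd_params#* }
    dd if="$cd_dev" of="$cd_out" bs="$cd_bs" count="$cd_count" \
        status=progress || return 1
    # A short read (scratched disc, wrong device) shows up here, before
    # it shows up as a confusing "BAD signature".
    size_matches "$cd_out" "$cd_bs" "$cd_count"
}

# Usage: sh copy_disc.sh --copy /dev/sr0 "$HOME/raptordisk.iso"
if [ "${1:-}" = "--copy" ] && [ "$#" -eq 3 ]; then
    copy_disc "$2" "$3"
fi
```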
<br />
<br />
<br />
===Obtaining and Trusting the Umbrella Signer Public Key===<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive.<br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare the result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
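The fingerprint comparison described above, as an added example that is not part of Raptor's documentation: it reads the primary key fingerprint from GnuPG's machine-readable listing and compares all 40 characters against the raw string scanned from the letter. The sample listing and fingerprints are constructed, the function names are hypothetical, and <code>check_downloaded_key</code> assumes a GnuPG release that provides <code>--show-keys</code>, which lists a key file without importing it.<br />

```shell
#!/bin/sh
# Added example: compare a downloaded key against the fingerprint on the letter.

# Constructed sample of `gpg --show-keys --with-colons key.pub` output.
# Field 10 of each "fpr" record is the fingerprint of the preceding key.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1523836800:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1523836800::0000000000000000000000000000000000000000::Example Signer (constructed) <signer@example.invalid>::::::::::0:
sub:-:4096:1:3333222211110000:1523836800::::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:'

# Prints the fingerprint in canonical form (40 upper-case hex digits).
# Accepts the spaced form gpg prints and the raw form the QR code yields;
# rejects anything shorter, such as an 8- or 16-character key ID.
normalize_fpr() {
    nf=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    case $nf in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#nf}" -eq 40 ] || return 1
    printf '%s\n' "$nf"
}

# Reads a --with-colons listing on stdin and prints the primary key
# fingerprint. Fails unless the listing holds exactly one primary key, so a
# download that bundles an extra key is not silently accepted.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { n++; want = 1; next }
        want && $1 == "fpr" { fpr = $10; want = 0 }
        END { if (n != 1 || fpr == "") exit 1; print fpr }
    '
}

# fpr_matches LETTER_FINGERPRINT  (colon listing on stdin)
# Returns 0 on an exact match, 1 on a mismatch, 2 if either side is unusable.
fpr_matches() {
    fm_want=$(normalize_fpr "$1") || return 2
    fm_got=$(primary_fpr) || return 2
    fm_got=$(normalize_fpr "$fm_got") || return 2
    [ "$fm_want" = "$fm_got" ]
}

# check_downloaded_key KEYFILE LETTER_FINGERPRINT
# Inspects the key file without adding it to the keyring.
check_downloaded_key() {
    gpg --show-keys --with-colons "$1" | fpr_matches "$2"
}

# Usage: sh check_fpr.sh --check 0x337BF51F.pub "<40 characters from the letter>"
if [ "${1:-}" = "--check" ] && [ "$#" -eq 3 ]; then
    if check_downloaded_key "$2" "$3"; then
        echo "fingerprint matches the letter"
    else
        echo "DO NOT IMPORT: fingerprint mismatch or unusable input" >&2
        exit 1
    fi
fi
```

Only import the key file after this check succeeds, and take the fingerprint from the letter itself, not from a web page.<br />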
<br />
First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. Once the key no longer needs to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to validate its ownership, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. We can verify that the command worked using <code> gpg -k --with-fingerprint authentication@raptorcs.com</code> to check. <br />
<br />
<pre>pub rsa4096/9B2BF5BD337BF51F 2018-04-16 [SC]<br />
Key fingerprint = 9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [ultimate] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096/366FA0E6B8EE80D8 2018-04-16 [E]<br />
Key fingerprint = 83DA 26B4 FAC2 2215 832B 8894 366F A0E6 B8EE 80D8</pre><br />
Notice that next to UID, the <code>[ unknown]</code> marker has been replaced with <code>[ultimate]</code>. The computer now trusts this key and its owner to be valid to the point where it will consider ''any'' keys that this key has certified to be fully valid, that is, verified to belong to who they say they belong to, as long as this key itself is. <br />
<br />
<br />
===Retrieving the Detached Digital Signature===<br />
Retrieving the detached digital signature is simple, by either visiting the url shown below the QR code on the ''front'' of the Important Information letter, or by simply using <code>curl</code> to retrieve the detached digital signature file in the same manner the public key was retrieved. The command to do so should be similar to the following. Note that the version number of the command has been obscured. '''To determine the version of your recovery disk, look at the url on the letter.''' <br />
<br />
<pre> user@computer:~$ curl -O https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v████.iso.asc</pre><br />
<br />
This should download the detached signature file to your computer. <br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. Two options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a PGP key server, such as https://pgp.mit.edu, search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," should this be the real key, this key will immediately become fully valid thanks to Raptor's digital signature on it. We may then check this with the command <code>gpg -k EF283DDC --with-fingerprint</code> and look for the trust level, which should be indicated next to the symbol "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer has found the key to be authentic, as it has verified the chain of trust back to an ultimately trusted key that, in the previous steps, we verified to be provably unique and identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A failure for the key to validate may signify something benign, such as either obtaining the wrong key, or worse, a counterfeit. Note that Raptor maintains several keys: some are used for different projects, some are used for customer correspondence, and some are used for signing their [[Warrant Canary]], all of which should be signed by the Umbrella Signer. Ensure you have gotten the one that is used for signing the firmware. <br />
<br />
===Verifying The Disk===<br />
With the chain of trust intact and the detached digital signature and a bitwise copy of the disk image, you may now verify the digital signature on the recovery and firmware disk. This tutorial assumes that you have saved both the recovery disk and detached digital signature file into your home directory, and named the image of the disk "raptordisk.iso" and the detached signature file "talos_recovery_disk_v████.iso.asc"<br />
<br />
The command syntax to verify a detached signature file is: <code> gpg --verify [path-to-signature-file] [path-to-file-being-verified]</code>. For the purpose of this tutorial, the command is shown below with the version numbers hidden. Since the disk image itself will be as large as the recovery disk is (approximately 8.5GB) this command may take several minutes to complete, and will not display a progress indicator during this time. <br />
<br />
<pre><br />
user@computer:~$ gpg --verify talos_recovery_disk_v████.iso.asc raptordisk.iso<br />
gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [full]<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
If you see <code>Good signature</code>, congratulations. The chain of trust has been verified to an ultimately trusted key, which has been compared to a tracked and insured letter directly from Raptor. You may wish to further check the validity of the key in other ways, including asking other people you know and trust over an end-to-end authenticated and secure channel to attest to the key fingerprint of the Umbrella Signing Key. Your disk is verified to have come from Raptor, and not been modified since. <br />
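The same pass/fail decision can be taken from GnuPG's machine-readable status lines instead of reading the text by eye. This is an added example, not part of Raptor's documentation; the function name <code>verify_verdict</code> and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): decide pass/fail from the lines
# printed by `gpg --status-fd 1 --verify`, requiring a valid signature from
# the expected key AND full or ultimate validity of that key.

# Firmware signing key fingerprint as printed in the tutorial above.
FIRMWARE_FPR=D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC

# Constructed status output (not captured from a real run).
STATUS_FULL='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-06-19 1529445904 0 4 0 1 8 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
[GNUPG:] TRUST_FULLY 0 pgp'
# Same signature, but the key is only marginally valid in the local keyring.
STATUS_MARGINAL=$(printf '%s\n' "$STATUS_FULL" | sed 's/TRUST_FULLY/TRUST_MARGINAL/')
# The image does not match the signature.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>'

# usage: verify_verdict EXPECTED_PRIMARY_FINGERPRINT < status-lines
# Prints OK, BAD, NO_SINGLE_VALIDSIG, WRONG_KEY or UNTRUSTED.
# The exit status is 0 only for OK.
verify_verdict() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG carries the primary key fingerprint as its last argument.
        $2 == "VALIDSIG" { nvalid++; if ($12 != want) wrong = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad)         { print "BAD";                exit 1 }
            if (nvalid != 1) { print "NO_SINGLE_VALIDSIG"; exit 1 }
            if (wrong)       { print "WRONG_KEY";          exit 1 }
            if (!trusted)    { print "UNTRUSTED";          exit 1 }
            print "OK"
        }'
}

# Typical use against the real files (commented out so the example runs offline;
# SIGNATURE.asc stands for the signature file named on your letter):
#   gpg --status-fd 1 --verify SIGNATURE.asc raptordisk.iso 2>/dev/null \
#       | verify_verdict "$FIRMWARE_FPR"

for sample in "$STATUS_FULL" "$STATUS_MARGINAL" "$STATUS_BAD"; do
    printf '%s\n' "$sample" | verify_verdict "$FIRMWARE_FPR" || true
done
```

A result of <code>UNTRUSTED</code> means the signature is mathematically good but the chain of trust to the Umbrella key has not been established on this machine.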
<br />
==Troubleshooting==<br />
If you get a <code>Bad Signature</code> warning, this may signify that the disk is no longer in the original condition that Raptor sent it in (and could represent the work of tampering or damage) or may be the result of much more benign causes, such as selecting the wrong file for validation, or the disk not having been copied properly (a single flipped or extra bit will cause the validation to fail). If you get a Bad Signature error, ensure you have checked the commands properly and copied the disk properly using dd with the exact block size and count according to the disk properties. This is the most common cause of false positives.<br />
<br />
Prior to sounding an alarm, ensure the following conditions are met:<br />
* You have obtained the correct block size for the disk and that the disk was copied with the correct block size and count. <br />
* You have obtained the Firmware signing key, instead of a correspondence key or Canary signing key. <br />
* That the digital signature file is correct to the version of the disk you were supplied with. (Check the letter to be sure)<br />
* That the full 40-character fingerprint matches the one obtained.<br />
* The chain of trust is valid. Only the Umbrella signing key needs to be verified via the QR Code. All keys underneath it should validate automatically from being certified by the Umbrella key. <br />
<br />
If you continue to experience issues, contact the IRC channel on Freenode. The name of the IRC channel on the Freenode IRC network is listed on the bottom of the letter. As Freenode has been under attack by spam lately, you may be required to register your nickname on Freenode with an E-mail address as part of an antispam measure.<br />
<br />
=Quick Verification Guide for Advanced Users=<br />
This section contains a quick reference guide for the commands, and omits the rationale and theory. <br />
<br />
'''Please note that this section is in progress and is incomplete.'''<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1502Verifying DVDs2018-08-28T02:57:59Z<p>Peter Easton: /* The Process Explained */</p>
<hr />
<div>= Verification of Recovery and Software DVDs =<br />
<br />
Raptor Computing Systems signs their source DVD images with a publicly available Firmware Signing GPG key. Verification of DVD contents is strongly recommended to ensure you have received an authentic copy of the software and information contained thereon. Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. <br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will yield the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
==The Process Explained==<br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only work if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since.<br />
<br />
In order to do it, you will need the following tools: <br />
* The ''isoinfo'' software package. This is a handy little utility which will print the information about a CD that you will need in order to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* The ''curl'' software application is highly recommended, but not essential. This utility is used to retrieve files from the Internet. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for maintaining the PGP Public Key Infrastructure. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer system that you can trust to verify the integrity of the Talos. This could range from a simple computer that you believe to be reasonably trustworthy, an X60 Thinkpad Laptop from 2005 running coreboot or an X200 Laptop running Libreboot, another Talos II, or an elaborate setup consisting of multiple trustworthy computers that are physically separate from each other, including one which may have been purchased from a randomly selected brick-and-mortar store anonymously, paid in cash, running its operating system from a LiveCD verified on multiple different computers and never connected to any network to perform the verification nor used prior to this point.<br />
* An Internet connection. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular and wifi antennas physically removed from the phone to prevent compromise of the phone's baseband.<br />
<br />
More information on GnuPG is available at the GnuPG Project Manual[https://www.gnupg.org/gph/en/manual.html].<br />
<br />
==The Steps Detailed==<br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@computer:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become parameters that we will then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and only print the information we want with the following command. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@computer:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code>The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
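The size check behind this step, as an added example that is not part of Raptor's documentation: it parses the two <code>isoinfo</code> lines and confirms that the copied image is exactly block size times volume size bytes long before any signature check is attempted. The function names and the sample <code>isoinfo</code> output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): derive the dd parameters from
# `isoinfo -d` output and confirm the copy has exactly the expected length.

# Constructed sample of `isoinfo -d -i /dev/sr0` output, using the example
# values shown above. Your disc will report its own numbers.
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
Volume set size is: 1
Volume set sequence number is: 1
Logical block size is: 2048
Volume size is: 4135453'

# Read `isoinfo -d` output on stdin and print "BLOCK_SIZE VOLUME_BLOCKS".
# Fails if either value is missing or is not a plain number.
# "Volume set size" is a different field and must not be picked up.
iso_geometry() {
    awk -F': *' '
        /^Logical block size is:/ { gsub(/[ \t\r]/, "", $2); bs = $2 }
        /^Volume size is:/        { gsub(/[ \t\r]/, "", $2); n  = $2 }
        END {
            if (bs !~ /^[0-9]+$/ || n !~ /^[0-9]+$/) exit 1
            print bs, n
        }'
}

# Length in bytes that a complete copy must have.
expected_bytes() {
    echo $(( $1 * $2 ))
}

# usage: image_size_ok FILE BLOCK_SIZE VOLUME_BLOCKS
# Succeeds only if FILE is exactly BLOCK_SIZE * VOLUME_BLOCKS bytes long.
image_size_ok() {
    iso_actual=$(wc -c < "$1" | tr -d ' ')
    [ "$iso_actual" -eq "$(expected_bytes "$2" "$3")" ]
}

# Typical use against a real disc (commented out so the example runs offline):
#   set -- $(isoinfo -d -i /dev/sr0 | iso_geometry)
#   dd if=/dev/sr0 of="$HOME/raptordisk.iso" bs="$1" count="$2" status=progress
#   image_size_ok "$HOME/raptordisk.iso" "$1" "$2" || echo "size mismatch: copy again"

geometry=$(printf '%s\n' "$SAMPLE_ISOINFO" | iso_geometry)
echo "bs and count for dd: $geometry"
```

A short or over-long copy fails this check immediately, which saves a multi-minute <code>gpg --verify</code> run that could only end in a bad signature.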
<br />
<br />
<br />
===Obtaining and Trusting the Umbrella Signer Public Key===<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare this result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
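One way to make this comparison mechanical, as an added example that is not part of Raptor's documentation: the scanned text (40 hex digits without spaces) is normalised and compared against the primary-key fingerprint in GnuPG's colon-format listing, ignoring subkey fingerprints. The function names, the file name <code>umbrella.pub</code> and the sample listing are constructed for illustration, and the commented usage assumes a GnuPG version that provides <code>--show-keys</code>.

```shell
#!/bin/sh
# Added example (not from the original page): compare a QR-scanned fingerprint
# with the primary-key fingerprint of a downloaded key before importing it.

# Constructed, trimmed sample of `gpg --show-keys --with-colons` output.
# The two fingerprints are the ones printed in this tutorial.
SAMPLE_LISTING='pub:-:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC::::::23::0:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:-::::1523836800::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>::::::::::0:
sub:-:4096:1:366FA0E6B8EE80D8:1523836800::::::e::::::23:
fpr:::::::::83DA26B4FAC22215832B8894366FA0E6B8EE80D8:'

# Remove spaces, colons and line breaks, and upper-case the hex digits, so
# that "9c2a 6e8f ..." and "9C2A6E8F..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Read a colon-format listing on stdin and print the fingerprint of the
# primary key: the "fpr" record that follows "pub", not the one after "sub".
# Fails unless the listing holds exactly one primary key.
primary_fpr() {
    awk -F: '
        $1 == "pub" { npub++; want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END { if (npub == 1 && fpr != "") print fpr; else exit 1 }'
}

# usage: fpr_matches EXPECTED_FINGERPRINT < colon-listing
# Exit status 0 on an exact match, 1 on mismatch, 2 if EXPECTED is not a full
# 40-hex-digit fingerprint (short and long key IDs are rejected).
fpr_matches() {
    fm_expected=$(normalize_fpr "$1")
    [ "${#fm_expected}" -eq 40 ] || return 2
    case "$fm_expected" in *[!0-9A-F]*) return 2 ;; esac
    fm_found=$(primary_fpr) || return 1
    [ "$fm_found" = "$fm_expected" ]
}

# Typical use (commented out so the example runs offline; QR_TEXT holds the
# text scanned from the letter):
#   curl -o umbrella.pub https://www.raptorcs.com/keys/gpg/0x337BF51F.pub
#   gpg --show-keys --with-colons umbrella.pub | fpr_matches "$QR_TEXT" \
#       && gpg --import umbrella.pub

if printf '%s\n' "$SAMPLE_LISTING" \
        | fpr_matches "9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F"; then
    echo "fingerprint matches"
else
    echo "MISMATCH: do not import this key"
fi
```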
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
<br />
First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. After the key is no longer needed to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to validate its ownership, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. We can verify that the command worked using <code> gpg -k --with-fingerprint authentication@raptorcs.com</code> to check. <br />
<br />
<pre>pub rsa4096/9B2BF5BD337BF51F 2018-04-16 [SC]<br />
Key fingerprint = 9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [ultimate] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096/366FA0E6B8EE80D8 2018-04-16 [E]<br />
Key fingerprint = 83DA 26B4 FAC2 2215 832B 8894 366F A0E6 B8EE 80D8</pre><br />
Notice that next to the UID, the <code>[ unknown]</code> marker has been replaced with <code>[ultimate]</code>. The computer now trusts this key and its owner to the point where it will consider ''any'' key that this key has certified to be fully valid, that is, verified to belong to whoever it claims to belong to, as long as this key itself is valid. <br />
<br />
<br />
===Retrieving the Detached Digital Signature===<br />
Retrieve the detached digital signature either by visiting the url shown below the QR code on the ''front'' of the Important Information letter, or by using <code>curl</code> in the same manner the public key was retrieved. The command to do so should be similar to the following; the <code>-O</code> option tells curl to save the file under its remote name instead of printing it to the terminal. Note that the version number in the command has been obscured. '''To determine the version of your recovery disk, look at the url on the letter.''' <br />
<br />
<pre> user@computer:~$ curl -O https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v████.iso.asc</pre><br />
<br />
This should download the detached signature file to your computer. <br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. The following options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a PGP key server, such as https://pgp.mit.edu, search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," this key, should it be the real one, will immediately become fully valid thanks to Raptor's digital signature on it. We may check this with the command <code>gpg -k EF283DDC --with-fingerprint</code>, looking for the trust level, which should be indicated in brackets next to "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer considers the key authentic, because it has verified the chain of trust back to an ultimately trusted key that, in the previous steps, we verified to be provably unique and identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A failure of the key to validate may signify something benign, such as having obtained the wrong key, or something worse, such as a counterfeit. Note that Raptor maintains several keys: some are used for different projects, some are used for customer correspondence, and some are used for signing their [[Warrant Canary]], all of which should be signed by the Umbrella Signer. Ensure you have gotten the one that is used for signing the firmware. <br />
<br />
===Verifying The Disk===<br />
With the chain of trust intact, and with the detached digital signature and a bitwise copy of the disk image in hand, you may now verify the digital signature on the recovery and firmware disk. This tutorial assumes that you have saved both the recovery disk and detached digital signature file into your home directory, and named the image of the disk "raptordisk.iso" and the detached signature file "talos_recovery_disk_v████.iso.asc".<br />
<br />
The command syntax to verify a detached signature file is: <code> gpg --verify [path-to-signature-file] [path-to-file-being-verified]</code>. For the purpose of this tutorial, the command is shown below with the version numbers hidden. Since the disk image itself will be as large as the recovery disk is (approximately 8.5GB) this command may take several minutes to complete, and will not display a progress indicator during this time. <br />
<br />
<pre><br />
user@computer:~$ gpg --verify talos_recovery_disk_v████.iso.asc raptordisk.iso<br />
gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [full]<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
If you see <code>Good signature</code>, congratulations. The chain of trust has been verified to an ultimately trusted key, which has been compared to a tracked and insured letter directly from Raptor. You may wish to further check the validity of the key in other ways, including asking other people you know and trust over an end-to-end authenticated and secure channel to attest to the key fingerprint of the Umbrella Signing Key. Your disk is verified to have come from Raptor, and not to have been modified since. <br />
<br />
'''Heads Up!''' If you get a <code>Bad Signature</code> warning, this may signify that the disk is no longer in the original condition that Raptor sent it in (and could represent the work of tampering or damage), or it may result from much more benign causes, such as selecting the wrong file for validation, or the disk not having been copied properly (a single flipped or extra bit will cause the validation to fail). If you get a Bad Signature error, ensure you have checked the commands properly and copied the disk properly using dd with the exact block size and count according to the disk properties. This is the most common cause of false positives.<br />
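<br />
The two things checked by eye above (a good signature, and a firmware key whose validity is <code>[full]</code>) can also be read from GnuPG's machine-readable status lines. This is an added example, not part of the original guide or Raptor's tooling: the function names, verdict words and sample status lines are constructed here, and it assumes the file carries a single signature.<br />

```shell
#!/bin/sh
# Added example: turn the "[GNUPG:]" status lines of a verify run into one
# verdict word. Real use, with the file names from the tutorial:
#   gpg --status-fd 1 --verify <signature-file> raptordisk.iso 2>/dev/null \
#       | check_status "$FIRMWARE_FPR"

# Firmware signing key fingerprint as shown in the tutorial's gpg output.
FIRMWARE_FPR="D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC"

# check_status EXPECTED_FPR   (status lines on stdin)
# Prints a verdict and returns 0 only for "ok".
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "ERRSIG"    { err = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "GOODSIG"   { good = 1 }
        # VALIDSIG ends with the fingerprint of the primary key.
        $2 == "VALIDSIG"  { primary = toupper($NF) }
        # The tutorial accepts only [full] for the firmware key, so marginal,
        # undefined and ultimate are all treated as "stop".
        $2 == "TRUST_FULLY" { full = 1 }
        END {
            if (bad)                          v = "bad-signature"
            else if (nokey)                   v = "missing-key"
            else if (err)                     v = "cannot-check"
            else if (stale)                   v = "expired-or-revoked"
            else if (!good || primary == "")  v = "no-signature"
            else if (primary != toupper(want)) v = "wrong-key"
            else if (!full)                   v = "key-not-fully-valid"
            else                              v = "ok"
            print v
            exit(v == "ok" ? 0 : 1)
        }'
}

# --- Constructed sample input (not captured from a real session) ---------

# sample_run FPR TRUST_KEYWORD: a good signature made by primary key FPR.
sample_run() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Constructed User ID <user@example.invalid>\n' \
        "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2018-06-19 1529445904 0 4 0 1 8 00 %s\n' "$1" "$1"
    printf '[GNUPG:] %s 0 pgp\n' "$2"
}

# The "missing key" situation from the Retrieving The Firmware Signing Key step.
sample_missing_key() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] ERRSIG 101A7EF8EF283DDC 1 8 00 1529445904 9\n'
    printf '[GNUPG:] NO_PUBKEY 101A7EF8EF283DDC\n'
}

# Demonstration over the constructed samples.
for level in TRUST_FULLY TRUST_MARGINAL TRUST_UNDEFINED; do
    printf '%-16s -> %s\n' "$level" \
        "$(sample_run "$FIRMWARE_FPR" "$level" | check_status "$FIRMWARE_FPR")"
done
printf '%-16s -> %s\n' "no public key" \
    "$(sample_missing_key | check_status "$FIRMWARE_FPR")"
```

A run that ends in <code>Good signature</code> but with <code>[marginal]</code> validity yields <code>key-not-fully-valid</code> here, which is the case the WARNING above tells you to stop on.<br />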
<br />
<br />
<br />
=Quick Verification Guide for Advanced Users=<br />
This section contains a quick reference guide for the commands, and omits the rationale and theory. <br />
<br />
'''Please note that this section is in progress and is incomplete.'''<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre></div>
Peter Easton
https://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1501
Verifying DVDs
2018-08-28T02:48:45Z
<p>Peter Easton: </p>
<hr />
<div>= Verification of Recovery and Software DVDs =<br />
<br />
Raptor Computing Systems signs their source DVD images with a publicly available Firmware Signing GPG key. Verification of DVD contents is strongly recommended to ensure you have received an authentic copy of the software and information contained thereon. Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. <br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored;<br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter.<br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
==The Process Explained==<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD image that you will need in order to copy the disk in exactly the condition in which it was burned. isoinfo is available through the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" (<code>dd</code>) to do it, after finding out the necessary information about the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
==The Steps Detailed==<br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@computer:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command.<br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@computer:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly uses two parameters: the input file, specified by "if", and the output file, specified by "of". It copies bitwise from the input file to the output file, subject to any further parameters we set, such as the block size and the volume size. We will set the parameters as follows:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code>The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. The output path is written with <code>$HOME</code> because the shell does not expand <code>~</code> inside double quotes. This will produce an exact clone of the disk in your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
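<br />
Because a wrong block size or count is the usual reason a good disk fails verification, the two numbers can be taken from the <code>isoinfo</code> output by a script instead of retyped, and the finished image checked against them. This is an added example, not part of the original guide: the function names are made up here, and the sample <code>isoinfo</code> lines are the example values shown above, which will differ for your disk.<br />

```shell
#!/bin/sh
# Added example: derive the dd parameters from `isoinfo -d` output and check
# that a copied image has exactly block-size * volume-size bytes.
# Real use:
#   isoinfo -d -i /dev/sr0 | dd_command /dev/sr0 "$HOME/raptordisk.iso"
#   isoinfo -d -i /dev/sr0 | image_size_check "$HOME/raptordisk.iso"

# iso_geometry: isoinfo -d output on stdin -> "BLOCKSIZE BLOCKS" on stdout.
# Fails if either value is missing or not a plain number.
iso_geometry() {
    awk '
        /^Logical block size is:/ { bs = $NF }
        /^Volume size is:/        { n  = $NF }
        END {
            if (bs !~ /^[0-9]+$/ || n !~ /^[0-9]+$/) exit 1
            print bs, n
        }'
}

# expected_bytes: isoinfo -d output on stdin -> size the image must have.
expected_bytes() {
    geo=$(iso_geometry) || return 2
    echo $(( ${geo% *} * ${geo#* } ))
}

# dd_command DEVICE IMAGE: print (do not run) the dd line for this disk, so
# it can be read over before anything is written.
dd_command() {
    geo=$(iso_geometry) || { echo "no-geometry"; return 2; }
    printf 'dd if=%s of=%s bs=%s count=%s status=progress\n' \
        "$1" "$2" "${geo% *}" "${geo#* }"
}

# image_size_check IMAGE: compare the file size with the expected size.
# A matching size does not replace gpg --verify; a mismatch explains a
# failed verification before tampering needs to be suspected.
image_size_check() {
    [ -f "$1" ] || { echo "no-image"; return 2; }
    want=$(expected_bytes) || { echo "no-geometry"; return 2; }
    have=$(wc -c < "$1" | tr -d ' ')
    if [ "$have" -eq "$want" ]; then
        echo "size-ok"
    else
        echo "size-mismatch want=$want have=$have"
        return 1
    fi
}

# The two lines of example output shown in the tutorial above.
sample_isoinfo() {
    printf 'Logical block size is: 2048\n'
    printf 'Volume size is: 4135453\n'
}

# Demonstration: print the command and the byte count for the example values.
sample_isoinfo | dd_command /dev/sr0 "$HOME/raptordisk.iso"
printf 'expected image size: %s bytes\n' "$(sample_isoinfo | expected_bytes)"
```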
<br />
<br />
<br />
===Obtaining and Trusting the Umbrella Signer Public Key===<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare the result displayed on your computer to the 40-character key fingerprint you obtained by scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
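<br />
The exact-match comparison described above can be done by a script rather than by eye, since the QR code gives 40 characters without spaces while GnuPG prints them in groups of four. This is an added example, not part of the original guide: the function names and the sample key listing are constructed here, using the fingerprints shown elsewhere on this page, and the listing is the colon format printed by <code>gpg --show-keys --with-colons</code> on a downloaded key file.<br />

```shell
#!/bin/sh
# Added example: compare a scanned fingerprint with the primary key
# fingerprint in a key file before importing it.
# Real use (key saved to a file first, not piped straight into gpg --import):
#   gpg --show-keys --with-colons umbrella.pub | fpr_matches "$SCANNED" \
#       && gpg --import umbrella.pub

# normalize_fpr TEXT: strip whitespace, upper-case, and insist on exactly
# 40 hexadecimal characters. A short or long key ID is rejected, because
# only the full fingerprint is printed on the letter.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF')
    case $f in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# fpr_matches SCANNED   (colon-format key listing on stdin)
# Prints a verdict and returns 0 only for "match". A file holding more than
# one primary key is refused, so nothing extra rides along into the keyring.
fpr_matches() {
    want=$(normalize_fpr "$1") || { echo "malformed-fingerprint"; return 2; }
    awk -F: -v want="$want" '
        $1 == "pub" { keys++; expect = 1; next }
        $1 == "sub" { expect = 0 }
        # The fpr record right after pub carries the primary fingerprint
        # in field 10; the one after sub belongs to the subkey.
        $1 == "fpr" && expect { got = toupper($10); expect = 0 }
        END {
            if (keys == 0)        v = "no-key"
            else if (keys > 1)    v = "multiple-keys"
            else if (got == want) v = "match"
            else                  v = "MISMATCH"
            print v
            exit(v == "match" ? 0 : 1)
        }'
}

# Constructed listing (fields abbreviated) for the Umbrella Signer key.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:-::::1523836800::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>:
sub:-:4096:1:366FA0E6B8EE80D8:1523836800::::::e:
fpr:::::::::83DA26B4FAC22215832B8894366FA0E6B8EE80D8:
EOF
}

# Constructed listing of a key file that carries a second, unrelated key.
sample_two_keys() {
    sample_listing
    printf 'pub:-:4096:1:AAAAAAAAAAAAAAAA:1523836800:::-:::scESC:\n'
    printf 'fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:\n'
}

# Demonstration: the QR code's raw form and gpg's spaced form both match.
for scanned in "9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F" \
               "9c2a 6e8f aea7 ee92 1efd 4891 9b2b f5bd 337b f51f" \
               "9B2BF5BD337BF51F"; do
    printf '%-50s -> %s\n' "$scanned" "$(sample_listing | fpr_matches "$scanned")"
done
```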
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. After the key is no longer needed to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
First, we will edit the key with: <br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to certify this key, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. We can verify that the command worked using <code> gpg -k --with-fingerprint authentication@raptorcs.com</code> to check. <br />
<br />
<pre>pub rsa4096/9B2BF5BD337BF51F 2018-04-16 [SC]<br />
Key fingerprint = 9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [ultimate] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096/366FA0E6B8EE80D8 2018-04-16 [E]<br />
Key fingerprint = 83DA 26B4 FAC2 2215 832B 8894 366F A0E6 B8EE 80D8</pre><br />
Notice that next to the UID, the <code>[ unknown]</code> marker has been replaced with <code>[ultimate]</code>. The computer now trusts this key and its owner to the point where it will consider ''any'' key that this key has certified to be fully valid, that is, verified to belong to whoever it claims to belong to, as long as this key itself is valid. <br />
<br />
<br />
===Retrieving the Detached Digital Signature===<br />
Retrieve the detached digital signature either by visiting the url shown below the QR code on the ''front'' of the Important Information letter, or by using <code>curl</code> in the same manner the public key was retrieved. The command to do so should be similar to the following; the <code>-O</code> option tells curl to save the file under its remote name instead of printing it to the terminal. Note that the version number in the command has been obscured. '''To determine the version of your recovery disk, look at the url on the letter.''' <br />
<br />
<pre> user@computer:~$ curl -O https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v████.iso.asc</pre><br />
<br />
This should download the detached signature file to your computer. <br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. Two options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a server in the PGP Key Server pool, such as https://pgp.mit.edu, and search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," this key, should it be the real key, will immediately become fully valid thanks to Raptor's digital signature on it. We may then check this with the command <code>gpg -k EF283DDC --with-fingerprint</code> and look for the trust level, which should be indicated next to the symbol "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer has found the key to be authentic, as it has verified the chain of trust back to an ultimately trusted key that, in the previous steps, we verified to be provably unique and identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A failure of the key to validate may signify something benign, such as obtaining the wrong key, or something worse, such as a counterfeit. Note that Raptor maintains several keys: some are used for different projects, some are used for customer correspondence, and some are used for signing their [[Warrant Canary]], all of which should be signed by the Umbrella Signer. Ensure you have gotten the one that is used for signing the firmware. <br />
<br />
===Verifying The Disk===<br />
With the chain of trust intact, and with the detached digital signature and a bitwise copy of the disk image in hand, you may now verify the digital signature on the recovery and firmware disk. This tutorial assumes that you have saved both the recovery disk and detached digital signature file into your home directory, and named the image of the disk "raptordisk.iso" and the detached signature file "talos_recovery_disk_v████.iso.asc".<br />
<br />
The command syntax to verify a detached signature file is: <code> gpg --verify [path-to-signature-file] [path-to-file-being-verified]</code>. For the purpose of this tutorial, the command is shown below with the version numbers hidden. Since the disk image itself will be as large as the recovery disk is (approximately 8.5GB) this command may take several minutes to complete, and will not display a progress indicator during this time. <br />
<br />
<pre><br />
user@computer:~$ gpg --verify talos_recovery_disk_v████.iso.asc raptordisk.iso<br />
gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [full]<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
If you see <code>Good signature</code>, congratulations. The chain of trust has been verified to an ultimately trusted key, which has been compared to a tracked and insured letter directly from Raptor. You may wish to further check the validity of the key in other ways, including asking other people you know and trust over an end-to-end authenticated and secure channel to attest to the key fingerprint of the Umbrella Signing Key. Your disk is verified to have come from Raptor, and not been modified since. <br />
<br />
'''Heads Up!''' If you get a <code>Bad Signature</code> warning, this may signify that the disk is no longer in the original condition that Raptor sent it in (which could be the result of tampering or damage), or it may result from much more benign causes, such as selecting the wrong file for validation, or the disk not having been copied properly (a single flipped or extra bit will cause the validation to fail). If you get a Bad Signature error, ensure you have checked the commands properly and copied the disk properly using dd with the exact block size and count according to the disk properties. This is the most common cause of false positives.<br />
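<br />
The checks described in this section can be made mechanical by having GnuPG emit machine-readable status lines instead of reading the bracketed label by eye. This is an added example, not part of the original guide or of Raptor's tooling: the function names <code>verdict</code> and <code>verify_disk</code> are hypothetical and the sample status lines are constructed. It accepts a signature only when it is good, made by the expected primary key, and that key is fully or ultimately valid.<br />

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Raptor's tooling.

# Read `gpg --status-fd 1 --verify SIG FILE` output on stdin and print a verdict.
# $1 = expected primary key fingerprint (spaces allowed).
# Exit status is 0 only for "trusted".
verdict() (
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { primary = (NF >= 12) ? $12 : $3 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad)                            v = "bad-signature"
            else if (nokey)                     v = "missing-key"
            else if (good != 1 || stale)        v = "no-single-good-signature"
            else if ((primary "") != (want "")) v = "wrong-signer"
            else if (!trusted)                  v = "untrusted-key"
            else                                v = "trusted"
            print v
            exit (v == "trusted" ? 0 : 1)
        }'
)

# Run the real verification; human-readable messages on stderr are discarded.
# $1 = detached signature, $2 = disk image, $3 = expected primary fingerprint.
verify_disk() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | verdict "$3"
}

# Firmware signing key fingerprint as shown on this page.
SIGNER_FPR="D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC"

# Constructed status output for the cases the guide distinguishes.
STATUS_FULL='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-06-19 1529445904 0 4 0 1 8 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
[GNUPG:] TRUST_FULLY 0 pgp'
STATUS_MARGINAL=$(printf '%s\n' "$STATUS_FULL" | sed 's/TRUST_FULLY/TRUST_MARGINAL/')
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>'
STATUS_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 101A7EF8EF283DDC 1 8 00 1529445904 9 -
[GNUPG:] NO_PUBKEY 101A7EF8EF283DDC'

# Demo on the constructed samples; one verdict per line.
for sample in "$STATUS_FULL" "$STATUS_MARGINAL" "$STATUS_BAD" "$STATUS_NOKEY"; do
    printf '%s\n' "$sample" | verdict "$SIGNER_FPR" || true
done
```

A good signature from a key that is only marginally valid is reported as <code>untrusted-key</code>, so a script built on this stops at the same point the warning above tells a person to stop.<br />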
<br />
<br />
<br />
=Quick Verification Guide for Advanced Users=<br />
This section contains a quick reference guide for the commands, and omits the rationale and theory. <br />
<br />
'''Please note that this section is in progress and is incomplete.'''<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1500Verifying DVDs2018-08-28T02:34:55Z<p>Peter Easton: /* Verifying The Disk */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need in order to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we will then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as follows:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
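<br />
The copy procedure above, with the two numbers read from <code>isoinfo</code> rather than retyped, and a size check on the result before any signature is verified. This is an added example, not part of the original guide: the function names are hypothetical and the sample <code>isoinfo</code> text is constructed from the example values on this page.<br />

```shell
#!/bin/sh
# Added example: hypothetical helpers for the copy step.

# Print "<block size> <volume size>" parsed from `isoinfo -d` output on stdin.
# Fails if either field is missing or is not a plain decimal number.
iso_geometry() {
    awk -F': *' '
        /^Logical block size is:/ { bs = $2; sub(/[ \t\r]+$/, "", bs) }
        /^Volume size is:/        { vs = $2; sub(/[ \t\r]+$/, "", vs) }
        END {
            if (bs !~ /^[0-9]+$/ || vs !~ /^[0-9]+$/) exit 1
            print bs, vs
        }'
}

# Print the byte length the image must have: block size x volume size.
expected_bytes() {
    echo $(( $1 * $2 ))
}

# Print (not run) the dd command so it can be reviewed before it touches a disk.
# $1 = input device, $2 = output file, $3 = block size, $4 = volume size.
dd_command() {
    printf 'dd if=%s of=%s bs=%s count=%s status=progress\n' "$1" "$2" "$3" "$4"
}

# Exit 0 only if the image is exactly block size x volume size bytes long.
# A short or long copy is the benign cause of a failed verification.
# $1 = image file, $2 = block size, $3 = volume size.
image_size_ok() (
    [ -f "$1" ] || exit 1
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$actual" = "$(expected_bytes "$2" "$3")" ]
)

# Constructed sample of `isoinfo -d -i /dev/sr0` output (values from this page).
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
Volume id: CONSTRUCTED_SAMPLE
Logical block size is: 2048
Volume size is: 4135453'

# Demo on the constructed sample: show the command and the expected image size.
set -- $(printf '%s\n' "$SAMPLE_ISOINFO" | iso_geometry)
dd_command /dev/sr0 "$HOME/raptordisk.iso" "$1" "$2"
echo "expected image size: $(expected_bytes "$1" "$2") bytes"

# On the trusted machine (commented out: needs the disc in the drive):
#   set -- $(isoinfo -d -i /dev/sr0 | iso_geometry)
#   dd if=/dev/sr0 of="$HOME/raptordisk.iso" bs="$1" count="$2" status=progress
#   image_size_ok "$HOME/raptordisk.iso" "$1" "$2" && echo "size matches"
```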
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to the recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing System's logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint used to uniquely identify the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining and Trusting the Umbrella Signer Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare this result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
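<br />
The comparison described above, done mechanically on the downloaded key file before it is imported. This is an added example, not part of the original guide: the function names are hypothetical, the listings are constructed samples in GnuPG's colon format (the second is a made-up key that shares only the short ID <code>337BF51F</code>), and the commented usage assumes a GnuPG version that offers <code>--show-keys</code>.<br />

```shell
#!/bin/sh
# Added example: hypothetical helpers for the fingerprint comparison.

# Strip spaces and colons and upper-case a fingerprint, as scanned or as printed by gpg.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n:' | tr 'a-f' 'A-F'
}

# True only for exactly 40 hexadecimal digits (a full fingerprint, not a key ID).
is_full_fpr() {
    case $1 in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print the fingerprint of every primary key in a --with-colons listing (stdin).
# The fpr record that follows a pub record carries the fingerprint in field 10.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = fingerprint from the letter; stdin = colon listing of the downloaded file.
# Exit 0 only if the file holds exactly one primary key and it is that key.
key_matches_letter() (
    expected=$(normalize_fpr "$1")
    is_full_fpr "$expected" || { echo "need the full 40-digit fingerprint" >&2; exit 2; }
    found=$(primary_fingerprints)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected one primary key, found $count" >&2; exit 3; }
    [ "$found" = "$expected" ]
)

# Constructed listing for the Umbrella Signer (fingerprints as shown on this page).
GENUINE_LISTING='pub:-:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC::::::23::0:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:-::::1523836800::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>::::::::::0:
sub:-:4096:1:366FA0E6B8EE80D8:1523836800::::::e::::::23:
fpr:::::::::83DA26B4FAC22215832B8894366FA0E6B8EE80D8:'

# Constructed, made-up key whose last eight digits equal the short ID 337BF51F.
LOOKALIKE_LISTING='pub:-:4096:1:AAAAAAAA337BF51F:1523836800:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA337BF51F:'

# Fingerprint as it would be typed from the letter (value shown on this page).
LETTER_FPR="9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F"

# Demo on the constructed listings.
printf '%s\n' "$GENUINE_LISTING" | key_matches_letter "$LETTER_FPR" \
    && echo "genuine listing: match"
printf '%s\n' "$LOOKALIKE_LISTING" | key_matches_letter "$LETTER_FPR" \
    || echo "lookalike listing: rejected"

# On the trusted machine (commented out: needs the downloaded key file):
#   gpg --show-keys --with-colons 0x337BF51F.pub | key_matches_letter "$LETTER_FPR" \
#       && gpg --import 0x337BF51F.pub
```

Only the full 40-digit fingerprint is accepted as the reference value; the 8-digit ID used elsewhere on this page to select the key is not enough to tell the two sample keys apart.<br />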
<br />
First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. After the key is no longer needed to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to validate its ownership, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. <br />
<br />
===Retrieving the Detached Digital Signature===<br />
Retrieving the detached digital signature is simple, by either visiting the url shown below the QR code on the ''front'' of the Important Information letter, or by simply using <code>curl</code> to retrieve the detached digital signature file in the same manner the public key was retrieved. The command to do so should be similar to the following. Note that the version number of the command has been obscured. '''To determine the version of your recovery disk, look at the url on the letter.''' <br />
<br />
<pre> user@computer:~$ curl -O https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v████.iso.asc</pre><br />
<br />
This should download the detached signature file to your computer. <br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. Two options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a server in the PGP Key Server pool, such as https://pgp.mit.edu, and search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," this key, should it be the real key, will immediately become fully valid thanks to Raptor's digital signature on it. We may then check this with the command <code>gpg -k EF283DDC --with-fingerprint</code> and look for the trust level, which should be indicated next to the symbol "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer has found the key to be authentic, as it has verified the chain of trust back to an ultimately trusted key that, in the previous steps, we verified to be provably unique and identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A failure of the key to validate may signify something benign, such as obtaining the wrong key, or something worse, such as a counterfeit. Note that Raptor maintains several keys: some are used for different projects, some are used for customer correspondence, and some are used for signing their [[Warrant Canary]], all of which should be signed by the Umbrella Signer. Ensure you have gotten the one that is used for signing the firmware. <br />
<br />
===Verifying The Disk===<br />
With the chain of trust intact and the detached digital signature and a bitwise copy of the disk image, you may now verify the digital signature on the recovery and firmware disk. This tutorial assumes that you have saved both the recovery disk and detached digital signature file into your home directory, and named the image of the disk "raptordisk.iso" and the detached signature file "talos_recovery_disk_v████.iso.asc"<br />
<br />
The command syntax to verify a detached signature file is: <code> gpg --verify [path-to-signature-file] [path-to-file-being-verified]</code>. For the purpose of this tutorial, the command is shown below with the version numbers hidden. Since the disk image itself will be as large as the recovery disk is (approximately 8.5GB) this command may take several minutes to complete, and will not display a progress indicator during this time. <br />
<br />
<pre><br />
user@computer:~$ gpg --verify talos_recovery_disk_v████.iso.asc raptordisk.iso<br />
gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [full]<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
If you see <code>Good Signature</code>, congratulations. The chain of trust has been verified to an ultimately trusted key, which has been compared to a tracked and insured letter directly from Raptor. You may wish to further check the validity of the key in other ways, including asking other people you know and trust over an end-to-end authenticated and secure channel to attest to the key fingerprint of the Umbrella Signing Key. Your disk is verified to have come from Raptor, and not been modified since. <br />
<br />
'''Heads Up!''' If you get a <code>Bad Signature</code> warning, this may signify that the disk is no longer in the original condition that Raptor sent it in (and could represent the work of tampering or damage) or may result from much more benign causes, such as selecting the wrong file for validation, or the disk not having been copied properly (a single flipped or extra bit will cause the validation to fail). If you get a Bad Signature error, ensure you have checked the commands properly and copied the disk properly using dd with the exact block size and count according to the disk properties. This is the most common cause of false positives.<br />
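A script should not rely on the words "Good signature" alone, because gpg also prints them when the signing key has only marginal validity. The following is an added example, not part of the original page or of Raptor's tooling: it classifies gpg's <code>--status-fd</code> output for a single signature. The function names and verdict labels are assumptions; the fingerprint is the firmware signer's as printed above.<br />

```shell
#!/bin/sh
# Added example: decide pass/fail from gpg's machine-readable status lines
# instead of the human-readable "Good signature" text.

# Firmware signer fingerprint as printed on this page, spaces removed.
EXPECTED_FPR=D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC

# Reads `gpg --status-fd 1 --verify ...` output on stdin (one signature) and
# prints exactly one verdict (labels are this example's own):
#   OK           good signature, expected primary key, validity full/ultimate
#   UNTRUSTED    good signature, expected key, validity below full
#   WRONG_KEY    good signature, but made by a different primary key
#   EXPIRED_KEY  signature checks out, but the signing key has expired
#   REVOKED_KEY  signature checks out, but the signing key is revoked
#   BAD          signature does not match the data
#   NO_KEY       signing key is not in the keyring
#   NONE         no usable signature status seen
# Returns 0 only for OK.
classify_status() {   # usage: classify_status <expected fingerprint>
    verdict=$(awk -v want="$1" '
        $1 != "[GNUPG:]"   { next }
        $2 == "BADSIG"     { bad = 1 }
        $2 == "NO_PUBKEY"  { nokey = 1 }
        $2 == "EXPKEYSIG"  { expkey = 1 }
        $2 == "REVKEYSIG"  { revkey = 1 }
        $2 == "GOODSIG"    { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG"   { fpr = (NF >= 12) ? $12 : $3 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad)                                print "BAD"
            else if (nokey)                         print "NO_KEY"
            else if (revkey)                        print "REVOKED_KEY"
            else if (expkey)                        print "EXPIRED_KEY"
            else if (!good || fpr == "")            print "NONE"
            else if (toupper(fpr) != toupper(want)) print "WRONG_KEY"
            else if (!trusted)                      print "UNTRUSTED"
            else                                    print "OK"
        }')
    echo "$verdict"
    [ "$verdict" = OK ]
}

# Verify a detached signature: signature file first, then the image.
verify_image() {      # usage: verify_image <signature.asc> <image.iso>
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$EXPECTED_FPR"
}
```

Call <code>verify_image</code> with the signature file and the copied image; it prints the verdict and returns success only for <code>OK</code>.<br />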
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1499Verifying DVDs2018-08-28T02:25:14Z<p>Peter Easton: /* Using gnupg to Verify The Chain of Trust Back to Raptor */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is available through the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become parameters that we will then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the command shown below.<br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
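The copy procedure above can be scripted so that the block size and volume size are read from the disc rather than retyped, and so that the resulting image is checked to be exactly block size times volume size bytes long. This is an added example, not part of the original page or of Raptor's tooling; the function names are assumptions, and it relies only on the <code>isoinfo</code> and <code>dd</code> invocations already shown.<br />

```shell
#!/bin/sh
# Added example: derive dd parameters from `isoinfo -d` output instead of
# retyping them, then confirm the copy is exactly bs * count bytes long.

# Print "<block size> <volume size>" parsed from `isoinfo -d` text on stdin.
# Fails if either field is missing, non-numeric or zero.
iso_geometry() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing whitespace
        /^Logical block size is:/ { bs = $2 }
        /^Volume size is:/        { count = $2 }
        END {
            if (bs !~ /^[0-9]+$/ || count !~ /^[0-9]+$/) exit 1
            if (bs == 0 || count == 0) exit 1
            print bs, count
        }'
}

# Expected image size in bytes for a given geometry.
expected_bytes() {    # usage: expected_bytes <bs> <count>
    echo $(( $1 * $2 ))
}

# Succeeds only if the image file is exactly bs * count bytes long.
image_size_ok() {     # usage: image_size_ok <image> <bs> <count>
    [ -f "$1" ] || return 1
    actual=$(( $(wc -c < "$1") ))
    [ "$actual" -eq "$(expected_bytes "$2" "$3")" ]
}

# Copy the disc to an image file and check the size of the result.
# Both paths are arguments, so nothing is overwritten by a hard-coded of=.
copy_disc() {         # usage: copy_disc /dev/sr0 "$HOME/raptordisk.iso"
    geom=$(isoinfo -d -i "$1" | iso_geometry) || {
        echo "could not read block size / volume size from $1" >&2
        return 1
    }
    bs=${geom% *}
    count=${geom#* }
    dd if="$1" of="$2" bs="$bs" count="$count" status=progress || return 1
    image_size_ok "$2" "$bs" "$count" || {
        echo "short or oversized copy: expected $(expected_bytes "$bs" "$count") bytes" >&2
        return 1
    }
}
```

A size mismatch here means the later signature check would fail for a benign reason, so it is worth catching before running GnuPG over several gigabytes.<br />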
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint used to uniquely identify the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining and Trusting the Umbrella Signer Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive.<br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare this result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR-Code reader. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
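The fingerprint comparison described above can also be done before the key ever enters the keyring, by listing the downloaded file without importing it. This is an added example, not part of the original page or of Raptor's tooling: the function names are assumptions, and it assumes a GnuPG recent enough to provide <code>--show-keys</code>. The expected value is passed in as scanned from the letter, with or without spaces.<br />

```shell
#!/bin/sh
# Added example: compare a downloaded key's fingerprint with the value scanned
# from the letter BEFORE importing the key.

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
# Fails unless the result is exactly 40 hex digits (short key IDs are rejected).
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'abcdef' 'ABCDEF')
    case $f in
        ''|*[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Print the primary-key fingerprint(s) from `gpg --with-colons` output on stdin.
# The fpr record that follows a pub record belongs to the primary key; fpr
# records that follow sub records are subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeeds only if the listing on stdin contains exactly one primary key and
# its fingerprint equals the expected one. Returns 2 for a malformed argument.
key_matches() {       # usage: key_matches <expected fingerprint> < listing
    expected=$(normalize_fpr "$1") || return 2
    found=$(primary_fprs)
    [ "$found" = "$expected" ]
}

# Download to a temporary file, inspect it, and import only on a match.
fetch_and_import() {  # usage: fetch_and_import <url on letter> <fingerprint>
    tmp=$(mktemp) || return 1
    curl -fsS -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if gpg --show-keys --with-colons "$tmp" | key_matches "$2"; then
        rc=0
        gpg --import "$tmp" || rc=$?
    else
        echo "fingerprint mismatch: key NOT imported" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```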
<br />
First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. After the key is no longer needed to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to validate its ownership, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. <br />
<br />
===Retrieving the Detached Digital Signature===<br />
Retrieving the detached digital signature is simple, by either visiting the url shown below the QR code on the ''front'' of the Important Information letter, or by simply using <code>curl</code> to retrieve the detached digital signature file in the same manner the public key was retrieved. The command to do so should be similar to the following. Note that the version number of the command has been obscured. '''To determine the version of your recovery disk, look at the url on the letter.''' <br />
<br />
<pre> user@computer:~$ curl -O https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v████.iso.asc</pre><br />
<br />
This should download the detached signature file to your computer. <br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. Two options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a server in the PGP Key Server pool, such as https://pgp.mit.edu, search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," should this be the real key, this key will immediately become fully valid thanks to Raptor's digital signature on it. We may then check this with the command <code>gpg -k EF283DDC --with-fingerprint</code> and look for the trust level, which should be indicated next to the symbol "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer has found the key to be authentic, as it has verified the chain of trust back to an ultimately trusted key that, in the previous steps, we verified to be provably unique and identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A failure of the key to validate may signify something benign, such as obtaining the wrong key, or something worse, such as a counterfeit. Note that Raptor maintains several keys: some are used for different projects, some are used for customer correspondence, and some are used for signing their [[Warrant Canary]], all of which should be signed by the Umbrella Signer. Ensure you have gotten the one that is used for signing the firmware. <br />
<br />
===Verifying The Disk===<br />
With the chain of trust intact and the detached digital signature and a bitwise copy of the disk image, you may now verify the digital signature on the recovery and firmware disk. <br />
<br />
The command syntax to verify a detached signature file is: <code> gpg --verify [path-to-signature-file] [path-to-file-being-verified]</code><br />
<br />
This tutorial assumes that you have saved both the recovery disk and detached digital signature file into your home directory, and named the image of the disk "raptordisk.iso" and the detached signature file "raptordisk.iso.sig"<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1498Verifying DVDs2018-08-28T02:12:57Z<p>Peter Easton: /* Using gnupg to Verify The Chain of Trust Back to Raptor */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which prints the information about a CD image that you will need in order to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only work if the copy is exact, we will use the Unix utility "data definition" to make it, after finding out the necessary information about the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want, using the command shown in the example below.<br />
This should return two lines: one number representing the logical block size, and the other representing the volume size in blocks.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly takes two parameters, the input file, specified by "if", and the output file, specified by "of", and will copy bit for bit from the input file to the output file, honouring any further parameters we set, such as the block size and the volume size. We will set the parameters as follows:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone of the disk that we will verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code>The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
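The copy step can be scripted so that the <code>bs=</code> and <code>count=</code> values are read from isoinfo rather than retyped, and so that a short copy is caught before it shows up as a "Bad Signature" error. This is an added example, not part of the original wiki page or Raptor's tooling: the function names are hypothetical and the sample isoinfo text is constructed from the example values above.

```shell
#!/bin/sh
# Added example (not from the wiki): derive dd's bs= and count= from
# `isoinfo -d` output, and check that a finished copy has exactly
# block size * volume size bytes.
#
# Typical use:
#   isoinfo -d -i /dev/sr0 | iso_geometry
#   image_length_ok "$HOME/raptordisk.iso" <block size> <volume size>

# stdin: output of `isoinfo -d -i <device>`.
# Prints "<block size> <volume size> <total bytes>"; returns 1 if either
# field is missing or is not a plain positive decimal number.
iso_geometry() {
    _geo=$(awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing blanks / CR
        /^Logical block size is:/ { bs = $2 }
        /^Volume size is:/        { n = $2 }
        END {
            if (bs !~ /^[1-9][0-9]*$/ || n !~ /^[1-9][0-9]*$/) exit 1
            print bs, n
        }') || return 1
    set -- $_geo
    echo "$1 $2 $(( $1 * $2 ))"
}

# $1 = image file, $2 = block size, $3 = volume size in blocks.
# Returns 0 only if the file length equals block size * volume size.
image_length_ok() {
    [ -f "$1" ] || return 2
    _actual=$(( $(wc -c < "$1") ))
    [ "$_actual" -eq "$(( $2 * $3 ))" ]
}

# Constructed sample of `isoinfo -d` output, using the example values
# from this page (your disk will report its own numbers).
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
System id: LINUX
Volume id: EXAMPLE
Logical block size is: 2048
Volume size is: 4135453'

if _g=$(printf '%s\n' "$SAMPLE_ISOINFO" | iso_geometry); then
    set -- $_g
    echo "dd parameters: bs=$1 count=$2 (expect $3 bytes in the image)"
else
    echo "could not read block size / volume size from isoinfo output" >&2
fi
```
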
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will yield the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored;<br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining and Trusting the Umbrella Signer Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software, or visit the url printed below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive.<br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
If you do not have curl, you may install it using the command <code>sudo apt install -y curl </code>.<br />
<br />
<pre> user@computer:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this. (Please note that in this manual entry, the key fingerprint itself has been obscured to prevent confusion)<br />
<br />
<pre><br />
pub rsa4096/████████████ created: 2018-04-16 expires: never<br />
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Compare the result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. <br />
<br />
If you miss this information the first time around, you may view it again with the command:<br />
<br />
<pre> user@computer:~$ gpg -k authentication@raptorcs.com --with-fingerprint</pre><br />
<br />
First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. Once the key no longer needs to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> user@computer:~$ gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue. If we do not have a key of our own with which to validate its ownership, we will need to take ownership of it ourselves and pretend it is ours for the moment by setting it to ultimate trust. <br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. <br />
<br />
<br />
===Retrieving The Firmware Signing Key===<br />
The digital signature file and the Root Umbrella key however are not everything we need to verify the integrity of the disk. Attempting to verify the disk (more on that later) will yield the following error:<br />
<br />
<pre>gpg: Signature made Tue 19 Jun 2018 06:05:04 PM EDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: key 101A7EF8EF283DDC: 1 signature not checked due to a missing key<br />
</pre><br />
<br />
This error message is simple: the signature was generated by an RSA key with the particular long key ID shown, but you do not have that public key in your keyring to verify the signature with. Two options present themselves:<br />
* If you have GnuPG configured to connect to the internet, you may get GnuPG to automatically connect to the Internet and fetch the missing key with the command below. '''If done without the aid of an anonymizing proxy such as Tor, this approach may leak your IP address and your key request to the key server and possibly the rest of the Internet.'''<br />
<pre>user@computer:~$ gpg --recv-keys 101A7EF8EF283DDC</pre><br />
* If you do not have GnuPG configured for automatic key retrieval, you can go to a server in the PGP Key Server pool, such as https://pgp.mit.edu, search for the Long Key ID via the web user interface, copy the text of the key beginning with <code>-----BEGIN PGP PUBLIC KEY BLOCK-----</code> and ending with <code>-----END PGP PUBLIC KEY BLOCK-----</code> into a text file, and import it into your GPG keyring with <code>gpg --import [path to file]</code>.<br />
* If you use a graphical frontend such as Gnu Privacy Assistant or Enigmail on your computer to manage keys, you may copy the keys from the clipboard. <br />
<br />
After the key is imported, you may see a screen similar to this:<br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
gpg: marginals needed: 3 completes needed: 1 trust model: pgp<br />
gpg: depth: 0 valid: 9 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 9u<br />
gpg: depth: 1 valid: 5 signed: 0 trust: 5-, 0q, 0n, 0m, 0f, 0u<br />
gpg: next trustdb check due at 2018-09-09<br />
</pre><br />
<br />
We may then check its validity. If all has gone right, since we chose to trust Raptor's Umbrella signing key "ultimately," should this be the real key, this key will immediately become fully valid thanks to Raptor's digital signature on it. We may then check this with the command <code>gpg -k EF283DDC --with-fingerprint</code> and look for the trust level, which should be indicated next to the symbol "uid". <br />
<br />
<pre><br />
user@computer:~$ gpg -k EF283DDC --with-fingerprint<br />
pub rsa4096/101A7EF8EF283DDC 2018-04-25 [SC] [expires: 2019-01-20]<br />
Key fingerprint = D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
uid [ full ] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sub rsa4096/CE591B3C94F3C9EE 2018-04-25 [E] [expires: 2019-01-20]</pre><br />
<br />
Note that it says <code>[ full ]</code> next to the User ID. This indicates that the computer considers the key authentic, as it has verified the chain of trust back to an ultimately trusted key which, in the previous steps, we verified to be identical to the one listed on Raptor's letter. Because of this, the computer now considers the firmware signing key to be fully valid. We may now attempt to verify the DVD image with GnuPG. <br />
<br />
'''WARNING!''' If the text in the brackets lists anything aside from <code>[ full ]</code>, '''STOP IMMEDIATELY''' as the key has not validated. A key that fails to validate may signify something benign, such as obtaining the wrong key, or something worse, such as a counterfeit. <br />
<br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1497Verifying DVDs2018-08-27T05:43:36Z<p>Peter Easton: /* Obtaining and Trusting the Umbrella Signer Public Key */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility that prints the information about a CD image that you will need to copy the disk in exactly the condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the command shown below. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
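The copy step above, as an added shell example that is not part of the original wiki page: it reads the two values from isoinfo, runs dd with them, and then checks that the image is exactly block size times volume size bytes long, since an inexact copy is what produces the "Bad Signature" error. The function names and the sample isoinfo text are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): derive the dd parameters from
# isoinfo output and confirm the copied image has exactly the expected length.

# Constructed sample of `isoinfo -d -i /dev/sr0` output, using the example
# values shown on the page. Your disc will report its own values.
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
System id: LINUX
Volume id: SOURCE
Logical block size is: 2048
Volume size is: 4135453'

# Print the number from one "<label> is: N" line.
# Fails if the line is missing or the value is not a plain decimal number.
iso_field() {
    # $1 = isoinfo output, $2 = field label
    value=$(printf '%s\n' "$1" |
        sed -n "s/^$2 is: *\([0-9][0-9]*\) *\$/\1/p" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Size in bytes that a complete image must have.
expected_bytes() {
    bs=$(iso_field "$1" 'Logical block size') || return 1
    count=$(iso_field "$1" 'Volume size') || return 1
    echo $((bs * count))
}

# True only if the file is exactly the expected number of bytes long.
image_is_complete() {
    # $1 = image file, $2 = expected size in bytes
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$actual" = "$2" ]
}

# Read the parameters from the disc itself, copy it, then check the length.
copy_disc() {
    # $1 = device entry (e.g. /dev/sr0), $2 = output file
    info=$(isoinfo -d -i "$1") || return 1
    bs=$(iso_field "$info" 'Logical block size') || return 1
    count=$(iso_field "$info" 'Volume size') || return 1
    dd if="$1" of="$2" bs="$bs" count="$count" || return 1
    if image_is_complete "$2" "$((bs * count))"; then
        echo "Copy complete: $((bs * count)) bytes"
    else
        echo "Image is not $((bs * count)) bytes; do not verify it, copy again" >&2
        return 1
    fi
}

# Run only when called as: script <device> <output file>
if [ "$#" -eq 2 ]; then
    copy_disc "$1" "$2"
fi
```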
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining and Trusting the Umbrella Signer Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
<pre>curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this:<br />
<br />
<pre><br />
pub rsa4096/9B2BF5BD337BF51F created: 2018-04-16 expires: never<br />
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Note that in this tutorial, X's are shown here to denote where the key fingerprint would be. Compare the result displayed on your computer to the 40-character key fingerprint you obtained by scanning the QR code. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. After the key is no longer needed to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type <code>trust</code> and press return to bring up the trust dialogue, allowing you to tell the computer how much you trust the user of this key to cryptographically attest to the validity of other keys. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue.<br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return, which should send you back to your terminal shell. <br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
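The fingerprint comparison described in this section, as an added shell example that is not part of the original wiki page: it saves the downloaded key to a file, lists it without importing, and imports only if the file holds exactly one key whose full 40-character fingerprint equals the one from the letter. It assumes a GnuPG 2.x recent enough to support the <code>show-only</code> import option; the function names are hypothetical and the sample listing is constructed.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page). Typical use, after saving the key
# with `curl -o umbrella.pub <URL printed on your letter>`:
#   sh check_key.sh umbrella.pub "<40-character fingerprint from the QR code>"

# Constructed sample of a `gpg --with-colons` key listing. The primary key
# fingerprint is the one printed on the page; the timestamps, flags and the
# all-zero subkey fingerprint are placeholders.
SAMPLE_COLONS='pub:-:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC::::::23::0:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:-::::1523836800::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>:
sub:-:4096:1:366FA0E6B8EE80D8:1523836800::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Strip whitespace and upper-case, so "9c2a 6e8f ..." and "9C2A6E8F..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# A full fingerprint is exactly 40 hex characters. Shorter key IDs are
# rejected on purpose: they are not sufficient to identify a key.
is_full_fpr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# The first "fpr" record in a listing belongs to the primary key.
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only if the listing contains exactly one primary key and its
# fingerprint equals the expected one.
fpr_matches() {
    # $1 = colon listing, $2 = fingerprint from the letter
    want=$(normalize_fpr "$2")
    is_full_fpr "$want" || return 2
    # A file carrying extra keys would import all of them, so refuse it.
    pubs=$(printf '%s\n' "$1" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pubs" -eq 1 ] || return 3
    [ "$(primary_fpr "$1")" = "$want" ]
}

# List the key file without touching the keyring, then import on a match.
import_if_genuine() {
    # $1 = downloaded key file, $2 = fingerprint from the letter
    listing=$(gpg --batch --with-colons --import-options show-only \
        --import "$1") || return 1
    if fpr_matches "$listing" "$2"; then
        gpg --batch --import "$1"
    else
        echo "Fingerprint does not match the letter: key NOT imported" >&2
        return 1
    fi
}

# Run only when called as: script <key file> <fingerprint>
if [ "$#" -eq 2 ]; then
    import_if_genuine "$1" "$2"
fi
```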
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
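The signature check from the How To steps above, as an added shell example that is not part of the original wiki page: instead of reading the human-oriented "Good signature" text, it parses GnuPG's machine-readable status lines and accepts the ISO only if the signature is good and was made by the key whose full fingerprint you expect. The function names are hypothetical; the key ID and fingerprints in the samples are the ones shown on the page, and the remaining status fields are constructed.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page). Typical use:
#   sh verify_iso.sh talos_recovery_disk_v1.03.iso.asc source.iso \
#       D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC

# Constructed samples of `gpg --status-fd 1 --verify` output.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-04-30 1525128248 0 4 0 1 10 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
[GNUPG:] TRUST_MARGINAL 0 pgp'

# The page lists this key with an expiry date. Once a key has expired, gpg
# reports EXPKEYSIG in place of GOODSIG.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-04-30 1525128248 0 4 0 1 10 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC'

# What gpg reports before the signing key has been imported.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 101A7EF8EF283DDC 1 10 00 1525128248 9
[GNUPG:] NO_PUBKEY 101A7EF8EF283DDC'

# Succeeds only if there is exactly one good signature, no failure status,
# and the last field of VALIDSIG (the primary key fingerprint) is the
# expected one.
signature_ok() {
    # $1 = status output, $2 = expected fingerprint (40 hex chars, no spaces)
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad++ }
        $2 == "VALIDSIG" { if ($NF == want) pinned++; else bad++ }
        END { exit !(good == 1 && pinned == 1 && bad == 0) }'
}

# Run gpg and judge the result from its status lines.
verify_iso() {
    # $1 = detached signature, $2 = ISO image, $3 = expected fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    if signature_ok "$status" "$3"; then
        echo "Signature is good and was made by $3"
    else
        echo "Verification FAILED: do not trust this image" >&2
        return 1
    fi
}

# Run only when called as: script <signature> <iso> <fingerprint>
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

This example treats a signature from an expired or revoked key as a failure; whether an older disc signed before the key expired should still be accepted is a decision to make deliberately, not by default.<br />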
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1495Verifying DVDs2018-08-27T05:39:57Z<p>Peter Easton: /* Obtaining the Public Key */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility that prints the information about a CD image that you will need to copy the disk in exactly the condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the command shown below. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than needing to verify many different keys out of band for everything manually, instead Raptor can generate one key that represents them, and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining and Trusting the Umbrella Signer Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the URL included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the URL below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
<pre>curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this:<br />
<br />
<pre><br />
pub rsa4096/9B2BF5BD337BF51F created: 2018-04-16 expires: never<br />
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Note that in this tutorial, X's are shown here to denote where the key fingerprint would be. Compare this result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR-Code reader. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. Once the key no longer needs to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type trust. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue.<br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return. <br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1494Verifying DVDs2018-08-27T05:39:27Z<p>Peter Easton: /* Using gnupg to Verify The Chain of Trust Back to Raptor */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need in order to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG, which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size, and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and only print the information we want with the following command. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will contain the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of where the Secret Key for Raptor's Umbrella Signing Key and cryptographic materials are stored. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than requiring every one of those keys to be verified out of band manually, Raptor can generate one key that represents them and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit. <br />
<br />
<br />
====Obtaining the Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the URL included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the URL below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
<pre>curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this:<br />
<br />
<pre><br />
pub rsa4096/9B2BF5BD337BF51F created: 2018-04-16 expires: never<br />
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
Note that in this tutorial, X's are shown here to denote where the key fingerprint would be. Compare this result displayed on your computer to the 40-character key fingerprint you obtained from scanning the QR-Code reader. It must match '''exactly''' to avoid obtaining a counterfeit key. If the 40-character key fingerprint matches exactly, you can sign it locally with one of your own keys, or you can take ownership of the key by setting its trust to ultimate. First, we will edit the key with: <br />
<br />
'''Heads Up!''' This tutorial assumes you have no ultimately trusted keys in your GnuPG trust database. The "Ultimate" trust level in GnuPG is intended for keys you own, and is required to validate other keys. Setting ultimate trust for a key you do not own is normally a very harmful use case, as an ultimately trusted key that you do not own can be used to issue counterfeit keys for your contacts and impersonate your contacts to you unless you decide to stop trusting it. Once the key no longer needs to be trusted, you should un-set its trust from Ultimate. You can avoid these issues by locally signing Raptor's Umbrella key with an ultimately trusted key that ''you'' own using <code> gpg --lsign-key</code>.<br />
<br />
<pre> gpg --edit-key 0x337BF51F</pre><br />
<br />
This will bring us to the gpg> key editing dialogue.<br />
<pre> <br />
pub rsa4096/9B2BF5BD337BF51F<br />
created: 2018-04-16 expires: never usage: SC <br />
trust: unknown validity: unknown<br />
sub rsa4096/366FA0E6B8EE80D8<br />
created: 2018-04-16 expires: never usage: E <br />
[ unknown] (1). Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
gpg> </pre><br />
<br />
At the prompt, type trust. <br />
<br />
<pre>gpg> trust</pre><br />
<br />
This will return the trust dialogue.<br />
<br />
<pre>Please decide how far you trust this user to correctly verify other users' keys<br />
(by looking at passports, checking fingerprints from different sources, etc.)<br />
<br />
1 = I don't know or won't say<br />
2 = I do NOT trust<br />
3 = I trust marginally<br />
4 = I trust fully<br />
5 = I trust ultimately<br />
m = back to the main menu<br />
<br />
Your decision? </pre><br />
<br />
Enter <code>5</code> for ultimate and press return.<br />
<br />
<pre>Please note that the shown key validity is not necessarily correct<br />
unless you restart the program.<br />
<br />
gpg> </pre><br />
<br />
Type <code>quit</code> and press return. <br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
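<br />
The manual checks above (disc geometry from isoinfo, an exact dd read, and comparing the signer's fingerprint with the one on the letter) can be scripted. The following is an added example, not part of Raptor's documentation: the function names are hypothetical, the sample inputs are constructed, and it pins the signing key's primary fingerprint instead of relying on GnuPG trust levels.<br />

```shell
#!/bin/sh
# Added example: scripted form of the manual checks in this guide.
# All function names are hypothetical; nothing here is Raptor's own tooling.

# Reduce a fingerprint to 40 uppercase hex digits; fail on anything else
# (for example a 16-character key ID, which is not enough to pin a key).
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Exit 0 only if both fingerprints are well formed and identical.
fpr_matches() {
    want=$(normalize_fpr "$1") || return 1
    have=$(normalize_fpr "$2") || return 1
    [ "$want" = "$have" ]
}

# Read `isoinfo -d` output on stdin; print "<block size> <volume size>".
iso_geometry() {
    awk '/^Logical block size is:/ { bs = $NF }
         /^Volume size is:/        { count = $NF }
         END {
             if (bs !~ /^[0-9]+$/ || count !~ /^[0-9]+$/) exit 1
             print bs, count
         }'
}

# Read `gpg --status-fd 1 --verify` output on stdin. Print the primary-key
# fingerprint (last field of VALIDSIG) only when the signature is good and
# no bad, expired or revoked status was reported.
validsig_primary_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = $NF }
         END { if (bad || !good || fpr == "") exit 1; print fpr }'
}

# Usage: verify_disc <device> <detached .asc> <fingerprint copied from the letter>
verify_disc() {
    dev=$1 sig=$2 expected=$3
    geom=$(isoinfo -d -i "$dev" | iso_geometry) ||
        { echo "cannot read block/volume size from $dev" >&2; return 1; }
    bs=${geom% *} count=${geom#* }
    # Stream exactly bs*count bytes into gpg; "-" means signed data on stdin.
    status=$(dd if="$dev" bs="$bs" count="$count" 2>/dev/null |
             gpg --status-fd 1 --verify "$sig" - 2>/dev/null) || true
    signer=$(printf '%s\n' "$status" | validsig_primary_fpr) ||
        { echo "no good signature over the disc image" >&2; return 1; }
    fpr_matches "$expected" "$signer" ||
        { echo "signed by unexpected key $signer" >&2; return 1; }
    echo "OK: $dev is signed by $signer"
}

# Constructed sample inputs (not captured from a real run), for offline checks.
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
Logical block size is: 2048
Volume size is: 3871504'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018)
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-04-30 1525128248 0 4 0 1 8 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC'

# Run against a real disc only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    verify_disc "$@"
fi
```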
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1493Verifying DVDs2018-08-27T05:23:51Z<p>Peter Easton: /* Obtaining the Public Key */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need in order to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG, which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want, using the command below.<br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file, specified by "of", and will copy bit for bit from the input file to the output file, honouring any other parameters we set, such as the block size and the volume size. We will set the parameters as follows:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
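The copy procedure above, scripted so that the block size and volume size are read from <code>isoinfo</code> rather than typed by hand. This is an added example, not part of the original wiki page; the helper names (<code>iso_geometry</code>, <code>iso_bytes</code>, <code>copy_disc</code>) are hypothetical and the sample text is constructed from the values shown on this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): derive dd's bs= and count= from
# `isoinfo -d` instead of copying the numbers by hand.

# Constructed sample: the two relevant lines as shown on this page.
SAMPLE_ISOINFO='Logical block size is: 2048
Volume size is: 4135453'

# Read `isoinfo -d` text on stdin; print "<block size> <volume size>".
# Exits non-zero unless both values are present and purely numeric.
iso_geometry() {
    awk '
        /^Logical block size is:/ { bs = $NF }
        /^Volume size is:/        { count = $NF }
        END {
            if (bs !~ /^[0-9]+$/ || count !~ /^[0-9]+$/) exit 1
            print bs, count
        }'
}

# Expected image length in bytes: block size times number of blocks.
iso_bytes() {
    echo $(( $1 * $2 ))
}

# copy_disc <device> <output file>
# Copies exactly the signed extent of the disc and checks the resulting size.
copy_disc() {
    cd_dev=$1
    cd_out=$2
    # Refuse to overwrite anything: of= destroys its target without asking.
    if [ -e "$cd_out" ]; then
        echo "refusing to overwrite $cd_out" >&2
        return 1
    fi
    cd_geom=$(isoinfo -d -i "$cd_dev" | iso_geometry) || {
        echo "could not read block/volume size from $cd_dev" >&2
        return 1
    }
    cd_bs=${cd_geom% *}
    cd_count=${cd_geom#* }
    dd if="$cd_dev" of="$cd_out" bs="$cd_bs" count="$cd_count" status=progress || return 1
    # A short read (damaged disc, wrong device) would otherwise only show up
    # later as a signature verification failure.
    cd_size=$(wc -c < "$cd_out" | tr -d ' ')
    if [ "$cd_size" != "$(iso_bytes "$cd_bs" "$cd_count")" ]; then
        echo "size mismatch: got $cd_size bytes" >&2
        return 1
    fi
}

# Demonstration on the constructed sample.
# Real use: copy_disc /dev/sr0 "$HOME/raptordisk.iso"
printf '%s\n' "$SAMPLE_ISOINFO" | iso_geometry
```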
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor includes a letter marked "Important Information" with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will yield the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of Raptor's Umbrella Signing Key stored on a secure system or possibly in cold storage. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than requiring users to verify many different keys out of band manually, Raptor can instead generate one key that represents them, use it to digitally certify all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.<br />
<br />
The "Key Fingerprint" is a supposedly unforgeable mathematical proof of the uniqueness of the encryption key. You may first obtain this by scanning the letter on the back under the heading '''Raptor Computing Systems GPG Key''' using any Standard QR Code Reader application to obtain the 40-character hexadecimal key fingerprint. Write this down. <br />
<br />
====Obtaining the Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. To do this, we will check the key fingerprint of the key we receive <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, '''take the one on the letter to be correct.''' <br />
<br />
<pre>user@my-pc:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this:<br />
<br />
<pre><br />
pub rsa4096/9B2BF5BD337BF51F created: 2018-04-16 expires: never<br />
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
[still working on this, sorry]<br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
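One way to check the downloaded key against the fingerprint from the letter before it is imported, rather than piping the download straight into <code>gpg --import</code>. This is an added example, not part of the original wiki page; the helper names are hypothetical, the sample listing is constructed (only the fingerprint comes from this page), and it assumes a GnuPG recent enough to provide <code>--show-keys</code>.

```shell
#!/bin/sh
# Added example (not from the wiki page): compare a downloaded key's
# fingerprint with the one scanned from the letter before importing it.

# Constructed sample of `gpg --show-keys --with-colons` output. Only the
# primary fingerprint is taken from this page; every other field is made up.
SAMPLE_COLONS='pub:-:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:-::::1523836800::::Constructed User ID:
sub:-:4096:1:0000000000000000:1523836800::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint from a colon listing on stdin.
# The first "fpr" record belongs to the primary key; field 10 holds the value.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches <expected> <actual>
# Succeeds only for a full 40-hex-digit fingerprint that matches exactly.
# Short key IDs are rejected on purpose: they are not a proof of identity.
fpr_matches() {
    fm_want=$(norm_fpr "$1")
    fm_got=$(norm_fpr "$2")
    case $fm_want in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fm_want}" -eq 40 ] && [ "$fm_want" = "$fm_got" ]
}

# check_then_import <key file> <fingerprint from the letter>
# Inspects the file without touching the keyring, imports only on a match.
check_then_import() {
    ci_got=$(gpg --show-keys --with-colons "$1" | primary_fpr)
    if ! fpr_matches "$2" "$ci_got"; then
        echo "fingerprint mismatch: file has '$ci_got'" >&2
        return 1
    fi
    gpg --import "$1"
}

# Demonstration on the constructed sample.
# Real use: save the key to a file first, then
#   check_then_import 0x337BF51F.pub "<40 characters from the QR code>"
printf '%s\n' "$SAMPLE_COLONS" | primary_fpr
```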
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
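The chain walked through above (image signed by the firmware key, firmware key certified by the umbrella key), checked from GnuPG's machine-readable output instead of by eye. This is an added example, not part of the original wiki page; the helper names are hypothetical and the sample status and listing lines are constructed around the fingerprints shown on this page. It uses <code>--check-signatures</code> because <code>--list-signatures</code> lists key signatures without verifying them.

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm who signed the image and
# that the signing key carries a verified certification from the umbrella key.

# Constructed sample of `gpg --status-fd 1 --verify <sig> <iso>` status lines.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Constructed User ID
[GNUPG:] VALIDSIG D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC 2018-04-30 1525128248 0 4 0 1 8 00 D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC'

# Constructed sample of `gpg --check-signatures --with-colons <key>` output.
SAMPLE_CHECK='pub:-:4096:1:101A7EF8EF283DDC:1524614400:1547942400::-:::scESC:
fpr:::::::::D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC:
uid:-::::1524614400::::Constructed User ID:
sig:!::1:101A7EF8EF283DDC:1524614400::::Constructed User ID:13x:
sig:!::1:9B2BF5BD337BF51F:1524614400::::Constructed User ID:10x:'

# Print the primary-key fingerprint of the signer from status lines on stdin.
# Requires GOODSIG, so signatures reported as BADSIG, EXPKEYSIG or REVKEYSIG
# are rejected even though some of them also produce a VALIDSIG line.
good_signer() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
        END { if (!good || fpr == "") exit 1; print fpr }'
}

# certified_by <certifier fingerprint>
# Succeeds if the colon listing on stdin contains a key signature that gpg
# marked as verified ("!" in field 2) and that was issued by the certifier.
# "?" in field 2 means the certifier's public key was not available.
certified_by() {
    cb_id=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F' | cut -c25-40)
    [ "${#cb_id}" -eq 16 ] || return 1
    awk -F: -v id="$cb_id" '
        $1 == "sig" && $2 == "!" && $5 == id { ok = 1 }
        END { exit !ok }'
}

# verify_chain <signature file> <iso> <umbrella fingerprint>
# Prints the signer's fingerprint when the whole chain checks out.
verify_chain() {
    vc_signer=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | good_signer) || {
        echo "no good signature on $2" >&2
        return 1
    }
    gpg --check-signatures --with-colons "$vc_signer" | certified_by "$3" || {
        echo "signer $vc_signer is not certified by $3" >&2
        return 1
    }
    echo "$vc_signer"
}

# Demonstration on the constructed sample.
# Real use: verify_chain talos_recovery_disk_v1.03.iso.asc source.iso \
#               "<umbrella fingerprint from the letter>"
printf '%s\n' "$SAMPLE_STATUS" | good_signer
```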
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1492Verifying DVDs2018-08-27T05:08:50Z<p>Peter Easton: /* Using gnupg to Verify The Chain of Trust Back to Raptor */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD image that you will need to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want, using the command below.<br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size in blocks.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file, specified by "of", and will copy bit for bit from the input file to the output file, honouring any other parameters we set, such as the block size and the volume size. We will set the parameters as follows:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor includes a letter marked "Important Information" with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it will yield the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of Raptor's Umbrella Signing Key stored on a secure system or possibly in cold storage. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than requiring users to verify many different keys out of band manually, Raptor can instead generate one key that represents them, use it to digitally certify all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.<br />
<br />
The "Key Fingerprint" is a supposedly unforgeable mathematical proof of the uniqueness of the encryption key. You may first obtain this by scanning the letter on the back under the heading '''Raptor Computing Systems GPG Key''' using any Standard QR Code Reader application to obtain the 40-character hexadecimal key fingerprint. Write this down. <br />
<br />
====Obtaining the Public Key====<br />
<br />
To obtain the Umbrella Signing Public Key, you may use the url included on the letter, which is also given as a QR-code that may be scanned by any QR-code reading software or by visiting the url below it. Although the download is made over Transport Layer Security (or SSL), the key should first be verified locally on your computer against the 40-character fingerprint obtained by scanning the QR code in the letter. <br />
<br />
The public key will be available in ascii-armoured format and will be marked to note where the public key begins and ends. If your browser does not automatically download it, you may copy the page to your hard drive using wget or curl, and pass it to GnuPG with the following terminal command sequence. Note that if the url you receive on your letter is different from the one you see here, take the one on the letter to be correct. <br />
<br />
<pre>user@my-pc:~$ curl https://www.raptorcs.com/keys/gpg/0x337BF51F.pub | gpg --import </pre><br />
<br />
You may see a screen that resembles something like this:<br />
<br />
<pre><br />
pub rsa4096/9B2BF5BD337BF51F created: 2018-04-16 expires: never<br />
Key fingerprint = 9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
<br />
Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
<br />
Do you want to import this key? (y/N)</pre><br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1490Verifying DVDs2018-08-27T03:50:13Z<p>Peter Easton: /* Using gnupg to Verify The Chain of Trust Back to Raptor */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only work if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we will then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of Raptor's Umbrella Signing Key stored on a secure system or possibly in cold storage. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys to be used for different reasons and different jobs. Rather than requiring users to verify many different keys out of band manually, Raptor can generate one key that represents them, use it to digitally certify all the keys that they use, and then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties by keeping different keys for different jobs, some amount of convenience by ensuring users only need to verify one key, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping down the number of people who need to be trusted with the key reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and forcing everyone to go through the entire exercise of verifying all of the keys all over again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.<br />
<br />
The "Key Fingerprint" is a supposedly unforgeable mathematical proof of the uniqueness of the encryption key. You may first obtain this by scanning the letter on the back under the heading '''Raptor Computing Systems GPG Key''' using any Standard QR Code Reader application. <br />
<br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
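<br />
The steps above can be scripted so that the <code>dd</code> parameters are read from <code>isoinfo</code> rather than typed, and so that the raw 40-character fingerprint from the letter is compared with what GnuPG holds without reading hex by eye. The following is an added example, not part of the original page or Raptor's tooling: the function names and the sample text are constructed for illustration, and it assumes <code>gpg --with-colons --check-signatures</code>, which (unlike <code>--list-signatures</code>) actually checks each certification and marks a good one with <code>!</code>.<br />

```shell
#!/bin/sh
# Added example, not Raptor's or the wiki's own tooling. All sample text below
# is constructed; the key IDs and fingerprints are the ones shown on this page.

# stdin: output of `isoinfo -d -i DEVICE`. Prints "<block size> <volume size>".
# Fails unless both values are present and purely numeric.
iso_geometry() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }
        /^Logical block size is:/ { bs = $2 }
        /^Volume size is:/        { n = $2 }
        END { if (bs !~ /^[0-9]+$/ || n !~ /^[0-9]+$/) exit 1; print bs, n }'
}

# Canonical fingerprint: 40 upper-case hex digits, no separators. Accepts the
# spaced form gpg prints and the raw form scanned from the QR code.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1   # rejects short key IDs
    printf '%s\n' "$fpr"
}

# Succeeds only if both arguments are the same full fingerprint.
same_fpr() {
    a=$(normalize_fpr "$1") || return 2
    b=$(normalize_fpr "$2") || return 2
    [ "$a" = "$b" ]
}

# stdin: `gpg --with-colons --check-signatures SIGNER_KEY` output.
# $1: fingerprint from the letter. Succeeds only if a certification issued by
# that key's 64-bit key ID (field 5) was checked as good ("!" in field 2).
# A key-ID match alone is weak, so also run same_fpr on the umbrella key.
certified_by() {
    want=$(normalize_fpr "$1") || return 2
    keyid=$(printf '%s' "$want" | cut -c25-40)
    awk -F: -v id="$keyid" '
        $1 == "sig" && $5 == id && $2 == "!" { ok = 1 }
        END { exit !ok }'
}

# --- constructed sample input -------------------------------------------
SAMPLE_ISOINFO='CD-ROM is in ISO 9660 format
Volume set size is: 1
Logical block size is: 2048
Volume size is: 3871504'

# Raw form, as a QR reader returns it (value taken from this page).
LETTER_FPR='9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F'

# Shape of --with-colons output; timestamps and trailing fields are made up.
SAMPLE_CHECKSIGS='pub:m:4096:1:101A7EF8EF283DDC:1524614400:1547942400::-:::scESC:
fpr:::::::::D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC:
uid:m::::1524614400::::Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>:
sig:!::1:101A7EF8EF283DDC:1524614400::::Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>:13x:
sig:!::1:9B2BF5BD337BF51F:1524614400::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>:10x:'

# --- wiring to the real tools (not executed here) -------------------------
#   geom=$(isoinfo -d -i /dev/sr0 | iso_geometry) || exit 1
#   set -- $geom
#   dd if=/dev/sr0 of=source.iso bs="$1" count="$2"
#   gpg --with-colons --check-signatures 101A7EF8EF283DDC | certified_by "$LETTER_FPR"
#   kr=$(gpg --with-colons --fingerprint 9B2BF5BD337BF51F | awk -F: '$1=="fpr"{print $10; exit}')
#   same_fpr "$LETTER_FPR" "$kr"
```

A non-zero exit from any of these functions means the copy or the chain of trust should not be relied on; a successful <code>gpg --verify</code> of the ISO is still required as the final step.<br />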
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1489Verifying DVDs2018-08-27T03:39:33Z<p>Peter Easton: </p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is included in the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the command line with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only work if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<pre>user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </pre><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we will then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command. <br />
This should return two lines, one number representing the logical block size, and the other number representing the volume size.<br />
<br />
<br />
<pre>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
Logical block size is: 2048<br />
Volume size is: 4135453</pre><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<pre>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</pre><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to write. Never specify an output file to one you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso." We will verify this clone shortly. <br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor includes a letter marked "Important Information" with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of Raptor's Umbrella Signing Key stored on a secure system or possibly in cold storage. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The theory behind this chain of trust is simple: Raptor is a large company and may require many different keys for different reasons and different jobs. Rather than having users verify every one of those keys manually out of band, Raptor can generate one key that represents them and digitally certifies all the keys that they use, then keep that one special umbrella signing key in an ultra-secure place. Users that wish to verify that a key really does belong to Raptor then only need to verify that one key at the end of the chain of trust, and if they trust it, all the keys that it validates may be assumed to actually belong to Raptor. This approach provides separation of duties and some amount of convenience, and ensures that the Umbrella Key does not need to be entrusted to many different people. In turn, keeping the number of people who need to be trusted with the key small reduces the likelihood that someone may mishandle it and allow it to leak. As a side-benefit, in the event that one of the keys it certified is stolen, Raptor can simply use the Umbrella key to revoke its certification to inform other people that the key has been compromised and is no longer valid, without having to start over from scratch with entirely new credentials and force everyone to go through the entire exercise of verifying all of the keys again. <br />
<br />
The detached digital signature files produced by the signing keys are available on Raptor's Website. Copies of the public keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.<br />
<br />
The "Key Fingerprint" is a supposedly unforgeable mathematical proof of the uniqueness of the encryption key. You may first obtain this by scanning the letter on the back under the heading '''Raptor Computing Systems GPG Key''' using any Standard QR Code Reader application. <br />
<br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
<br />
<br />
<br />
<br />
<br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1488Verifying DVDs2018-08-26T20:35:53Z<p>Peter Easton: </p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
===Overview===<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is available through the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
===Deterministic Copying Of The Disk===<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<code><br />
user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </code><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command. <br />
This should return two lines: one number representing the logical block size, and the other number representing the volume size, in blocks.<br />
<br />
<br />
<code>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<br />
<code>Logical block size is: 2048</code><br />
<br />
<code>Volume size is: 4135453</code><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in the number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<code>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</code><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by <code>if=</code> and <code>of=</code> respectively are the files you really want to read from and write to. Never specify an output file that you do not intend to overwrite! <br />
<br />
If all has been done correctly, this procedure should create a bit-wise (exact) clone of the disk image in your home directory, which will be called "raptordisk.iso". We will verify this clone shortly. <br />
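
The size check implied by the copying step above, as an added example that is not part of the original wiki page: it reads the two isoinfo values, prints the matching dd command, and confirms that the saved image is exactly block size times volume size bytes long, because a copy of any other length cannot match the signed image. The function names are hypothetical, and the sample values are the page's example values, not necessarily those of your disk.

```shell
#!/bin/sh
# Added example (not from the wiki): derive the dd parameters from isoinfo
# output and confirm the saved image has exactly the expected length.
LC_ALL=C; export LC_ALL

# Sample isoinfo output, using the example values shown on this page.
SAMPLE_ISOINFO='Logical block size is: 2048
Volume size is: 4135453'

# iso_geometry TEXT
# Prints "<block size> <volume size>"; fails if either value is missing
# or is not a plain decimal number.
iso_geometry() {
    printf '%s\n' "$1" | awk -F': *' '
        /^Logical block size is:/ { bs = $2; sub(/[ \t\r]+$/, "", bs) }
        /^Volume size is:/        { n  = $2; sub(/[ \t\r]+$/, "", n) }
        END {
            if (bs ~ /^[0-9]+$/ && n ~ /^[0-9]+$/) print bs, n
            else exit 1
        }'
}

# expected_bytes BS COUNT -> length in bytes of a complete image.
expected_bytes() {
    echo $(( $1 * $2 ))
}

# dd_command DEVICE OUTFILE BS COUNT -> prints the dd invocation to run.
# Pass OUTFILE as "$HOME/..." rather than a quoted "~/...": the shell does
# not expand a tilde inside quotes.
dd_command() {
    printf 'dd if=%s of=%s bs=%s count=%s status=progress\n' "$1" "$2" "$3" "$4"
}

# check_image_size FILE BS COUNT -> returns 0 only if FILE has the exact
# length BS * COUNT; a read error or an early stop leaves it shorter.
check_image_size() {
    actual=$(wc -c < "$1" | tr -d '[:space:]')
    want=$(expected_bytes "$2" "$3")
    if [ "$actual" -eq "$want" ]; then
        echo "size ok: $actual bytes"
        return 0
    fi
    echo "size mismatch: have $actual bytes, expected $want bytes"
    return 1
}

# Demonstration on the embedded sample: print the dd command to run.
set -- $(iso_geometry "$SAMPLE_ISOINFO")
dd_command /dev/sr0 "$HOME/raptordisk.iso" "$1" "$2"
```

After copying, <code>check_image_size "$HOME/raptordisk.iso" 2048 4135453</code> (with your own values) shows whether the image is complete before it is handed to gpg.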
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor includes a letter marked "Important Information" with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify, in this case Raptor's DVD;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key or by a Sales Key;<br />
* Validation of the Firmware Signing Key by the Umbrella Signing Key;<br />
* Security of Raptor's Umbrella Signing Key stored on a secure system or possibly in cold storage. <br />
* Verification of the Hash of the Signing Key via the QR Code included in Raptor's "Important Information" Letter. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.<br />
<br />
The "Key Fingerprint" is a supposedly unforgeable mathematical proof of the uniqueness of the encryption key. You may first obtain this by scanning the letter on the back under the heading '''Raptor Computing Systems GPG Key''' using any Standard QR Code Reader application. <br />
<br />
<br />
<br />
<br />
'''Umbrella Key Fingerprint'''<br />
:Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
:Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) <br />
:(Verify this fingerprint matches multiple independent sources.)<br />
<br /><br />
Additional information on validating public keys:<br />
<br /><br />
[https://www.gnupg.org/gph/en/manual/x334.html The GNU Privacy Handbook: Validating other keys on your public keyring]<br />
<br />
===How To===<br />
====Get Block and Logical Volume Sizes (Needed Later)====<br />
<code>isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'</code><br />
<pre><br />
Logical block size is: 2048<br />
Volume size is: 3871504<br />
</pre><br />
<br />
====Save ISO File (Optional)====<br />
:<code>dd if="/dev/sr0" of="source.iso" count='''<volume size>''' bs='''<block size>'''</code><br />
:<code>dd if="/dev/sr0" of="source.iso" count=3871504 bs=2048</code><br />
<br />
====Download Signature File:====<br />
:In this example we will be verifying a v1.03 disc.<br />
:Details may vary for other versions/keys, but they all should lead back to the Raptor Umbrella Signer.<br />
:<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
====Verifying ISO Signature:====<br />
Verifying ISO file:<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
Verify without saving ISO (Optional):<br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs='''<block size>''' count='''<volume size>''')</code><br />
:<code>gpg --verify talos_recovery_disk_v1.03.iso.asc <(dd if=/dev/cdrom bs=2048 count=3871504)</code><br />
<br />
===== If you see this, import the public key and verify again: =====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</pre><br />
<br />
=====Importing a Key (If Applicable)=====<br />
:<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<pre><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</pre><br />
<br />
=====Successful Verification of Signed ISO=====<br />
<pre><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.<br />
...<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</pre><br />
<br />
=====Verifying Keys=====<br />
We've verified that source.iso was signed by 101A7EF8EF283DDC (2018 Firmware Signer) <support@raptorcs.com>.<br />
<br /><br />
How do we verify that key really belongs to Raptor? <br />
<br /><br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<pre><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</pre><br />
101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F<br />
<br /><br />
<code>gpg --fingerprint 9B2BF5BD337BF51F</code><br />
<pre><br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</pre><br />
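
The manual comparison walked through above, as an added example that is not part of the original wiki page: it normalizes the fingerprint as the QR code gives it (40 hex characters, no spaces), compares it with the fingerprint gpg prints for the umbrella key, and checks that the firmware signing key lists a certification from that key's ID. The function names are hypothetical; the embedded transcripts are the gpg outputs shown on this page.

```shell
#!/bin/sh
# Added example (not from the wiki): tie the QR-scanned fingerprint to the
# umbrella key in the keyring and to the certification on the signing key.
LC_ALL=C; export LC_ALL

# Fingerprint in the form the QR code yields it (value from this page).
QR_FPR="9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F"

# Output of: gpg --fingerprint 9B2BF5BD337BF51F   (as shown on this page)
FPR_OUTPUT='pub rsa4096 2018-04-16 [SC]
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
sub rsa4096 2018-04-16 [E]'

# Output of: gpg --list-signatures 101A7EF8EF283DDC   (as shown on this page)
SIG_OUTPUT='pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>'

# normalize_fpr TEXT -> TEXT with whitespace removed and letters uppercased.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# is_full_fpr TEXT -> 0 only for exactly 40 hexadecimal characters.
# A short key ID is rejected here instead of being treated as a fingerprint.
is_full_fpr() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# extract_fpr LISTING -> first line of the listing that is a full fingerprint.
extract_fpr() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        cand=$(normalize_fpr "$line")
        if is_full_fpr "$cand"; then
            printf '%s\n' "$cand"
            break
        fi
    done
}

# long_keyid FPR -> the 16-character key ID, i.e. the last 16 hex digits.
long_keyid() {
    printf '%s\n' "$1" | cut -c25-40
}

# signed_by LISTING KEYID -> 0 if any "sig" line names KEYID as the signer.
signed_by() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "sig" { for (i = 2; i <= NF; i++) if ($i == id) found = 1 }
        END { exit !found }'
}

# verify_chain SCANNED FPR_LISTING SIG_LISTING
# Returns 0 when the scanned fingerprint equals the keyring fingerprint and
# the signing key lists a certification from that key; 1 on a mismatch;
# 2 when the scanned value is not a 40-hex fingerprint at all.
verify_chain() {
    scanned=$(normalize_fpr "$1")
    is_full_fpr "$scanned" || { echo "scanned value is not a 40-hex fingerprint"; return 2; }
    keyring=$(extract_fpr "$2")
    [ "$scanned" = "$keyring" ] || { echo "fingerprint mismatch"; return 1; }
    signed_by "$3" "$(long_keyid "$scanned")" || { echo "no certification from umbrella key"; return 1; }
    echo "chain ok"
}

verify_chain "$QR_FPR" "$FPR_OUTPUT" "$SIG_OUTPUT"
```

The listing only shows which key IDs claim to have certified the key; <code>gpg --check-signatures</code> additionally verifies those certifications cryptographically.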
<br />
<br />
<br />
<br />
<br />
<br />
==Scraps==<br />
This section is just for WIP<br />
<br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code></div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1383Verifying DVDs2018-08-17T22:41:08Z<p>Peter Easton: /* How to Verify a Raptor Computing Systems Source DVD */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
Verifying the integrity of your recovery disk<br />
<br />
You will need: <br />
* isoinfo. This is a handy little utility which will print the information about a CD that you will need to copy the disk in the exact condition in which it was burned. isoinfo is available through the package manager of most Linux distributions. <br />
* GnuPG, which is usually invoked from the commandline with the command <code>gpg</code>. By default, almost every Linux distribution should have GnuPG which provides the necessary functions for handling cryptography. <br />
* The letter marked "Important Information" that came in the box with your Talos II. This should have three QR codes on it, one at the front, and two at the back. <br />
* A computer that you can trust to verify the integrity of the Talos. This could be an old Pentium IV you have buried away in your basement that has no networking adapter and is running an operating system installation you consider trustworthy, or an X60 laptop running coreboot from 2005. <br />
* A device that is capable of scanning QR codes that you trust. This could be an old Samsung Galaxy S2 running Replicant that has had cellular antennas removed. <br />
<br />
What we will do:<br />
* We will first copy the CD image to someplace on your drive on your secure, trustworthy computer. Because signing and verification only works if the copying is exact, we will use the Unix utility "data definition" to do it after finding out the information on the image. <br />
* Once the drive is copied, we will scan the letter for its QR codes to obtain the PGP Key Fingerprints for the respective keys and copy them down.<br />
* With the PGP key fingerprints scanned, we will then retrieve the keys from Raptor's website or from a PGP Public Key server of our choice via the Internet.<br />
* We will then validate the Chain of Trust (see: Chain Of Trust, Section 2) to ensure that the key is genuine and valid, and opt to trust the key. <br />
* Once the chain of trust is valid, we will verify the digital signature on the CD image. If GnuPG verifies that the signature is valid and from a trusted key, we can be reasonably confident that Raptor authorized the sending of the CD image, and it has not been modified since. <br />
<br />
<br />
When the cd image was signed by Raptor, it was signed in a specific condition. You will need to reproduce this condition exactly right down to the last bit, or the verification will fail and produce a "Bad Signature" error. To do so, we will first need to obtain the information about the drive to supply the right parameters to copy the drive. <br />
<br />
<br />
'''Heads-up!''' If you get an error that says <code>isoinfo: command not found</code> then the correct package has not been installed on your system. If you do not have it, on Debian-based systems such as Ubuntu or Linux Mint, you may obtain them with the command <code>sudo apt install genisoimage</code> which should automatically download and install isoinfo and its dependencies on your system.<br />
<br />
<br />
This tutorial assumes that your cd rom device entry is listed as <code>/dev/cdrom</code>. However, some systems may not have the symbolic link of /dev/cdrom to /dev/sr0. You may check to see which device entry your DVD or BD ROM is by inserting the disk, and typing without any other arguments <code>mount | grep udf</code> which will display all the device entries associated with handling the currently inserted disks. The device entry will be the first entry listed, for example: <br />
<br />
<code><br />
user@trustedsystem:~$ mount | grep udf<br />
/dev/sr0 on /media/cdrom0 type udf </code><br />
<br />
In this tutorial, we will use /dev/sr0.<br />
<br />
We will be looking for two specific items here: Logical Block Size and Volume Size, which will become the parameters we then pass on to Data Definition. To make this easier for the end user, we can use grep to search through the entire output text and print only the information we want with the following command. <br />
This should return two lines: one number representing the logical block size, and the other number representing the volume size, in blocks.<br />
<br />
<br />
<code>user@trustedsystem:~$ isoinfo -d -i /dev/sr0 | grep -E 'Logical block size|Volume size'<br />
<br />
Logical block size is: 2048<br />
<br />
Volume size is: 4135453</code><br />
<br />
'''STOP!''' Do not simply enter the values obtained on the Wiki blindly. The values for Logical Block Size and Volume size shown here are listed as being for example only, and may change depending on which version of the disk you were supplied with. Always double check your command syntax prior to entering it. Each person's system will be slightly different, so ensure you do what is right for your system, not just what is listed on the wiki page. <br />
<br />
With this information now known, we will now begin deterministic copying of the CD via the data definition (or define data) tool, <code>dd</code>. dd is a utility that has been a part of all Unix-like operating systems since approximately 1985. dd mainly utilizes two parameters, the input file, which is specified by "if", and the output file specified by "of", and will bitwise copy from the input file to the output file, along with any parameters we want to set, such as the block size, and the volume size. We will then set the parameters as such:<br />
*Input file, or <code>if=</code> The input file should be the device entry for your CD ROM, which we obtained earlier by searching for the mounted media of the type "udf". In our example, we are using /dev/sr0<br />
*Output file, or <code>of=</code> The output file is the clone we will copy to the disk to verify. Here, we will put it in your home directory, with the filename "raptordisk.iso" or the absolute filename "~/raptordisk.iso"<br />
*Block Size or <code>bs=</code> The block size will be the number indicated by "Logical block size" as given by isoinfo.<br />
*Volume Size, or <code>count=</code> The volume size is the exact size of the entire volume, in number of blocks. <br />
For our example, our command syntax will be the following. To include a progress meter, simply include "status=progress" to let the computer know you wish to view the progress of the copy being made in real time. This will produce an exact clone of the disk to your home directory under the name "raptordisk.iso".<br />
<br />
<br />
<code>dd if="/dev/sr0" of="$HOME/raptordisk.iso" count=4135453 bs=2048 status=progress</code><br />
<br />
<br />
'''STOP!''' dd is a powerful tool intended for low-level, bitwise copying of the actual ones and zeroes on the disk or media. The dd command is intended to restore backups and make exact clones of data, but can also be repurposed for secure erasure of hard drives. With great power comes great responsibility: ensure that the input file and output file denoted by "<code>if=</code>" and "<code>of=</code>" respectively are the files you really want to read and write. Never specify an output file that you do not intend to overwrite! <br />
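<br />
One way to avoid retyping the two numbers by hand is to derive the <code>dd</code> parameters from the <code>isoinfo</code> output and then confirm that the copy has exactly the expected length. This is an added example, not part of the original guide; the function names and the sample <code>isoinfo</code> text are assumptions made for illustration.<br />

```shell
# Added example (not from the guide): derive bs= and count= for dd from
# `isoinfo -d` output, then check that the copied image has the right length.

# Constructed sample of `isoinfo -d -i /dev/sr0` output. The two numbers are
# the guide's example values; the other lines are placeholders.
sample_isoinfo() {
  cat <<'EOF'
CD-ROM is in ISO 9660 format
Volume id: EXAMPLE_DISC
Logical block size is: 2048
Volume size is: 4135453
EOF
}

# Read isoinfo output on stdin and print "<block size> <volume size>".
# Fails if either field is missing or is not a plain positive integer.
iso_geometry() {
  awk -F': *' '
    /^Logical block size is:/ { bs = $2 }
    /^Volume size is:/        { n  = $2 }
    END {
      if (bs !~ /^[1-9][0-9]*$/ || n !~ /^[1-9][0-9]*$/) exit 1
      print bs, n
    }'
}

# Read isoinfo output on stdin and print the matching dd arguments.
dd_args() {
  geo=$(iso_geometry) || return 1
  printf 'bs=%s count=%s\n' "${geo% *}" "${geo#* }"
}

# Exact byte length a complete copy must have.
expected_bytes() {   # usage: expected_bytes <block size> <volume size>
  echo $(( $1 * $2 ))
}

# Succeed only if the image is exactly bs*count bytes long. A shorter file
# means dd stopped early (read error, wrong count), and a signature check on
# it would fail for reasons that have nothing to do with tampering.
image_length_ok() {  # usage: image_length_ok <image> <block size> <volume size>
  actual=$(wc -c < "$1") || return 1
  [ "$actual" -eq "$(expected_bytes "$2" "$3")" ]
}

# Typical use on a real disc (review the printed arguments before running dd):
#   isoinfo -d -i /dev/sr0 | dd_args
#   image_length_ok "$HOME/raptordisk.iso" 2048 4135453 && echo "length OK"
```
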
<br />
<br />
<br />
<br />
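Once created, you may verify the ISO with GPG, substituting the name of your own image (<code>raptordisk.iso</code> in the example above) for <code>source.iso</code>:<br />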
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
==Using gnupg to Verify The Chain of Trust Back to Raptor==<br />
<br />
Note: Your ISO will most likely not be signed with the same key/fingerprint that is included in your letter. However, it is possible to trace the signatures all the way back to the master signing key from Raptor. <br />
<br />
Brief overview of the signing chain hierarchy:<br />
ISO<br />
Signed by intermediate key.<br />
Signed by Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
Fingerprint (9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F) (Verify this against your letter and others in IRC channel!)<br />
<br />
'''Find your iso version from your letter and download the correct signature file''' from https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/<br />
<br />
In this example we will be using v1.03. The actual keys differ for other versions.<br />
<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code><br />
<br />
It is assumed that your iso has already been saved as source.iso. If you have not done so, please dump your iso using the directions above.<br />
<br />
'''Verify the iso signature:'''<br />
<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
<br />
'''If you see this message, you need to import the signing key:'''<br />
<code><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Can't check signature: No public key<br />
</code><br />
<br />
<br />
'''You can import this signing key like this:'''<br />
<code>gpg --recv-keys 101A7EF8EF283DDC</code><br />
<br />
<br />
'''Which will return something like:'''<br />
<code><br />
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported<br />
gpg: no ultimately trusted keys found<br />
gpg: Total number processed: 1<br />
gpg: imported: 1<br />
</code><br />
<br />
<br />
'''After you have the signing key you can attempt to verify the iso again.'''<br />
<code>gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso</code><br />
<br />
'''Now you should see something like (Note: Some isos are signed by sales@raptorcs.com and others are signed by support@raptorcs.com):'''<br />
<code><br />
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT<br />
gpg: using RSA key 101A7EF8EF283DDC<br />
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]<br />
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted<br />
0 messages.<br />
gpg: Warning: we've only seen one message signed using this key and user id!<br />
gpg: Warning: you have yet to encrypt a message to this key!<br />
gpg: Warning: if you think you've seen more signatures by this key and user<br />
id, then this key might be a forgery! Carefully examine the email address<br />
for small variations. If the key is suspect, then use<br />
gpg --tofu-policy bad D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
to mark it as being bad.<br />
gpg: WARNING: This key is not certified with sufficiently trusted signatures!<br />
gpg: It is not certain that the signature belongs to the owner.<br />
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC<br />
</code><br />
<br />
<br />
'''Great, now we've verified that this ISO was signed by support@raptorcs.com, but how do we know that the key that signed the ISO belongs to Raptor? In this case, the ISO was signed by 101A7EF8EF283DDC.'''<br />
<code>gpg --list-signatures 101A7EF8EF283DDC</code><br />
<br />
<br />
'''Shows you what this key was signed by:'''<br />
<code><br />
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]<br />
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC<br />
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]<br />
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com><br />
</code><br />
<br />
<br />
Here we can see that 101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>.<br />
<code><br />
gpg --fingerprint 9B2BF5BD337BF51F<br />
pub rsa4096 2018-04-16 [SC]<br />
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F<br />
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com><br />
sub rsa4096 2018-04-16 [E]<br />
</code><br />
<br />
<br />
Again, verify this fingerprint against the letter you received and with others in IRC.<br />
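<br />
The comparison described above can be scripted so that it fails closed. Note that <code>gpg --list-signatures</code> only lists certifications, while <code>gpg --check-signatures</code> also verifies them and marks good ones with <code>!</code>. The following is an added example, not part of the original guide: the function names are assumptions, and the sample listings are constructed (only the key IDs and the two fingerprints are taken from the output quoted above).<br />

```shell
# Added example (not from the guide): check that the umbrella key in the
# keyring matches the fingerprint from the letter, and that it has a verified
# certification on the key that signed the ISO.

# Constructed samples of `gpg --with-colons` output. Key IDs and fingerprints
# are those quoted in the guide; timestamps and other fields are placeholders.
sample_umbrella() {  # gpg --with-colons --fingerprint 9B2BF5BD337BF51F
  cat <<'EOF'
pub:m:4096:1:9B2BF5BD337BF51F:1523836800:::-:::scESC:
fpr:::::::::9C2A6E8FAEA7EE921EFD48919B2BF5BD337BF51F:
uid:m::::1523836800::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>:
EOF
}
sample_signer() {    # gpg --with-colons --check-signatures 101A7EF8EF283DDC
  cat <<'EOF'
pub:m:4096:1:101A7EF8EF283DDC:1524614400:1547942400::-:::scESC:
fpr:::::::::D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC:
uid:m::::1524614400::::Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>:
sig:!::1:101A7EF8EF283DDC:1524614400::::Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>:13x:
sig:!::1:9B2BF5BD337BF51F:1524614400::::Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>:10x:
EOF
}

# Normalise a fingerprint: strip whitespace, uppercase, and require exactly
# 40 hex digits. Accepts both the raw QR-code form and gpg's spaced form.
norm_fpr() {
  f=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF')
  case $f in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#f}" -eq 40 ] || return 1
  printf '%s\n' "$f"
}

# Fingerprint of the primary key: the first fpr record after the pub record
# (later fpr records belong to subkeys).
primary_fpr() {
  awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }'
}

# Succeed if the listing on stdin has a signature from long key ID $1 that
# gpg marked good ("!"). With --list-signatures that field is empty, so
# unverified listings are rejected.
certified_by() {
  awk -F: -v id="$1" '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 }
                      END { exit !ok }'
}

# chain_ok <fingerprint from letter> <umbrella listing file> <signer listing file>
chain_ok() {
  want=$(norm_fpr "$1") || return 1
  have=$(norm_fpr "$(primary_fpr < "$2")") || return 1
  [ "$want" = "$have" ] || return 1
  # The long key ID of a v4 key is the last 16 hex digits of its fingerprint.
  id=$(printf '%s' "$have" | cut -c25-40)
  certified_by "$id" < "$3"
}

# Typical use (the fingerprint argument is typed in from the letter):
#   gpg --with-colons --fingerprint 9B2BF5BD337BF51F > umbrella.txt
#   gpg --with-colons --check-signatures 101A7EF8EF283DDC > signer.txt
#   chain_ok "<fingerprint from letter>" umbrella.txt signer.txt && echo "chain OK"
```
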
<br />
==The Chain of Trust==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the QR code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1320Verifying DVDs2018-08-12T06:21:10Z<p>Peter Easton: /* How to Verify a Raptor Computing Systems Source DVD */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for <code>/dev/sr0</code>. Insert the source DVD into the drive before beginning.<br />
<br />
<code>isoinfo -d -i /dev/sr0</code><br />
<br />
Look for the "Block size" and "Volume size" values, then create the ISO image using <code>dd</code>:<br />
<br />
<code>dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size></code><br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
==The Chain of Trust==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the QR code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1319Verifying DVDs2018-08-12T06:20:57Z<p>Peter Easton: /* How to Verify a Raptor Computing Systems Source DVD */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: ''The Chain Of Trust.'' You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware. <br />
<br />
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for <code>/dev/sr0</code>. Insert the source DVD into the drive before beginning.<br />
<br />
<code>isoinfo -d -i /dev/sr0</code><br />
<br />
Look for the "Block size" and "Volume size" values, then create the ISO image using <code>dd</code>:<br />
<br />
<code>dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size></code><br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
==The Chain of Trust==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the QR code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1318Verifying DVDs2018-08-12T06:15:11Z<p>Peter Easton: /* The Chain of Trust */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a sheet of paper with a link to the associated GPG signature file in both QR code and plain text form. You will need a copy of this signature file along with an extracted ISO image from the DVD to verify authenticity.<br />
<br />
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for <code>/dev/sr0</code>. Insert the source DVD into the drive before beginning.<br />
<br />
<code>isoinfo -d -i /dev/sr0</code><br />
<br />
Look for the "Block size" and "Volume size" values, then create the ISO image using <code>dd</code>:<br />
<br />
<code>dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size></code><br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
==The Chain of Trust==<br />
<br />
Digital signatures offer sender authentication (a guarantee of who sent the message) as well as provide message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the QR code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1317Verifying DVDs2018-08-12T06:13:24Z<p>Peter Easton: /* How to Verify a Raptor Computing Systems Source DVD */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a sheet of paper with a link to the associated GPG signature file in both QR code and plain text form. You will need a copy of this signature file along with an extracted ISO image from the DVD to verify authenticity.<br />
<br />
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for <code>/dev/sr0</code>. Insert the source DVD into the drive before beginning.<br />
<br />
<code>isoinfo -d -i /dev/sr0</code><br />
<br />
Look for the "Block size" and "Volume size" values, then create the ISO image using <code>dd</code>:<br />
<br />
<code>dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size></code><br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
==The Chain of Trust==<br />
<br />
Digital signatures offer sender authentication (meaning who sent the message) as well as provide message integrity (meaning that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, a potential adversary could simply change the keys and replace the signatures on the disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function; the QR code simply gives the raw 40-character fingerprint without spaces or comma separation. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Verifying_DVDs&diff=1316Verifying DVDs2018-08-12T06:12:29Z<p>Peter Easton: /* How to Verify a Raptor Computing Systems Source DVD */</p>
<hr />
<div>== How to Verify a Raptor Computing Systems Source DVD ==<br />
<br />
Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.<br />
<br />
Shipments of the Talos II systems include both the source DVD and a sheet of paper with a link to the associated GPG signature file in both QR code and plain text form. You will need a copy of this signature file along with an extracted ISO image from the DVD to verify authenticity.<br />
<br />
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for <code>/dev/sr0</code>. Insert the source DVD into the drive before beginning.<br />
<br />
<code>isoinfo -d -i /dev/sr0</code><br />
<br />
Look for the "Block size" and "Volume size" values, then create the ISO image using <code>dd</code>:<br />
<br />
<code>dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size></code><br />
<br />
Once created, you may verify the ISO with GPG:<br />
<br />
<code>gpg --verify <GPG signature file> source.iso</code><br />
<br />
<br />
'''Verify Without Saving ISO:'''<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)</code><br />
<br />
<br />
E.g.<br />
<br />
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code><br />
<br />
<br />
'''The Chain of Trust'''<br />
<br />
Digital signatures offer sender authentication (meaning who sent the message) as well as provide message integrity (meaning that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to who it purports to belong to. If this condition is not met, a potential adversary could simply change the keys and replace the signatures on the disk with one of their own, then impersonate the sender to recipient or vice-versa.<br />
<br />
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common. <br />
<br />
As an alternative to this, Raptor has included a letter marked "Important Information" that is included with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function. <br />
<br />
This forms something of a chain of trust that looks like the following:<br />
<br />
* You and the message you wish to verify;<br />
* Genuineness of the message attested by the Digital Signature;<br />
* Production of the Digital Signature using the Firmware Signing Key;<br />
* Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input. <br />
<br />
The digital signatures provided by Raptor's Website, as well as the copies of the keys may then be obtained from an untrusted source, such as via the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-starboard-below.jpg&diff=1209File:Morgans-revenge-starboard-below.jpg2018-08-06T01:46:27Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-starboard-dark.jpg&diff=1208File:Morgans-revenge-starboard-dark.jpg2018-08-06T01:46:00Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-starboard-closeup.jpg&diff=1207File:Morgans-revenge-starboard-closeup.jpg2018-08-06T01:45:06Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-starboard.jpeg&diff=1206File:Morgans-revenge-starboard.jpeg2018-08-06T01:44:33Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-bow-dark.jpg&diff=1205File:Morgans-revenge-bow-dark.jpg2018-08-06T01:43:52Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=File:Morgans-revenge-bow.jpg&diff=1204File:Morgans-revenge-bow.jpg2018-08-06T01:43:19Z<p>Peter Easton: Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</p>
<hr />
<div>Yarr! Raise the black flag aboard the good ship, /Morgan's Revenge!/ It be time to plunder the oceans!</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1151Talos II Beginner's Quick Start Guide2018-07-25T02:17:21Z<p>Peter Easton: /* First Steps */</p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
The laptop used in this tutorial for access and provisioning of the Open [[BMC|Baseboard Management Controller]] (which is referred to as the "[[OpenBMC]]," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a remote management password set default from the factory. As the [[BMC|Baseboard Management Controller]] is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.<br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.<br />
* Connect a computer to the Talos II via Ethernet cable.<br />
* Configure a static IP address on the networking interface.<br />
* Configure the second computer to use a static IP address.<br />
* Connect the Talos II's Open Baseboard Management Controller from the other computer via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.''<br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.<br />
* A VGA computer monitor and cable.<br />
* A keyboard and mouse for the Talos.<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date).<br />
<br />
'''Heads Up!'''<br />
''By default, the Talos assumes that you are booting the computer remotely via the BMC, rather than standing at the computer pushing the button. This is a use case that is typical for when the Talos is operating in a secured environment like a datacenter or a physically locked and secured server rack, and you cannot simply walk in and plug a monitor into it to see it boot. The first time you boot it, the screen will be completely black until the Petitboot loads. If you would like to see the boot log on startup displayed on the monitor plugged into the integrated Video Graphics Adapter, as would be typical of a home or desktop machine, rather than sent to a serial console, you can change this option under the '''System configuration''' menu once the Petitboot loads, as described in the next section.''<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this should be best avoided for security reasons until the BMC has a password. The next step is to configure the Talos with a Static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up.<br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface. <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it so that the interface uses a static IP, using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done, either by the mac address of your router, or your IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1". <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: Static Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
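A scripted version of that final check, added here as an example and not part of the original guide: it parses the `ipmitool lan print 1` listing and reports an address source that is still DHCP, an unexpected IP address, or a gateway outside the configured subnet. The function names and both sample listings are constructed; the field names are the ones shown above.

```shell
#!/bin/sh
# Added example: sanity-check an `ipmitool lan print 1` listing.

# lan_field KEY (listing on stdin) -> value of the first "KEY : value" line.
# Whitespace around key and value is trimmed, so aligned output also parses.
lan_field() {
    awk -v key="$1" '
    {
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# same_subnet IP_A IP_B NETMASK
# Exit status: 0 same network, 1 different network, 2 malformed input
# (bad octet, or a netmask whose one-bits are not contiguous).
same_subnet() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk '
    {
        if (split($1, a, ".") != 4 || split($2, b, ".") != 4 ||
            split($3, m, ".") != 4) exit 2
        ones = 1                       # still inside the run of 255 octets
        for (i = 1; i <= 4; i++) {
            if (a[i] !~ /^[0-9]+$/ || b[i] !~ /^[0-9]+$/ ||
                m[i] !~ /^[0-9]+$/) exit 2
            if (a[i] > 255 || b[i] > 255) exit 2
            block = 256 - m[i]         # addresses per network in this octet
            # A valid mask octet is 256 - 2^k; after the first octet that is
            # not 255, every remaining octet must be 0.
            if (index(" 1 2 4 8 16 32 64 128 256 ", " " block " ") == 0) exit 2
            if (!ones && m[i] != 0) exit 2
            if (m[i] != 255) ones = 0
            if (int(a[i] / block) != int(b[i] / block)) exit 1
        }
        exit 0
    }'
}

# check_bmc_lan LISTING EXPECTED_IP
# Prints one line per finding; exit status is the number of findings.
check_bmc_lan() {
    listing=$1 want_ip=$2 problems=0
    src=$(printf '%s\n' "$listing" | lan_field 'IP Address Source')
    ip=$(printf '%s\n' "$listing" | lan_field 'IP Address')
    mask=$(printf '%s\n' "$listing" | lan_field 'Subnet Mask')
    gw=$(printf '%s\n' "$listing" | lan_field 'Default Gateway IP')

    case "$src" in
        Static*) ;;
        *) echo "address source is '$src', not static"
           problems=$((problems + 1)) ;;
    esac
    if [ "$ip" != "$want_ip" ]; then
        echo "IP address is '$ip', expected '$want_ip'"
        problems=$((problems + 1))
    fi
    rc=0; same_subnet "$ip" "$gw" "$mask" || rc=$?
    case "$rc" in
        0) ;;
        1) echo "gateway $gw is outside the subnet of $ip ($mask)"
           problems=$((problems + 1)) ;;
        *) echo "address, gateway or netmask is malformed"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed listings, trimmed to the fields that are checked.
SAMPLE_STATIC='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.168.0.42
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 192.168.0.1'

SAMPLE_STILL_DHCP='Set in Progress: Set Complete
IP Address Source: DHCP Address
IP Address: 192.168.0.42
Subnet Mask: 255.255.255.0
Default Gateway IP: 192.168.1.1'
```

On the direct cable link used in this tutorial no traffic is routed through the gateway, so a gateway finding is informational there; an address source other than static means the `ipsrc` change did not take effect.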
<br />
The OpenBMC is now ready to be connected to via Secure Shell. <br />
<br />
===Preparing The Client===<br />
Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".<br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and change the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your secondary computer and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that to the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), followed by the name of the login and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following prompt will be produced the first time you connect. <br />
<pre><br />
The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] <br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).<br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to Shell" or press and release "x" to escape back to the commandline. <br />
<pre><br />
/#</pre><br />
<br />
You are now ready to change the password. <br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you ''absolutely'' trust not to capture or steal it.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password is important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-character, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
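The arithmetic above, and one way to draw the words without bias, as an added example that is not part of the original guide. The word list path is an assumption (any file with one word per line, duplicates removed), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare search spaces and draw a passphrase from a word list.
#
# Typical use (the word list path is an assumption, adjust for your system):
#   entropy_bits 52 10                          # 10 random characters
#   entropy_bits 51000 6                        # 6 random dictionary words
#   make_passphrase /usr/share/dict/words 6

# entropy_bits CHOICES PICKS -> bits of entropy of PICKS independent, uniformly
# random selections from CHOICES options, i.e. PICKS * log2(CHOICES).
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# random_below N -> uniform integer in [0, N), read from /dev/urandom.
# A plain "random % N" favours small values whenever 2^32 is not a multiple
# of N, so draws at or above the largest multiple of N are discarded.
# Assumes 64-bit shell arithmetic.
random_below() {
    n=$1
    [ "$n" -ge 1 ] && [ "$n" -le 4294967295 ] || return 1
    limit=$(( 4294967296 / n * n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# make_passphrase WORDLIST [COUNT] -> COUNT words separated by spaces.
# Every word is drawn independently, so repeats are possible; that is what
# makes the entropy estimate above hold.
make_passphrase() {
    list=$1 count=${2:-6}
    total=$(grep -c . "$list") || return 1      # fails on an empty list
    phrase=
    i=0
    while [ "$i" -lt "$count" ]; do
        pick=$(random_below "$total") || return 1
        word=$(awk -v want="$((pick + 1))" \
            'NF { n++ } NF && n == want { print; exit }' "$list")
        phrase="${phrase:+$phrase }$word"
        i=$((i + 1))
    done
    printf '%s\n' "$phrase"
}
```

Run the generator on the trustworthy computer only, and remember that the estimate describes the list actually used: six words from a 2,000-word list give about 66 bits, not 94.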
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
/# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
When you are finished, the password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre> /# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1146Talos II Beginner's Quick Start Guide2018-07-21T16:41:25Z<p>Peter Easton: </p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
The laptop used in this tutorial for access and provisioning of the Open [[BMC|Baseboard Management Controller]] (which is referred to as the "[[OpenBMC]]," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a remote management password set default from the factory. As the [[BMC|Baseboard Management Controller]] is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.<br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.<br />
* Connect a computer to the Talos II via Ethernet cable.<br />
* Configure a static IP address on the networking interface.<br />
* Configure the second computer to use a static IP address.<br />
* Connect the Talos II's Open Baseboard Management Controller from the other computer via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.''<br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.<br />
* A VGA computer monitor and cable.<br />
* A keyboard and mouse for the Talos.<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date)<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this should be best avoided for security reasons until the BMC has a password. The next step is to configure the Talos with a Static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up.<br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface. <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it so that the BMC uses a static IP, using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done: either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, substitute "ipaddr" with "macaddr" and enter the MAC address instead of the IP address. Lastly, check that the computer recognized your settings with "ipmitool lan print 1".<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: Static Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
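A consistency check for the settings above, as an added example that is not part of the original guide. It parses `ipmitool lan print 1` output and confirms that the address source is static and that the BMC and the client share a subnet; the function names are hypothetical and the sample output is constructed from the addresses this guide uses.

```python
import ipaddress

# Constructed sample in the "Field : value" layout that ipmitool prints,
# using the addresses chosen in this guide.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Enable        : Callback : MD5
                        : User     : MD5
IP Address Source       : Static Address
IP Address              : 192.168.0.42
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 192.168.1.1
"""


def parse_lan_print(text):
    """Return {field: value} for every 'Field : value' line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:  # continuation lines (": User : MD5") have no key
            fields[key] = value.strip()
    return fields


def check_bmc_lan(text, client_ip):
    """Return (errors, warnings) for the static setup described in the guide."""
    fields = parse_lan_print(text)
    errors, warnings = [], []

    source = fields.get("IP Address Source", "")
    if not source.lower().startswith("static"):
        errors.append("IP Address Source is %r, expected Static Address" % source)

    try:
        bmc = ipaddress.ip_interface(
            "%s/%s" % (fields["IP Address"], fields["Subnet Mask"]))
        client = ipaddress.ip_address(client_ip)
    except (KeyError, ValueError) as exc:
        errors.append("cannot read addresses: %s" % exc)
        return errors, warnings

    if client == bmc.ip:
        errors.append("client and BMC both use %s" % client)
    elif client not in bmc.network:
        errors.append("client %s is outside BMC subnet %s" % (client, bmc.network))

    # An off-subnet gateway does not affect the direct cable link, but the BMC
    # cannot reach such a gateway once it is moved to a routed network.
    gateway = fields.get("Default Gateway IP", "0.0.0.0")
    try:
        if gateway != "0.0.0.0" and ipaddress.ip_address(gateway) not in bmc.network:
            warnings.append("default gateway %s is outside %s" % (gateway, bmc.network))
    except ValueError:
        warnings.append("default gateway %r is not an IP address" % gateway)
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_bmc_lan(SAMPLE_LAN_PRINT, "192.168.0.43")
    for message in errs:
        print("ERROR:", message)
    for message in warns:
        print("WARNING:", message)
```

With the values used in this guide the check reports no errors and one warning: the gateway 192.168.1.1 lies outside 192.168.0.0/24.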
<br />
The OpenBMC is now ready to be connected to via Secure Shell. <br />
<br />
===Preparing The Client===<br />
Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".<br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and set the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your secondary computer and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that to the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), followed by the name of the login and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following error message will be produced the first time. <br />
<pre><br />
The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] <br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
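
The fingerprint comparison described above, as an added example that is not part of the original guide. It recomputes the SHA256 fingerprint that the ssh prompt displays from a public key line read on the machine's own console, then compares the two. The function names are hypothetical, the key line is built from dummy bytes, and where the SSH server stores its public host key is not given in this guide.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack(">I", len(data)) + data


def make_constructed_key_line(filler=0):
    """Build a well-formed public key line from dummy bytes (not a real key)."""
    blob = (ssh_string(b"ecdsa-sha2-nistp256")
            + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + bytes(range(filler, filler + 64))))
    return "ecdsa-sha2-nistp256 %s root@bmc" % base64.b64encode(blob).decode()


def fingerprint(pubkey_line):
    """Return the 'SHA256:...' fingerprint of a 'type base64 [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected 'type base64-key [comment]'")
    key_type, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        # The blob carries its own type; a mismatch means a damaged or edited line.
        raise ValueError("key type %r does not match blob type %r" % (key_type, embedded))
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_prompt(pubkey_line, shown_fingerprint):
    """True only if the key on the machine is the key the ssh prompt showed."""
    return fingerprint(pubkey_line) == shown_fingerprint.strip()


if __name__ == "__main__":
    line = make_constructed_key_line()
    shown = fingerprint(line)  # stands in for the value in the ssh prompt
    print(shown, matches_prompt(line, shown))
    print(matches_prompt(make_constructed_key_line(filler=1), shown))
```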
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).<br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to Shell" or press and release "x" to escape back to the commandline. <br />
<pre><br />
/#</pre><br />
<br />
You are now ready to change the password. <br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you ''absolutely'' trust not to capture or steal it.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password is important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-character, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
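
The comparison above, carried through as an added example that is not part of the original guide. It draws words with the operating system's cryptographic random source instead of key mashing, and works out how many words from a list of a given size match a target strength. The function names are hypothetical and the sixteen-word list is a constructed stand-in for a real dictionary.

```python
import math
import secrets

# Constructed miniature word list so the example runs offline. A real list
# should hold thousands of words (the guide cites 51,000).
DEMO_WORDS = [
    "anchor", "barrel", "compass", "doubloon", "ember", "fathom",
    "galleon", "harbor", "island", "jetsam", "keel", "lantern",
    "mast", "nautical", "oar", "parrot",
]


def entropy_bits(choices, length):
    """Bits of entropy when each of `length` positions is drawn uniformly
    and independently from `choices` possibilities."""
    return length * math.log2(choices)


def words_needed(wordlist_size, target_bits):
    """Smallest number of uniformly chosen words reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, count, separator=" "):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    unique = sorted(set(words))  # duplicates would skew the distribution
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    return separator.join(secrets.choice(unique) for _ in range(count))


if __name__ == "__main__":
    password_bits = entropy_bits(52, 10)       # the 10-character password
    phrase_bits = entropy_bits(51000, 6)       # the six-word passphrase
    print("10 random characters: %.1f bits" % password_bits)
    print("6 random words:       %.1f bits" % phrase_bits)
    print("words needed to match the password:",
          words_needed(51000, password_bits))
    # The demo list is far too small for real use: 6 words give only 24 bits.
    print("demo list, 6 words:   %.1f bits" % entropy_bits(len(DEMO_WORDS), 6))
    print("sample:", generate_passphrase(DEMO_WORDS, 6))
```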
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
/# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
When you are finished, and the password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre> /# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=User:Peter_Easton&diff=1142User:Peter Easton2018-07-21T05:01:33Z<p>Peter Easton: </p>
<hr />
<div>Ahoy matey!<br />
<br />
Yarr-har! I be a plunderin', rum-swillin' salty sea dog of the Internet! Ye can find me sailin' the seas with me shipmates at yon IRC channel '''#Talos-Workstation''', flyin the flag o' the ''JollyRoger`!''</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=User:Peter_Easton&diff=1141User:Peter Easton2018-07-21T05:00:40Z<p>Peter Easton: Created page with "Ahoy shipmates! Yarr-har! I be a plunderin', rum-swillin' salty sea dog of the Internet! Ye can find me sailin' the seas with me shipmates at yon IRC channel '''#Talos-Works..."</p>
<hr />
<div>Ahoy shipmates! <br />
<br />
Yarr-har! I be a plunderin', rum-swillin' salty sea dog of the Internet! Ye can find me sailin' the seas with me shipmates at yon IRC channel '''#Talos-Workstation''', flyin the flag o' the ''JollyRoger`!''</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1140Talos II Beginner's Quick Start Guide2018-07-21T04:42:46Z<p>Peter Easton: </p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
Access to and provisioning of the Open Baseboard Management Controller (which is referred to as the "OpenBMC," or simply the "BMC") in this tutorial were done using a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a default factory password. As the Baseboard Management Controller is used to control the computer out of band, for security reasons it is important to change the Baseboard Management Controller's default factory password as quickly as possible. <br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's basic in/out system for the Talos II.<br />
* Connect the two computers via a cable<br />
* Configure a static IP address on the networking interface.<br />
* Configure a laptop to use a static IP address.<br />
* Connect the Talos II's Open Baseboard Management Controller from the laptop via Secure SHell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos Manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.'' <br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable (Crossover cables are preferred, but not necessary as the Talos II supports automatic detection)<br />
* A VGA computer monitor and cable<br />
* A keyboard and mouse for the Talos<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, power on the laptop and get a terminal running. Connect one end of the Crossover or Ethernet cable to the laptop, then connect the other to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to talk directly to the BMC. The other is not.<br />
<br />
At this point, plug one end of the crossover or Ethernet cable into the Ethernet Port adjacent to the rear USB slots. The BMC is able to access this device. Plug the other end into the client computer you wish to use to set the password on the BMC.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date)<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this should be best avoided for security reasons until the BMC has a password. The next step is to configure the Talos with a Static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and the VGA checks out, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC, once set, remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up. Plug the network cable in: one end should go to the Ethernet port adjacent to the two rear USB ports on the Talos II, and the other, to the Ethernet port on your (hopefully secure) computer. <br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1." The BMC only has one network-enabled interface. <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it so that the BMC uses a static IP, using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because the laptop will most likely not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to count on your laptop supplying it with one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the laptop, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the laptop later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done: either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, substitute "ipaddr" with "macaddr" and enter the MAC address instead of the IP address. Lastly, check that the computer recognized your settings with "ipmitool lan print 1".<br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: Static Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
<br />
The OpenBMC is now ready to be connected to via Secure Shell. <br />
<br />
===Preparing The Client===<br />
Return to your laptop, or the other secure system you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the ssh client. <br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and set the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including using a password which is then sent to the server through the encrypted tunnel, or through the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed. <br />
<br />
Bring up the terminal on your laptop and recall that the IP address of the Talos is 192.168.0.42. We want to log in as the root user, so we pass that to the ssh command using -l to let it know that we have a specific login username that we would like to authenticate as (hence, the -l is for "login"), followed by the name of the login and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following warning will be shown the first time you connect. <br />
<pre><br />
The authenticity of host '192.168.0.42' can't be established.<br />
ECDSA key fingerprint is SHA256:[.......]<br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using ssh over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, most uses of SSH cannot assume this comfortably convenient and safe arrangement. The two computers could be located far away from each other, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that they are the genuine ones, and have not been replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman in between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
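<br />
For the remote case described above, the comparison can be done by machine instead of by eye. The following is an added example, not part of the original guide: it computes the SHA256 fingerprint that ssh displays from a public key line and compares it with a fingerprint obtained out of band. Both key lines are constructed sample data (they are not real keys and not the Talos II's key), and the function names are hypothetical.<br />

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Read one length-prefixed string from a key blob, rejecting truncation."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint of a '<type> <base64> [comment]' public key line.

    The fingerprint is the unpadded base64 of SHA-256 over the decoded key
    blob, prefixed with 'SHA256:'.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64_blob = fields[0], fields[1]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with its own copy of the key type; a mismatch means the
    # line was edited or corrupted, so refuse to fingerprint it.
    embedded_type, _ = _read_ssh_string(blob)
    if embedded_type != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(offered_line: str, trusted_fingerprint: str) -> bool:
    """True only if the offered key hashes to the out-of-band fingerprint."""
    offered = sha256_fingerprint(offered_line)
    return hmac.compare_digest(offered.encode(), trusted_fingerprint.strip().encode())


def make_constructed_ecdsa_line(point: bytes, comment: str) -> str:
    """Build a syntactically valid ecdsa-sha2-nistp256 line from dummy bytes."""
    blob = (_ssh_string(b"ecdsa-sha2-nistp256")
            + _ssh_string(b"nistp256")
            + _ssh_string(point))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample data: dummy byte patterns, not real curve points.
GENUINE_LINE = make_constructed_ecdsa_line(b"\x04" + bytes(range(64)), "bmc-constructed")
SUBSTITUTED_LINE = make_constructed_ecdsa_line(b"\x04" + bytes(range(1, 65)), "other-constructed")

# Stands in for the fingerprint read off the machine's own console or
# relayed by its administrator over a separate channel.
TRUSTED_FINGERPRINT = sha256_fingerprint(GENUINE_LINE)

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE_LINE), ("substituted", SUBSTITUTED_LINE)):
        verdict = "match" if host_key_matches(line, TRUSTED_FINGERPRINT) else "MISMATCH, do not type the password"
        print(label, sha256_fingerprint(line), verdict)
```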
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed. <br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to shell" or press and release "x" to escape back to the command line. <br />
<pre><br />
/#</pre><br />
<br />
You are now ready to change the password. <br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anyone else.<br />
* Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.<br />
* Spent passwords must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. ''When in doubt, change it out.'' Never wait for a compromise to occur before taking action if you suspect the password has been compromised.<br />
* It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password are important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found. <br />
<br />
Ideally, stop thinking of a password, and start to think of a pass ''phrase.'' Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-character, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
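<br />
The comparison above only holds if every word is drawn uniformly at random, which is what an operating-system random source provides and key mashing does not. The following added example (not part of the original guide) draws a passphrase that way, reports the entropy actually achieved by the word list in use, and works out how many words are needed to match a given password. The embedded word list is constructed and far too small for real use; the function names are hypothetical.<br />

```python
import math
import secrets


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` uniform, independent draws from `pool_size` choices."""
    if pool_size < 2 or length < 1:
        raise ValueError("need at least two choices and one draw")
    return length * math.log2(pool_size)


def words_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches `target_bits`."""
    if pool_size < 2:
        raise ValueError("need at least two words")
    return math.ceil(target_bits / math.log2(pool_size))


def clean_wordlist(raw_words):
    """Normalise a word list before drawing from it.

    Duplicates make some words more likely than others and inflate the
    entropy estimate, so they are dropped along with blank or
    non-alphabetic entries.
    """
    seen = set()
    cleaned = []
    for word in raw_words:
        word = word.strip().lower()
        if word.isalpha() and word not in seen:
            seen.add(word)
            cleaned.append(word)
    return cleaned


def generate_passphrase(words, count: int = 6) -> str:
    """Draw `count` words uniformly at random using the OS random source."""
    if len(words) < 2:
        raise ValueError("word list too small")
    return " ".join(words[secrets.randbelow(len(words))] for _ in range(count))


# Constructed sample list: 16 usable words plus a duplicate, a hyphenated
# entry and a blank, to show the cleaning step. A real list needs thousands.
CONSTRUCTED_WORDS = [
    "anchor", "Barrel", "compass", "dagger", "ember", "fathom", "galley",
    "harbor", "island", "jetty", "keel", "lantern", "mast", "net", "oar",
    "port", "anchor ", "x-ray", "",
]

if __name__ == "__main__":
    words = clean_wordlist(CONSTRUCTED_WORDS)
    print("sample passphrase:", generate_passphrase(words))
    print("bits from this %d-word list, 6 words: %.1f" % (len(words), entropy_bits(len(words), 6)))
    # The guide's own figures: 52 characters x 10, and 51,000 words x 6.
    password_bits = entropy_bits(52, 10)
    print("10 random characters from 52: %.1f bits" % password_bits)
    print("6 random words from 51,000:  %.1f bits" % entropy_bits(51000, 6))
    print("words from 51,000 needed to match the password:", words_needed(51000, password_bits))
```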
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
/# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
Once the password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre> /# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Eastonhttps://wiki.raptorcs.com/w/index.php?title=Talos_II_Beginner%27s_Quick_Start_Guide&diff=1139Talos II Beginner's Quick Start Guide2018-07-21T04:35:03Z<p>Peter Easton: A complete newbie's guide to changing the BMC Password.</p>
<hr />
<div>Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!<br />
<br />
You're just a couple steps away from being able to get up and on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. This tutorial is primarily intended to be targeted toward non-technical users that just wish to get their Talos II up and running fast, and prefer documentation to be presented in as non-intimidating a manner as possible.<br />
<br />
The access to and provisioning of the Open Baseboard Management Controller (which is referred to as the "OpenBMC," or simply the "BMC") in this tutorial were done using a Lenovo ThinkPad X200 laptop running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.<br />
<br />
=Changing The Default Factory Password=<br />
The Talos II comes with a default factory password. As the Baseboard Management Controller is used to control the computer out of band, for security reasons it is important to change the Baseboard Management Controller's default factory password as quickly as possible. <br />
<br />
In this tutorial, we will do the following:<br />
<br />
* Power on the Talos II and load Petitboot, which is analogous to a PC's Basic Input/Output System (BIOS) for the Talos II.<br />
* Connect the two computers via a cable<br />
* Configure a static IP address on the networking interface.<br />
* Configure a laptop to use a static IP address.<br />
* Connect to the Talos II's Open Baseboard Management Controller from the laptop via Secure Shell, or ssh.<br />
* Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.<br />
* Log out and reboot the Talos II.<br />
* Take our first steps into the territory of computing freedom!<br />
<br />
'''STOP!'''<br />
''The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos Manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.'' <br />
<br />
''If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)''<br />
<br />
==Before you begin...==<br />
In addition to a functioning Talos II system, you will need the following items:<br />
* A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!<br />
* An Ethernet or Crossover cable (Crossover cables are preferred, but not necessary as the Talos II supports automatic detection)<br />
* A VGA computer monitor and cable<br />
* A keyboard and mouse for the Talos<br />
==First Steps==<br />
The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.<br />
<br />
'''STOP!'''<br />
''There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!''<br />
<br />
Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, power on the laptop and get a terminal running. Connect one end of the Crossover or Ethernet Cable to the laptop, then connect the other to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to talk directly to the BMC. The other is not.<br />
<br />
At this point, plug one end of the crossover or Ethernet cable into the Ethernet Port adjacent to the rear USB slots. The BMC is able to access this device. Plug the other end into the client computer you wish to use to set the password on the BMC.<br />
<br />
After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date)<br />
<br />
===Preparing the Talos===<br />
Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this should be best avoided for security reasons until the BMC has a password. The next step is to configure the Talos with a Static IP address.<br />
<br />
'''Heads Up!'''<br />
''If you do not see the Petitboot screen come up after several minutes, and the VGA checks out, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.''<br />
<br />
You should see a screen that resembles this:<br />
<pre><br />
<br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.<br />
<br />
'''Stop!'''<br />
''Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC, once set remain set until you either unset them, reset, or flash the BMC. Abusing the BMC or the Petitboot carelessly can result in damage to the firmware files of your computer and necessitate a flash to restore damaged files. Double check each command as you enter it, and be careful.''<br />
<br />
Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.<br />
<pre><br />
Exiting petitboot. Type 'exit' to return.<br />
You may now run 'pb-sos' to gather diagnostic data<br />
/#</pre><br />
<br />
Welcome to the command shell of hostboot! The Talos is now ready to be set up. Plug the network cable in: one end should go to the Ethernet port adjacent to the two rear USB ports on the Talos II, and the other, to the Ethernet port on your (hopefully secure) computer. <br />
<br />
The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1." The BMC only has one network-enabled interface. <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: DHCP Address<br />
IP Address: ███.███.███.███<br />
Subnet Mask: ███.███.███.███<br />
Default Gateway IP: ███.███.███.███<br />
</pre><br />
You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now. <br />
<br />
This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source." We will first change it to set the computer to use a static IP using ipmitool.<br />
<pre><br />
/# ipmitool lan set 1 ipsrc static</pre><br />
<br />
Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because the laptop will most likely not be running a dhcp server, we will then change lan 1's ip address to a static IP. This way, it already will have its own address on the network and will not need to count on your laptop supplying it with one.<br />
<br />
Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the laptop, and 192.168.0.42 for the Talos BMC. <br />
<pre><br />
/# ipmitool lan set 1 ipaddr 192.168.0.42<br />
Setting LAN IP address to 192.168.0.42</pre><br />
<br />
From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the laptop later. <br />
<pre><br />
/# ipmitool lan set 1 netmask 255.255.255.0<br />
Setting LAN Subnet Mask to 255.255.255.0</pre><br />
<br />
Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done, either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1. <br />
<pre><br />
/# ipmitool lan set 1 defgw ipaddr 192.168.1.1<br />
Setting Default Gateway IP to 192.168.1.1<br />
</pre><br />
If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1". <br />
<br />
<pre> /# ipmitool lan print 1<br />
Set in Progress: Set Complete<br />
Auth Type Support: MD5<br />
Auth Type Enable: Callback : MD5<br />
: User : MD5<br />
: Operator : MD5<br />
: Admin : MD5<br />
: OEM : MD5<br />
IP Address Source: Static Address<br />
IP Address: 192.168.0.42<br />
Subnet Mask: 255.255.255.0<br />
Default Gateway IP: 192.168.1.1<br />
</pre><br />
<br />
The OpenBMC is now ready to be connected to via Secure Shell. <br />
<br />
===Preparing The Client===<br />
Return to your laptop, or the other secure system you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet." <br />
<pre><br />
root@laptop:~# ifconfig<br />
<br />
em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500<br />
lladdr ██:██:██:██:██:██<br />
index 1 priority 0 llprio 3 <br />
media: Ethernet autoselect (████████████████████████)<br />
status: active<br />
inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1<br />
inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███<br />
<br />
root@laptop:~#<br />
</pre><br />
<br />
You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.<br />
<br />
Next, we use ifconfig to give the laptop an easily memorable network address. In this case, we will set the laptop's Local Area Network IP address to 192.168.0.43 with a netmask of 255.255.255.0, by pointing ifconfig at em0 and supplying our desired IP address and network mask. On an X200 laptop running OpenBSD, the command looks like this:<br />
<pre><br />
root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0<br />
root@laptop:~#<br />
</pre><br />
<br />
The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.<br />
<pre><br />
root@laptop:~# exit<br />
user@laptop:~$<br />
</pre><br />
<br />
We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the ssh client. <br />
<br />
==Connecting to the BMC==<br />
You're now ready to remotely manage your Talos II, and change the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including a password, which is sent to the server through the encrypted tunnel, or public-key cryptography. Using public-key cryptography is stronger, safer, and more convenient, but requires that the user first transfer their public key to the computer being accessed. <br />
<br />
Bring up the terminal on your laptop and recall that the IP address of the Talos BMC is 192.168.0.42. We want to log in as the root user, so we pass -l to the ssh command to tell it which login username we would like to authenticate as (hence, the -l is for "login"), followed by the name of the login and the destination. <br />
<pre><br />
user@laptop:~$ ssh -l root 192.168.0.42<br />
</pre><br />
<br />
The following warning will be shown the first time you connect. <br />
<pre><br />
The authenticity of host '192.168.0.42' can't be established.<br />
ECDSA key fingerprint is SHA256:[.......]<br />
Are you sure you want to continue connecting? (yes/no)?<br />
</pre><br />
<br />
This tutorial assumes that we are using ssh over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, most uses of SSH cannot assume this comfortably convenient and safe arrangement. The two computers could be located far away from each other, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that they are the genuine ones, and have not been replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?<br />
<br />
In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack. <br />
<br />
However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman in between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes." <br />
<br />
You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed. <br />
<pre><br />
root@192.168.0.42's password: *******<br />
</pre><br />
<br />
If all goes well, you'll find a familiar screen!<br />
<br />
<pre><br />
Petitboot (v1.7.1-p836d356)<br />
____________________________________________<br />
<br />
*<br />
System information<br />
System configuration<br />
System status log<br />
Language<br />
Rescan devices<br />
Retrieve config from URL<br />
Plugins (0)<br />
Exit to shell<br />
<br />
____________________________________________<br />
</pre><br />
<br />
Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to shell" or press and release "x" to escape back to the command line. <br />
<pre><br />
/#</pre><br />
<br />
You are now ready to change the password. <br />
<br />
==Changing The Password==<br />
Recall the golden rules of password safety:<br />
* Passwords should never be shared with anyone except the verified and genuine owner of the password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anyone else.<br />
* Passwords must never be reused, and must be disposed of carefully. <br />
* If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over, over a network you can trust absolutely. <br />
* It is cryptographically stronger, much safer and more convenient to have a strong long-term password that you can memorize than a short one that you will need to change every 90 days. <br />
* Complexity and randomness of the password are important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. <br />
<br />
<br />
Ideally, stop thinking of a password, and start to think of a pass phrase. Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-character, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.<br />
<br />
You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it. <br />
<br />
To change the password, at the prompt, type:<br />
<pre><br />
/# passwd</pre><br />
<br />
You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt. <br />
<br />
'''STOP!'''<br />
''Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.''<br />
<br />
Once the password is verified to be working and the old password no longer works, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is: <br />
<br />
<pre> /# exit</pre><br />
<br />
If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server. <br />
<br />
Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!<br />
<br />
=Installing The Operating System=<br />
[To Be Added]<br />
<br />
=Patching, Compiling, and Installing Your Kernel=<br />
[To Be Added]<br />
<br />
=Virtual Machines=<br />
[To Be Added]</div>Peter Easton