{"title":"Cryptech Project - Releases","link":[{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/","rel":"alternate"}},{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/feeds\/releases.atom.xml","rel":"self"}}],"id":"https:\/\/wiki.cryptech.is\/","updated":"2021-10-10T23:43:00+00:00","entry":[{"title":"Release Notes","link":{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/ReleaseNotes","rel":"alternate"}},"published":"2017-05-13T19:06:00+00:00","updated":"2017-05-13T19:18:00+00:00","author":{"name":"Rob Austein"},"id":"tag:wiki.cryptech.is,2017-05-13:\/ReleaseNotes","summary":"<h2>3.0, May 2017<\/h2>\n<ul>\n<li>New keystore implementation.  Basically a very small flash filesystem, including basic wear leveling.  Maximum number of keys varies depending on key size and how many options are attached, but for any reasonable use it should hold on the order of 2,000 keys at least.<\/li>\n<li>In-memory \u2026<\/li><\/ul>","content":"<h2>3.0, May 2017<\/h2>\n<ul>\n<li>New keystore implementation.  Basically a very small flash filesystem, including basic wear leveling.  Maximum number of keys varies depending on key size and how many options are attached, but for any reasonable use it should hold on the order of 2,000 keys at least.<\/li>\n<li>In-memory keystore moved to HSM (previously was in memory of the client library), uses same API as flash keystore.<\/li>\n<li>RPC mechanism extended to support the new keystores (<code>hal_rpc_pkey_match()<\/code>, <code>hal_rpc_pkey_set_attributes()<\/code>, etc).<\/li>\n<li>PKCS #11 code rewritten to use libhal attribute mechanism, sqlite3 database gone.<\/li>\n<li>Verilog implementations of ECDSA base point multipliers for P-256 and P-384 curves, key generation and signing significantly faster than with software ECDSA implementation.<\/li>\n<li>Key backup mechanism: two more RPC functions, and a Python script <code>cryptech_backup<\/code> to drive the process.<\/li>\n<li>Private key representation changed to PKCS #8 format (a self-identifying uniform format with optional encryption, supported by many other tools).  Key backup uses encrypted form of PKCS #8.<\/li>\n<li>Default build of client software now uses a multiplexer daemon <code>cryptech_muxd<\/code> which allows multiple clients to talk to the HSM at once (packages such as OpenDNSSEC which uses multiple daemons talking to the same HSM need this).  Software can still be built for direct connection to HSM but it is no longer the default.<\/li>\n<li>New trivial script <code>cryptech_console<\/code> to talk to the HSM's management port via the multiplexer daemon; <code>cryptech_upload<\/code> now supports both direct connection and connection via the multiplexer daemon.<\/li>\n<li>Python client implementations of libhal RPC mechanism and PKCS #11 now installed as <code>cryptech.libhal<\/code> and <code>cryptech.py11<\/code>, respectively.<\/li>\n<li>Python PKCS #11 client hacked to play nicely with <code>pkcs11-spy<\/code> debugging tool.<\/li>\n<li>RTOS replaced by simple non-preemptive (voluntary yield) tasking system, eliminating a huge morass of potential race conditions, debugging nightmares, priority inversions, and similar horrors.  Lack of preemption means that console acess may have to wait for something else to yield the ARM CPU, but it's more than worth it to get rid of all the stability problems the RTOS was causing.<\/li>\n<li><a href=\"https:\/\/git.cryptech.is\/user\/sra\/openssl-engine\/about\">Sample code for using the HSM as an OpenSSL engine<\/a> is available.  This only works with RSA for the moment, due to apparent limitations of the engine implementation.<\/li>\n<\/ul>\n<p>Getting started with 3.0:<\/p>\n<ul>\n<li><a href=\"https:\/\/wiki.cryptech.is\/BinaryPackages\">Install the software<\/a>.<\/li>\n<li><a href=\"https:\/\/wiki.cryptech.is\/Upgrading\">Upgrade the firmware<\/a>.  <strong>Please note the warnings about bricking your HSM<\/strong>, how to avoid that, and what to do if you failed to avoid it.<\/li>\n<li>Set the usual environment variables, perhaps using <code>cryptech_probe<\/code>.<\/li>\n<li>Start the multiplexer daemon <code>cryptech_muxd<\/code>.<\/li>\n<\/ul>\n<p>At this point, you should be able to use the PKCS #11 library, the <code>cryptech_backup<\/code> script, and so forth.<\/p>","category":{"@attributes":{"term":"Releases"}}},{"title":"Building Cryptech Software\/Firmware\/Bitstream From Source","link":{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/BuildingFromSource","rel":"alternate"}},"published":"2017-05-13T17:47:00+00:00","updated":"2021-10-10T23:43:00+00:00","author":{"name":"Rob Austein"},"id":"tag:wiki.cryptech.is,2017-05-13:\/BuildingFromSource","summary":"<p>Everything you need to build our software, firmware, and FPGA\nbitstreams from source yourself is publicly available, but the process\nis a bit complicated.  Overall, there are two methods, one of which\nour developers use while writing this stuff, the other of which we use\nfor the automated reproducible builds \u2026<\/p>","content":"<p>Everything you need to build our software, firmware, and FPGA\nbitstreams from source yourself is publicly available, but the process\nis a bit complicated.  Overall, there are two methods, one of which\nour developers use while writing this stuff, the other of which we use\nfor the automated reproducible builds which go into our binary\ndistributions.  Both methods eventually boil down to \"get the source\ncode then run make\", but the details differ.<\/p>\n<h2>What developers do<\/h2>\n<p>We check out copies of all the several dozen separate repositories and\ncarefully arrange them in a tree structure which matches the official\nnaming scheme.  Yes, really.  It's tedious, but we have\n<a href=\"https:\/\/git.cryptech.is\/user\/sra\/build-tools\/tree\/https-sync-repos.py\">a script to automate this<\/a>.\nThis works by parsing the <code>.gitmodules<\/code> file in the <code>releng\/alpha<\/code>\nrepository (see \"reproducible builds\", below).<\/p>\n<p>Once you have this tree, you can hop around within it, building\nwhichever bits are of interest to you.  So if you want to rebuild just\nthe HSM firmware (the C code that runs on the ARM), you would go to\n<code>sw\/stm32<\/code> and run <code>make<\/code> there.<\/p>\n<h2>What we do for reproducible builds<\/h2>\n<p>Reproducible builds use the same tree structure (as they must for the\nvarious Makefiles to work properly), but the entire tree is embedded\nin a git \"superrepository\" which also contains the release engineering\ngoo necessary to make the whole thing work.  Do <code>git help submodule<\/code>\nfor an introduction to git's submodule mechanism.<\/p>\n<p>With this model, one just checks out a copy of\n<a href=\"https:\/\/git.cryptech.is\/releng\/alpha\/about\">the superrepository<\/a>,\nruns <code>make<\/code> in its top directory, and eventually\nthe complete package pops out the other side.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>git clone https:\/\/git.cryptech.is\/releng\/alpha.git\ncd alpha\nmake\n<\/code><\/pre><\/div>\n\n<p>That's the good news.  The bad news is that this process has higher\ndemands on its build environment: it expects to find the a complete\ntool set, including the XiLinx synthesis tools, the several different\ncross compilers for the firmware, and the <code>pbuilder<\/code> system for\nbuilding clean room packages for Ubuntu and Debian.<\/p>\n<p>As a compromise, one can use this source tree as if it were the\ndevelopment source tree described above: just use the supermodule to\npull down everything else, but then ignore the supermodule and build\nindividual pieces as if you'd checked out all the repositories by\nhand.<\/p>\n<h2>Skip all this git mess and just download a tarball<\/h2>\n<p>There's another alternative, which is simpler than any of the above:\njust download the source tarball.  Since the only build environments\nwe support at the moment are Debian Jessie and Ubuntu Xenial, which\nalso happen to be environments for which we build binary packages, you\ncan just use APT:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>apt-get source cryptech-alpha\n<\/code><\/pre><\/div>\n\n<p>Which will give you the same tree structure, but without all the git fun.<\/p>\n<h2>Build environment<\/h2>\n<p>Our software and firmware developers use the Debian and Ubuntu Linux\ndistributions.  Our current build box for binary packages runs Debian\nJessie.<\/p>\n<p>Our Verilog developers use various environments and have been known to\nuse graphical tools, but synthesis of the bitstreams that go in our\nbinary packages is done via the XiLinx command line tools on the same\nDebian Jessie machine as the software and firmware builds.<\/p>\n<p>Which tools you need will of course depend on exactly what you're\ntrying to do.<\/p>\n<p>Most of the tools work on either 32-bit or 64-bit machines, but if you\nintend to run the full binary package build script, you'll need a\n64-bit machine (or VM) because the tools won't build 64-bit binaries\non a 32-bit machine.<\/p>\n<p>Basic tool set (not all required for every purpose, but they're all\nsupported Debian packages so it's usually easier just to install them\nall and not worry about it):<\/p>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">git<\/span><span class=\"w\"> <\/span><span class=\"n\">pbuilder<\/span><span class=\"w\"> <\/span><span class=\"n\">ubuntu<\/span><span class=\"o\">-<\/span><span class=\"n\">dev<\/span><span class=\"o\">-<\/span><span class=\"n\">tools<\/span><span class=\"w\"> <\/span><span class=\"n\">rsync<\/span><span class=\"w\"> <\/span><span class=\"n\">sudo<\/span>\n<span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">python<\/span><span class=\"o\">-<\/span><span class=\"n\">yaml<\/span><span class=\"w\"> <\/span><span class=\"n\">python<\/span><span class=\"o\">-<\/span><span class=\"n\">serial<\/span><span class=\"w\"> <\/span><span class=\"n\">python<\/span><span class=\"o\">-<\/span><span class=\"n\">crypto<\/span><span class=\"w\"> <\/span><span class=\"n\">python<\/span><span class=\"o\">-<\/span><span class=\"n\">ecdsa<\/span>\n<span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">gcc<\/span><span class=\"o\">-<\/span><span class=\"n\">arm<\/span><span class=\"o\">-<\/span><span class=\"n\">none<\/span><span class=\"o\">-<\/span><span class=\"n\">eabi<\/span><span class=\"w\"> <\/span><span class=\"n\">gdb<\/span><span class=\"o\">-<\/span><span class=\"n\">arm<\/span><span class=\"o\">-<\/span><span class=\"n\">none<\/span><span class=\"o\">-<\/span><span class=\"n\">eabi<\/span>\n<span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">gcc<\/span><span class=\"o\">-<\/span><span class=\"n\">avr<\/span><span class=\"w\"> <\/span><span class=\"n\">binutils<\/span><span class=\"o\">-<\/span><span class=\"n\">avr<\/span><span class=\"w\"> <\/span><span class=\"n\">avr<\/span><span class=\"o\">-<\/span><span class=\"n\">libc<\/span>\n<span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"o\">-<\/span><span class=\"n\">t<\/span><span class=\"w\"> <\/span><span class=\"n\">jessie<\/span><span class=\"o\">-<\/span><span class=\"n\">backports<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">debootstrap<\/span><span class=\"w\"> <\/span><span class=\"n\">distro<\/span><span class=\"o\">-<\/span><span class=\"n\">info<\/span><span class=\"o\">-<\/span><span class=\"n\">data<\/span>\n<span class=\"w\">  <\/span><span class=\"n\">apt<\/span><span class=\"o\">-<\/span><span class=\"n\">get<\/span><span class=\"w\"> <\/span><span class=\"n\">install<\/span><span class=\"w\"> <\/span><span class=\"n\">reprepro<\/span><span class=\"w\"> <\/span><span class=\"n\">ubuntu<\/span><span class=\"o\">-<\/span><span class=\"n\">archive<\/span><span class=\"o\">-<\/span><span class=\"n\">keyring<\/span>\n<\/code><\/pre><\/div>\n\n<p>This is not an exhaustive list, because some of the other packages we\nuse are pulled in by these as dependencies.<\/p>\n<p>You will also need a copy of the XiLinx tools, which is tedious enough\nthat it's described in a separate section, below.<\/p>\n<p>Once you have all the tools installed, you'll need a copy of the\nsource tree, as explained in the preceeding sections.<\/p>\n<p>pbuilder requires a bit of setup (you can skip this if you're not\ntrying to do the full binary package build):<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>for code in jessie xenial; do for arch in i386 amd64; do pbuilder-dist $code $arch create; done; done\nln -s jessie_result ~\/pbuilder\/jessie-amd64_result\nln -s xenial_result ~\/pbuilder\/xenial-amd64_result\n<\/code><\/pre><\/div>\n\n<h2>Installing the XiLinx tools<\/h2>\n<p>XiLinx tools setup is a bit involved.  You can skip this section if\nyou don't intend to build FPGA bitstreams.<\/p>\n<p>We use the command line versions of the XiLinx tools, but installing\nthem requires a graphical environment, because the XiLinx installer\nand license manager are GUI tools.  If you're running this on a server\nand don't already have a graphical environment installed, you can get\naway with something fairly minimal.  For example, if you have a VNC\nviewer such as \"Chicken of the VNC\" on your laptop, you can get away\nwith a fairly minimal X11 toolset:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>apt-get install tightvncserver xterm icewm\n<\/code><\/pre><\/div>\n\n<p>If you're already running X11 on your laptop and are comfortable with\nextruding that to the build machine, eg, via <code>ssh -Y<\/code>, you can just\nuse that (not recommended for long-haul use, eg, if the laptop is in\nBoston and the server is in Reykjavik).<\/p>\n<p>You'll need to start by using a web browser to download the\n<a href=\"http:\/\/www.xilinx.com\/support\/download\/index.html\/content\/xilinx\/en\/downloadNav\/design-tools.html\">Xilinx \u200bISE Design Suite<\/a>.<\/p>\n<p>XiLinx only supports specific versions of Red Hat and Suse Linux, but\ntheir tools do run on Debian and Ubuntu.  A few  caveats:<\/p>\n<ul>\n<li>\n<p>Debian and Ubuntu symlink <code>\/bin\/sh<\/code> to <code>\/bin\/dash<\/code>, which can't handle\n  some of the syntax used in XiLinx's shell scripts, so you'll need to\n  change that symlink to point to <code>\/bin\/bash<\/code>.<\/p>\n<\/li>\n<li>\n<p>Although the XiLinx software can be installed as user or root, by\n  default it wants to install into \/opt\/Xilinx, so you need to install\n  as root if you want to do that.<\/p>\n<\/li>\n<li>\n<p>The XiLinx tools are disk hogs, so if you're building a VM for this,\n  you'll probably want to give it at least 30-40 GB of disk space.<\/p>\n<\/li>\n<\/ul>\n<p>Step-by-step installation:<\/p>\n<ol>\n<li>Unpack <code>Xilinx_ISE_DS_Lin_14.7_1015_1.tar<\/code> (or whatever version you have).<\/li>\n<li>In an X11 environment, cd to <code>Xilinx_ISE_DS_Lin_14.7_1015_1<\/code>, and run <code>sudo .\/xsetup<\/code><\/li>\n<li>Click through two screens of license agreements.<\/li>\n<li>Select <code>ISE WebPACK<\/code>.<\/li>\n<li>Unselect (or leave unselected) Install Cable Drivers.<\/li>\n<li>Go!<\/li>\n<\/ol>\n<p>Well, not quite.  You'll need to convince the ISE tools that you have\na valid license to use the ISE tools.  Go to\nhttp:\/\/www.xilinx.com\/products\/design-tools\/ise-design-suite\/ise-webpack.htm,\nclick the <code>Licensing Solutions<\/code> link.  On the page to which that takes\nyou, expand the section <code>Obtain a license for Free or Evaluation\nproduct<\/code>.  To download the ISE Webpack, you should have created an\naccount, so now you can go to the Licensing Site and use that account\nto create a Certificate Based License.<\/p>\n<p>You do not need to go through the HostID dance, just say Do It. You\nwill then receive a certificate in email (not an X.509 certificate)\nwhich you will be able to use. Then start the ISE Webpack by issuing\nthe command <code>ise<\/code>.  Go to the Help menu and Manage Licenses. Use the\nresulting new License Manager window to install the <code>.lic<\/code> file.  This\nprocess is complex and flakey.<\/p>\n<p>Here's\n<a href=\"http:\/\/www.armadeus.com\/wiki\/index.php?title=ISE_WebPack_installation_on_Linux\">another description of installing ISE on Ubuntu<\/a>.<\/p>\n<p>The <code>ise<\/code> binary referred to above is in <code>\/opt\/Xilinx\/14.7\/ISE_DS\/ISE\/bin\/lin64\/ise<\/code>\n(or in <code>...\/lin\/ise<\/code>, but the pbuilder setup requires a 64-bit build machine).<\/p>\n<p>When running this remotely under tightvncserver, setup looks something like this:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"n\">vncserver<\/span><span class=\"w\"> <\/span><span class=\"o\">:<\/span><span class=\"mi\">0<\/span><span class=\"w\"> <\/span><span class=\"o\">-<\/span><span class=\"n\">geometry<\/span><span class=\"w\"> <\/span><span class=\"mi\">1280<\/span><span class=\"n\">x768<\/span><span class=\"w\"> <\/span><span class=\"o\">-<\/span><span class=\"n\">depth<\/span><span class=\"w\"> <\/span><span class=\"mi\">16<\/span><span class=\"w\"> <\/span><span class=\"o\">-<\/span><span class=\"n\">localhost<\/span>\n<span class=\"n\">export<\/span><span class=\"w\"> <\/span><span class=\"n\">DISPLAY<\/span><span class=\"o\">=:<\/span><span class=\"mi\">0<\/span><span class=\"w\"> <\/span><span class=\"n\">XAUTHORITY<\/span><span class=\"o\">=~\/.<\/span><span class=\"n\">Xauthority<\/span>\n<span class=\"n\">icewm<\/span><span class=\"o\">&amp;<\/span>\n<\/code><\/pre><\/div>\n\n<p>Then, either in the same shell as the above or in an xterm in the new display<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>cd Xilinx_ISE_DS_Lin_14.7_1015_1\nsudo .\/xsetup\n\ncd\n\/opt\/Xilinx\/14.7\/ISE_DS\/ISE\/bin\/lin64\/ise\n<\/code><\/pre><\/div>\n\n<p>It turns out you don't really need to run the whole <code>ise<\/code> tool to\nget to the license manager, you can just run<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>\/opt\/Xilinx\/14.7\/ISE_DS\/common\/bin\/lin64\/xlcm -manage\n<\/code><\/pre><\/div>\n\n<p>But you do have to source the appropriate settings file first, none of\nthe XiLinx tools work properly without that:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>. \/opt\/Xilinx\/14.7\/ISE_DS\/settings64.sh\n<\/code><\/pre><\/div>","category":{"@attributes":{"term":"Releases"}}},{"title":"Upgrading the Cryptech Alpha HSM","link":{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/Upgrading","rel":"alternate"}},"published":"2017-05-12T23:15:00+00:00","updated":"2018-04-07T23:03:00+00:00","author":{"name":"Cryptech Core Team"},"id":"tag:wiki.cryptech.is,2017-05-12:\/Upgrading","summary":"<p>This page explains how to upgrade the Cryptech Alpha firmware, bootloader,\nand FPGA bitstream (as needed).<\/p>\n<p>All of the operations here use the Alpha's \"management\" (MGMT) port,\nso that cable must be connected to your Linux or OSX host machine.<\/p>\n<h2>Upgrading from the stock firmware (Berlin workshop or CrowdSupply)<\/h2>\n<p>The \u2026<\/p>","content":"<p>This page explains how to upgrade the Cryptech Alpha firmware, bootloader,\nand FPGA bitstream (as needed).<\/p>\n<p>All of the operations here use the Alpha's \"management\" (MGMT) port,\nso that cable must be connected to your Linux or OSX host machine.<\/p>\n<h2>Upgrading from the stock firmware (Berlin workshop or CrowdSupply)<\/h2>\n<p>The main feature of the 3.0 firmware release is a completely new HSM\nkeystore implementation, which makes better use of the Alpha's keystore\nflash, allows a much larger number of keys, and removes the need for an\nSQL database on the host. (See ReleaseNotes.)<\/p>\n<p>We did not attempt to provide any sort of backwards compatability to the\noriginal minimalistic keystore implementation, so this upgrade process\nwill wipe your keystore. Sorry. More importantly (from the limited\nviewpoint of the upgrade process), it will change how the HSM stores its\nPINs, which complicates the upgrade process.<\/p>\n<p>Because we use the bootloader to upgrade the firmware, and the firmware to\nupgrade the bootloader, both use the PINs stored in the keystore to login,\nso both need to understand the new keystore, so both need to be upgraded.<\/p>\n<p>Because of the tricky nature of this particular upgrade, you must\nperform these steps, in the specified order:<\/p>\n<ul>\n<li>Install the new host software package using APT or Homebrew.<\/li>\n<li>Wipe the HSM keystore to reset PINs back to the \"factory\" state.<\/li>\n<li>Upgrade the main HSM firmware.<\/li>\n<li>Upgrade the HSM bootloader.<\/li>\n<li>Log in to upgraded HSM to set PINs, etc.<\/li>\n<\/ul>\n<p><strong>Upgrading the bootloader before the main firmware will brick your\nAlpha.<\/strong>  So don't do that.<\/p>\n<p>If something goes horribly wrong and you do somehow manage to brick\nyour Alpha, see DisasterRecovery.<\/p>\n<h2>Upgrading from 'ksng'<\/h2>\n<p>A few intrepid users are already testing the 'ksng' development branch,\nusing the instructions at <a href=\"https:\/\/wiki.cryptech.is\/UpgradeToKSNG\">UpgradeToKSNG<\/a>. In this case, and with future\nupgrades, it it not necessary to either wipe the keystore or upgrade the\nbootloader.<\/p>\n<ul>\n<li>Install the new host software package using APT or Homebrew.<\/li>\n<li>Upgrade the main HSM firmware.<\/li>\n<\/ul>\n<h2>Install the cryptech-alpha package<\/h2>\n<h3>using apt-get on Debian or Ubuntu Linux<\/h3>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>update\n$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>install<span class=\"w\"> <\/span>cryptech-alpha\n<\/code><\/pre><\/div>\n\n<p>Yes, you have to install it even if you already had it installed, because\nAPT wants permission before accepting the new package dependencies.<\/p>\n<p>Or you could instead run:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>upgrade<span class=\"w\"> <\/span>--with-new-pkgs\n<\/code><\/pre><\/div>\n\n<p>but that might upgrade unrelated stuff.<\/p>\n<p>If you had the '-ksng' package installed, you might then want to run:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>remove<span class=\"w\"> <\/span>cryptech-alpha-ksng\n$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>autoclean\n<\/code><\/pre><\/div>\n\n<p>but nothing terrible is likely to happen if you omit those steps.<\/p>\n<p>If you're running on Debian Jessie, you may need to enable <a href=\"https:\/\/backports.debian.org\/Instructions\/\"><code>jessie-backports<\/code><\/a> and make sure you're getting the <code>python-serial<\/code> and <code>python-tornado<\/code> dependencies from the backports (the versions of those packages in the base Debian Jessie distribution are too old).<\/p>\n<h3>using Homebrew on OSX<\/h3>\n<p>If you're upgrading from the original firmware (have not installed the <code>-ksng<\/code> package), a normal Homebrew upgrade cycle\nshould suffice:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>update\n$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>upgrade\n<\/code><\/pre><\/div>\n\n<p>If you have the <code>-ksng<\/code> package installed, you need to tell Homebrew that you want to switch back:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>update\n$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>migrate<span class=\"w\"> <\/span>cryptech-alpha-ksng\n$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>update\n<\/code><\/pre><\/div>\n\n<p>In either case, you might then want to do something like:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>cleanup\n<\/code><\/pre><\/div>\n\n<p>but nothing terrible is likely to happen if you omit that step.<\/p>\n<p>If you've tried doing this and nothing happens, you might be hitting a known old bug in Homebrew itself.  Make sure your copy of Homebrew is up to date, and if that still doesn't work, try deinstalling whichever <code>cryptech-alpha*<\/code> package you have installed and reinstalling <code>cryptech-alpha<\/code>.<\/p>\n<h2>Set usual CRYPTECH_* environment variables<\/h2>\n<p>The upgrade process uses the <code>CRYPTECH_CTY_CLIENT_SERIAL_DEVICE<\/code>\nenvironment variable.  The easiest way to set it is by using the\n<code>cryptech_probe<\/code> script, just as you would for other usage of the\nAlpha.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"n\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">eval<\/span><span class=\"w\"> <\/span><span class=\"n n-Quoted\">`cryptech_probe`<\/span>\n<\/code><\/pre><\/div>\n\n<p>(Note: you can use the new <code>cryptech_muxd<\/code> and <code>cryptech_console<\/code>, but\nthese instructions assume you are familiar with <code>cryptech_miniterm<\/code>. Or\nyou could be using <code>picocom<\/code> or <code>kermit<\/code> or something else. Doesn't matter\nto us.)<\/p>\n<h2>Clear the keystore flash<\/h2>\n<p>If you are upgrading from the original firmware, you will need to wipe the\nkeystore, to avoid confusing the new keystore code.<\/p>\n<p>The good news is that we have a utility to back up and restore the new\nkeystore. The bad news is that we don't have a way to back up the old\nkeystore.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>cryptech_miniterm\n\nUsername:<span class=\"w\"> <\/span>wheel\nPassword:<span class=\"w\"> <\/span>&lt;your-wheel-pin-goes-here&gt;\n\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span>erase<span class=\"w\"> <\/span>YesIAmSure\n\n^<span class=\"o\">]<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Upgrade the main HSM firmware<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"o\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">cryptech_upload<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">firmware<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">user<\/span><span class=\"w\"> <\/span><span class=\"n\">wheel<\/span>\n<span class=\"n\">PIN<\/span><span class=\"p\">:<\/span><span class=\"w\"> <\/span><span class=\"n\">YouReallyNeedToChangeThisPINRightNowWeAreNotKidding<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Upgrade the bootloader<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"o\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">cryptech_upload<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">bootloader<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">user<\/span><span class=\"w\"> <\/span><span class=\"n\">wheel<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">simon<\/span><span class=\"o\">-<\/span><span class=\"n\">says<\/span><span class=\"o\">-<\/span><span class=\"n\">whack<\/span><span class=\"o\">-<\/span><span class=\"n\">my<\/span><span class=\"o\">-<\/span><span class=\"n\">bootloader<\/span>\n<span class=\"n\">PIN<\/span><span class=\"p\">:<\/span><span class=\"w\"> <\/span><span class=\"n\">YouReallyNeedToChangeThisPINRightNowWeAreNotKidding<\/span>\n<\/code><\/pre><\/div>\n\n<h2>(Optional) Upgrade the FPGA bitstream<\/h2>\n<p>This upgrade includes an experimental ECDSA point multiplier in hardware,\nwhich the firmware will use if present.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"o\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">cryptech_upload<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">fpga<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">user<\/span><span class=\"w\"> <\/span><span class=\"n\">wheel<\/span>\n<span class=\"n\">PIN<\/span><span class=\"p\">:<\/span><span class=\"w\"> <\/span><span class=\"n\">YouReallyNeedToChangeThisPINRightNowWeAreNotKidding<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Log in and set PINs, masterkey, etcetera<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>cryptech_miniterm\n\nUsername:<span class=\"w\"> <\/span>wheel\nPIN:<span class=\"w\"> <\/span>YouReallyNeedToChangeThisPINRightNowWeAreNotKidding\n\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>wheel<span class=\"w\"> <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>so<span class=\"w\">    <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>user<span class=\"w\">  <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>masterkey<span class=\"w\"> <\/span><span class=\"nb\">set<\/span>\n\n^<span class=\"o\">]<\/span>\n<\/code><\/pre><\/div>","category":{"@attributes":{"term":"Releases"}}},{"title":"Upgrading Cryptech Alpha HSM to \"ksng\" development package","link":{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/UpgradeToKSNG","rel":"alternate"}},"published":"2016-12-22T22:33:00+00:00","updated":"2016-12-22T22:53:00+00:00","author":{"name":"Rob Austein"},"id":"tag:wiki.cryptech.is,2016-12-22:\/UpgradeToKSNG","summary":"<p>This page attempts to explain the upgrade procedure for testing out\nthe new \"ksng\" development branch of the Cryptech Alpha firmware.<\/p>\n<h2>Cavats<\/h2>\n<p>This particular upgrade is more complicated than we would have\npreferred, due to the interaction of two unrelated factors:<\/p>\n<ol>\n<li>As the name (obscurely) implies, the main feature in \u2026<\/li><\/ol>","content":"<p>This page attempts to explain the upgrade procedure for testing out\nthe new \"ksng\" development branch of the Cryptech Alpha firmware.<\/p>\n<h2>Cavats<\/h2>\n<p>This particular upgrade is more complicated than we would have\npreferred, due to the interaction of two unrelated factors:<\/p>\n<ol>\n<li>As the name (obscurely) implies, the main feature in the ksng\n   branch is a completely new HSM keystore implementation, which makes\n   better use of the Alpha's keystore flash, allows a much larger\n   number of keys, removes the need for an SQL database on the host,\n   gets your laundry 25% brighter, and leaves your breath alone.<\/li>\n<\/ol>\n<p>We did not attempt to provide any sort of backwards compatability\n   to the old minimalistic keystore implementation, so this upgrade\n   process will wipe your keystore.  Sorry.  More importantly (from\n   the limited viewpoint of the upgrade process), it will change how\n   the HSM stores its PINs, which complicates the upgrade process.<\/p>\n<ol>\n<li>The \"Device Field Upgrade\" (DFU) capability in the Alpha's firmware\n   was a last-minute addition before the Berlin workshop in July 2016,\n   and, as last minute additions often do, it turned out to be buggy.\n   There are three distinct pieces of software involved in the upgrade\n   process, and they were all slightly buggy, in different ways.\n   Because of this, one must perform the upgrade steps in a particular\n   order to avoid bricking the HSM.  The upgrade includes fixes for\n   all the (known) bugs in the DFU process, so we hope that this will\n   be a one-time annoyance (famous last words).<\/li>\n<\/ol>\n<p>If something goes horribly wrong and you do somehow manage to brick\nyour Alpha, don't give up, recovery is still possible, it just\nrequires an ST-LINK debugger and cable (more on this below).<\/p>\n<h2>Overview<\/h2>\n<p>Because of the tricky nature of this particular upgrade, you must\nperform these steps, in the specified order:<\/p>\n<ul>\n<li>Install the new host software package using APT or Homebrew.<\/li>\n<li>Wipe the HSM keystore to reset PINs back to the \"factory\" state.<\/li>\n<li>Upgrade the main HSM firmware.<\/li>\n<li>Upgrade the HSM bootloader.<\/li>\n<li>Log in to upgraded HSM to set PINs, etc.<\/li>\n<\/ul>\n<p><strong>Upgrading the bootloader before the main firmware will brick your\nAlpha.<\/strong>  So don't do that.<\/p>\n<p>All of the operations here use the Alpha's \"management\" (MGMT) port,\nso that cable must be connected to your Linux or OSX host machine.<\/p>\n<p>This upgrade procedure was tested on Debian Jessie, with an Alpha\nwhose firmware had been rolled back to the version from the Berlin\nworkshop (APT\/Homebrew package version 2.0.1468584175, commit\ncd445b69b2caa7205f4e1c368aa2c6bf8c2d7692 in repository\nhttps:\/\/git.cryptech.is\/releng\/alpha.git).<\/p>\n<h2>Install cryptech-alpha-ksng package using apt-get or Homebrew<\/h2>\n<p>Binaries for the \"ksng\" branch are available as a separate set of\n\"cryptech-alpha-ksng\" packages, which replace the \"cryptech-alpha\"\npackages for the master branch.  This seemed the simplest way of\nletting people experiment with the new code while falling back to the\nold if necessary.  The \"cryptech-alpha-ksng\" packages are declared to\nconflict with the \"cryptech-alpha\" packages, because they install\nprograms by the same name in the same places and you need the version\nof the host software which goes with the HSM firmware your running.<\/p>\n<p>APT handles package conflicts differently from the way that Homebrew\ndoes.  If you have \"cryptech-alpha\" installed and try to install\n\"cryptech-alpha-ksng\", APT assumes you meant what you said and will\njust replace the old package with the new one.  Homebrew, on the other\nhand, reports the conflict and refuses to proceed until you sort it out.<\/p>\n<p>The following assumes that you already had the Cryptech APT repository\nor Homebrew tap configured; if not, see  <a href=\"https:\/\/wiki.cryptech.is\/BinaryPackages\">BinaryPackages<\/a>.<\/p>\n<h3>Installing cryptech-alpha-ksng package using apt-get on Debian or Ubuntu Linux<\/h3>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>update\n$<span class=\"w\"> <\/span>sudo<span class=\"w\"> <\/span>apt-get<span class=\"w\"> <\/span>install<span class=\"w\"> <\/span>cryptech-alpha-ksng\n<\/code><\/pre><\/div>\n\n<h3>Installing cryptech-alpha-ksng package using Homebrew on OSX<\/h3>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>update\n$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>uninstall<span class=\"w\"> <\/span>cryptech-alpha\n$<span class=\"w\"> <\/span>brew<span class=\"w\"> <\/span>install<span class=\"w\"> <\/span>cryptech-alpha-ksng\n<\/code><\/pre><\/div>\n\n<h2>Set usual CRYPTECH_* environment variables<\/h2>\n<p>The upgrade process uses the <code>CRYPTECH_CTY_CLIENT_SERIAL_DEVICE<\/code>\nenvironment variable.  The easiest way to set it is by using the\n<code>cryptech_probe<\/code> script, just as you would for other usage of the\nAlpha.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span><span class=\"nb\">eval<\/span><span class=\"w\"> <\/span><span class=\"sb\">`<\/span>cryptech_probe<span class=\"w\"> <\/span>-v<span class=\"sb\">`<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Clear the keystore flash<\/h2>\n<p>Sorry about this.  Yes, we know we need backup and restore, we'll get\nthere.  But for this upgrade, it's safest to wipe the keystore.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>cryptech_miniterm\n\nUsername:<span class=\"w\"> <\/span>wheel\nPassword:<span class=\"w\"> <\/span>&lt;your-wheel-pin-goes-here&gt;\n\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span>erase<span class=\"w\"> <\/span>YesIAmSure\n\n^<span class=\"o\">]<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Upgrade the main HSM firmware<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"o\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">cryptech_upload<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">firmware<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">user<\/span><span class=\"w\"> <\/span><span class=\"n\">wheel<\/span>\n<span class=\"n\">PIN<\/span><span class=\"p\">:<\/span><span class=\"w\"> <\/span><span class=\"n\">YouReallyNeedToChangeThisPINRightNowWeAreNotKidding<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Upgrade the bootloader<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"o\">$<\/span><span class=\"w\"> <\/span><span class=\"n\">cryptech_upload<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">bootloader<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">user<\/span><span class=\"w\"> <\/span><span class=\"n\">wheel<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"n\">simon<\/span><span class=\"o\">-<\/span><span class=\"n\">says<\/span><span class=\"o\">-<\/span><span class=\"n\">whack<\/span><span class=\"o\">-<\/span><span class=\"n\">my<\/span><span class=\"o\">-<\/span><span class=\"n\">bootloader<\/span>\n<span class=\"n\">PIN<\/span><span class=\"p\">:<\/span><span class=\"w\"> <\/span><span class=\"n\">YouReallyNeedToChangeThisPINRightNowWeAreNotKidding<\/span>\n<\/code><\/pre><\/div>\n\n<h2>Log in and set PINs, masterkey, etcetera<\/h2>\n<div class=\"highlight\"><pre><span><\/span><code>$<span class=\"w\"> <\/span>cryptech_miniterm\n\nUsername:<span class=\"w\"> <\/span>wheel\nPIN:<span class=\"w\"> <\/span>YouReallyNeedToChangeThisPINRightNowWeAreNotKidding\n\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>wheel<span class=\"w\"> <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>so<span class=\"w\">    <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>keystore<span class=\"w\"> <\/span><span class=\"nb\">set<\/span><span class=\"w\"> <\/span>pin<span class=\"w\"> <\/span>user<span class=\"w\">  <\/span>fnord\ncryptech&gt;<span class=\"w\"> <\/span>masterkey<span class=\"w\"> <\/span><span class=\"nb\">set<\/span>\n\n^<span class=\"o\">]<\/span>\n<\/code><\/pre><\/div>\n\n<h2>What to do if you manage to brick your Alpha<\/h2>\n<p>If the above procedure somehow goes horribly wrong and bricks your\nalpha, you can still recover, but you'll need an ST-LINK programmer.\nThere's some discussion of this at <a href=\"https:\/\/git.cryptech.is\/sw\/stm32.md\">sw\/stm32<\/a>.<\/p>\n<p>Possible sources for the ST-LINK programmer and a suitable cable:<\/p>\n<ul>\n<li>http:\/\/www.mouser.com\/search\/ProductDetail.aspx?R=0virtualkey0virtualkeyNUCLEO-F411RE<\/li>\n<li>https:\/\/www.sparkfun.com\/products\/10376<\/li>\n<\/ul>\n<p>These are relatively cheap, you'll probably pay as much for the\npostage as for the parts themselves.  If you have a better source, go\nfor it.<\/p>\n<p>The programmer is the important part, you can use any sort of cabling\nyou like so long as it connects the right pins of the programmer to\nthe corresponding pins on the Alpha; the SparkFun cable just happens\nto be a tidy package which matches the relevant SWD headers.<\/p>\n<p>We'll include a more detailed description of the recovery process here\nif anybody needs it, but the short version is:<\/p>\n<ul>\n<li>Install OpenOCD on your host machine.<\/li>\n<li>Open up the Alpha's case, take the board out.<\/li>\n<li>Connect the programmer and power the board back up.<\/li>\n<li>Use the <code>flash-target<\/code> script from the <code>sw\/stm32<\/code> repository to\n  stuff the <code>hsm.elf<\/code> and <code>bootloader.elf<\/code> files from the binary\n  firmware tarball into the HSM.<\/li>\n<li>Power down, disconnect the programmer, put the Alpha back in its\n  case, done.<\/li>\n<\/ul>","category":{"@attributes":{"term":"Releases"}}},{"title":"Binary Packages for Cryptech Software and Firmware","link":{"@attributes":{"href":"https:\/\/wiki.cryptech.is\/BinaryPackages","rel":"alternate"}},"published":"2016-12-15T22:44:00+00:00","updated":"2019-09-03T15:23:00+00:00","author":{"name":"Rob Austein"},"id":"tag:wiki.cryptech.is,2016-12-15:\/BinaryPackages","summary":"<p>The Cryptech Project maintains APT and Homebrew repositories\ncontaining packaged software for the Cryptech Alpha board for Debian\nand Ubuntu Linux and for Mac OS X.  The binary packages also include\npre-compiled images for the Alpha Board's Artix-7 FPGA, Cortex M4 ARM\nCPU, and AVR ATtiny828 MCU.<\/p>\n<h2>How to get \u2026<\/h2>","content":"<p>The Cryptech Project maintains APT and Homebrew repositories\ncontaining packaged software for the Cryptech Alpha board for Debian\nand Ubuntu Linux and for Mac OS X.  The binary packages also include\npre-compiled images for the Alpha Board's Artix-7 FPGA, Cortex M4 ARM\nCPU, and AVR ATtiny828 MCU.<\/p>\n<h2>How to get APT packages for Debian Stretch, Debian Buster, Ubuntu Xenial, or Ubuntu Bionic<\/h2>\n<ul>\n<li>\n<p>Fetch and validate the repository key.  Presumably you're security\n    concious (otherwise, why are you installing this stuff?), so you may\n    want to pay attention to what <code>gpg --check-sig<\/code> says here.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>id=37A8E93F5D7E7B9A\nwget https:\/\/apt.cryptech.is\/apt-gpg-key.gpg\ngpg --recv-key $id\ngpg --check-sig $id\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Install the repository key.  We used to use <code>apt-key(8)<\/code> for this,\n    these days the cool kids use the <code>\/etc\/apt\/trusted.gpg.d\/<\/code> directory:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo chown root:root apt-gpg-key.gpg\nsudo mv apt-gpg-key.gpg \/etc\/apt\/trusted.gpg.d\/cryptech.gpg\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Configure apt to use the repository.  You need to add a couple of\n    entries to <code>\/etc\/apt\/source.list.d\/<\/code>; which entries you need to add\n    depends on which distribution you're running.<\/p>\n<ul>\n<li>\n<p>For Debian Stretch, do:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo wget -q -O \/etc\/apt\/sources.list.d\/cryptech.list https:\/\/apt.cryptech.is\/sources.stretch.list\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>For Debian Buster, do:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo wget -q -O \/etc\/apt\/sources.list.d\/cryptech.list https:\/\/apt.cryptech.is\/sources.buster.list\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>For Ubuntu Xenial, do:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo wget -q -O \/etc\/apt\/sources.list.d\/cryptech.list https:\/\/apt.cryptech.is\/sources.xenial.list\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>For Ubuntu Bionic, do:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo wget -q -O \/etc\/apt\/sources.list.d\/cryptech.list https:\/\/apt.cryptech.is\/sources.bionic.list\n<\/code><\/pre><\/div>\n\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Update the package index.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo apt-get update\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Install the <code>cryptech-alpha<\/code> package.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo apt-get install cryptech-alpha\n<\/code><\/pre><\/div>\n\n<\/li>\n<\/ul>\n<h2>Updating APT packages<\/h2>\n<p>Once you've performed the steps above you should be able to upgrade to newer\nversion of the code using the normal APT upgrade process:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>sudo apt-get update\nsudo apt-get upgrade\n<\/code><\/pre><\/div>\n\n<h2>How to get Homebrew packages for Mac OS X<\/h2>\n<ul>\n<li>\n<p>Fetch and validate the repository key.  Presumably you're security\n    concious (otherwise, why are you installing this stuff?), so you may\n    want to pay attention to what <code>gpg --check-sig<\/code> says here.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>id=37A8E93F5D7E7B9A\ngpg --recv-key $id\ngpg --check-sig $id\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Configure Homebrew to use the repository.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>brew tap cryptech\/sw https:\/\/brew.cryptech.is\/tap\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Update the package index.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>brew update\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Check the commit signature on the cryptech-alpha package formula.\n    This is optional (Homebrew doesn't care whether you do this), but if\n    you want to know whether the formula was signed by the Cryptech\n    project, this is how to check.<\/p>\n<div class=\"highlight\"><pre><span><\/span><code><span class=\"nv\">brew<\/span><span class=\"w\"> <\/span><span class=\"nv\">log<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"nv\">max<\/span><span class=\"o\">-<\/span><span class=\"nv\">count<\/span><span class=\"o\">=<\/span><span class=\"mi\">1<\/span><span class=\"w\"> <\/span><span class=\"o\">--<\/span><span class=\"k\">show<\/span><span class=\"o\">-<\/span><span class=\"nv\">signature<\/span><span class=\"w\"> <\/span><span class=\"nv\">cryptech<\/span><span class=\"o\">-<\/span><span class=\"nv\">alpha<\/span>\n<\/code><\/pre><\/div>\n\n<\/li>\n<li>\n<p>Install the <code>cryptech-alpha<\/code> package.  At the moment, this is only\n    available as a Homebrew source package due to licensing issues in\n    the MacOS Xcode SDK, so the installation will probably take several\n    minutes, as some of the libraries are a bit slow to compile (sorry...).<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>brew install cryptech-alpha\n<\/code><\/pre><\/div>\n\n<\/li>\n<\/ul>\n<h2>Updating Homebrew packages<\/h2>\n<p>Once you've performed the steps above you should be able to upgrade to newer\nversion of the code using the normal Homebrew upgrade process:<\/p>\n<div class=\"highlight\"><pre><span><\/span><code>brew update\nbrew upgrade\nbrew cleanup\n<\/code><\/pre><\/div>","category":{"@attributes":{"term":"Releases"}}}]}