Everything posted by xwiggen

  1. https://apt.armbian.com/armbian.key If the image is signed by Igor's key then it is an 'authentic' image. If signature verification fails due to whatever reason (be it modification afterwards) the image is not authentic. The SHA hash only verifies the image but not who creates the SHA hash, for this you have signature verification. So, if either SHA, image or asc file are maliciously altered on server, you still have signature verification to verify it's an authentic image (which fails in case of modification, because it requires access to Igor's key to sign). The fingerprint we can read from the public key, but in the end we have no guarantee the pubkey is Igor's; for this ideally you'd like to check the fingerprint in person to verify the pubkey with a post-it. But it's not necessary really, at this point we can safely assume the key's Igor's and should it ever be compromised the key will be revoked. Read up on public key cryptography, the system is pretty locked down secure as it is.
  2. Try cross-compiling with -mfloat-abi=soft -static, all libraries on your armbian image are armhf:

         % dpkg -S libm.so
         libc6:armhf: /lib/arm-linux-gnueabihf/libm.so.6
         libc6-dev:armhf: /usr/lib/arm-linux-gnueabihf/libm.so
  4. Dependency on binary blobs will eventually render your system useless... and somehow I suspect GPU libraries/drivers are intentionally closed source partly due to the patent-riddled 3D ecosystem
  5. After you've imported the public key with step 1:

         % gpg --verify Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz.asc
         gpg: assuming signed data in 'Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz'
         gpg: Signature made Thu 03 Sep 2020 04:20:28 PM CEST
         gpg: using RSA key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
         gpg: checking the trustdb
         gpg: no ultimately trusted keys found
         gpg: Good signature from "Igor Pecovnik <igor@armbian.com>" [unknown]
         gpg: aka "Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>" [unknown]
         gpg: WARNING: This key is not certified with a trusted signature!
         gpg: There is no indication that the signature belongs to the owner.
         Primary key fingerprint: DF00 FAF1 C577 104B 50BF 1D00 93D6 889F 9F0E 78D5

     What it says is Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz is signed by Igor Pecovnik. If any bit is flipped in the xz after being signed (after download or modified on server) verification will fail. The only weakness in this is the public key (as shown by WARNING above); you have to assume this is really Igor's pubkey and not compromised (but the keyserver's version and https://apt.armbian.com/apt/armbian.key match, the only thing more assuring would be if @Igor posts his fingerprint). You can trust this key as follows to remove the warning message;

         % gpg --edit-key 93D6889F9F0E78D5
         gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
         This is free software: you are free to change and redistribute it.
         There is NO WARRANTY, to the extent permitted by law.

         pub rsa4096/93D6889F9F0E78D5
             created: 2015-03-16 expires: never usage: SC
             trust: undefined validity: unknown
         sub rsa4096/9D465D88C70F53E4
             created: 2015-03-16 expires: never usage: E
         [ unknown] (1). Igor Pecovnik <igor@armbian.com>
         [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>

         gpg> trust
         pub rsa4096/93D6889F9F0E78D5
             created: 2015-03-16 expires: never usage: SC
             trust: undefined validity: unknown
         sub rsa4096/9D465D88C70F53E4
             created: 2015-03-16 expires: never usage: E
         [ unknown] (1). Igor Pecovnik <igor@armbian.com>
         [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>

         Please decide how far you trust this user to correctly verify other users' keys
         (by looking at passports, checking fingerprints from different sources, etc.)

           1 = I don't know or won't say
           2 = I do NOT trust
           3 = I trust marginally
           4 = I trust fully
           5 = I trust ultimately
           m = back to the main menu

         Your decision? 5
         Do you really want to set this key to ultimate trust? (y/N) y

         pub rsa4096/93D6889F9F0E78D5
             created: 2015-03-16 expires: never usage: SC
             trust: ultimate validity: unknown
         sub rsa4096/9D465D88C70F53E4
             created: 2015-03-16 expires: never usage: E
         [ unknown] (1). Igor Pecovnik <igor@armbian.com>
         [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>
         Please note that the shown key validity is not necessarily correct
         unless you restart the program.

         gpg> save
         Key not changed so no update needed

     Hope this helps
  6. The transcoding is handled by the jellyfin-ffmpeg package, which is basically a fork of ffmpeg. You can specify your own path to ffmpeg binary in settings, as the supplied binary is linked with raspberry libs (which is the only rpi specific code of jellyfin). Raspberry pi is ok for VPU. @Werner try jellyfin on your NEO3 and compile ffmpeg with --enable-version3 --enable-rkmpp --enable-drm. Personally I don't use transcoding but leave it all to the RPI3 (LibreElec) which happily plays all formats from SMB except for 10bit x265.
  7. Does thermal throttling work? At night cronjobs start which might overheat the board. Nonetheless, /etc/fake-hwclock.data should update by the hour, could you include hwclock -r and /etc/fake-hwclock.data?
  8. The fingerprint is a crypto hash over the public key which makes it easier to identify due to the smaller size.
  9. It's not a checksum, it's a cryptographic hash (SHA). If you're able to change the image and keep the same hash, you've found a weakness in the SHA algorithm because it's not bruteforceable in our lifetime.
  10. I had similar issues with both dhcp clients enabled for ipv4 and ipv6 on the pihole, it's an issue with dhclient ipv6. My solution: disable DHCP4/6 on the router and enable it on the pihole (SLAAC+RA, rapid commit), add static addresses for IPV6 and IPV4 (include router as gateway for both instances). In the router, set the dns4/dns6 settings to pihole and enable RFC5006 to allow for DNSv6 advertisement.
  11. Allwinner H3 for headless low-demanding tasks, excellent support/stability and surprisingly tough for a low end dirt-cheap soc.
  12. Fake hwclock saves/restores the date on SD in Armbian between reboots, don't know about the specifics in Android.
  13. This is because the realtime clock of the Pi is not battery-powered, i.e. after powercycle it resets to factory default. The ds1307/3231 do have battery but need i2c in kernel and additional configuration to be used as main RTC instead of the Pi RTC. In other words, by default the time is stored/restored on Pi RTC.
  14. Don't think so either, considering reports about high load freezing on rk3288/rk3328 I suspect there's also some design issue wrt interrupt handling.
  15. Try and build the kernel (see https://docs.armbian.com/Developer-Guide_Build-Preparation) with custom configuration; set the Allwinner SOC sound drivers (sun4i-codec, sun8i-codec) to M instead of the default.
  16. Mainline only. Legacy runs stable at 73-81C, apart from GLES/GBM/FBDEV issues with mali blobs. Must say I've experienced some lockups with WiFi on H3 also with 5.8.x this week (RTL8189FS), one kernel panic on zeropi H3
  17. update; to get the system reasonably stable I've been forced to use active cooling, high load with 70+C temps make the board hang. This is pretty obnoxious as this temp is reached easily (fanless) in idle state even when limiting cpu frequency, so my intention of running even simple emulation is a no-go.
  18. Setting default card (https://www.alsa-project.org/main/index.php/Setting_the_default_device) without messing with indexes does not help?
  19. Retropie has a fork (https://github.com/RetroPie/mesa-drm) which builds libkms for this purpose.
  20. On a computer where the SD is not the root filesystem, shrink the ext4 filesystem, resize the partition to match the new size, (check if it runs to be sure), dump the SD card and then write the image to the new SD card. This should work without any modifications to the image itself.
  21. You can use https://github.com/Caesar-github/libdrm-rockchip/tree/rockchip-2.4.101-2-ubuntu18.04 as an example; copy the libkms entry from debian/control over to the libdrm sources, set libkms=true in debian/rules, add dh_makeshlibs -plibkms1 -V'libkms1 (>= 2.4.89)' -- -c4 to rules after override_dh_makeshlibs.
  22. I flashed a 4.4 buster image to emmc, replaced the rk322x-box.dtb inside linux-dtb-current, removed linux-dtb-legacy/linux-image-legacy, installed linux-dtb-current/linux-image-current, and ... It works! Thanks very much. Will do some testing with GBM/GLES now edit: in 5.18 I see a mtd raw rockchip controller available? (not for me)
  23. Unfortunately later kernels (just tried rk322x 5.8.14 debs from apt.armbian, but also 5.x images) drop to initramfs, which I do not know how to resolve;

          Loading, please wait....
          Starting version 241
          -etc-
          Begin: Running /scripts/local-block ... done
          -repeated ~20 times-
          done.
          Gave up waiting for root files system device. Common problems:
          -Boot args
          -check rootdelay
          -missing modules
          ALERT! UUID=.... does not exist
          Dropping to a shell!
          (initramfs)

      The UUID mentioned is correct.
  24. There's no added security. If you're able to generate a SHA hash of the image and sign the SHA hash with the GPG-key both security measures are compromised at once, unless you want @Igor to sign every image and package manually at home.
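
Added example, not part of the posts above: the `gpg --verify` post points out that "Good signature" still leaves open whose key made it. One way to script that check is to read gpg's machine-readable `--status-fd` output and accept only a VALIDSIG line whose primary-key fingerprint equals the one quoted in that post; the function names `check_status` and `verify_image` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts). Pins the signer instead of
# relying on the "Good signature" text alone.
# Fingerprint as printed by gpg in the post above.
PINNED_FPR="DF00FAF1C577104B50BF1D0093D6889F9F0E78D5"

# check_status PINNED
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names PINNED as the primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # $3  = fingerprint of the key that made the signature
            # $12 = primary key fingerprint (differs when a subkey signs)
            fpr = (NF >= 12) ? $12 : $3
            if (fpr == want) ok = 1
        }
        # Bad, unverifiable, expired or revoked-key signatures are rejected
        # even if a VALIDSIG line is also present.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_image SIGNATURE.asc IMAGE
verify_image() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Run as: ./verify.sh image.img.xz.asc image.img.xz
if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "FAIL: no valid signature from $PINNED_FPR" >&2
        exit 1
    fi
fi
```

Unlike setting the key to ultimate trust, this leaves the local trustdb untouched and fails closed when the signature comes from any other key or from a revoked one.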