Monday, August 25, 2014

flashing android mobiles on gentoo

This is just a quick tip in case you ever want to flash a mobile phone on gentoo.

If you look at the cyanogenmod howto [1] (in my case for a nexus s) you'll see that you need the tools "adb" and "fastboot", which usually come with the android sdk. Naturally the howto suggests that you install this sdk, which isn't even available on gentoo.
However, if you don't want java and all its other dependencies on your computer (which are required for the sdk), there is a package which installs only those two tools. It's called dev-util/android-tools - and it's in portage :)

This is all you need:
* dev-util/android-tools
     Available versions:  (~)0_p20130123
     Homepage:            https://android.googlesource.com/platform/system/core.git/
     Description:         Android platform tools (adb and fastboot)

[1] http://wiki.cyanogenmod.org/w/Install_CM_for_crespo

Sunday, August 10, 2014

jumping directly into found results in menuconfig

For those who still use menuconfig for configuring their kernel - there's a neat trick which lets you jump directly into a found result.

For example, you would like to add a new driver. Usually you go into menuconfig and start searching for it with the "/" shortcut. What you probably don't know: after you've found your module - say you searched for the "NetXen Multi port Gigabit Ethernet NIC" by just searching for "xen" - you can go directly to the particular config via its number shortcut:
[Screenshot: search result for "xen"]

Notice this line:


The "(5)" is the shortcut. Just press the number 5 on your keyboard and you'll jump directly into the QLogic devices config.
For every found entry there is a number shortcut which lets you jump directly into the given config. If you go back with esc-esc you also get back to the search result.

I think not many people know this trick and i hope someone can use it for further kernel builds ;)

Tuesday, August 5, 2014

kmscon - next generation virtual terminals

KMSCON is a simple terminal emulator based on linux kernel mode setting (KMS). It can replace the in-kernel VT implementation with a userspace console. It's a pretty new project and still very experimental.
Even though gentoo provides an ebuild, it's rather rudimentary and it's better to use the live ebuild from [1] plus the libtsm package, which is needed for kmscon, from [2]. Personally i've added those ebuilds to my private overlay.

Don't forget to unmask/keyword the live ebuild:
# emerge -av =sys-apps/kmscon-9999

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   *] sys-apps/kmscon-9999::local  USE="drm fbdev gles2 optimizations pango unicode -debug -doc -multiseat -pixman -static-libs -systemd" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

After successfully emerging kmscon it's pretty simple to start a new vt with (as root):
# kmscon --vt=8 --xkb-layout=de --hwaccel

This starts kmscon on vt8 with hardware-accel on and a german keyboard layout.

If you're feeling experimental you can add an additional virtual terminal to your inittab (or replace an existing one). A line like the following should suffice to start kmscon every time you boot your system.
c11:2345:respawn:/usr/bin/kmscon --vt=8 --xkb-layout=de --hwaccel


I've tested it with my amd cards (r600g and radeonsi) and it worked with some minor output corruptions. However, in certain cases it already works faster than agetty, for example when printing dmesg output. So far it looks really promising; sadly development seems to be really slow. You'll find the git repository here [3].

[1] https://bugs.gentoo.org/show_bug.cgi?id=490798
[2] https://bugs.gentoo.org/show_bug.cgi?id=487394
[3] http://cgit.freedesktop.org/~dvdhrm/kmscon/

Wednesday, April 2, 2014

howto - openvpn on gentoo

Today i'm going to show you how to set up openvpn with self-signed certificates, and its clients via cli or networkmanager (both using openvpn). I did such a setup a few days ago and i thought i'd share my experience.

Server configuration:

Software:

I assume you have gentoo installed and running. Network should work too. Next we are going to install the needed packages. Depending on the openvpn version you also have to install easy-rsa. Openvpn versions prior to 2.3 have the easy-rsa scripts included. I installed the latest unstable version, thus had to install easy-rsa as well.
root # emerge -av openvpn
root # emerge -av easy-rsa

Since we need tun devices for openvpn you also have to make sure that tun devices are enabled in the kernel config (this is also needed on the clients):
root # cat /usr/src/linux/.config | grep CONFIG_TUN  
CONFIG_TUN=m


Certificates:

The scripts for generating the certificates are usually stored under /usr/share/easy-rsa/. Now edit the following variables in the vars file: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Make sure these parameters are not left blank.

Edit vars file:
root # cd /usr/share/easy-rsa/
root # vim vars

Generate the ca file:
root # . ./vars  
root # ./clean-all  
root # ./build-ca  

The above sequence now defaults most parameters from the vars file. Only the common name has to be entered explicitly.

Generate the server certificate:
root # ./build-key-server server

Like in the previous step, most parameters are defaulted. When the Common Name is queried, enter "server". The last two queries require a positive response:
Sign the certificate? [y/n]  
1 out of 1 certificate requests certified, commit? [y/n]

Generate client certificates:
root # ./build-key client1
root # ./build-key client2

Make sure to use a unique common name for each client. If you want password protected certificates use ./build-key-pass, or if you want pkcs12 key files use ./build-key-pkcs12 instead. Again, the last two queries require a positive response.

Generate Diffie Hellman parameters (needed by the server).
root # ./build-dh

Now we have generated lots of files in the keys sub-directory. For the server we need the following files: ca.crt, server.crt, server.key and dh1024.pem

Now create a new folder in the openvpn configuration directory and copy those files into this folder:
root # mkdir -p /etc/openvpn/vpn  
root # cd keys  
root # cp ca.crt dh1024.pem server.crt server.key /etc/openvpn/vpn  


Configuration:

First open the server config:
root # vim /etc/openvpn/openvpn.conf

Below is my example configuration. An overview of all server configuration options can be found at [1].
port 11194
proto tcp
dev tun
ca vpn/ca.crt
cert vpn/server.crt
key vpn/server.key
dh vpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 20 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
client-to-client
Some descriptions:
ca, cert, key, dh - options which should point to the certificate files which we copied before. As seen in my example configuration you don't have to set the full path, just the path relative to /etc/openvpn/.
server - supplies a subnet range for the clients
client-to-client - vpn clients can "see" each other


Client configuration:

First you have to copy, separately for every client, the following files from the keys directory (/usr/share/easy-rsa/keys) to the client (e.g. via usb-stick): ca.crt, client1.crt and client1.key. Save them somewhere secure, ideally under /etc/openvpn/vpn.
root # mkdir -p /etc/openvpn/vpn
root # cp ca.crt client1.crt client1.key /etc/openvpn/vpn/


KDE-Networkmanager:

Make sure you have both networkmanagement and networkmanager-openvpn installed:
root # emerge -av networkmanagement networkmanager-openvpn

Next, Networkmanager:

Open Network Settings, switch to the VPN tab and add a new OpenVPN Connection.







Here you can give your connection a unique name. You also have to enter the Gateway, which is the public ip address of your openvpn server. Also point to the right location of your ca, client certificate and client key file.

Under Optional Settings you have to add the correct port of your server. Since openvpn runs on tcp with support for lzo compression you also have to check "Use LZO compression" and "Use TCP connection".










In the IPv4 Address tab you can add an additional DNS Server. This is useful if you have a local dns-server which is used to resolve local computer names.

If you don't want to have all traffic routed over the vpn tunnel, check "Use only for resources on this connection" under Routes.











That's all - now you can simply connect to your vpn by clicking on your vpn connection.


Openvpn init-Script:

Like any client you need to install openvpn first:
root # emerge -av openvpn

On Gentoo it's possible to create more tunnels by replacing VPN with other names. Each connection has its own configuration and can be stopped and started individually. The default is simply to use openvpn.conf and not symlink the service. You can of course use both methods. I'm going to show it with a separate openvpn configuration. First link the new connection to the openvpn init-Script.
root # ln -s /etc/init.d/openvpn /etc/init.d/openvpn.VPN

Now create your config as /etc/openvpn/VPN.conf. An overview of all client configuration options can be found at [2]:
client  
dev tun  
proto tcp  
remote 1.2.3.4 11194
resolv-retry infinite
nobind  
user nobody  
group nobody  
persist-key  
persist-tun  
ca vpn/ca.crt  
cert vpn/client1.crt  
key vpn/client1.key  
comp-lzo  
remote-cert-tls server
Again ca, cert and key options are relative paths to /etc/openvpn.

After finishing the configuration you can start your openvpn connection with:
root # /etc/init.d/openvpn.VPN start

Done!


For the future it might also be interesting to know how to revoke someone's key. Below is a short howto for revoking certificates:

Revoking client certificates:

First switch to the easy-rsa directory:
root # cd /usr/share/easy-rsa/

The following commands generate a CRL file (crl.pem - certificate revocation list) and add the client's certificate to the revocation list.
root # . ./vars
root # ./revoke-full client

After doing so your output should be similar to:
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked

In order for openvpn to really drop connections from those certificates you have to add the following to the server configuration.
crl-verify crl.pem

Make sure openvpn has access to this file. I suggest copying this file directly to the openvpn configuration directory (/etc/openvpn).
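
A check for the server setup and the revocation step above, as an added example that is not part of the original post: a shell function that audits a config of this shape for a private key accessible to group or others, Diffie-Hellman parameters below 2048 bits, and a missing or unreadable CRL. The function names are made up for this example, and relative paths are resolved against the config's directory, as the post describes for /etc/openvpn.

```sh
# Added example, not from the original post. Function names are made up here.

# First argument of a directive in the config; empty if the directive is unset.
conf_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# Relative paths are taken relative to the config's directory (/etc/openvpn).
conf_path() { case $2 in /*) echo "$2" ;; *) echo "$(dirname "$1")/$2" ;; esac; }

# Prints one finding per line and returns the number of findings.
audit_openvpn_conf() {
    conf=$1
    findings=0

    # 1. The private key must not be accessible to group or others.
    key=$(conf_value "$conf" key)
    if [ -n "$key" ]; then
        perms=$(ls -ld "$(conf_path "$conf" "$key")" 2>/dev/null | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "key: $key is missing or accessible to group/others"
            findings=$((findings + 1))
        fi
    fi

    # 2. easy-rsa names the file dh<KEY_SIZE>.pem, so the size is read from the
    #    name; "openssl dhparam -in FILE -text -noout" prints the real size.
    dh=$(conf_value "$conf" dh)
    bits=$(basename "${dh:-none}" | tr -cd '0-9')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "dh: $dh is $bits bits, rebuild with KEY_SIZE=2048 in vars"
        findings=$((findings + 1))
    fi

    # 3. Without crl-verify revoked certificates are still accepted. The server
    #    runs as "nobody", so the CRL has to be readable by others.
    crl=$(conf_value "$conf" crl-verify)
    if [ -z "$crl" ]; then
        echo "crl-verify: not set, revoked certificates are still accepted"
        findings=$((findings + 1))
    else
        other_r=$(ls -ld "$(conf_path "$conf" "$crl")" 2>/dev/null | cut -c8)
        if [ "$other_r" != "r" ]; then
            echo "crl-verify: $crl is missing or not readable by others"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Run it as `audit_openvpn_conf /etc/openvpn/openvpn.conf`; the exit status is the number of findings, so 0 means all three checks passed.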



Further help can be found here:
Official Openvpn howto: https://openvpn.net/index.php/open-source/documentation/howto.html
Gentoo wiki openvpn guide: http://wiki.gentoo.org/wiki/OpenVPN
Revoking certificates: http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
[1] https://openvpn.net/index.php/open-source/documentation/howto.html#server
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#client

Tuesday, March 18, 2014

tor and chromium

Caution: I know using tor with chromium isn't actually a good idea - see [1]. Hopefully that changes in the near future.

Since the Snowden revelations we know that basically everything on the internet is being monitored by the NSA and probably other security agencies. Many times i was thinking what i could do to improve my privacy and i guess tor over chromium is a small step in the right direction.


TOR [2] wasn't something new to me but i never felt like playing with it. However now i had a good reason to look at it and make it as easy as possible to use. TOR isn't actually difficult to use - just install, start and set up the proxy in your favorite browser.
However, i don't want to use it all the time since quite often you have to enter captchas in order to enter some sites (i know it's not tor's fault - shame on you google). Furthermore disabling the proxy every time i wanted to surf without TOR wasn't something which i would call simple. So i created a special shortcut, which not only starts chromium with the tor proxy enabled, but also starts it in incognito mode and as another user.

First install and start tor:
 emerge -av tor  
 rc-update add tor default  
 /etc/init.d/tor start  

Next, set up a new user:
 useradd -m anonymous  

Set the password for the user: (i chose to use an extra password as this means bookmarks in my "tor-browser" are extra secured from others)
 passwd anonymous  

Now create a new shortcut (mine was done via KDE Systemsettings - Shortcuts and Gestures - Custom Shortcut):
 kdesu -u anonymous chromium --incognito --proxy-server="socks://localhost:9050"  

This starts chromium in incognito mode, as user "anonymous" with tor! Bookmarks are stored under the user anonymous and are only available if you start the "tor-browser" or login as user anonymous.


[1] https://www.torproject.org/docs/faq#TBBOtherBrowser
[2] https://www.torproject.org/

Wednesday, February 19, 2014

turn off monitor when locking the screen

Recently i was looking for a convenient way to lock and turn off my screens. The reason behind it was that sometimes i only want to listen to music while doing something else which doesn't involve the PC. Usually i could wait for the screen to turn off by itself, which usually happens after around 10 minutes. However, since i don't even use a screensaver i just wanted it to be turned off immediately.
Now i found a nice way to do that...

I've created a new shortcut with following command:
 xset dpms force off; qdbus org.kde.ksmserver /ScreenSaver Lock  

Bound to META+L it does exactly what it should do: It turns off the screen and locks it.

Tuesday, February 11, 2014

simplescreenrecorder - awesome screen capturing software

Some time ago i was looking for a good screen capturing software for linux. The only ones which i was aware of were recordmydesktop and ffmpeg. However, since my experiences with those were rather bad i was looking for something else. Luckily i found simplescreenrecorder [1].



Simplescreenrecorder, or SSR for short, is a quite powerful screen recorder. Especially the possibility of capturing games via its glinject library is, i think, something unique. Even capturing 32bit games on a 64bit system is possible since you can build the glinject library for 32bit too. On the official homepage there is a good howto on capturing steam games. [2]


Gentoo:
For those who want to test ssr, there is also a good overlay from Anders Larsson which provides an ebuild for simplescreenrecorder. [3]


Issues - not really ;)
Unfortunately i also came across two limitations, which however aren't ssr's fault but are simply sane restrictions - not everyone has a triple monitor setup. Fortunately the author was really helpful with my "issues" and helped me to get around those restrictions.


Issue 1 - triple monitor:
My first issue [4] was that i couldn't capture all screens on my triple monitor setup. The reason was because i was hitting the size limit of shared memory segments, as set by:
 /proc/sys/kernel/shmmax  
Simply increasing the size via:
 echo 67108864 | sudo tee /proc/sys/kernel/shmmax  
fixed this issue for me. However, MaartenBaert (the author of ssr) said i could hit other limitations as well so this might not work everywhere.


Issue 2 - high resolution (2560x1600):
My second issue [5] was rather a silly one. I simply couldn't capture any game with glinject, which just printed following error:
 [SSR-GLInject] GLFrameGrabber for [0x13cde30-0x180000f-0x180000f] frame is too large to capture!  
Fortunately i only had to increase the "Maximum image size (megapixels):" to 4 (default was 2).



Thx again to MaartenBaert for explaining the issue to me!


Videos:
I also created 3 videos, showing the possibilities of ssr. Even though the quality of the videos is quite bad, they show three games on my triple-monitor setup. You can find those videos on youtube:

Amnesia: https://www.youtube.com/watch?v=1ZmplYgezGg
Anomaly warzone earth: https://www.youtube.com/watch?v=vlbMB6n6VSU
Defcon: https://www.youtube.com/watch?v=QSOcXYGL8L0 (i don't know why but on youtube the video had a wrong resolution for me - had to download it to get the correct one)



[1] http://www.maartenbaert.be/simplescreenrecorder/
[2] http://www.maartenbaert.be/simplescreenrecorder/recording-steam-games/
[3] https://github.com/anders-larsson/gentoo-overlay
[4] https://github.com/MaartenBaert/ssr/issues/63
[5] https://github.com/MaartenBaert/ssr/issues/66