manualshive.com logo in svg

Moxa Technologies UC-8100-LX, Руководство пользователя программного обеспечения, Страница: 43 / 90

Поделиться
Скачать
Moxa Technologies UC-8100-LX Скачать руководство пользователя страница 43

UC-8100-LX Software Manual 

Security On UC-8100-LX 

 

4-7 

89B

Sealing/Unsealing Data 

tpm_sealdata

 and 

tpm_unsealdata

 command are used to seal or unseal data .They are invoked with the 

following parameters: 

-i, --infile FILE 

                Filename containing key to seal/unseal. Default is STDIN. 

-o, --outfile FILE 

                Filename to write sealed/unseal key to.  Default is STDOUT. 

-p, --pcr NUMBER 

                PCR to seal data to.  Default is none.  This option can be specified 
multiple times to choose more than one PCR. 

After invoking the

 tpm_sealdata

 function,

 tpm_sealdata

 retrieves random data from the TPM. To do this, 

the

 tpmGetRandom

 function invokes the method Tspi_TPM_GetRandom() of the class TPM . Then 

tpm_sealdata sets the SRK policy using the classes Policy and Context. The next functions build an RSA key 
object that will be created by the TPM. Then, an RSA key is created and loaded. The subsequent functions build 
an encrypted data object that will hold the encrypted version of the symmetric key. The final functions encrypt 
the given data and seal it to the symmetric key. It is possible to invoke this command with several command 
line parameters. 

Sealing Data 

moxa@Moxa:~$ tpm_sealdata -i secrect -o secrect.enc -p 12 -p 14 
Enter SRK password: 

Unsealing Data 

moxa@Moxa:~$ tpm_unsealdata -i secrect.enc -o plain 

36B

SUDO Mechanism 

In the UC-8100-LX, the root account is disabled for better security. Sudo is a program designed to let system 
administrators allow some users to execute some commands as root (or another user). The basic philosophy is 
to give as few privileges as possible but still allow people to get their work done. Using sudo is better (safer) 
than opening a session as root for a number of reasons, including: 

Nobody needs to know the root password (sudo prompts for the current user's password). Extra privileges can 
be granted to individual users temporarily, and then taken away without the need for a password change. 

It is easy to run only the commands that require special privileges via sudo; the rest of the time, you work as 
an unprivileged user, which reduces the damage that mistakes can cause. 

The code below shows that some system level command is not accessable to user moxa directly. 

Содержание UC-8100-LX

Страница 1: ...UC 8100 LX Software Manual Second Edition March 2015 www moxa com product 2015 Moxa Inc All rights reserved...

Страница 2: ...this manual or to the products and or the programs described in this manual at any time Information provided in this manual is intended to be accurate and reliable However Moxa assumes no responsibil...

Страница 3: ...in a Linux Environment 3 7 Booting Up the UC 8100 LX for the first time 3 8 File system resizing 3 8 Booting from a MicroSD Card UC 8112 Model Only 3 8 The Push Button and the LED indicators 3 8 Diag...

Страница 4: ...thout Upgrading 5 19 Upgrade Specific Packages 5 19 Install Specific Package Version 5 19 Remove Packages Without Configuration 5 20 Completely Remove Packages 5 20 Clean Up Disk Space 5 20 Download O...

Страница 5: ...SD Card with Larger Capacity B 2 Tweak GNU Linux to Write to RAM Instead of the SD card B 3 Set the SD Card to Read only Mode B 3 C Copying Images on an SD MicroSD Card C 1 Using Win32 Disk Imager C...

Страница 6: ...8131 LX RISC based platform with 300 MHz CPU 2 Ethernet 1 Serial port 1 GB SD USB Port and Debian ARM 7 UC 8132 LX RISC based platform with 300 MHz CPU Mini PCIe socket for cellular 2 Ethernet 2 seri...

Страница 7: ...nsole 16BUser Account Management 62BSwitching to the Root Account 17BCreating and Deleting User Accounts 18BDisabling the Default User Account 19BNetwork Settings 63BConfiguring Ethernet Interfaces 64...

Страница 8: ...UC 8100 LX Software Getting Started 2 2...

Страница 9: ...following links for more information on EXT4 https wiki debian org Ext4 https ext4 wiki kernel org index php Ext4_Howto 14BSoftware Packages Please refer to Apendix A to for default installed softwar...

Страница 10: ...00 LX NOT to be done on the UC 8100 LX For Linux users you may follow these steps to connect to UC 8100 LX Series from your personal computer 1 Install minicom from the package repository of your oper...

Страница 11: ...100 LX For Windows users follow these steps 1 Download PuTTY http www chiark greenend org uk sgtatham putty download html to set up serial connection withr the UC 8100 LX in Windows environment The fo...

Страница 12: ...ecdsa_key ssh_host_rsa_key ssh_host_dsa_key pub ssh_host_ecdsa_key pub ssh_host_rsa_key pub sudo ssh keygen t rsa f etc ssh ssh_host_rsa_key sudo ssh keygen t dsa f etc ssh ssh_host_dsa_key sudo ssh k...

Страница 13: ...Be sure to reference the man page of these commands to set relevant previledge of the account Following example shows to create a test1 user in sudo group whose default login shell is bash and has hom...

Страница 14: ...n type Moxa cd etc network to change directories moxa Moxa cd etc network moxa Moxa etc network Type Moxa sudo vi interfaces to edit the network configuration file with vi editor You can configure Eth...

Страница 15: ...y use the command to connect First edit the APN name in etc qmi network conf moxa Moxa echo APN internet sudo tee etc qmi network conf And use the following command moxa Moxa sudo cell_mgmt start Plea...

Страница 16: ...e time is GMT and thus stored time values are correct world wide A simple change of the TZ variable prints local time correctly anywhere In the second case the reference time is Eastern Standard Time...

Страница 17: ...and write over the original local time file 21BDetermining Available Drive Space To know the available drive space remaining use df command with the h tag The system will return the amount of drive s...

Страница 18: ...ou to keep your system up to date with the newest UC 8100 LX packages moxa Moxa cat etc apt sources list deb http debian moxa com debian wheezy main deb http ftp us debian org debian wheezy main contr...

Страница 19: ...down a running Debian GNU Linux system you must not reboot with the reset switch on the front or back of your computer or just turn off the computer Debian GNU Linux should be shut down in a controll...

Страница 20: ...le The following topics are covered in this chapter Serial Ports 69BDisable the USB Port 26BUSB Port 69BDisable the USB Port 70BUSB Automount 27BSD and MicroSD Slot 71BEnabling Write Protection Error...

Страница 21: ...xa sudo setinterface dev ttyM0 UART Port 0 is in RS485 2W Mode 68Bstty stty command is used to manipulate the terminal settings You can view and modify the serial terminal settings with this command S...

Страница 22: ...xpansion 69BDisable the USB Port USB ports on the UC 8100 LX can be disabled This must be done via the bootloader before booting up To disable a USB port follow these steps 1 After powering on the UC...

Страница 23: ...pts on dev pts type devpts rw nosuid noexec relatime gid 5 mode 620 dev sdb1 on media usb0 type vfat rw nodev noexec noatime nodiratime sync fmask 0022 dmask 0022 codepage cp437 iocharset iso 8859 1 s...

Страница 24: ...first see the current write protection status on the storage and then you may select Enable or Disable write protect function Current Boot Storage Write Protect is Disabled Change to 0 Disabled 1 Enab...

Страница 25: ...ow these steps 1 Make sure the write protection switch of the SD card is unlocked 2 Insert the SD card into a Windows PC 3 Download win32diskimager from following link http sourceforge net projects wi...

Страница 26: ...For Linux users follow these steps 1 Make sure the write protection switch of the SD card is unlocked 2 Insert the SD card into a Linux PC 3 Use dmesg command to find out the device node 4 Use dd com...

Страница 27: ...tic LED indicators are activated as indicated in below table during resizing Please wait patiently until the diagnostic LEDs are put out System Status Diagnostic LED RED YELLOW GREEN Expanding root fi...

Страница 28: ...any of the hardware issues contact Moxa for further steps Status Red LED Yellow LED Green LED UART1 device issue On On Off UART2 device issue except UC 8131 On On Blink LAN 1 device issue On Off Off L...

Страница 29: ...l Strength Check the following table for the cellular signal strength and its relation to the signal indicator Signal Indicator Value RSSI dbm Condition 3 LEDs on red yellow green 20 to 30 73 to 53 Ex...

Страница 30: ...nterface of cellular connection is wwan0 moxa Moxa dhclient wwan0 Disconnecting from a Dial Up Network Be sure to hang up the connection if you don t need the service anymore To disconnect you many us...

Страница 31: ...do cell_mgmt power_off moxa Moxa sudo cell_mgmt power_on Sprint For Sprint users use the following commands to switch to correspondant profile for Sprint moxa Moxa echo n e ATE0 r n sudo tee dev ttyUS...

Страница 32: ...50 67 F0 61 2D 7A Protocol 802 11b g ESSID MIS WAP 1 Mode Managed Frequency 2 412 GHz Channel 1 Quality 81 100 Signal level 58 dBm Noise level 92 dBm Encryption key on Bit Rates 54 Mb s 81BConfigurin...

Страница 33: ...unction type usr sbin wifi_mgmt stop NOTE For more information about wpa_supplicant conf go to the following websites http www daemon systems org man wpa_supplicant conf 5 html http linux die net man...

Страница 34: ...EEE802 11i D7 0 TKIP Temporal Key Integrity Protocol IEEE802 11i D7 0 WEP104 WEP with 104 bit key EP40 WEP with 40 bit key The default value is CCMP TKIP WEP104 WEP40 psk preshared key WPA preshared k...

Страница 35: ...XA AP OK root Moxa home wpa_cli i wlan0 set_network 1 proto WPA WPA2 RSN OK root Moxa home wpa_cli i wlan0 set_network 1 key_mgmt WPA PSK OK root Moxa home wpa_cli i wlan0 set_network 1 pairwise TKIP...

Страница 36: ...wpa_cli i wlan0 remove_network Remove a network Network id can be received from the LIST_NETWORKS command output Special network id all can be used to remove all networks wpa_cli i wlan0 reconfigure...

Страница 37: ...latform Module gives the user more solid protection to the platform The following topics are covered in this chapter 34BSecure Boot 35BTrusted Platform Module TPM and TrouSerS 85BEnabling TPM via the...

Страница 38: ...UC 8100 LX Software Manual Security On UC 8100 LX 4 2...

Страница 39: ...secure platform that whoever copies the kernel file cannot understand or to add malicious code easily Next during boot up the ciphered kernel will be checked and decrypted into to plain kernel In cas...

Страница 40: ...air in the TPM tpm_getpubek Display the public portion of the Endoresement Key in the TPM tpm_resetdalock Reset the dictionary attack lock for the user requires owner authentication tpm_restrictpubek...

Страница 41: ...sable Command 0 1 2 TPM Chip Type SLB9645TT Device ID 0x1a TPM status check is enabled and activated Please reboot the system to complete the operation 4 After setting power off and then power on the...

Страница 42: ...he Endorsement Key is typically a 2 048 bit RSA public and private key pair which is created randomly on the chip at manufacture time and cannot be changed The private key never leaves the chip while...

Страница 43: ...ncrypt the given data and seal it to the symmetric key It is possible to invoke this command with several command line parameters Sealing Data moxa Moxa tpm_sealdata i secrect o secrect enc p 12 p 14...

Страница 44: ...es 0 0 0 B eth1 Link encap Ethernet HWaddr 00 90 e8 00 00 08 inet addr 192 168 4 127 Bcast 192 168 4 255 Mask 255 255 255 0 UP BROADCAST ALLMULTI MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 drop...

Страница 45: ...ation File 92BSyntax of the Selector 40BOpenSSL 93BCiphers 94BCryptographic Hash Functions 41BThe Apache Web Server 95BEdit ServerName in Apache Configuration File 42BSFTP 43BDNS 44BIPTABLES 96BObserv...

Страница 46: ...should be run at that time Whenever cron executes a command a report is automatically mailed to the owner of the crontab or to the user named in the MAILTO environment variable in the crontab if such...

Страница 47: ...th and authpriv for authentication cron comes from task scheduling services cron and atd daemon affects a daemon without any special classification DNS NTP etc ftp concerns the FTP server kern message...

Страница 48: ...nformation on rsyslog https wiki debian org Rsyslog http www rsyslog com doc 40BOpenSSL UC8100 supports hardware accelerator with openssl Type lsmod to make sure the cryptodev module is loaded Module...

Страница 49: ...enssl is built by MOXA or the hardware accelerator function will not work in other version 41BThe Apache Web Server The Apache HTTP Server Project is an effort to develop and maintain an open source H...

Страница 50: ...a Moxa sudo usermod s bin false sftp 2 Then a modification to the current user made in the debian installation fase In this example we use ftpuser as the user moxa Moxa sudo mkdir home sftp upload mox...

Страница 51: ...packet filter rule tables Several different tables are defined with each table containing built in chains and user defined chains Each chain is a list of rules that apply to a certain type of packet E...

Страница 52: ...efined Targets of rule ACCEPT DROP REJECT LOG SNAT DNAT MASQUERADE POSTROUTING OUTPUT Filter Default Packet filtering INPUT OUTPUT FORWARD Mangle Packet header modification PREROUTING INPUT FORWARD OU...

Страница 53: ...the UC 8100 LX series Use modprobe to insert and enable the module Use the following command to load the modules iptable_filter iptable_mangle iptable_nat modprobe iptable_filter Use iptables iptables...

Страница 54: ...e accepted automatically and all connections are accepted without being filtered iptables F iptables X iptables Z 97BDefine Policy for Chain Rules Usage iptables t tables P INPUT OUTPUT FORWARD PREROU...

Страница 55: ...e packet Examples Example 1 Accept all packets from lo interface iptables A INPUT i lo j ACCEPT Example 2 Accept TCP packets from 192 168 0 1 iptables A INPUT i eth0 p tcp s 192 168 0 1 j ACCEPT Examp...

Страница 56: ...exact same if one host were out on the internet somewhere just note that port 22 or whatever port you have SSH configured on would need to be forwarded on any network equipment on the server s side of...

Страница 57: ...ces on a network and maps local inside network addresses to one or more global outside IP addresses and un maps the global IP addresses on incoming packets back into local IP addresses ATTENTION Click...

Страница 58: ...T sbin iptables t nat P POSTROUTING ACCEPT sbin iptables t nat P OUTPUT ACCEPT Step 3 Enable IP masquerade ehco 1 proc sys net ipv4 ip_forward modprobe ipt_MASQUERADE iptables t nat A POSTROUTING o et...

Страница 59: ...will need to start stop the service with following command Start snmpd manually sudo etc init d snmpd start Stop snmpd manually sudo etc init d snmpd stop Enable snmpd insserv d snmpd Disable snmpd i...

Страница 60: ...1 1 9 1 4 1 Timeticks 3 0 00 00 03 iso 3 6 1 2 1 1 9 1 4 2 Timeticks 3 0 00 00 03 iso 3 6 1 2 1 1 9 1 4 3 Timeticks 3 0 00 00 03 iso 3 6 1 2 1 1 9 1 4 4 Timeticks 4 0 00 00 04 iso 3 6 1 2 1 1 9 1 4 5...

Страница 61: ...tic key Copy this static key to the clients etc openvpn directory using a secure channel like scp or sftp On the server create a new etc openvpn tun0 conf file and add the following dev tun0 ifconfig...

Страница 62: ...lable packages moxa Moxa sudo apt cache pkgnames 108BFind Out Package Name and Description of Software To find out the package name and the description use the search flag Using search with apt cache...

Страница 63: ...You can add more than one package name along with the command in order to install multiple packages at the same time For example the following command will install packages vim and goaccess moxa Moxa...

Страница 64: ...particular package use the option download only source with package name as shown moxa Moxa sudo apt get download only source wget 124BDownload and Unpack a Package To download and unpack source code...

Страница 65: ...in the local repository it will return an error code moxa Moxa sudo apt get build dep wget 130BAuto Clean Apt Get Cache The autoclean command deletes all deb files from var cache apt archives to free...

Страница 66: ...UC 8100 LX The following topics are covered in this chapter 51BLinux Tool Chain Introduction 132BNative Compilation 133BCross Compilation 134BObtaining Help 52BTest Program Developing Hello c 135BCom...

Страница 67: ...ese steps to update package menu 1 Make sure network connection is available 2 Use apt get update to update Debian package list moxa Moxa sudo apt get update 3 Install native compiler and necessary pa...

Страница 68: ...linux gnueabihf 4 7 20130415 bin arm linux gnueabihf gcc ranlib usr local arm linux gnueabihf 4 7 20130415 bin arm linux gnueabihf ld usr local arm linux gnueabihf 4 7 20130415 bin arm linux gnueabihf...

Страница 69: ...gnueabihf 4 7 20130415 share doc gcc linaro arm linux gnueab ihf man man1 arm linux gnueabihf gcc 1 Cross Compiling Applications and Libraries To compile a simple C application just use the cross comp...

Страница 70: ...found continue with Step 7 7 Back up the user directory distribute the program to additional UC 8100 series units if needed The package CD contains several example programs Here we use Hello c as an...

Страница 71: ...dbus Modbus Protocol is a messaging structure which is used to establish master slave client server communication between intelligent devices It is a de facto standard truly open and the most widely u...

Страница 72: ...LM_READ rtc_tm Function RTC_IRQP_SET Description Set IRQ rate Usage unsigned long tmp 2 int ioctl fd RTC_IRQP_SET tmp value 2 4 8 16 32 64 Hz Function RTC_IRQP_READ Description Read IRQ rate Usage uns...

Страница 73: ...LIVE Description Write to the watchdog device to keep watchdog alive Usage int ioctl fd WDIOC_KEEPALIVE 0 Function WDIOC_SETTIMEOUT Description Modify the watchdog timeout Min 1second Max 1day Default...

Страница 74: ...We provide diagnostic LEDs library which name is libmx_led so to show the status of device but we also provide diagnostic LED API to let your own application be able to use these LEDs 137BTurn on LEDs...

Страница 75: ...serial port if fd open device O_RDWR O_NOCTTY 1 return 1 fcntl fd F_SETFL 0 tcgetattr fd options cfsetispeed options speed B115200 cfsetospeed options speed B115200 cfmakeraw options options c_cflag C...

Страница 76: ...iles base passwd 3 5 26 armhf Debian base system master password and group bash 4 2 dfsg 0 1 armhf GNU Bourne Again SHell bsdmainutils 9 0 3 armhf collection of more utilities from FreeBSD bsdutils 1...

Страница 77: ...armhf high level tools to configure network interf initscripts 2 88dsf 41 deb7u1 armhf scripts for initializing and shutting down t insserv 1 14 0 5 armhf boot sequence organizer using LSB init d scr...

Страница 78: ...Linux Kernel Device Mapper userspace library libedit2 armhf 2 11 20080614 5 armhf BSD editline and history libraries libevent 2 0 5 armhf 2 0 19 stable 3 armhf Asynchronous event notification library...

Страница 79: ...bus5 3 0 3 1 armhf library for the Modbus protocol libmount1 2 20 1 5 3 armhf block device id library libmysqlclient18 armhf 5 5 37 0 wheezy1 armhf MySQL database client library libncurses5 armhf 5 9...

Страница 80: ...b7u1 armhf Cyrus SASL pluggable authentication module libselinux1 armhf 2 1 9 5 armhf SELinux runtime shared libraries libsemanage common 2 1 6 6 all Common files for SELinux policy management l libse...

Страница 81: ...library libwrap0 armhf 7 6 q 24 armhf Wietse Venema s TCP wrappers library libwvstreams4 6 base 4 6 1 5 armhf C network libraries for rapid application libwvstreams4 6 extras 4 6 1 5 armhf C network...

Страница 82: ...er 1 6 0p1 4 deb7u1 armhf secure shell SSH server for secure access openssl 1 0 1e 2 deb7u11 uc8100 armhf Secure Socket Layer SSL binary and related openvpn 2 2 1 8 deb7u2 armhf virtual private networ...

Страница 83: ...server metapackage sudo 1 8 5p2 1 nmu1 armhf Provide limited super user privileges to spe sysv rc 2 88dsf 41 deb7u1 all System V like runlevel change mechanism sysvinit 2 88dsf 41 deb7u1 armhf System...

Страница 84: ...Common files vim runtime 2 7 3 547 7 all Vi IMproved Runtime files watchdog 5 12 1 armhf system health checker and software hardware wget 1 13 4 3 deb7u1 armhf retrieves files from the web whiptail 0...

Страница 85: ...lifetime of the SD card The following topics are covered in this appendix 3BOverview SD Flash Types 4BTips for Running GNU Linux on an SD Card Use SLC SD Card Use an SD Card with Larger Capacity Twea...

Страница 86: ...C solid state flash memory and is commonly used in various cosumer devices that use solid state storage Comparison Table for Flash Types Flash type SLC Single Level Cell 1 bit MLC Multilevel Cell 2 bi...

Страница 87: ...d Avail Use Mounted on tmpfs 100M 596K 100M 1 var log There are a variety of locations that GNU Linux likes to make frequent writes This is a list of entries below that I use as a starting point that...

Страница 88: ...8100 LX Software Manual Extending the Lifetime of the SD Card B 4 NOTE Click the following links for more information on minicom http www gnu org software coreutils manual html_node dd invocation htm...

Страница 89: ...ther computer 2 Start Win32 Disk imager and complete the following steps a From the Device drop down list select the drive letter for the SD card for example L b In the Image File field enter the loca...

Страница 90: ...an start using the image 6BUsing the dd command 1 Insert the SD or microSD card into another computer 2 Check the device folder for the SD or microSD card for example dev sdd and the directory and fil...

Отзывы:

Нет отзывов