Antitheft HowTo: Difference between revisions
Revision as of 14:14, 17 September 2009
This document outlines antitheft-related procedures.
Example scenarios
Upgrade and activate a set of XOs
To accomplish this, you need 3 machines in total.
- An XO acting as the Master Lease Signing Server (MLSS)
- An XS (can be XS-on-XO machine)
- An XO running as NANDBlast sender
as well as your master keys.
Steps
- On the MLSS, create a lease.sig file with leases for all the XOs you will upgrade and activate.
- On the XS, load the lease.sig file so that xs-activation can use it.
- On the NANDBlast machine, prepare to run nb-secure, as described in Multicast_NAND_FLASH_Update#NANDblasting_a_Signed_NAND_Image_File
- Set up the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process
B - XS-on-XO 'activator'
Download the XS-on-XO image that I pointed to last week and install it on an SD card as the instructions describe. With that SD card you get machine B running.
When you boot machine B you have to do the initial domain configuration, as we saw when I was in Managua, and reboot it.
The activations you have created on machine A go onto a USB disk, under the name 'lease.sig'. When you plug that USB disk into machine B, the machine will load them automatically.
As I showed you when I was in Managua, you can monitor that by following the log /var/log/user.log --
C - XO 'sender' NANDBlaster -- with a USB drive holding the image to "send".
Procedures
Prepare an XO as the Master Signing Server (MSS)
- This machine is only used to generate leases, devkeys or delegations. In other words, it is of occasional use, and should be kept in a secure place at all times.
- Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions.
- Install the latest olpc-bios-crypto package:
- Download the latest one from [1]
- Install it with
rpm -ivh olpc-bios-crypto-(version).rpm
- Make a new directory to store the master keys:
mkdir /root/masterkeys
- Copy the master keys into /root/masterkeys - you will normally have the files developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public
Done! Now keep this machine in a safe location.
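A quick audit of the key directory after the copy step, as an added example that is not part of the original page or of olpc-bios-crypto. The file names are the ones listed above; the owner-only permission policy and the function name check_masterkeys are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that all twelve key files are present and that the
# private halves (and the directory) are accessible to the owner only.
# Policy assumed here: mode ?00 on *.private and on the directory itself.

check_masterkeys() {
    dir=${1:-/root/masterkeys}
    problems=0
    for name in developer fs fw lease oats os; do
        for kind in private public; do
            f="$dir/$name.$kind"
            if [ ! -f "$f" ]; then
                echo "MISSING  $f"
                problems=$((problems + 1))
                continue
            fi
            # Only the private halves are secret; public keys may be readable.
            if [ "$kind" = private ]; then
                mode=$(stat -c %a "$f")
                case "$mode" in
                    ?00) ;;
                    *) echo "LOOSE    $f (mode $mode)"
                       problems=$((problems + 1)) ;;
                esac
            fi
        done
    done
    # The directory should not be listable or writable by anyone else.
    dmode=$(stat -c %a "$dir" 2>/dev/null)
    case "$dmode" in
        ?00) ;;
        *) echo "LOOSE    $dir (mode ${dmode:-unknown})"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}
```

Run it as `check_masterkeys` on the MSS; it prints one line per problem and returns non-zero if any were found.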
Generate activation leases on the MSS
You will usually have a spreadsheet provided by OLPC with the serial numbers, uuids and box number. You need to define which XOs / boxes activated...
Stage 1 - create the CSV file
- open spreadsheet in OpenOffice Calc
- find the relevant XOs in the spreadsheet
- make a new page in the existing spreadsheet - give that page the name of the school
- copy/paste the SN/UUID region to the new page, remove the "extra" columns we don't need. Also make sure you don't include the 'column headers' row.
- Save the document
- Make sure you are on the spreadsheet page for the right school
- Now use the "File->Save As..." menu option to create a new file. The file format must be CSV. The file name must be the name of the school.
- OpenOffice will offer a "Text export / field options" dialogue...
  - Character set: leave it as it is (Unicode UTF-8).
  - Field separator: leave it as it is (comma).
  - Text separator: Delete it, so that the option is empty.
- OpenOffice will warn you that it is only exporting the 'current page'. Perfect, that's exactly what we want.
Now you should have a CSV file that is just serial numbers and uuids. The command head myfile.csv should give you five lines, each looking like:
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
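Before the CSV goes anywhere near the signing keys, it can be checked for the export mistakes Stage 1 warns about (header row left in, text separator not deleted, extra columns). This is an added example, not code from the original page; the serial and UUID patterns are inferred from the single sample line above and the function name check_lease_csv is hypothetical.

```shell
#!/bin/sh
# Added example: reject a lease CSV unless every line is SERIAL,UUID.
# Assumed formats (from the page's sample line only):
#   serial = 11 upper-case letters/digits, uuid = 8-4-4-4-12 upper-case hex.

check_lease_csv() {
    csv=$1
    [ -r "$csv" ] || { echo "cannot read: $csv"; return 2; }
    awk -F, '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errors++ }
        /"/      { bad("text separator still present"); next }
        /\r$/    { bad("DOS line ending"); next }
        NF != 2  { bad("expected 2 fields, found " NF); next }
        # A leftover header row such as SN,UUID is caught by this rule.
        length($1) != 11 || $1 !~ /^[A-Z0-9]+$/ { bad("serial number format"); next }
        {
            n = split($2, part, "-")
            if (n != 5 || $2 !~ /^[0-9A-F-]+$/ ||
                length(part[1]) != 8 || length(part[2]) != 4 ||
                length(part[3]) != 4 || length(part[4]) != 4 ||
                length(part[5]) != 12) { bad("uuid format"); next }
        }
        # The same laptop listed twice usually means a copy/paste slip.
        seen[$1]++ { bad("duplicate serial number"); next }
        { good++ }
        END {
            if (NR == 0) { print "file is empty"; errors++ }
            printf "%d valid, %d rejected\n", good, errors
            exit (errors > 0)
        }
    ' "$csv"
}
```

`check_lease_csv myfile.csv` returns 0 only when every line passes, so it can gate the Stage 2 signing step.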
Stage 2 - generating lease.sig
On the MSS...
On this machine -- which has to be kept under lock and key -- you can generate the activations, using the 'a1' key and the CSV file, with the program obc-make-lease-from-csv.sh .
This machine will only be used occasionally to generate more activations. The rest of the time, keep it safely stored.