Antitheft HowTo: Difference between revisions
B - XS-on-XO 'activator'
Download the XS-on-XO image I pointed out last week and install it on an SD card as the instructions say. Boot machine B from that SD card.
When you start machine B you have to do the initial domain configuration, as we saw when I was in Managua, and reboot it.
Put the activations created on machine A on a USB disk, under the name 'lease.sig'. When you plug that USB disk into machine B, the machine will load them automatically.
As I showed you when I was in Managua, you can monitor that by following the log /var/log/user.log --
C - XO NANDBlaster 'sender' -- with a USB disk holding the image to "send".
Revision as of 15:32, 17 September 2009
This document outlines antitheft-related procedures.
Example scenarios
Upgrade and activate a set of XOs
To accomplish this, you need 3 machines in total.
- An XO acting as the Master Lease Signing Server (MSS)
- An XS (can be XS-on-XO machine)
- An XO running as NANDBlast sender
And your master keys.
Steps
- On the MSS, create a lease.sig file with leases for all the XOs you will upgrade and activate.
- On the XS, load the lease.sig file so that xs-activation can use it
- On the NANDBlast machine, prepare to run nb-secure, as described in Multicast_NAND_FLASH_Update#NANDblasting_a_Signed_NAND_Image_File
- Setup the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process
Procedures
Prepare an XO as the Master Signing Server (MSS)
- This machine is only used to generate leases, devkeys or delegations. In other words, it is of occasional use, and should be kept in a secure place at all times.
- Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions.
- Install the latest olpc-bios-crypto package:
- Download the latest one from [1]
- Install it with
rpm -ivh olpc-bios-crypto-(version).rpm
- Make a new directory to store the master keys:
mkdir /root/masterkeys
- Copy the master keys into
/root/masterkeys
- you will normally have the files developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public
Done! Now keep this machine in a safe location.
Generate activation leases on the MSS
You will usually have a spreadsheet provided by OLPC with the serial numbers, uuids and box number. You need to define which XOs / boxes activated...
Stage 1 - create the CSV file
- open spreadsheet in OpenOffice Calc
- find the relevant XOs in the spreadsheet
- make a new page in the existing spreadsheet - give that page the name of the school
- copy/paste the SN/UUID region to the new page, remove the "extra" columns we don't need. Also make sure you don't include the 'column headers' row.
- Save the document
- Make sure you are on the spreadsheet page for the right school
- Now use the "File->Save As..." menu option to create a new file. The file format must be CSV. The file name must be the name of the school.
- OpenOffice will offer a "Text export / field options" dialogue...
- Character set: leave it as it is (Unicode UTF-8).
- Field separator: leave it as it is (comma).
- Text separator: Delete it, so that the option is empty.
- OpenOffice will warn you that it is only exporting the 'current page'. Perfect, that's exactly what we want.
Now you should have a CSV file that is just serial numbers and uuids. The command head myfile.csv should give you five lines, each looking like:
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
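Added example, not part of the original page or of the olpc-bios-crypto package: a shell check for the exported CSV that catches a leftover column-headers row, text separators that were not deleted, extra columns and duplicate serial numbers before the file is taken to the MSS. The names check_lease_csv and sample_rows are hypothetical, and the field shapes (11-character serial, 8-4-4-4-12 hex uuid) are assumptions taken from the sample line above.

```shell
#!/bin/sh
# Added example: sanity-check a school CSV before generating leases from it.
# Assumed shapes, taken from the sample line on this page:
#   serial = 11 upper-case letters/digits, uuid = 8-4-4-4-12 hex digits.

check_lease_csv() {
    # Prints one "line N: problem" per bad row; exit status 1 if any row is bad.
    awk -F',' '
    {
        sub(/\r$/, "")                       # tolerate CRLF line endings
        if ($0 == "") { bad("empty line"); next }
        if (index($0, "\"")) { bad("text separator (quote) was not removed"); next }
        if (NF != 2) { bad("expected 2 fields, found " NF); next }
        if ($1 !~ /^[A-Z0-9]+$/ || length($1) != 11) {
            bad("not a serial number (header row?): " $1); next
        }
        if ($2 !~ /^[0-9A-Fa-f-]+$/ || !uuid_shape($2)) {
            bad("malformed uuid: " $2); next
        }
        if ($1 in seen) { bad("duplicate serial " $1 ", first on line " seen[$1]); next }
        seen[$1] = NR
    }
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    function uuid_shape(u,   p, n) {
        n = split(u, p, "-")
        return n == 5 && length(p[1]) == 8 && length(p[2]) == 4 &&
               length(p[3]) == 4 && length(p[4]) == 4 && length(p[5]) == 12
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Constructed sample: row 1 is the example line from this page, the other
# rows are made up so that each one trips a different check.
sample_rows() {
    cat <<'EOF'
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
Serial,UUID
"SCH9950297D","477F6B80-DDA9-4A89-9C73-8C500C79AA8B"
SCH9950298E,577F6B80-DDA9-4A89-9C73-8C500C79AA8C,Box 12
SCH9950296C,677F6B80-DDA9-4A89-9C73-8C500C79AA8D
SCH9950299F,777F6B80-DDA9-4A89-9C73
EOF
}

sample_rows | check_lease_csv - || echo "fix the CSV before generating lease.sig"
```

Run it on the real export as check_lease_csv myfile.csv; no output and exit status 0 mean every row has the two-field serial,uuid shape.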
Stage 2 - generating lease.sig
On the MSS...
On this machine -- which must be kept under lock and key -- you can generate the activations, using the 'a1' key and the CSV file, with the program obc-make-lease-from-csv.sh .
This machine will only be used occasionally to generate more activations. The rest of the time, keep it safely stored.