User:Cjl/Sandbox3: Difference between revisions
No edit summary |
m (Walter's rectum 23/Sandbox3 moved to User:Cjl/Sandbox3 over redirect: revert) |
||
(7 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
<noinclude>{{ GoogleTrans-en | es =show | bg =show | zh-CN =show | zh-TW =show | hr =show | cs =show | da =show | nl =show | fi =show | fr =show | de =show | el =show | hi =show | it =show | ja =show | ko =show | no =show | pl =show | pt =show | ro =show | ru =show | sv =show }}</noinclude>{{OLPC}} |
|||
{{OLPC}} |
|||
{{Developers}} |
|||
{{Translations}} |
{{Translations}} |
||
{{RightTOC}} |
|||
The primary OLPC '''communication channels''' are [[#Mailing lists|mailing lists]], [[#IRC|IRC channels]], and [[#Forums|discussion forums]]. |
|||
A developer key is a file containing cryptographic information tied to a specific XO laptop. |
|||
== What you can do with a developer key == |
|||
== Chat == |
|||
If you don't have a developer key, and your laptop has firmware security enabled, it will not let you do anything except boot an OLPC-signed operating system, and use the OLPC-provided software. If you insert a USB flash drive or SD card, the boot firmware will only boot from it if the files are tested and cryptographically signed by OLPC. |
|||
Most OLPC chat takes place on IRC (that's [http://en.wikipedia.org/wiki/IRC Internet Relay Chat]). You can either use a computer based client to log in to IRC (like [[XOirc]] on the XO) or a web interface like the one [http://en.forum.laptop.org/chat/ at our forum]. |
|||
If the boot [[firmware]] sees a developer key in <tt>/security/develop.sig</tt>, it makes the XO laptop work just like any ordinary PC-style laptop: |
|||
=== IRC === |
|||
* it will let you interrupt the boot process and enter commands |
|||
* it will try to boot and run any program you supply to it, such as a Fedora or Debian Linux system, no matter whether the OLPC organization has tested, approved, or signed it. |
|||
The laptop also works this way if its firmware security is [[#Disable_the_security_system|permanently disabled]]. |
|||
OLPC produces many unsigned [[OS images|operating system images]] for development and testing, which will only work in your laptop if you have a developer key. Also, if your laptop refuses to boot because the clock is set wrong, or complains about an unsigned kernel, getting a developer key is a critical part of diagnosing and/or fixing the trouble. |
|||
IRC is mainly designed for group communication in discussion 'channels', but allows for personal chat and data transfer as well. |
|||
This firmware security is part of the [[BitFrost|BitFrost security system]], and is used to ensure that unless the user has specifically opted out, their basic operating software remains unmodified. This feature is contentious (see [[Talk:Activation_and_developer_keys#Activation_and_Developer_Keys_as_DRM|discussion]]). Frequently referred to as "[[Wikipedia:Tivoization|Tivoization]]", this kind of deliberate manufacturer's restriction on ordinary people's use of their hardware is a form of "[[Wikipedia:Digital Rights Management|Digital Rights Management]]" or DRM. Bypassing the XO firmware security ([[Wikipedia:Privilege escalation|jailbreaking]]) is relatively easy because the OLPC organization explicitly allows it, via the process described in this web page. |
|||
The OLPC Community uses a series of ''channels'' in the '''<tt>irc.freenode.net</tt>''' and <tt>irc.oftc.net</tt> networks. If you have a user page on this wiki, use {{tl|User irc}} to indicate your participation in IRC channels, and to find the category where users are registered. |
|||
All production XO laptops have had firmware security enabled. This includes laptops obtained through the [[G1G1|Give One, Get One]] program. |
|||
==== irc.freenode.net channels ==== |
|||
The firmware will look for a developer key on your laptop's internal flash memory; on any USB flash drive that's plugged in; and on any SD card that's plugged in. It needs to be in <tt>/security</tt>. (See [[Firmware security]] for the gory details.) |
|||
{| |
|||
|- |
|||
| colspan=2 style="background:lightyellow; border:1px solid black;" | '''General:''' |
|||
|- valign="top" |
|||
| <tt>#olpc-help</tt> || Community help. If you need help using your XO, and you haven't asked anywhere else: try here first. You can access it [http://en.forum.laptop.org/chat/ from a web page right now]. |
|||
|- valign="top" |
|||
| <tt>#olpc-ayuda</tt> || The Spanish language (Español) version of #olpc-help. |
|||
|- valign="top" |
|||
| width=200px | <tt>#olpc</tt> || Contact point for all things olpc, ''and'' the core hardware development team's own channel. Picture a room where the knowledgeable core people are hard at work. It is a good place for authoritative answers, but people may be out, or too busy to respond, or don't want interruptions at the moment. '''Consider going to #olpc-help first.''' |
|||
|- valign="top" |
|||
| <tt>#olpc-content</tt> || [[content]] related matters and general discussion. |
|||
|- valign="top" |
|||
| <tt>#sugar</tt> || [[Sugar]] development. |
|||
|- |
|||
| colspan=2 style="background:lightyellow; border:1px solid black;" | '''Primary Community Channels''' |
|||
|- valign="top" |
|||
| <tt>#olpc-groups</tt> || Global channel for all local communities (no language barriers) |
|||
|- valign="top" |
|||
| <tt>#olpc-health</tt> || Global channel for all health-related communities (English) |
|||
|- valign="top" |
|||
| <tt>#olpc-es</tt> || [[Spanish]] language channel |
|||
|- valign="top" |
|||
| <tt>#olpc-brasil</tt> || [[Portuguese_language|Portuguese]] language channel |
|||
|- valign="top" |
|||
| <tt>#olpc-europe</tt> || Regional discussions for [[OLPC Europe|Europe]] |
|||
|} |
|||
With a developer key, whenever the laptop boots, the firmware will give you the option to press the Escape key (at the upper left, marked [[Image:Esc.png]]) and get an ok prompt, which lets you enter commands in Forth. If you don't press the Escape key, after a short countdown the firmware continues booting the operating system. |
|||
==== irc.oftc.net channels ==== |
|||
* This is the insecure boot process, and it will boot into any image you install on the xo. |
|||
* Rather than drawing pretty pictures on the screen, lots of text messages will be displayed, and will eventually scroll up the screen. This is normal, and can be useful for diagnosing problems in your laptop. |
|||
* The insecure boot process does not automatically upgrade firmware; you will be responsible for updating your firmware yourself. |
|||
==Getting a developer key for your running XO laptop== |
|||
{| |
|||
|- |
|||
| colspan=2 style="background:lightyellow; border:1px solid black;" | '''Developer:''' |
|||
|- valign="top" |
|||
| <tt>#olpc-devel</tt> || Primary home of Developers conversation in IRC |
|||
|- valign="top" |
|||
| <tt>#fedora-olpc</tt> || The home of the [[Fedora]] interest group for OLPC |
|||
|- valign="top" |
|||
| <tt>#schoolserver</tt> || Development of the [[XS]] [[School server]] |
|||
|- |
|||
| colspan=2 style="background:lightyellow; border:1px solid black;" | '''Community:''' |
|||
|- valign="top" |
|||
| <tt>#olpc-admin</tt> || Home of the Volunteer sys-admin squad: [[Infrastructure gang]] |
|||
|} |
|||
# On your XO, open the [[Browse]] activity. |
|||
[[Communication_channels/IRC_other|other channels]] |
|||
# There's a "Developer key request" web page on the XO to apply for a key. There are several ways to navigate to this page: |
|||
#* In all builds, you can type '''file:///home/.devkey.html''' in the browse location field to get to the request page. |
|||
#* In recent builds (including 8.2.0), "Get a developer key" is at the bottom of the Browse start page. |
|||
#* In older builds (8.1, 703 and higher), click "activities" in the OLPC Library left-hand navigation, click on the sub-menu "find activities", and at the bottom of the page that displays is the "apply for developer key" link. Also, under "books" in the OLPC Library, click on the sub-menu "explore your xo", click "troubleshooting", and under "How do I get a developer key for my laptop" is a link to "submit this form" |
|||
#* In still older builds (7.1, 650, 653, and 656), click on the Library link "other" and then on "about your xo". Click on the "apply for a developer key" link at the very bottom of the page. (You can press the 'check mark' (✓) game key to quickly get to the bottom of the page.) |
|||
# Follow the directions to apply for a developer key; it should be created in a day or two. |
|||
# Go back to the request page when your key is ready, and follow the instructions to download your key to your XO. |
|||
#* Once your key has been created, you can return to this page at any time ''on your XO'' to re-download it; there will be no further creation delay. |
|||
# [[Reboot]] your XO. |
|||
''Tip:'' if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it. |
|||
=== How to use irc channels === |
|||
== After you get a developer key == |
|||
# For the #olpc-help channel you can visit the [http://forum.laptop.org/chat/ Live Web Chat]. |
|||
=== Make back up copies! === |
|||
# Another web-based chat for all channels is [http://www.mibbit.com mibbit], with nickname: (whatever you like), server: irc.freenode.net, and channel: #olpc-help (or whatever other channel you're trying to get into). |
|||
However you get a key, please '''''make a copy of it on some other computer''''', one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to <tt>/security/develop.sig</tt> on a USB flash drive, if you have one. |
|||
# Some helpful resources are [http://www.mirc.com/irc.html here], and [http://www.irchelp.org/irchelp/irctutorial.html this tutorial], which also includes basic commands. |
|||
# Learn about IRC etiquette. Try [http://www.ircbeginner.com/ircinfo/etiquette.html here], [http://www.livinginternet.com/r/ru_chatq.htm here], or [http://www.wxwidgets.org/wiki/index.php/IRC_Etiquette here], or [http://www.nerdfest.org/lh_rules.html this link] specifically about asking questions on channels like #olpc-help. |
|||
#* For IRC on your XO, install the latest '''[[XoIRC]]''' activity. |
|||
# Connect to one of the above channels, and say hello. (To do this, choose irc.freenode.net as your server, and then /join a channel... if you're new to IRC, the [irc://freenode/#olpc-help #olpc-help] channel is probably the place you want to go first). |
|||
# Note [[OLPC growing pains]]. |
|||
===Disable the security system=== |
|||
== Forums == |
|||
Once you have a developer key and have booted your system using it, it is possible to permanently disable the firmware security system, even if your XO's developer key goes away. If you forget to do this, and you usually run ordinary free software distributions like Debian, Ubuntu, or Fedora on your XO, your XO will at some point refuse to boot. |
|||
To permanently turn off firmware security on your laptop: |
|||
There are a number of active OLPC forums, including |
|||
# [[Reboot]] the XO |
|||
* http://forum.laptop.org/ |
|||
# Press the Esc key during boot to get to the 'ok' prompt. |
|||
:total posts 6.887 • Total topics 1.324 • Total members 1.609 <sub>[[User:Yamaplos|Yamaplos]] 22:56, 20 April 2008 (EDT)</sub> |
|||
# Type 'disable-security' at the 'ok' prompt and press enter |
|||
* http://olpcnews.com/forum/ |
|||
:total posts 20.765 • Total topics 2.332 • Total members 2.754 <sub>[[User:Yamaplos|Yamaplos]] 22:56, 20 April 2008 (EDT)</sub> |
|||
If disable-security says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above. If disable-security says "No wp key", it means that security is already disabled. |
|||
* When security is disabled, you can still re-enable it for a single boot by [[Cheat codes|pressing the X gamepad key]] while turning the power on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates. |
|||
* You can reverse the 'disable-security' command by entering 'enable-security' at the 'ok' prompt. |
|||
* You can see the raw manufacturing data where the disable-security setting is stored by typing ".mfg-data". See [[Manufacturing data]] for details. |
|||
==Troubleshooting disabling of the security system== |
|||
== [[Mailing lists]] == |
|||
Some of us have had some issues with disabling the security when the developer key is on a USB drive. If you experience this problem, try using an SD card instead. It should be vfat formatted. |
|||
;<big> See: [[Mailing lists]] </big> |
|||
If you are on Linux: |
|||
mkfs.vfat -I /dev/sdX |
|||
then mount the SD card |
|||
mount -t vfat /dev/sdX /media/yourmountpoint |
|||
cp develop.sig /media/yourmountpoint |
|||
Once you are done unmount your SD card: |
|||
The full list of mailing lists is at '''http://lists.laptop.org'''. Sometimes they multiply when one isn't watching. |
|||
umount /dev/sdX |
|||
then stick the SD into the XO (it is under the screen, you need to turn it -- it is on the right side) |
|||
Lists can be searched [http://www.google.com/custom?hl=en&cof=&domains=lists.laptop.org&btnG=Search&sitesearch=lists.laptop.org with google]. |
|||
reboot and hold down [[Image:Esc.png]] -- then you will get to an {ok} prompt |
|||
type: |
|||
disable-security |
|||
it will automatically reboot and write what it needs to to disk |
|||
There are also many other [[Outside mailing lists|mailing lists]] on topics related to the OLPC project. |
|||
Once you boot up - then copy the key to the disk |
|||
===Starting a new list=== |
|||
cd /media/$some-automatically-mounted-name |
|||
The best way to start a new mailing list is to begin a discussion on a related list that already exists, and once the discussion becomes active, to ask for a separate list for that topic or that sort of traffic. |
|||
su |
|||
cp develop.sig /security |
|||
Now you can reboot and take out the SD card |
|||
When you have a critical mass of people regularly talking about the same topic, request a mailing list by emailing the following information to '''sysadmin''' at '''laptop''' dot '''org''': |
|||
if you hit [[Image:Esc.png]] it will bring you to the {ok} prompt |
|||
# The name you want for your mailing list, with alternative names if the first one is taken |
|||
# A description of the list, its purpose, and why it's needed (being able to say "we've been talking on this other list for a while, and the discussion has grown too big - see these archive links" is helpful) |
|||
# The name/email of the list admin, and of at least one other moderator (minimum one admin and one moderator) |
|||
# At least 10 names/emails of people who want to be the initial subscribers |
|||
=== If you wipe out your developer key === |
|||
It may take a while (usually several days) to hear a response back, so please be patient! |
|||
If you reflash your XO you will remove <tt>/security/develop.sig</tt>. |
|||
One way this can happen is if you ever do a fresh install of an operating system image using the [[clean-install procedure]] (rather than [[olpc-update]]). |
|||
If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options: |
|||
* Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed. |
|||
* Reflash again with a signed OS image. |
|||
* Insert a USB flash drive or SD card with your developer key on it in <tt>/security/develop.sig</tt> (this is why you should always be sure to backup <tt>develop.sig</tt>), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security. |
|||
Once boot completes you can restore your developer key back to NAND flash by typing in a [[Terminal Activity|terminal]] something like |
|||
cp -pi /media/''MY_USB_NAME''/security/develop.sig /security |
|||
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten. |
|||
==Getting a developer key without WiFi== |
|||
====List subscribers==== |
|||
If you have some network access, you can: |
|||
The subscribers for many lists with non-private rosters can be viewed by visiting this web address, <nowiki>http://lists.laptop.org/mailman/roster/</nowiki><listname>. (Community-news and Devel, at least, have private rosters.) One must first have joined a list and signed in at the <nowiki>http://lists.laptop.org/options/</nowiki><listname> address. (The "Visit Subscriber List" button on the listinfo page (<nowiki>http://lists.laptop.org/listinfo/</nowiki><listname>) does not currently work.) |
|||
* use a [[USB ethernet adaptors|USB-to-wired ethernet adapter]] to get your XO on the net, then follow the above instructions. |
|||
* copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the [[Terminal]] activity will copy it to any USB devices connected: |
|||
** <tt>cp -p /home/.devkey.html /media/*/devkey.html</tt> |
|||
== How to get a developer key when Browse freezes == |
|||
At times Browse can freeze when trying to activate your key. An alternative way of activating is by starting Terminal or by pressing Ctrl+Alt+[[Image:Friends key f2 small.png]] to get to a console and get the serial + uuid for activation. Once you see the terminal, you may need to type in "root" with no password to login. |
|||
Next type in: |
|||
[[Category:General Public]] |
|||
vi /home/.devkey.html |
|||
[[Category:Developers]] |
|||
[[Category:Sugar]] |
|||
On line 16 there should be the serial_num (write down what it says under VALUE="...."), and on line 17 the uuid (VALUE="..."). You will need this information to register for your key. |
|||
[[Category:Community]] |
|||
[[Category:IRC]] |
|||
Next start a browser on a computer that has web access and type in: [https://activation.laptop.org/devkey/post/ https://activation.laptop.org/devkey/post/] and enter the serial and uuid that you got from the .devkey.html file and select "Get developer key". |
|||
You should then return to the web page after 24 hours. Your key will be ready for you. |
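The manual step above (reading serial_num and uuid out of .devkey.html in vi) can be scripted so that a transcription error is caught before the request is submitted. This is an added example, not OLPC code: the function names are hypothetical, the sample form is constructed, and it assumes each field sits on one line as NAME="..." VALUE="...". It matches the field name rather than relying on lines 16 and 17.

```shell
#!/bin/sh
# Added example (not OLPC code): extract serial_num and uuid from a copy of
# /home/.devkey.html and check their shape before submitting a key request.
# Assumption: each field is on a single line with NAME="..." VALUE="...".

# extract_value FIELD FILE
# Print the VALUE="..." attribute from the first line that names FIELD.
extract_value() {
    sed -n "/$1/{s/.*[Vv][Aa][Ll][Uu][Ee]=\"\([^\"]*\)\".*/\1/p;q;}" "$2"
}

# Serial numbers on the page look like CSNxxxxxxxx, SHFxxxxxxxx or SHCxxxxxxxx.
# Assumption: the eight trailing characters are digits or upper-case letters.
valid_serial() {
    printf '%s\n' "$1" | grep -Eq '^(CSN|SHF|SHC)[0-9A-Z]{8}$'
}

# UUIDs on the page are written nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn.
# Assumption: each n is a hexadecimal digit.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$'
}

# read_devkey_request FILE
# Print "SERIAL UUID" on success; print a diagnostic and return 1 otherwise.
read_devkey_request() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    sn=$(extract_value serial_num "$f")
    id=$(extract_value uuid "$f")
    valid_serial "$sn" || { echo "unexpected serial number: '$sn'" >&2; return 1; }
    valid_uuid "$id" || { echo "unexpected UUID: '$id'" >&2; return 1; }
    printf '%s %s\n' "$sn" "$id"
}

# write_sample_devkey PATH
# Write a constructed stand-in for .devkey.html (values are made up).
write_sample_devkey() {
    cat > "$1" <<'EOF'
<HTML><BODY>
<FORM METHOD="post" ACTION="https://activation.laptop.org/devkey/post/">
<INPUT TYPE="hidden" NAME="serial_num" VALUE="SHC00000000">
<INPUT TYPE="hidden" NAME="uuid" VALUE="01234567-89AB-CDEF-0123-456789ABCDEF">
<INPUT TYPE="submit" VALUE="Get developer key">
</FORM></BODY></HTML>
EOF
}

# When run as a script with one argument, report the values from that file.
if [ "$#" -eq 1 ]; then
    read_devkey_request "$1"
fi
```

Run it against a copy of the file taken from the XO (for example the one copied to a USB device as described earlier on this page).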
|||
== Getting a developer key without network == |
|||
=== Via snail mail === |
|||
You can submit a written request via snail mail to: |
|||
: One Laptop per Child<br/>P.O. Box 425087 |
|||
: Cambridge, MA 02142 |
|||
Your key will be mailed back to you. |
|||
=== If the machine won't boot === |
|||
==== Revert to a previous OS image ==== |
|||
First, try booting with the 'O' (circle) gamepad key held down. That will attempt to boot a previous version of the OS, after which you can use one of the options above. |
|||
==== Generate a laptops.dat file ==== |
|||
See [[#Getting_devkey_data_via_USB_stick|the USB stick method]] directly below. You can collect a laptops.dat file with the UUID information of your machine, or of many machines, with a single stick. This method will sometimes work when simply submitting the serial number to OLPC doesn't. This is because the laptops.dat file contains additional information about the system (the system date and UUID) which must be correct but is looked up or assumed when only a serial number is submitted. |
|||
=== Getting devkey data via USB stick === |
|||
This requires a USB memory stick, and manual assistance from someone at OLPC. The memory stick must be set up to work as a ''collection stick'' by adding code that at boot time copies information from the XO to itself. After using it, you should send the resulting file to OLPC. |
|||
<!--To start the process, you will need to provide OLPC with both the Serial Number of your machine, and its UUID. The Serial Number is conveniently printed on a sticker in the battery compartment, and looks like "CSN74701E2F". The UUID is unfortunately only stored internally. |
|||
To get it, you'll have to --> |
|||
* Set up a [[Activation_and_developer_keys#Setting_up_a_collection_stick | collection stick]] |
|||
* Plug the stick into your laptop and power it on |
|||
* It will display a pretty "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". After a few seconds it will power itself off or indicate it is done. |
|||
* Remove the USB stick and move the file to a different computer |
|||
* Open <tt>laptops.dat</tt> in a text editor and take a look. |
|||
* Enter your Serial Number (EG. CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUID (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from <tt>laptops.dat</tt> into https://activation.laptop.org/devkey/post/ |
|||
* Return to https://activation.laptop.org/devkey/post/ 24hrs later and your Developer Key should be ready! |
|||
* Problems? Email the <tt>laptops.dat</tt> file to help@laptop.org . Please describe your problem, including the serial number (printed inside your battery compartment, visible when you remove the battery), and attach the resulting <tt>laptops.dat</tt> file. |
|||
==== Setting up a collection stick ==== |
|||
# Download [[media:Actos.zip|Actos.zip]] and [[media:Runos.zip|Runos.zip]] (its source code in Forth, if you're interested, is at http://dev.laptop.org/git?p=users/cscott/actkey; it will only run if it's put into a signed zip file.) |
|||
# Put these files into the <big><tt>'''/boot/'''</tt></big> directory on a FAT-formatted or FAT32-formatted USB flash drive. |
|||
#* Most USB flash drives use FAT or FAT32 when you buy them (except "U2" memory sticks which probably won't work; they contain their own ugly DRM stuff). |
|||
# Your USB flash drive should contain these files (and nothing else in the boot directory): |
|||
#:boot/ |
|||
#:boot/Actos.zip |
|||
#:boot/Runos.zip |
|||
# If there is an old <tt>laptops.dat</tt> file on the USB flash drive from an earlier collection of laptops, you can delete it. However, see below : if you are gathering data from a number of laptops, '''do not''' delete the file in between XOs. The USB flash drive can have any other files on it that you like. |
|||
==== Getting devkey data for many XOs at once ==== |
|||
For each laptop that you want to get a Developer Key for: |
|||
# Repeat the above process, inserting your collection stick and powering on the laptop, for each XO in turn. |
|||
#* This will combine metadata for each laptop into one laptops.dat file, so do not delete the <tt>laptops.dat</tt> file in between. |
|||
# Enter all Serial Numbers (EG. CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUID's (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from <tt>laptops.dat</tt> into self-service site https://activation.laptop.org/devkey/post/ as described above. |
|||
# If problems, email the resulting <tt>laptops.dat</tt> file to help@laptop.org, indicating the # of laptops you need keys for, and explaining extenuating circumstances. |
|||
Then wait for OLPC to send you your Developer key(s) and/or Activation key(s). |
|||
=== What to do when you receive your activation or developer keys === |
|||
''NB: OLPC may also send you other files to put on the USB flash drive, to help to patch or circumvent whatever problem is preventing your laptop from booting properly.'' |
|||
# You can use the same USB flash drive that you used as collector stick. <!-- but rename the <tt>boot</tt> directory to something else (perhaps ''<tt>collboot</tt>''), otherwise your laptop will just re-run the collection script. --> |
|||
# You'll receive one or two files from OLPC. Extract the file or files using your email program. |
|||
#* If you receive a <tt>'''lease.sig'''</tt> file, it's your activation key. (G1G1 laptops don't need one.) Copy the file into the root directory of your USB flash drive. |
|||
# Make a directory called <tt>'''security/'''</tt> in the root directory of your USB flash drive, and copy the developer key <tt>'''develop.sig'''</tt> file into it. |
|||
# You should now have these files on your key: |
|||
#: <tt>lease.sig</tt> (if received) |
|||
#: <tt>security/</tt> |
|||
#: <tt>security/develop.sig</tt> |
|||
# With the laptop powered off, insert the key into a USB port and power it on. |
|||
#: If the laptop wasn't previously activated, it will now boot. |
|||
#: Any activation key provided will be copied to <tt>'''/security/lease.sig'''</tt> on the XO. Keep the activation key around (or copy it to your school server) in case you later need to reflash the XO. |
|||
# If you have a developer key, you should see a textual prompt, which you will see within the first few seconds of booting (along with a short countdown to give you time to hit the Escape key). This is your indication that the developer key has been found. |
|||
#* To permanently disable secure booting, press ''Escape'' and type "<tt>disable-security</tt>", then power cycle and repeat that command. (see [[#Disabling security|Disabling Security]], above.) |
|||
# The developer key is not automatically copied to your laptop's internal flash memory. You can do that by copying <tt>security/develop.sig</tt> from the USB flash drive into <tt>'''/security/develop.sig'''</tt> on the XO. You'll need to be [[root]] in a [[Terminal activity]] to do that. |
|||
Remove the USB key as usual -- via the Journal or after you are at an "ok" prompt in the boot firmware. |
|||
If you requested keys for more than one laptop, you can use the same process and the same USB key for each laptop. |
|||
== See also == |
|||
* [[OLPC on free/open source software]] |
|||
* [[olpc-update]] |
|||
* [[Updates]] |
|||
* [[Software update]] |
|||
''Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.'' |
|||
[[Category:Developers]] [[Category:Firmware]] [[Category:Copyright]] [[Category:OLPC FAQ]] [[Category:OS]] [[Category:Security]] [[Category:Software development]] [[Category:Repair]] [[Category:Wiki pages that XO content links to]] |
Latest revision as of 15:32, 20 December 2009
A developer key is a file containing cryptographic information tied to a specific XO laptop.
What you can do with a developer key
If you don't have a developer key, and your laptop has firmware security enabled, it will not let you do anything except boot an OLPC-signed operating system, and use the OLPC-provided software. If you insert a USB flash drive or SD card, the boot firmware will only boot from it if the files are tested and cryptographically signed by OLPC.
If the boot firmware sees a developer key in /security/develop.sig, it makes the XO laptop work just like any ordinary PC-style laptop:
- it will let you interrupt the boot process and enter commands
- it will try to boot and run any program you supply to it, such as a Fedora or Debian Linux system, no matter whether the OLPC organization has tested, approved, or signed it.
The laptop also works this way if its firmware security is permanently disabled.
OLPC produces many unsigned operating system images for development and testing, which will only work in your laptop if you have a developer key. Also, if your laptop refuses to boot because the clock is set wrong, or complains about an unsigned kernel, getting a developer key is a critical part of diagnosing and/or fixing the trouble.
This firmware security is part of the BitFrost security system, and is used to ensure that unless the user has specifically opted out, their basic operating software remains unmodified. This feature is contentious (see discussion). Frequently referred to as "Tivoization", this kind of deliberate manufacturer's restriction on ordinary people's use of their hardware is a form of "Digital Rights Management" or DRM. Bypassing the XO firmware security (jailbreaking) is relatively easy because the OLPC organization explicitly allows it, via the process described in this web page.
All production XO laptops have had firmware security enabled. This includes laptops obtained through the Give One, Get One program.
The firmware will look for a developer key on your laptop's internal flash memory; on any USB flash drive that's plugged in; and on any SD card that's plugged in. It needs to be in /security. (See Firmware security for the gory details.)
With a developer key, whenever the laptop boots, the firmware will give you the option to press the Escape key (at the upper left) and get an ok prompt, which lets you enter commands in Forth. If you don't press the Escape key, after a short countdown the firmware continues booting the operating system.
- This is the insecure boot process, and it will boot into any image you install on the xo.
- Rather than drawing pretty pictures on the screen, lots of text messages will be displayed, and will eventually scroll up the screen. This is normal, and can be useful for diagnosing problems in your laptop.
- The insecure boot process does not automatically upgrade firmware; you will be responsible for updating your firmware yourself.
Getting a developer key for your running XO laptop
- On your XO, open the Browse activity.
- There's a "Developer key request" web page on the XO to apply for a key. There are several ways to navigate to this page:
- In all builds, you can type file:///home/.devkey.html in the browse location field to get to the request page.
- In recent builds (including 8.2.0), "Get a developer key" is at the bottom of the Browse start page.
- In older builds (8.1, 703 and higher), click "activities" in the OLPC Library left-hand navigation, click on the sub-menu "find activities", and at the bottom of the page that displays is the "apply for developer key" link. Also, under "books" in the OLPC Library, click on the sub-menu "explore your xo", click "troubleshooting", and under "How do I get a developer key for my laptop" is a link to "submit this form"
- In still older builds (7.1, 650, 653, and 656), click on the Library link "other" and then on "about your xo". Click on the "apply for a developer key" link at the very bottom of the page. (You can press the 'check mark' (✓) game key to quickly get to the bottom of the page.)
- Follow the directions to apply for a developer key; it should be created in a day or two.
- Go back to the request page when your key is ready, and follow the instructions to download your key to your XO.
- Once your key has been created, you can return to this page at any time on your XO to re-download it; there will be no further creation delay.
- Reboot your XO.
Tip: if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it.
After you get a developer key
Make back up copies!
However you get a key, please make a copy of it on some other computer, one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to /security/develop.sig on a USB flash drive, if you have one.
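One way to make the USB copy described above and confirm it landed where the firmware looks, as an added example that is not part of the original page or OLPC's tooling. The function names are hypothetical; the <tt>security/develop.sig</tt> location is the one this page gives.

```shell
#!/bin/sh
# Added example (not OLPC code): copy a developer key onto mounted removable
# media as security/develop.sig and verify the result.

# stage_devkey KEYFILE MOUNTPOINT
# Copy KEYFILE to MOUNTPOINT/security/develop.sig and confirm the copy is
# byte-identical to the original. Returns non-zero on any failure.
stage_devkey() {
    key=$1
    mnt=$2
    [ -s "$key" ] || { echo "key file missing or empty: $key" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mount point not found: $mnt" >&2; return 1; }
    mkdir -p "$mnt/security" || return 1
    cp -p "$key" "$mnt/security/develop.sig" || return 1
    sync    # flush to the device before it is unmounted or pulled
    cmp -s "$key" "$mnt/security/develop.sig" || {
        echo "copy differs from original" >&2
        return 1
    }
    return 0
}

# check_key_media MOUNTPOINT
# Print one status word describing the media:
#   ok         security/develop.sig is present and non-empty
#   misplaced  a develop.sig sits at the top level instead of under security/
#   missing    no developer key found
check_key_media() {
    mnt=$1
    if [ -s "$mnt/security/develop.sig" ]; then
        echo ok
    elif [ -e "$mnt/develop.sig" ]; then
        echo misplaced
    else
        echo missing
    fi
}

# When run as a script: stage KEYFILE onto MOUNTPOINT and report the status.
if [ "$#" -eq 2 ]; then
    stage_devkey "$1" "$2" && check_key_media "$2"
fi
```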
Disable the security system
Once you have a developer key and have booted your system using it, it is possible to permanently disable the firmware security system, even if your XO's developer key goes away. If you forget to do this, and you usually run ordinary free software distributions like Debian, Ubuntu, or Fedora on your XO, your XO will at some point refuse to boot.
To permanently turn off firmware security on your laptop:
- Reboot the XO
- Press the Esc key during boot to get to the 'ok' prompt.
- Type 'disable-security' at the 'ok' prompt and press enter
If disable-security says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above. If disable-security says "No wp key", it means that security is already disabled.
- When security is disabled, you can still re-enable it for a single boot by pressing the X gamepad key while turning the power on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates.
- You can reverse the 'disable-security' command by entering 'enable-security' at the 'ok' prompt.
- You can see the raw manufacturing data where the disable-security setting is stored by typing ".mfg-data". See Manufacturing data for details.
Troubleshooting disabling of the security system
Some of us have had some issues with disabling the security when the developer key is on a USB drive. If you experience this problem, try using an SD card instead. It should be vfat formatted.
If you are on Linux:
mkfs.vfat -I /dev/sdX
then mount the SD card
mount -t vfat /dev/sdX /media/yourmountpoint
cp develop.sig /media/yourmountpoint
Once you are done unmount your SD card:
umount /dev/sdX
Then insert the SD card into the XO (the slot is under the screen, on the right side; you need to turn the screen to reach it), reboot and hold down -- then you will get to an {ok} prompt. Type:
disable-security
it will automatically reboot and write what it needs to to disk
Once you boot up - then copy the key to the disk
cd /media/$some-automatically-mounted-name
su
cp develop.sig /security
Now you can reboot and take out the SD card
if you hit it will bring you to the {ok} prompt
If you wipe out your developer key
If you reflash your XO you will remove /security/develop.sig. One way this can happen is if you ever do a fresh install of an operating system image using the clean-install procedure (rather than olpc-update). If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options:
- Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed.
- Reflash again with a signed OS image.
- Insert a USB flash drive or SD card with your developer key on it in /security/develop.sig (this is why you should always be sure to back up develop.sig), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security.
Once boot completes you can restore your developer key back to NAND flash by typing in a terminal something like
cp -pi /media/MY_USB_NAME/security/develop.sig /security
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten.
Getting a developer key without WiFi
If you have some network access, you can:
- use a USB-to-wired ethernet adapter to get your XO on the net, then follow the above instructions.
- copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the Terminal activity will copy it to any USB devices connected:
- for d in /media/*/; do cp -p /home/.devkey.html "${d}devkey.html"; done
How to get a developer key when Browse freezes
At times Browse can freeze when trying to activate your key. An alternative way of activating is by starting Terminal or by pressing Ctrl+Alt+ to get to a console and get the serial + uuid for activation. Once you see the terminal, you may need to type in "root" with no password to login.
Next type in:
vi /home/.devkey.html
On line 16 there should be the serial_num (write down what it says under VALUE="...."), and on line 17 the uuid (VALUE="..."). You will need this information to register for your key.
Next start a browser on a computer that has web access and type in: https://activation.laptop.org/devkey/post/ and enter in the serial and uuid that you got from the .devkey.html file and select "Get developer key".
You should then return to the web page after 24 hours. Your key will be ready for you.
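Instead of reading lines 16 and 17 by eye in vi, the two values can be pulled out of a copy of the file and shape-checked from a shell. This is an added example, not OLPC's code; it assumes each field is written as NAME="..." VALUE="..." on one line, and both the sample file and the serial pattern (three letters plus eight characters, taken from the examples on this page) are constructed.

```shell
#!/bin/sh
# Added example: read serial_num and uuid from a copy of /home/.devkey.html.
# Assumption: each value sits in a form field written NAME="..." VALUE="..."
# on a single line, NAME first (attribute case is ignored).

# Print the VALUE of the field called $2 in file $1; prints nothing if absent.
devkey_field() {
    sed -n 's/.*[Nn][Aa][Mm][Ee]="'"$2"'"[^>]*[Vv][Aa][Ll][Uu][Ee]="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if $1 has the 8-4-4-4-12 UUID shape the request form asks for.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Succeed only if $1 looks like an XO serial (assumed: 3 letters + 8 characters).
valid_serial() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z]{3}[0-9A-Z]{8}$'
}

# Constructed sample standing in for /home/.devkey.html (all values made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<form method="post">
<input type="hidden" NAME="serial_num" VALUE="SHF00000000">
<input type="hidden" NAME="uuid" VALUE="01234567-89AB-CDEF-0123-456789ABCDEF">
<input type="submit" value="Get developer key">
</form>
EOF

serial=$(devkey_field "$sample" serial_num)
uuid=$(devkey_field "$sample" uuid)
if valid_serial "$serial" && valid_uuid "$uuid"; then
    echo "serial: $serial"
    echo "uuid:   $uuid"
else
    echo "could not read a well-formed serial/uuid from $sample" >&2
fi
rm -f "$sample"
```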
Getting a developer key without network
Via snail mail
You can submit a written request via snail mail to:
- One Laptop per Child
  P.O. Box 425087
  Cambridge, MA 02142
Your key will be mailed back to you.
If the machine won't boot
Revert to a previous OS image
First, try booting with the 'O' (circle) gamepad key held down. That will attempt to boot a previous version of the OS, after which you can use one of the options above.
Generate a laptops.dat file
See the USB stick method directly below. You can collect a laptops.dat file with the UUID information of your machine, or of many machines, with a single stick. This method will sometimes work when simply submitting the serial number to OLPC doesn't. This is because the laptops.dat file contains additional information about the system (the system date and UUID) which must be correct but is looked up or assumed when only a serial number is submitted.
Getting devkey data via USB stick
This requires a USB memory stick, and manual assistance from someone at OLPC. The memory stick must be set up to work as a collection stick by adding code that at boot time copies information from the XO to itself. After using it, you should send the resulting file to OLPC.
- Set up a collection stick
- Plug the stick into your laptop and power it on
- It will display a pretty "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". After a few seconds it will power itself off or indicate it is done.
- Remove the USB stick and move the file to a different computer
- Open laptops.dat in a text editor and take a look.
- Enter your Serial Number (e.g. CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUID (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from laptops.dat into https://activation.laptop.org/devkey/post/
- Return to https://activation.laptop.org/devkey/post/ 24hrs later and your Developer Key should be ready!
- Problems? Email the laptops.dat file to help@laptop.org . Please describe your problem, including the serial number (printed inside your battery compartment, visible when you remove the battery), and attach the resulting laptops.dat file.
Setting up a collection stick
- Download Actos.zip and Runos.zip (its source code in Forth, if you're interested, is at http://dev.laptop.org/git?p=users/cscott/actkey; it will only run if it's put into a signed zip file.)
- Put these files into the /boot/ directory on a FAT-formatted or FAT32-formatted USB flash drive.
- Most USB flash drives use FAT or FAT32 when you buy them (except "U2" memory sticks which probably won't work; they contain their own ugly DRM stuff).
- Your USB flash drive should contain these files (and nothing else in the boot directory):
- boot/
- boot/Actos.zip
- boot/Runos.zip
- If there is an old laptops.dat file on the USB flash drive from an earlier collection of laptops, you can delete it. However, if you are gathering data from a number of laptops, do not delete the file in between XOs (see below). The USB flash drive can have any other files on it that you like.
Getting devkey data for many XOs at once
For each laptop that you want to get a Developer Key for:
- Repeat the above process, inserting your collection stick and powering on the laptop, for each XO in turn.
- This will combine metadata for each laptop into one laptops.dat file, so do not delete the laptops.dat file in between.
- Enter all Serial Numbers (e.g. CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUIDs (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from laptops.dat into the self-service site https://activation.laptop.org/devkey/post/ as described above.
- If you have problems, email the resulting laptops.dat file to help@laptop.org, indicating the number of laptops you need keys for, and explaining extenuating circumstances.
Then wait for OLPC to send you your Developer key(s) and/or Activation key(s).
What to do when you receive your activation or developer keys
NB: OLPC may also send you other files to put on the USB flash drive, to help to patch or circumvent whatever problem is preventing your laptop from booting properly.
- You can use the same USB flash drive that you used as collector stick.
- You'll receive one or two files from OLPC. Extract the file or files using your email program.
- If you receive a lease.sig file, it's your activation key. (G1G1 laptops don't need one.) Copy the file into the root directory of your USB flash drive.
- Make a directory called security/ in the root directory of your USB flash drive, and copy the developer key develop.sig file into it.
- You should now have these files on your key:
- lease.sig (if received)
- security/
- security/develop.sig
- With the laptop powered off, insert the key into a USB port and power it on.
- If the laptop wasn't previously activated, it will now boot.
- Any activation key provided will be copied to /security/lease.sig on the XO. Keep the activation key around (or copy it to your school server) in case you later need to reflash the XO.
- If you have a developer key, you should see a textual prompt, which you will see within the first few seconds of booting (along with a short countdown to give you time to hit the Escape key). This is your indication that the developer key has been found.
- To permanently disable secure booting, press Escape and type "disable-security", then power cycle and repeat that command. (see Disabling Security, above.)
- The developer key is not automatically copied to your laptop's internal flash memory. You can do that by copying security/develop.sig from the USB flash drive into /security/develop.sig on the XO. You'll need to be root in a Terminal activity to do that.
Remove the USB key as usual -- via the Journal or after you are at an "ok" prompt in the boot firmware.
If you requested keys for more than one laptop, you can use the same process and the same USB key for each laptop.
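A check of the two stick layouts described on this page (the collection stick, and the stick carrying the returned keys), meant to be run against the mounted stick before it goes into an XO. This is an added example, not an OLPC tool; the function name check_stick and its messages are made up for illustration, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: sanity-check a mounted USB stick before putting it in an XO.
# The layouts come from this page; check_stick itself is hypothetical.

# check_stick DIR collect -> DIR/boot holds exactly Actos.zip and Runos.zip
# check_stick DIR keys    -> DIR/security/develop.sig exists and is not empty
# Prints one line per problem and returns non-zero if any were found.
check_stick() {
    root=$1 role=$2 bad=0
    case $role in
    collect)
        for f in Actos.zip Runos.zip; do
            [ -f "$root/boot/$f" ] || { echo "missing boot/$f"; bad=1; }
        done
        # The page asks for nothing else in the boot directory.
        for p in "$root"/boot/* "$root"/boot/.[!.]*; do
            [ -e "$p" ] || continue
            case ${p##*/} in
            Actos.zip|Runos.zip) ;;
            *) echo "unexpected boot/${p##*/}"; bad=1 ;;
            esac
        done
        ;;
    keys)
        [ -s "$root/security/develop.sig" ] ||
            { echo "missing or empty security/develop.sig"; bad=1; }
        # lease.sig is optional (G1G1 laptops do not need one); if present
        # in the root directory it must not be an empty file.
        if [ -e "$root/lease.sig" ] && [ ! -s "$root/lease.sig" ]; then
            echo "lease.sig is empty"; bad=1
        fi
        ;;
    *)
        echo "usage: check_stick DIR collect|keys"; return 2 ;;
    esac
    return $bad
}

# Constructed demo: a throwaway directory tree in place of a real stick.
demo=$(mktemp -d)
mkdir -p "$demo/boot" "$demo/security"
: > "$demo/boot/Actos.zip"; : > "$demo/boot/Runos.zip"
printf 'constructed placeholder\n' > "$demo/security/develop.sig"
check_stick "$demo" collect && echo "collection layout ok"
check_stick "$demo" keys && echo "key layout ok"
rm -rf "$demo"
```

On a real stick, pass its mount point instead of the demo directory, for example check_stick /media/MY_USB_NAME keys.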
See also
Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.