Antitheft HowTo: Difference between revisions
(draft) |
(Proper name for Open Firmware) |
||
(28 intermediate revisions by 8 users not shown) | |||
Line 1: | Line 1: | ||
This document outlines antitheft-related procedures. |
This document outlines antitheft-related procedures. Please discuss edits on server-devel@lists.laptop.org . |
||
=Example scenarios= |
==Example scenarios== |
||
==Upgrade and activate a set of XOs== |
===Upgrade and activate a set of XOs=== |
||
To accomplish this, you need 3 machines in total. |
To accomplish this, you need 3 machines in total. |
||
* An XO acting as the Master Lease Signing Server ( |
* An XO acting as the Master Lease Signing Server (MSS) |
||
* An XS (can be XS-on-XO machine) |
* An XS (can be XS-on-XO machine) |
||
* An XO running as NANDBlast sender |
* An XO running as NANDBlast sender |
||
And your master keys. |
|||
Steps |
|||
====Steps==== |
|||
# On the MLSS, create a lease.sig file with leases for all the XOs you will upgrade and activate. |
|||
# On the MSS, create a lease.sig file with leases for all the XOs you will upgrade and activate. |
|||
# On the XS, load the lease.sig file so that xs-activation can use it |
# On the XS, load the lease.sig file so that xs-activation can use it |
||
# On the NANDBlast machine, prepare to run nb-secure, as described in [[ |
# On the NANDBlast machine, prepare to run nb-secure, as described in [[Nandblaster_for_XO-1#NANDblasting_a_Signed_NAND_Image_File|NANDblasting a Signed NAND Image File]] |
||
# Setup the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process |
# Setup the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process |
||
==Procedures== |
|||
B - XS-on-XO 'activador' |
|||
===Prepare an XO as the Master Signing Server (MSS)=== |
|||
Baja la imágen para XS-on-XO que indiqué la semana pasada, instálala |
|||
en un SD card como marcan las instrucciones. Con ese SD card pones a |
|||
andar la máquina B. |
|||
::''This machine is only used to generate leases, devkeys or delegations. In other words, it is of occassional use, and should be kept in a secure place at all times.'' |
|||
Cuando arrancas la máquina B tienes que hacer la configuración inicial |
|||
de dominio, como vimos cuando estuve en Managua, y reiniciarla. |
|||
# Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions. |
|||
Las activaciones que han creado en la máquina A, las pones en un disco |
|||
# Install the latest olpc-bios-crypto package: |
|||
USB, con el nombre 'lease.sig'. Cuando pones ese disco USB en la |
|||
## Download the latest one from [http://xs-dev.laptop.org/xsrepos/testing/olpc/9/i386/?C=M;O=D] |
|||
máquina B, la máquina las va a cargar automáticamente. |
|||
## Install it with <code>rpm -ivh olpc-bios-crypto-(version).rpm</code> |
|||
# Make a new directory to store the master keys: <code>mkdir /root/masterkeys</code> |
|||
# If you have the master keys, copy them into <code>/root/masterkeys</code> - you will normally have the files <code>developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public</code> |
|||
Done! Now keep this machine in a safe location, and do _not_ connect it to any network. |
|||
Como les mostré cuando estaba en Managua, puedes monitorear eso |
|||
siguiendo el log /var/log/user.log -- |
|||
===Create your master keys on the MSS=== |
|||
C - XO 'emisor' NANDBlaster -- con un USB con la imagen a "emitir". |
|||
You first need to prepare your Master Signing Server. Logged in to the MSS, you want to create all the required keys: |
|||
=Procedures= |
|||
cd /root/masterkeys |
|||
==Prepare an XO as the Master Lease Signing Server (MLSS)== |
|||
obc-makekey os |
|||
obc-makekey developer |
|||
obc-makekey fs |
|||
obc-makekey fw |
|||
obc-makekey lease |
|||
obc-makekey oats |
|||
this will generate 2 files for each key; the private key, and the public key. The directory will now hold these 12 files: |
|||
# Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions. |
|||
developer.private |
|||
developer.public |
|||
fs.private |
|||
fs.public |
|||
fw.private |
|||
fw.public |
|||
lease.private |
|||
lease.public |
|||
oats.private |
|||
oats.public |
|||
os.private |
|||
os.public |
|||
Zip up all the keys, copy them to various storage mediums (USB keys, CD-ROMs) and store them in different safe locations. '''Do not email them or store them on computers that are connected to any network'''. |
|||
zip allkeys.zip *.public *.private |
|||
# - define which XOs / boxes will be sent to the school you are planning... |
|||
# - open spreadsheet in OpenOffice Calc or similar |
|||
Zip up the public keys, you will need to send them to the OLPC team to include them on the manufacturing process, and possibly for a keyjector for your existing XOs. |
|||
# - find them in the spreadsheet |
|||
# - make a new page in the existing spreadsheet - give that page the |
|||
zip publickeys.zip *.public |
|||
===Test the new keys=== |
|||
To test the keys on an XO we will need to |
|||
* Get an XO that is unlocked / devkeyed. |
|||
* Install the new keys as additional keys. |
|||
* Sign an OS image, its kernel and firmware with the new keys -- install the OS image. |
|||
* Generate leases and devkeys from the new keys, and use them to activate and unlock the machine. |
|||
====Install the new keys==== |
|||
The filenames are too long for a FAT USB disk, so |
|||
mkdir /root/pubkeys.short |
|||
cp /root/master/*.public /root/pubkeys.short |
|||
cd /root/pubkeys.short |
|||
rename .public .pub *.public |
|||
mv developer.pub dev.pub |
|||
Now copy them to a USB disk: |
|||
cp *.pub /media/mydisk/ |
|||
umount /media/mydisk/ |
|||
To install the new keys -- boot on an unlocked XO, hold the Escape key to get to the Open Firmware prompt, and then: |
|||
ok add-tag-from-file d1 u:\dev.pub |
|||
ok add-tag-from-file w1 u:\fw.pub |
|||
ok add-tag-from-file s1 u:\fs.pub |
|||
ok add-tag-from-file o1 u:\os.pub |
|||
ok add-tag-from-file a1 u:\lease.pub |
|||
ok add-tag-from-file t1 u:\oats.pub |
|||
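Review bot: in the "Install the new keys" commands, "cp /root/master/*.public /root/pubkeys.short" copies from /root/master, but every earlier step in this revision creates and uses /root/masterkeys ("mkdir /root/masterkeys", "cd /root/masterkeys" before the obc-makekey calls). Suggest changing the source path to /root/masterkeys/*.public so the step works as written.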
===Generate activation leases on the MSS=== |
|||
You will usually have a spreadsheet provided by OLPC with the serial numbers, uuids and box number. You need to select those XOs you will be generating activations for |
|||
==== Stage 1 - create the CSV file ==== |
|||
# open spreadsheet in OpenOffice Calc |
|||
# find them relevant XOs in the spreadsheet |
|||
# make a new page in the existing spreadsheet - give that page the |
|||
name of the school |
name of the school |
||
# |
# copy/paste the SN/UUID region to the new page, remove the "extra" |
||
columns we don't need. Also make sure you don't include the 'column |
columns we don't need. Also make sure you don't include the 'column |
||
headers' row. |
headers' row. |
||
# |
# '''Save the document''' |
||
# |
# Make sure you are on the spreadsheet page for the right school |
||
# |
# Now use the "File->Save As..." menu option to create a new file. |
||
The file format must be CSV. The file name must be the name of the |
The file format must be '''CSV'''. The file name must be the name of the |
||
school. |
school. |
||
# |
# OpenOffice will offer a "Text export / field options" dialogue... |
||
## Character set: leave it as it is (Unicode UTF-8). |
|||
exporting the 'current page'. Perfect, that's _exactly_ what we want |
|||
## Field separator: leave it as it is(comma). |
|||
:-) |
|||
## Text separator: '''Delete it''', so that the option is empty. |
|||
# OpenOffice will warn you that it is only exporting the 'current page'. Perfect, ''that's exactly what we want''' |
|||
Now you should have a CSV file that is just serial numbers and uuids. The command <code>head myfile.csv</code> should give you five lines, each looking like: |
|||
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A |
|||
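Review bot: the sentence added before the sample line says "head myfile.csv" should give five lines, but head prints the first ten lines by default. Suggest "head -n 5 myfile.csv", or dropping the count and saying that every line shown should look like the sample.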
==== Stage 2 - generating lease.sig ==== |
|||
'''Preparations''': Copy the generated CSV file to a USB stick. |
|||
On the MSS |
|||
# If it doesn't exist, make a "/root/laptops/" directory: <code>mkdir /root/laptops</code> |
|||
# Make a directory for the files related to this school: <code>mkdir /root/laptops/schoolname</code> |
|||
# Plug the USB stick into the machine, it will be mounted under the /media directory. Copy the CSV file to your /root/laptops/schoolname directory. |
|||
Things are in place now. Decide the number of days of validity for the leases (we'll use 10 in this example). The command to generate the leases will be (in one line): |
|||
obc-make-lease-from-csv --signingkey /root/masterkeys/lease /root/laptops/schoolname/schoolname.csv 10 | \ |
|||
obc-format_as_cjson_leases > /root/laptops/schoolname/lease.sig |
|||
Now you have a lease.sig file in the /root/laptops/schoolname/ directory. To use it... |
|||
* To use it directly on XOs, copy it to the top directory of a USB stick. |
|||
* To use it in an XS, you will want to see the instructions that follow (in the "Load a lease.sig file on an XS") |
|||
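Review bot: the last bullet of Stage 2 points readers to "Load a lease.sig file on an XS", but the section added right after it is titled "Loading activation-related files on an XS". Suggest quoting the actual heading, or making it a wiki link to the section, so the reference cannot drift from the title.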
=== Loading activation-related files on an XS === |
|||
This technique is to load any <code>lease.sig d-lease.sig d-oats.sig server.pri server.pub</code> files into an XS. |
|||
For more details, see [[XS-activation]] |
|||
==== If you are dealing with a single XS ==== |
|||
For example, you have a lease.sig file containing leases for a number of XOs, and you want to load it on an XS. |
|||
# On a USB stick, make an 'xs-activation' directory |
|||
mkdir /media/MYDISK/xs-activation |
|||
# Copy the lease.sig file in there... |
|||
cp /path/to/lease.sig /media/MYDISK/xs-activation/ |
|||
# Change to the directory |
|||
cd /media/MYDISK/xs-activation/ |
|||
# Generate the manifest |
|||
M=`sha1sum lease.sig` && echo "$M" > manifest.sha1 |
|||
# Check that the manifest is OK |
|||
sha1sum -c manifest.sha1 |
|||
If you have several files, list them all when generating the manifest, like this: |
|||
M=`sha1sum d-oats.sig d-lease.sig server.pri server.pub` && echo "$M" > manifest.sha1 |
|||
==== If your are dealing with many XSs ==== |
|||
The process is the same as for one server, but must be made ''in a subdirectory with a name that matches the name given to the server''. For example for a server where <code>hostname -f</code> returns <code>schoolserver.'''fidelcoloma'''.fundacion.org.ni</code>, we do: |
|||
# On a USB stick, make an 'xs-activation' directory |
|||
mkdir /media/MYDISK/xs-activation |
|||
mkdir /media/MYDISK/xs-activation/'''fidelcoloma''' |
|||
# Copy the lease.sig file in there... |
|||
cp /path/to/lease.sig /media/MYDISK/xs-activation/'''fidelcoloma''' |
|||
# Change to the directory |
|||
cd /media/MYDISK/xs-activation/'''fidelcoloma''' |
|||
# Generate the manifest |
|||
M=`sha1sum lease.sig` && echo "$M" > manifest.sha1 |
|||
# Check that the manifest is OK |
|||
sha1sum -c manifest.sha1 |
|||
This allows the preparation of a single USB stick with different files for each School Server. |
|||
==== Following the process ==== |
|||
This is only for debugging the process if you find problems. |
|||
Before you insert the USB stick into the XS, login and run |
|||
tail -f /var/log/user.log |
|||
When you insert the USB stick messages will appear there as the XS reads the contents. This same log shows the activity of the lease server. |
|||
=Discussion= |
|||
== RTC sync == |
|||
With OS 8.2.2 and newer, the laptop can -- in some cases -- sync its RTC (Real Time Clock) to a signed timestamp sent by the server. |
|||
For this to work with the local XS, the pre-requisites are... |
|||
* XO OS 8.2.2 or newer |
|||
* XS 0.6 or newer |
|||
* The XS must be running with delegated keys -- that is, have its own local OATS key and a delegation from the master OATS key to its local OATS key ''for the laptop involved''. This is specially important for the ''port 191'' part of the OATS protocol. |
|||
** In the future, this may be simplified for XSs that have reliable internet connectivity by using a proxy OATS server that forwards all requests to a central server for easier administration. |
|||
There are 2 situations where this can happen: during initramfs execution and during olpc-update-query. |
|||
'''Initramfs''': If the initramfs requests a new lease via the wireless network (usually because there is no lease, or the lease is expired), it will also request a signed time. If the server responds with a valid signed timestamp, the RTC is sync'ed to it. This uses the ''port 191'' part of the OATS protocol. |
|||
The initramfs implementation can help deal with laptops with marginal RTC batteries. |
|||
'''olpc-update-query''': when olpc-update-query hits the server (initially the local XS, then if possible the country-wide antitheft server), the response will contain a signed timestamp. If the difference between the signed timestamp and the RTC is more than 24hs, olpc-update-query will sync the RTC. If the difference is smaller, it will let ntpd handle the correction. |
|||
Bájate el RPM de olpc-bios-crypto que indiqué en el email anterior, |
|||
instálalo en esta máquina. Copia las llaves "maestras" de Nicaragua a |
|||
esta máquina. |
|||
[[Category:SchoolServer]] |
|||
En ésta máquina -- que hay que tener guardada bajo llave -- puedes |
|||
generar las activaciones, usando la llave 'a1' y el archivo CSV, con |
|||
el programa obc-make-lease-from-csv.sh . |
|||
[[Category:Security]] |
|||
Ésta máquina sólo la van a usar ocasionalmente para generar más |
|||
activaciones. El resto del tiempo, bien guardada. |
Latest revision as of 23:34, 6 October 2012
This document outlines antitheft-related procedures. Please discuss edits on server-devel@lists.laptop.org.
Example scenarios
Upgrade and activate a set of XOs
To accomplish this, you need 3 machines in total.
- An XO acting as the Master Lease Signing Server (MSS)
- An XS (can be XS-on-XO machine)
- An XO running as NANDBlast sender
And your master keys.
Steps
- On the MSS, create a lease.sig file with leases for all the XOs you will upgrade and activate.
- On the XS, load the lease.sig file so that xs-activation can use it
- On the NANDBlast machine, prepare to run nb-secure, as described in NANDblasting a Signed NAND Image File
- Set up the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process
Procedures
Prepare an XO as the Master Signing Server (MSS)
- This machine is only used to generate leases, devkeys or delegations. In other words, it is of occasional use, and should be kept in a secure place at all times.
- Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions.
- Install the latest olpc-bios-crypto package:
  - Download the latest one from http://xs-dev.laptop.org/xsrepos/testing/olpc/9/i386/?C=M;O=D
  - Install it with rpm -ivh olpc-bios-crypto-(version).rpm
- Make a new directory to store the master keys: mkdir /root/masterkeys
- If you have the master keys, copy them into /root/masterkeys - you will normally have the files developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public
Done! Now keep this machine in a safe location, and do _not_ connect it to any network.
Create your master keys on the MSS
You first need to prepare your Master Signing Server. Logged in to the MSS, you want to create all the required keys:
    cd /root/masterkeys
    obc-makekey os
    obc-makekey developer
    obc-makekey fs
    obc-makekey fw
    obc-makekey lease
    obc-makekey oats
This will generate 2 files for each key: the private key and the public key. The directory will now hold these 12 files:
    developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public
Zip up all the keys, copy them to various storage media (USB keys, CD-ROMs) and store them in different safe locations. Do not email them or store them on computers that are connected to any network.
    zip allkeys.zip *.public *.private
Zip up the public keys; you will need to send them to the OLPC team to include them in the manufacturing process, and possibly for a keyjector for your existing XOs.
    zip publickeys.zip *.public
Test the new keys
To test the keys on an XO we will need to:
- Get an XO that is unlocked / devkeyed.
- Install the new keys as additional keys.
- Sign an OS image, its kernel and firmware with the new keys -- install the OS image.
- Generate leases and devkeys from the new keys, and use them to activate and unlock the machine.
Install the new keys
The filenames are too long for a FAT USB disk, so shorten them first:
    mkdir /root/pubkeys.short
    cp /root/masterkeys/*.public /root/pubkeys.short
    cd /root/pubkeys.short
    rename .public .pub *.public
    mv developer.pub dev.pub
Now copy them to a USB disk:
    cp *.pub /media/mydisk/
    umount /media/mydisk/
To install the new keys -- boot on an unlocked XO, hold the Escape key to get to the Open Firmware prompt, and then:
    ok add-tag-from-file d1 u:\dev.pub
    ok add-tag-from-file w1 u:\fw.pub
    ok add-tag-from-file s1 u:\fs.pub
    ok add-tag-from-file o1 u:\os.pub
    ok add-tag-from-file a1 u:\lease.pub
    ok add-tag-from-file t1 u:\oats.pub
Generate activation leases on the MSS
You will usually have a spreadsheet provided by OLPC with the serial numbers, UUIDs and box number. You need to select those XOs you will be generating activations for.
Stage 1 - create the CSV file
- Open the spreadsheet in OpenOffice Calc.
- Find the relevant XOs in the spreadsheet.
- Make a new page in the existing spreadsheet - give that page the name of the school.
- Copy/paste the SN/UUID region to the new page, and remove the "extra" columns we don't need. Also make sure you don't include the 'column headers' row.
- Save the document.
- Make sure you are on the spreadsheet page for the right school.
- Now use the "File->Save As..." menu option to create a new file. The file format must be CSV. The file name must be the name of the school.
- OpenOffice will offer a "Text export / field options" dialogue...
  - Character set: leave it as it is (Unicode UTF-8).
  - Field separator: leave it as it is (comma).
  - Text separator: Delete it, so that the option is empty.
- OpenOffice will warn you that it is only exporting the 'current page'. Perfect, that's exactly what we want.
Now you should have a CSV file that is just serial numbers and UUIDs. The command head myfile.csv should give you five lines, each looking like:
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
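A pre-flight check for the exported CSV, as an added example that is not part of the original page or of olpc-bios-crypto: it flags a leftover header row, quoted fields, malformed UUIDs and duplicate serials before the file is used to generate leases. The 11-character uppercase serial format is an assumption taken from the sample line above, check_lease_csv is a hypothetical name, and the demo rows are constructed.

```sh
#!/bin/sh
# Added example: check a serial,UUID CSV before generating leases from it.
# Assumption (from the sample line on this page): a serial is 11 uppercase
# alphanumerics and a UUID is 8-4-4-4-12 hex digits.

# check_lease_csv FILE
# Prints "line N: reason" for each problem; returns 0 only for a clean file.
check_lease_csv() {
    awk -F, '
        function hex(s, n) { return length(s) == n && s ~ /^[0-9A-Fa-f]+$/ }
        function complain(msg) { print "line " NR ": " msg; bad = 1 }

        { if (sub(/\r$/, "")) complain("CRLF line ending") }
        /"/     { complain("quoted field (text separator was not deleted)"); next }
        NF != 2 { complain("expected 2 fields, found " NF); next }
        length($1) != 11 || $1 !~ /^[A-Z0-9]+$/ {
            complain("not a serial number (header row?): " $1); next
        }
        {
            n = split($2, p, "-")
            if (n != 5 || !hex(p[1], 8) || !hex(p[2], 4) || !hex(p[3], 4) ||
                !hex(p[4], 4) || !hex(p[5], 12)) {
                complain("malformed UUID: " $2); next
            }
        }
        seen[$1]++ { complain("duplicate serial: " $1) }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on a constructed file: header row left in, one quoted line, one repeat.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Serial,UUID
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
"SCH9950297D","477F6B80-DDA9-4A89-9C73-8C500C79AA8B"
SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A
EOF
check_lease_csv "$demo" || echo "fix the CSV before signing"
rm -f "$demo"
```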
Stage 2 - generating lease.sig
Preparations: Copy the generated CSV file to a USB stick.
On the MSS
- If it doesn't exist, make a "/root/laptops/" directory: mkdir /root/laptops
- Make a directory for the files related to this school: mkdir /root/laptops/schoolname
- Plug the USB stick into the machine; it will be mounted under the /media directory. Copy the CSV file to your /root/laptops/schoolname directory.
Things are in place now. Decide the number of days of validity for the leases (we'll use 10 in this example). The command to generate the leases will be (in one line):
    obc-make-lease-from-csv --signingkey /root/masterkeys/lease /root/laptops/schoolname/schoolname.csv 10 | \
      obc-format_as_cjson_leases > /root/laptops/schoolname/lease.sig
Now you have a lease.sig file in the /root/laptops/schoolname/ directory. To use it...
- To use it directly on XOs, copy it to the top directory of a USB stick.
- To use it in an XS, see the instructions that follow, in "Loading activation-related files on an XS".
Loading activation-related files on an XS
This technique loads any of the lease.sig, d-lease.sig, d-oats.sig, server.pri and server.pub files into an XS.
For more details, see XS-activation.
If you are dealing with a single XS
For example, you have a lease.sig file containing leases for a number of XOs, and you want to load it on an XS.
    # On a USB stick, make an 'xs-activation' directory
    mkdir /media/MYDISK/xs-activation
    # Copy the lease.sig file in there...
    cp /path/to/lease.sig /media/MYDISK/xs-activation/
    # Change to the directory
    cd /media/MYDISK/xs-activation/
    # Generate the manifest
    M=`sha1sum lease.sig` && echo "$M" > manifest.sha1
    # Check that the manifest is OK
    sha1sum -c manifest.sha1
If you have several files, list them all when generating the manifest, like this:
    M=`sha1sum d-oats.sig d-lease.sig server.pri server.pub` && echo "$M" > manifest.sha1
If you are dealing with many XSs
The process is the same as for one server, but must be carried out in a subdirectory with a name that matches the name given to the server. For example, for a server where hostname -f returns schoolserver.fidelcoloma.fundacion.org.ni, we do:
    # On a USB stick, make an 'xs-activation' directory
    mkdir /media/MYDISK/xs-activation
    mkdir /media/MYDISK/xs-activation/fidelcoloma
    # Copy the lease.sig file in there...
    cp /path/to/lease.sig /media/MYDISK/xs-activation/fidelcoloma
    # Change to the directory
    cd /media/MYDISK/xs-activation/fidelcoloma
    # Generate the manifest
    M=`sha1sum lease.sig` && echo "$M" > manifest.sha1
    # Check that the manifest is OK
    sha1sum -c manifest.sha1
This allows the preparation of a single USB stick with different files for each School Server.
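The many-XS procedure above, wrapped as an added example (not the page's or xs-activation's own code; stage_xs_files and audit_stick are hypothetical names, and escuela2 is a constructed server name). Staging rewrites the manifest over every file in the server's directory, and the audit catches a file that was edited or added after its manifest was written.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of xs-activation.

# stage_xs_files STICK NAME FILE...
# Copy FILEs to STICK/xs-activation/NAME/ and (re)write manifest.sha1 over
# every file in that directory, so the manifest is never left stale.
stage_xs_files() {
    stick=$1; name=$2; shift 2
    dest="$stick/xs-activation/$name"
    mkdir -p "$dest" || return 1
    cp "$@" "$dest/" || return 1
    (
        cd "$dest" || exit 1
        set --
        for f in *; do
            if [ -f "$f" ] && [ "$f" != manifest.sha1 ]; then set -- "$@" "$f"; fi
        done
        [ $# -gt 0 ] || exit 1
        # Same pattern as the page: write the manifest only if sha1sum succeeded.
        M=$(sha1sum "$@") && printf '%s\n' "$M" > manifest.sha1 &&
            sha1sum -c manifest.sha1 >/dev/null
    )
}

# audit_stick STICK
# Report each server directory; return non-zero if any manifest is missing,
# fails verification, or does not list a file that is present.
audit_stick() {
    rc=0
    for dir in "$1"/xs-activation/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ ! -f "$dir/manifest.sha1" ]; then
            echo "FAIL $name: no manifest.sha1"; rc=1; continue
        fi
        if ! (cd "$dir" && sha1sum -c manifest.sha1 >/dev/null 2>&1); then
            echo "FAIL $name: a listed file is missing or does not match"; rc=1; continue
        fi
        unlisted=$(cd "$dir" && for f in *; do
            if [ "$f" = manifest.sha1 ]; then continue; fi
            awk -v f="$f" '$2 == f { hit = 1 } END { exit !hit }' manifest.sha1 ||
                printf '%s ' "$f"
        done)
        if [ -n "$unlisted" ]; then
            echo "FAIL $name: not in manifest: $unlisted"; rc=1
        else
            echo "OK   $name"
        fi
    done
    return $rc
}

# Demo on a constructed stick in a temporary directory.
demo=$(mktemp -d)
echo "constructed lease data" > "$demo/lease.sig"
stage_xs_files "$demo/stick" fidelcoloma "$demo/lease.sig"
stage_xs_files "$demo/stick" escuela2 "$demo/lease.sig"
echo "edited after staging" >> "$demo/stick/xs-activation/escuela2/lease.sig"
audit_stick "$demo/stick"
rm -rf "$demo"
```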
Following the process
This is only for debugging the process if you find problems.
Before you insert the USB stick into the XS, log in and run:
    tail -f /var/log/user.log
When you insert the USB stick, messages will appear there as the XS reads the contents. This same log shows the activity of the lease server.
Discussion
RTC sync
With OS 8.2.2 and newer, the laptop can -- in some cases -- sync its RTC (Real Time Clock) to a signed timestamp sent by the server.
For this to work with the local XS, the pre-requisites are...
- XO OS 8.2.2 or newer
- XS 0.6 or newer
- The XS must be running with delegated keys -- that is, have its own local OATS key and a delegation from the master OATS key to its local OATS key for the laptop involved. This is especially important for the port 191 part of the OATS protocol.
  - In the future, this may be simplified for XSs that have reliable internet connectivity by using a proxy OATS server that forwards all requests to a central server for easier administration.
There are 2 situations where this can happen: during initramfs execution and during olpc-update-query.
Initramfs: If the initramfs requests a new lease via the wireless network (usually because there is no lease, or the lease is expired), it will also request a signed time. If the server responds with a valid signed timestamp, the RTC is sync'ed to it. This uses the port 191 part of the OATS protocol.
The initramfs implementation can help deal with laptops with marginal RTC batteries.
olpc-update-query: when olpc-update-query hits the server (initially the local XS, then if possible the country-wide antitheft server), the response will contain a signed timestamp. If the difference between the signed timestamp and the RTC is more than 24 hours, olpc-update-query will sync the RTC. If the difference is smaller, it will let ntpd handle the correction.