Activation and developer keys: Difference between revisions
(Explain possible messages from disable-security) |
No edit summary |
||
(66 intermediate revisions by 10 users not shown) | |||
Line 1: | Line 1: | ||
<noinclude>{{Google Translations}}</noinclude>{{OLPC}} |
|||
<noinclude>{{ GoogleTrans-en | es =show | bg =show | zh-CN =show | zh-TW =show | hr =show | cs =show | da =show | nl =show | fi =show | fr =show | de =show | el =show | hi =show | it =show | ja =show | ko =show | no =show | pl =show | pt =show | ro =show | ru =show | sv =show }}</noinclude> |
|||
{{OLPC}} |
|||
{{Developers}} |
|||
{{Translations}} |
{{Translations}} |
||
{{TOCright}} |
|||
{{Persisent-Developer-Key}} |
|||
A developer key is a file containing cryptographic information tied to a specific XO laptop. |
|||
* A '''developer key''' is a file named '''develop.sig''' containing cryptographic information tied to a specific XO laptop that can be used to disable various security features. |
|||
== What you can do with a developer key == |
|||
If you don't have a developer key, and your laptop has firmware security enabled, it will not let you do anything except boot an OLPC-signed operating system, and use the OLPC-provided software. If you insert a USB flash drive or SD card, the boot firmware will only boot from it if the files are tested and cryptographically signed by OLPC. |
|||
* An '''activation key''' or '''activation''' is a file named '''lease.sig''' containing a cryptographic signature tied to a specific XO laptop and provides the ability for the system to run up until a set date and time. |
|||
If the boot [[firmware]] sees a developer key in <tt>/security/develop.sig</tt>, it makes the XO laptop work just like any ordinary PC-style laptop: |
|||
* it will let you interrupt the boot process and enter commands |
|||
* it will try to boot and run any program you supply to it, such as a Fedora or Debian Linux system, no matter whether the OLPC organization has tested, approved, or signed it. |
|||
The laptop also works this way if its firmware security is disabled. |
|||
* The activation system is part of the security system. Therefore, when the security system is disabled (with a developer key), activations become irrelevant: they are not needed for system operation. |
|||
OLPC produces many unsigned [[OS images|operating system images]] for development and testing, which will only work in your laptop if you have a developer key. Also, if your laptop refuses to boot because the clock is set wrong, or complains about an unsigned kernel, getting a developer key is a critical part of diagnosing and/or fixing the trouble. |
|||
* Laptops can have the security system active but also be '''preactivated''' meaning that they will never request or use an activation, even though the rest of the features of the security system remain active. |
|||
"Firmware Security" is what OLPC calls this feature. The classic term for it is "[[Wikipedia:Tivoization|Tivoization]]", and the generic term for this kind of deliberate manufacturer's restriction on ordinary people's use of their hardware is called "[[Wikipedia:Digital Rights Management|Digital Rights Management]]" or DRM. |
|||
The process of bypassing DRM systems is typically called "[[Wikipedia:Privilege escalation|Jailbreaking]]". [[Jailbreaking the XO]] hardware is relatively easy, if you have Internet access, because the OLPC organization explicitly allows it (today), via a complicated process described in this web page. |
|||
== Is your laptop secured? == |
|||
It appears that every XO laptop ever sent to schools in developing countries has had firmware security enabled. No country found itself able or willing to choose non-DRM'd XO laptops. Laptops that OLPC sent to [[G1G1|Give One, Get One]] donors also have firmware security enabled, despite widespread opposition (even inside the OLPC organization). Someone or something inside OLPC refuses to build or sell non-DRM'd laptops, for reasons OLPC has never been willing to reveal or justify. |
|||
* [[G1G1 2007|Give One, Get One 2007]] and [[G1G1 2008|Give One, Get One 2008]] customers received laptops with the security system fully enabled, but the laptops are also preactivated meaning that they do not require an activation. Developer keys are required for some operations. |
|||
# The firmware will look for a developer key on your laptop's internal flash memory; on any USB flash drive that's plugged in; and on any SD card that's plugged in. It needs to be in <tt>/security</tt>. (See [[Firmware security]] for the gory details.) |
|||
* If your laptop is part of a deployment, the choice of security, security + preactivation, or no security is defined by the deployment. When buying laptops from OLPC, the customer specifies their choice and the laptops are programmed accordingly at the factory (you may be able to determine this from the [[Manufacturing data]] page). In some cases, this choice is then changed manually by the customer after the laptops have been received. |
|||
# With a developer key, whenever the laptop boots, the firmware will give you the option to press the Escape key ((at the upper left, marked [[Image:Esc.png]])) and get an ok prompt, which lets you enter commands in Forth. If you don't press Escape, after a short countdown the firmware continues booting the operating system. |
|||
#* This is the insecure boot process, and it will boot into any image you install on the xo. |
|||
#* Rather than drawing pretty pictures on the screen, lots of text messages will be displayed, and will eventually scroll up the screen. This is normal, and can be useful for diagnosing problems in your laptop. |
|||
#* The insecure boot process does not automatically upgrade firmware; you will be responsible for updating your firmware yourself. |
|||
== What the security system does == |
|||
==Getting a developer key for your running XO laptop== |
|||
* Unless the laptop is '''preactivated''', the system will only boot while it has a valid and non-expired '''activation'''. |
|||
# On your XO, open the [[Browse]] activity. |
|||
* The only operating systems images that can be installed are those that are signed by a trusted party (which can be OLPC, the deployment, etc, based on the laptop's configuration at the factory). |
|||
# There's a "Developer key request" web page on the XO to apply for a key. There are several ways to navigate to this page: |
|||
* The only firmware releases that can be installed are those that are signed by a trusted party. |
|||
#* In all builds, you can type '''file:///home/.devkey.html''' in the browse location field to get to the request page. |
|||
* The only kernels and initramfs (boot code) that can be booted are those that are signed by a trusted party. |
|||
#* In recent builds (including 8.2.0), "Get a developer key" is at the bottom of the Browse start page. |
|||
* You cannot gain access to Open Firmware's [[ok]] prompt. |
|||
#* In older builds (8.1, 703 and higher), click "activities" in the OLPC Library left-hand navigation, click on the sub-menu "find activities", and at the bottom of the page that displays is the "apply for developer key" link. Also, under "books" in the OLPC Library, click on the sub-menu "explore your xo", click "troubleshooting", and under "How do I get a developer key for my laptop" is a link to "submit this form" |
|||
#* In still older builds (7.1, 650, 653, and 656), click on the Library link "other" and then on "about your xo". Click on the "apply for a developer key" link at the very bottom of the page. (You can press the 'check mark' (✓) game key to quickly get to the bottom of the page.) |
|||
A developer key will disable all of these functions, providing no restrictions on what code can be ran and whether the laptop can or can't be used. |
|||
== Why you might want to unsecure your XO == |
|||
OLPC and others produce unsigned [[OS images|operating system images]] for development and testing. These will only work on unsecured laptops. |
|||
Various repair procedures, such as [[Fix clock|reprogramming the clock]] require the security system to be disabled (perhaps only temporarily). |
|||
== When "secured" laptops can be useful == |
|||
This security is part of the [[Bitfrost|Bitfrost security system]], and is used to ensure that unless the user has specifically opted out, their basic operating software remains unmodified, and provides various antitheft controls. Many OLPC customers express that security and antitheft systems are of high priority. |
|||
== How to tell if your laptop is secured == |
|||
[[Image:Ok-xo-1-q2f19-secure-with-check-key-and-escape.png|thumb|300px|secured; coloured icons, and no "ok" prompt]] |
|||
* [[Shutdown]] the laptop, |
|||
* Hold down the '✓' (check) game pad key and turn on the laptop, |
|||
* Wait for the message ''Release the game keys to continue'', |
|||
* Hold down the Escape key (the top left key on the laptop keyboard, marked with [[File:Esc.png]] or "esc"), |
|||
* Release the '✓' (check) game pad key, and watch closely. |
|||
If a message ''Secured, continuing'' appears, or three coloured icons, the laptop is secured. |
|||
If the laptop boots the operating system, the laptop is secured. |
|||
<br clear="right"> |
|||
[[Image:Ok-xo-1-q2f19-unlocked-with-escape.png|thumb|300px|secured, but unlocked; an unlock icon, and an "ok" prompt]] |
|||
If a message ''Devel key Signature valid'' appears, and an icon corresponding to the device the developer key is on, then the laptop is secured, but unlocked by the developer key. |
|||
In this situation, you can disable security. |
|||
<br clear="right"> |
|||
[[Image:Ok-xo-1-q2f19-unsecure.png|thumb|300px|not secured, the "ok" prompt is present]] |
|||
If an "ok" prompt appears straight away like this, the laptop is not secured. |
|||
In this situation, you do not need a developer key. |
|||
<br clear="right"> |
|||
== Getting a developer key == |
|||
To get a developer key you will: |
|||
*get two numbers from the laptop, the serial number and the UUID, |
|||
*send these numbers to us, |
|||
*wait for up to 24 hours, |
|||
*receive the response. |
|||
We provide several ways to do this, as subsections below: |
|||
*[[#Getting_a_developer_key_using_a_USB_drive|using a special USB drive]], |
|||
*[[#Getting_a_developer_key_for_your_running_XO_laptop|using the web browser on the laptop]], |
|||
*[[#Getting_a_developer_key_without_WiFi|without wireless, using a USB ethernet adapter]], |
|||
*[[#Getting_a_developer_key_without_any_network_access|without network, using Terminal]], or |
|||
*[[#Getting_a_developer_key_by_postal_mail|by postal mail]]. |
|||
=== Getting a developer key using a USB drive === |
|||
A [[collection stick]] is a special USB drive that collects data so that you can request a developer key. See [[collection stick]] for how to prepare a USB drive and use it. |
|||
=== Getting a developer key for your running XO laptop === |
|||
There's a "Developer key request" web page on the XO to apply for a key. |
|||
# On your XO, open a new [[Browse]] activity, and navigate to the request page: |
|||
#* For release 8.2.0, 10.1.x, and later, click on the link "get a developer key" at the bottom of the Browse start page, |
|||
#* otherwise, type '''file:///home/.devkey.html''' in the browse location field and press enter. |
|||
# Follow the directions to apply for a developer key; it should be created in a day or two. |
# Follow the directions to apply for a developer key; it should be created in a day or two. |
||
# Go back to the request page when your key is ready, and follow the instructions to download your key to your XO. |
# Go back to the request page when your key is ready, and follow the instructions to download your key to your XO. |
||
#* Once your key has been created, you can return to this page at any time ''on your XO'' to re-download it; there will be no further creation delay. |
#* Once your key has been created, you can return to this page at any time ''on your XO'' to re-download it; there will be no further creation delay. |
||
# [[Reboot]] your XO. |
# [[Reboot]] your XO. |
||
Next, [[#Using_a_developer_key|using a developer key]]. |
|||
''Tip:'' if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it. |
''Tip:'' if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it. |
||
== |
==== How to get a developer key when Browse freezes ==== |
||
At times Browse can freeze when trying to activate your key. An alternative way of activating is by starting Terminal or by pressing Ctrl+Alt+[[Image:Friends key f2 small.png]] to get to a console and get the serial + uuid for activation. Once you see the terminal, you may need to type in "root" with no password to login. |
|||
Next type in: |
|||
=== Make back up copies! === |
|||
vi /home/.devkey.html |
|||
However you get a key, please '''''make a copy of it on some other computer''''', one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to <tt>/security/develop.sig</tt> on a USB flash drive, if you have one. |
|||
on line 16, there should be the serial_num (write down what it says under VALUE="....") and what it says on line 17 the uuid VALUE=...". You will need this information to register for your key. |
|||
===Disable the DRM "security" system=== |
|||
Once you have a developer key and have booted your system using it, one of the commands you can enter at the firmware 'ok' prompt will turn off the DRM permanently, even if your XO's developer key goes away. If you forget to do this, and you usually run ordinary free software distributions like Debian, Ubuntu, or Fedora on your XO, your XO will at some point refuse to boot. The only reason you might not want to disable the DRM permanently, after obtaining your developer key, is if you are a senior programmer who is testing the DRM system. |
|||
{{Activation.laptop.org}} |
|||
# [[Reboot]] the XO |
|||
Next, on a computer that has web access and click on: [https://activation.laptop.org/devkey/post/ https://activation.laptop.org/devkey/post/] and enter in the serial and uuid that you got from the .devkey.html file and click on "Request developer key". |
|||
# Press the Esc key during boot to get to the 'ok' prompt. |
|||
# Type 'disable-security' at the 'ok' prompt and press enter |
|||
You should then return to the web page after 24 hours. Your key will be ready for you. |
|||
This will permanently turn off firmware security (DRM) on your laptop. |
|||
=== Getting a developer key without WiFi === |
|||
(If disable-security says "No wp key", it means that security is already disabled. You can see the raw manufacturing data where the disable-security setting is stored, by typing ".mfg-data"; see [[Manufacturing data]] for details. If disable-security says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above.) |
|||
If you have wired network access, you can: |
|||
* use a [[USB ethernet adaptors|USB-to-wired ethernet adapter]] to get your XO on the net, then follow the above instructions. |
|||
=== Getting a developer key without any network access === |
|||
* copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the [[Terminal]] activity will copy it to any USB devices connected: |
|||
** <tt>cp -p /home/.devkey.html /var/run/media/*/devkey.html</tt> |
|||
=== Getting a developer key by postal mail === |
|||
* When security is disabled, you can still re-enable it for a single boot by [[Cheat codes|pressing the X gamepad key]] while turning the power on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates. |
|||
* You can reverse the 'disable-security' command by entering 'enable-security' at the 'ok' prompt. |
|||
You can write postal mail to OLPC, see the addresses on the [[OLPC:Contact_us|contact page]]. |
|||
=== If you wipe out your developer key === |
|||
If you reflash your XO you will remove <tt>/security/develop.sig</tt>. |
|||
One way this can happen is if you ever do a fresh install of an operating system image using the [[clean-install procedure]] (rather than [[olpc-update]]). |
|||
If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options: |
|||
* Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed. |
|||
* Reflash again with a signed OS image. |
|||
* Insert a USB flash drive or SD card with your developer key on it in <tt>/security/develop.sig</tt> (this is why you should always be sure to backup <tt>develop.sig</tt>), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security. |
|||
You must include your serial number, a return address, and that you are asking for a developer key. |
|||
Once boot completes you can restore your developer key back to NAND flash by typing in a [[Terminal Activity|terminal]] something like |
|||
cp -pi /media/''MY_USB_NAME''/security/develop.sig /security |
|||
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten. |
|||
Your developer key will be mailed back to you on paper. You will have to type it in to a develop.sig file. This is prone to error, so try hard to use other methods. |
|||
==Getting a developer key without WiFi== |
|||
If you have some network access, you can: |
|||
* use a [[USB ethernet adaptors|USB-to-wired ethernet adapter]] to get your XO on the net, then follow the above instructions. |
|||
* copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the [[Terminal]] activity will copy it to any USB devices connected: |
|||
** <tt>cp -p /home/.devkey.html /media/*/devkey.html</tt> |
|||
Next, [[#Using_a_developer_key|using a developer key]]. |
|||
== |
== Using a developer key == |
||
Our response will be a small file {{code|develop.sig}} containing a large number. When you give this file to the laptop in the right way, it will be temporarily unlocked. |
|||
=== Via snail mail === |
|||
You can submit a written request via snail mail to: |
|||
: One Laptop per Child<br/>P.O. Box 425087 |
|||
: Cambridge, MA 02142 |
|||
=== Make back up copies! === |
|||
Your key will be mailed back to you. |
|||
However you get a key, please '''''make a copy of it on some other computer''''', one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to <tt>/security/develop.sig</tt> on a USB drive, if you have one. |
|||
=== Where the developer key can be placed === |
|||
When the XO boots, its [[firmware]] checks to see if security is enabled or [[#Disable_the_security_system|permanently disabled]] (a system parameter). If it is enabled, it looks for the a developer key, at <tt>/security/develop.sig</tt>, on any USB flash drive or SD card that's plugged in, and on the internal storage. (See [[Firmware security]] for the details.) |
|||
=== If the machine won't boot === |
|||
==== Revert to a previous OS image ==== |
|||
First, try booting with the 'O' (circle) gamepad key held down. That will attempt to boot a previous version of the OS, after which you can use one of the options above. |
|||
If that file is there and contains the right number, the XO will act as though it is unsecured: |
|||
==== Generate a laptops.dat file ==== |
|||
* You will be able to interrupt the boot process and enter commands, |
|||
See [[#Collecting serial numbers with a USB stick|the USB stick method]] described below. You can collect a laptops.dat file with the UUID information of your machine, or of many machines, with a single stick. |
|||
* You can run any compatible operating system, not only the signed operating system, |
|||
* You will be able to disable the security permanently. |
|||
=== |
=== Disabling the security system=== |
||
Once you have a developer key: |
|||
This requires a USB memory stick, and manual assistance from someone at OLPC. The memory stick must be set up to work as a ''collection stick'' by adding code that at boot time copies information from the XO to itself. After using it, you should send the resulting file to OLPC. |
|||
* Make sure it is in the <tt>/security/</tt> directory on your USB drive or SD card. |
|||
<!--To start the process, you will need to provide OLPC with both the Serial Number of your machine, and its UUID. The Serial Number is conveniently printed on a sticker in the battery compartment, and looks like "CSN74701E2F". The UUID is unfortunately only stored internally. |
|||
* Plug it into your XO before booting it. Boot your XO with that drive/card plugged in. |
|||
To get it, you'll have to --> |
|||
* You can now either immediately install unsigned software, or interact with the firmware -- including permanently disabling the firmware security system. (Once this is turned off, you will no longer need your XO's developer key to run the machine in "unsecured" mode.) |
|||
To '''permanently turn off firmware security''': |
|||
* Set up a [[Activation_and_developer_keys#Setting_up_a_collection_stick | collection stick]] |
|||
* Boot the XO as above, with a USB drive or SD card with the developer key plugged in. Interrupt the boot sequence: press the [[File:Esc.png]] ''Escape'' key a few times during the startup sound, just after turning the laptop on, to bring up the firmware [[Ok|Ok prompt]]. (for other ways to reach the prompt, see [[Ok prompt]].) |
|||
* Plug the stick it into your laptop and power it on |
|||
* Type <tt>''disable-security''</tt>. Press enter. |
|||
* It will display a pretty "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". After a few seconds it will power itself off or indicate it is done. |
|||
* Remove the USB stick and move the file to a different computer |
|||
* Email the <tt>laptops.dat</tt> file to help@laptop.org . Please describe your problem, including the serial number (printed inside your battery compartment, visible when you remove the battery), and attach the resulting <tt>laptops.dat</tt> file. |
|||
# If ''disable-security'' says "No wp tag", it means that security is already disabled. |
|||
==== Setting up a collection stick ==== |
|||
#: |
|||
# Download [[media:Actos.zip|Actos.zip]] and [[media:Runos.zip|Runos.zip]] (its source code in Forth, if you're interested, is at http://dev.laptop.org/git?p=users/cscott/actkey; it will only run if it's put into a signed zip file.) |
|||
# If ''disable-security'' says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above. |
|||
# Put these files into the <big><tt>'''/boot/'''</tt></big> directory on a FAT-formatted or FAT32-formatted USB flash drive. |
|||
#: |
|||
#* Most USB flash drives use FAT or FAT32 when you buy them (except "U2" memory sticks which probably won't work; they contain their own ugly DRM stuff). |
|||
# Your USB flash drive should contain these files (and nothing else in the boot directory): |
|||
#:boot/ |
|||
#:boot/Actos.zip |
|||
#:boot/Runos.zip |
|||
# If there is an old <tt>laptops.dat</tt> file on the USB flash drive from an earlier collection of laptops, you can delete it. However, see below : if you are gathering data from a number of laptops, '''do not''' delete the file in between XOs. The USB flash drive can have any other files on it that you like. |
|||
* When security is disabled, you can re-enable it for a single boot (say, to test how a secured machine would work) by [[Cheat codes|pressing the X gamepad key]] while powering on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates. |
|||
==== Getting devkey data for many XOs at once ==== |
|||
* You can reverse the ''disable-security'' command by entering ''enable-security'' at the 'ok' prompt. Security will then be permanently enabled until disabled again. |
|||
For each laptop that you want to get a Developer Key for: |
|||
* You can see the raw manufacturing data where the ''disable-security'' setting is stored by typing ".mfg-data". See [[Manufacturing data]] for details. |
|||
==== Troubleshooting disabling of the security system ==== |
|||
# Repeat the above process, inserting your collection stick and powering on the laptop, for each XO in turn. |
|||
Some have had some issues with disabling the security when the developer key is on a USB drive. This may happen if the USB drive is incompatible with the firmware. If you experience this problem, try [[upgrading firmware]], or try using an SD card instead. It should be vfat formatted, for which you can use ''gparted''. |
|||
#* This will combine metadata for each laptop into one laptops.dat file, so do not delete the <tt>laptops.dat</tt> file in between. |
|||
# Email the resulting file to help@laptop.org, indicating the # of laptops you need keys for. |
|||
Then stick the SD into the XO (it is under the screen, you need to turn it -- it is on the right side), reboot and hold down [[Image:Esc.png]] -- then you will get to an [[ok]] prompt |
|||
Then wait for OLPC to send you your Developer key(s) and/or Activation key(s). |
|||
type: |
|||
<pre> |
|||
=== What to do when you receive your activation or developer keys === |
|||
disable-security |
|||
''NB: OLPC may also send you other files to put on the USB flash drive, to help to patch or circumvent whatever problem is preventing your laptop from booting properly.'' |
|||
</pre> |
|||
it will automatically reboot to enable access to internal data, and you must repeat this step, then it will update the internal data and reboot again. |
|||
# You can use the same USB flash drive that you used as collector stick. <!-- but rename the <tt>boot</tt> directory to something else (perhaps ''<tt>collboot</tt>''), otherwise your laptop will just re-run the collection script. --> |
|||
# You'll receive one or two files from OLPC. Extract the file or files using your email program. |
|||
#* If you receive a <tt>'''lease.sig'''</tt> file, it's your activation key. (G1G1 laptops don't need one.) Copy the file into the root directory of your USB flash drive. |
|||
# Make a directory called <tt>'''security/'''</tt> in the root directory of your USB flash drive, and copy the developer key <tt>'''develop.sig'''</tt> file into it. |
|||
# You should now have these files on your key: |
|||
#: <tt>lease.sig</tt> (if received) |
|||
#: <tt>security/</tt> |
|||
#: <tt>security/develop.sig</tt> |
|||
# With the laptop powered off, insert the key into a USB port and power it on. |
|||
#: If the laptop wasn't previously activated, it will now boot. |
|||
#: Any activation key provided will be copied to <tt>'''/security/lease.sig'''</tt> on the XO. Keep the activation key around (or copy it to your school server) in case you later need to reflash the XO. |
|||
# If you have a developer key, you should see a textual prompt, which you will see within the first few seconds of booting (along with a short countdown to give you time to hit the Escape key). This is your indication that the developer key has been found. |
|||
#* To permanently disable secure booting, press ''Escape'' and type "<tt>disable-security</tt>", then power cycle and repeat that command. (see [[#Disabling security|Disabling Security]], above.) |
|||
# The developer key is not automatically copied to your laptop's internal flash memory. You can do that by copying <tt>security/develop.sig</tt> from the USB flash drive into <tt>'''/security/develop.sig'''</tt> on the XO. You'll need to be [[root]] in a [[Terminal activity]] to do that. |
|||
Now you can reboot and take out the SD card if you hit [[Image:Esc.png]] it will bring you to the {ok} prompt |
|||
If you requested keys for more than one laptop, you can use the same process and the same USB key for each laptop. |
|||
=== If you wipe out your developer key === |
|||
If you reflash your XO you will remove <tt>/security/develop.sig</tt>. |
|||
One way this can happen is if you ever do a fresh install of an operating system image using the [[clean-install procedure]] (rather than [[olpc-update]]). |
|||
If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options: |
|||
* Ask us for the developer key again, and there won't be a 24 hour delay. |
|||
* Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed. |
|||
* Reflash again with a signed OS image. |
|||
* Insert a USB drive or SD card with your developer key on it in <tt>/security/develop.sig</tt> (this is why you should always be sure to backup <tt>develop.sig</tt>), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security. |
|||
Once boot completes you can restore your developer key back to NAND flash by typing in a [[Terminal Activity|terminal]] something like |
|||
cp -pi /media/''MY_USB_NAME''/security/develop.sig /security |
|||
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten. |
|||
== See also == |
== See also == |
||
Line 157: | Line 200: | ||
''Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.'' |
''Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.'' |
||
[[Category:Developers]] [[Category:Firmware]] [[Category:Copyright]] [[Category:OLPC FAQ]] [[Category:OS]] [[Category:Security]] [[Category:Software development]] [[Category:Repair]] [[Category:Wiki pages that XO content links to]] |
[[Category:Developers]] [[Category:Firmware]] [[Category:Copyright]] [[Category:OLPC FAQ]] [[Category:OS]] [[Category:Security]] [[Category:Software development]] [[Category:Repair]] [[Category:Wiki pages that XO content links to]] |
Latest revision as of 02:22, 2 October 2021
Note: as of October 2021, OLPC has released Persistent developer key firmware to disable the activation and developer key system on a laptop.
- A developer key is a file named develop.sig containing cryptographic information tied to a specific XO laptop that can be used to disable various security features.
- An activation key or activation is a file named lease.sig containing a cryptographic signature tied to a specific XO laptop and provides the ability for the system to run up until a set date and time.
- The activation system is part of the security system. Therefore, when the security system is disabled (with a developer key), activations become irrelevant: they are not needed for system operation.
- Laptops can have the security system active but also be preactivated meaning that they will never request or use an activation, even though the rest of the features of the security system remain active.
Is your laptop secured?
- Give One, Get One 2007 and Give One, Get One 2008 customers received laptops with the security system fully enabled, but the laptops are also preactivated meaning that they do not require an activation. Developer keys are required for some operations.
- If your laptop is part of a deployment, the choice of security, security + preactivation, or no security is defined by the deployment. When buying laptops from OLPC, the customer specifies their choice and the laptops are programmed accordingly at the factory (you may be able to determine this from the Manufacturing data page). In some cases, this choice is then changed manually by the customer after the laptops have been received.
What the security system does
- Unless the laptop is preactivated, the system will only boot while it has a valid and non-expired activation.
- The only operating systems images that can be installed are those that are signed by a trusted party (which can be OLPC, the deployment, etc, based on the laptop's configuration at the factory).
- The only firmware releases that can be installed are those that are signed by a trusted party.
- The only kernels and initramfs (boot code) that can be booted are those that are signed by a trusted party.
- You cannot gain access to Open Firmware's ok prompt.
A developer key will disable all of these functions, providing no restrictions on what code can be ran and whether the laptop can or can't be used.
Why you might want to unsecure your XO
OLPC and others produce unsigned operating system images for development and testing. These will only work on unsecured laptops.
Various repair procedures, such as reprogramming the clock require the security system to be disabled (perhaps only temporarily).
When "secured" laptops can be useful
This security is part of the Bitfrost security system, and is used to ensure that unless the user has specifically opted out, their basic operating software remains unmodified, and provides various antitheft controls. Many OLPC customers express that security and antitheft systems are of high priority.
How to tell if your laptop is secured
- Shutdown the laptop,
- Hold down the '✓' (check) game pad key and turn on the laptop,
- Wait for the message Release the game keys to continue,
- Hold down the Escape key (the top left key on the laptop keyboard, marked with or "esc"),
- Release the '✓' (check) game pad key, and watch closely.
If a message Secured, continuing appears, or three coloured icons, the laptop is secured.
If the laptop boots the operating system, the laptop is secured.
If a message Devel key Signature valid appears, and an icon corresponding to the device the developer key is on, then the laptop is secured, but unlocked by the developer key.
In this situation, you can disable security.
If an "ok" prompt appears straight away like this, the laptop is not secured.
In this situation, you do not need a developer key.
Getting a developer key
To get a developer key you will:
- get two numbers from the laptop, the serial number and the UUID,
- send these numbers to us,
- wait for up to 24 hours,
- receive the response.
We provide several ways to do this, as subsections below:
- using a special USB drive,
- using the web browser on the laptop,
- without wireless, using a USB ethernet adapter,
- without network, using Terminal, or
- by postal mail.
Getting a developer key using a USB drive
A collection stick is a special USB drive that collects data so that you can request a developer key. See collection stick for how to prepare a USB drive and use it.
Getting a developer key for your running XO laptop
There's a "Developer key request" web page on the XO to apply for a key.
- On your XO, open a new Browse activity, and navigate to the request page:
- For release 8.2.0, 10.1.x, and later, click on the link "get a developer key" at the bottom of the Browse start page,
- otherwise, type file:///home/.devkey.html in the browse location field and press enter.
- Follow the directions to apply for a developer key; it should be created in a day or two.
- Go back to the request page when your key is ready, and follow the instructions to download your key to your XO.
- Once your key has been created, you can return to this page at any time on your XO to re-download it; there will be no further creation delay.
- Reboot your XO.
Next, using a developer key.
Tip: if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it.
How to get a developer key when Browse freezes
At times Browse can freeze when trying to activate your key. An alternative way of activating is by starting Terminal or by pressing Ctrl+Alt+ to get to a console and get the serial + uuid for activation. Once you see the terminal, you may need to type in "root" with no password to login.
Next type in:
vi /home/.devkey.html
on line 16, there should be the serial_num (write down what it says under VALUE="....") and what it says on line 17 the uuid VALUE=...". You will need this information to register for your key.
Next, on a computer that has web access and click on: https://activation.laptop.org/devkey/post/ and enter in the serial and uuid that you got from the .devkey.html file and click on "Request developer key".
You should then return to the web page after 24 hours. Your key will be ready for you.
Getting a developer key without WiFi
If you have wired network access, you can:
- use a USB-to-wired ethernet adapter to get your XO on the net, then follow the above instructions.
Getting a developer key without any network access
- copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the Terminal activity will copy it to any USB devices connected:
- cp -p /home/.devkey.html /var/run/media/*/devkey.html
Getting a developer key by postal mail
You can write postal mail to OLPC, see the addresses on the contact page.
You must include your serial number, a return address, and that you are asking for a developer key.
Your developer key will be mailed back to you on paper. You will have to type it in to a develop.sig file. This is prone to error, so try hard to use other methods.
Next, using a developer key.
Using a developer key
Our response will be a small file develop.sig containing a large number. When you give this file to the laptop in the right way, it will be temporarily unlocked.
Make back up copies!
However you get a key, please make a copy of it on some other computer, one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to /security/develop.sig on a USB drive, if you have one.
Where the developer key can be placed
When the XO boots, its firmware checks to see if security is enabled or permanently disabled (a system parameter). If it is enabled, it looks for the a developer key, at /security/develop.sig, on any USB flash drive or SD card that's plugged in, and on the internal storage. (See Firmware security for the details.)
If that file is there and contains the right number, the XO will act as though it is unsecured:
- You will be able to interrupt the boot process and enter commands,
- You can run any compatible operating system, not only the signed operating system,
- You will be able to disable the security permanently.
Disabling the security system
Once you have a developer key:
- Make sure it is in the /security/ directory on your USB drive or SD card.
- Plug it into your XO before booting it. Boot your XO with that drive/card plugged in.
- You can now either immediately install unsigned software, or interact with the firmware -- including permanently disabling the firmware security system. (Once this is turned off, you will no longer need your XO's developer key to run the machine in "unsecured" mode.)
To permanently turn off firmware security:
- Boot the XO as above, with a USB drive or SD card with the developer key plugged in. Interrupt the boot sequence: press the Escape key a few times during the startup sound, just after turning the laptop on, to bring up the firmware Ok prompt. (for other ways to reach the prompt, see Ok prompt.)
- Type disable-security. Press enter.
- If disable-security says "No wp tag", it means that security is already disabled.
- If disable-security says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above.
- When security is disabled, you can re-enable it for a single boot (say, to test how a secured machine would work) by pressing the X gamepad key while powering on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates.
- You can reverse the disable-security command by entering enable-security at the 'ok' prompt. Security will then be permanently enabled until disabled again.
- You can see the raw manufacturing data where the disable-security setting is stored by typing ".mfg-data". See Manufacturing data for details.
Troubleshooting disabling of the security system
Some have had some issues with disabling the security when the developer key is on a USB drive. This may happen if the USB drive is incompatible with the firmware. If you experience this problem, try upgrading firmware, or try using an SD card instead. It should be vfat formatted, for which you can use gparted.
Then stick the SD into the XO (it is under the screen, you need to turn it -- it is on the right side), reboot and hold down -- then you will get to an ok prompt type:
disable-security
it will automatically reboot to enable access to internal data, and you must repeat this step, then it will update the internal data and reboot again.
Now you can reboot and take out the SD card if you hit it will bring you to the {ok} prompt
If you wipe out your developer key
If you reflash your XO you will remove /security/develop.sig. One way this can happen is if you ever do a fresh install of an operating system image using the clean-install procedure (rather than olpc-update). If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options:
- Ask us for the developer key again, and there won't be a 24 hour delay.
- Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed.
- Reflash again with a signed OS image.
- Insert a USB drive or SD card with your developer key on it in /security/develop.sig (this is why you should always be sure to backup develop.sig), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security.
Once boot completes you can restore your developer key back to NAND flash by typing in a terminal something like
cp -pi /media/MY_USB_NAME/security/develop.sig /security
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten.
See also
Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.