Collection stick: Difference between revisions

From OLPC
Jump to navigation Jump to search
(→‎Collecting with a Collection stick: Note current bug/limitation due to original proposed workflow)
No edit summary
Line 4: Line 4:
[[Category:Deployment]]
[[Category:Deployment]]
<noinclude>
<noinclude>
A '''Collection stick''' is a USB storage device (USB stick) that you use to collect data (serial numbers and system UUIDs) in order to request [[developer key|developer keys]]. Developer keys are the unique cryptographic signatures for XO laptops that permit access to the system [[Firmware|firmware]].
A [[Collection stick]] is a USB drive with a program on it that collects data in order to request [[developer key|developer keys]]. Developer keys are the unique cryptographic signatures for XO laptops that permit access to the system [[Firmware|firmware]].

''Collection sticks were called collection keys, but the word key was overloaded with two meanings (a device vs data on a device) and this led to confusion.''


== Making a Collection stick ==
== Making a Collection stick ==


You'll need a FAT-formatted or FAT32-formatted USB storage device for this, as well as a computer with Internet access. The USB storage device does not need to be empty.
You'll need a FAT-formatted [[USB drive]], as well as a computer with Internet access. The USB drive does not need to be empty. On the computer with Internet access:

# Insert the USB drive,
# Delete any directory with name <code>boot</code>,
# Create a new directory with name <code>boot</code> in the top level of your USB drive.
# Download [[media:Actos.zip|Actos.zip]] and [[media:Runos.zip|Runos.zip]] into that <code>/boot</code> directory.


You should now have a USB drive containing a directory <code>boot</code> which contains two files <code>Actos.zip</code>, and <code>Runos.zip</code>. This is a collection stick ready to use.
# Create a <code>/boot</code> directory in the root of your USB storage device. If such a directory already exists, it should be empty. (Exception: if you have already used this Collection stick to gather data from a number of XOs, there may be a <code>laptops.dat</code> file in the <code>/boot</code> directory. Do not delete <code>laptops.dat</code>.)
# On the computer with Internet access, [[media:Actos.zip|Actos.zip]] and [[media:Runos.zip|Runos.zip]] [http://dev.laptop.org/git/users/cscott/actkey (source code)] into that <code>/boot</code> directory. You should now have 2 files (3, if you have <code>laptops.dat</code> in a <code>/boot</code> directory on the root of your USB storage device.


== Collecting with a Collection stick ==
== Collecting with a Collection stick ==

'''Note:''' The collection stick must not already have a lease.sig file on it. The presence of a lease.sig file will cause collection to be skipped.


For each XO for which you need a Developer key:
For each XO for which you need a Developer key:


# Make sure the XO is powered off.
# Make sure the XO is powered off.
# Plug the USB storage device into the XO, then power it on.
# Plug the USB drive into the XO, then power it on.
# You will see a graphical "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". The XO will then power itself off or otherwise indicate that it is done.
# You will see a graphical "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". The XO will then power itself off or otherwise indicate that it is done.
# Remove the USB storage device from the XO.
# Remove the USB drive from the XO.


(Note that this step will not record the data if the laptop is unlocked already -- to make this work on an unlocked laptop, hold the '×' game pad key to force "secure" booting.)
(This step will not record the data if the laptop is unlocked already -- to make this work on an unlocked laptop, hold the '×' game pad key to force "secure" booting.)


When you have finished this process on all the XOs you need Developer keys for, plug the USB storage device into the computer with Internet access and then either:
When you have done this on all the XOs you need Developer keys for, plug the USB drive into the computer with Internet access and then either:


* for individuals and small groups, open <code>laptops.dat</code>, treat the first number as a serial number and the second as UUID, and enter them on [http://activation.laptop.org/devkey/post/ OLPC Activation Service], and follow the instructions there to generate a developer key,
* for individuals and small groups, open <code>laptops.dat</code>, treat the first number as a serial number and the second as UUID, and enter them on [http://activation.laptop.org/devkey/post/ OLPC Activation Service], and follow the instructions there to generate each developer key,
* for larger groups, attach the <code>laptops.dat</code> file from the USB storage device to an email to your OLPC contact.
* for larger groups, attach the <code>laptops.dat</code> file from the USB drive to an email to your OLPC or deployment contact. This may take several days.


== Making an Unlock stick ==
== Making an Unlock stick ==
(formerly called an Unlock key)
(formerly called an Unlock key)


You will receive back one or two files from OLPC after submitting your <code>laptops.dat</code> file (this may take several days). Here is what to do once you get these files.
You will receive back one or two files from OLPC after submitting your <code>laptops.dat</code> file. Here is what to do once you get these files.


# Insert a USB drive.
# Get a USB storage device. This can be your old Collection stick; you will have to rename the <tt>/boot</tt> directory to something else like <tt>/collection</tt>. If you don't do this, your laptop will just re-run the collection script.
** This can be your old Collection stick; but you must rename the <tt>/boot</tt> directory to something else like <tt>/collection</tt>. If you don't do this, your laptop will just re-run the collection.
# '''If you requested a Developer key:''' You will get a file called <tt>'''develop.sig'''</tt>. Make a directory called <tt>'''security/'''</tt> in the root directory of your USB storage device and copy this file into it.
# '''If you requested a Developer key:''' You will get a file called <tt>'''develop.sig'''</tt>. Make a directory called <tt>'''security/'''</tt> in the root directory of your USB storage device and copy this file into it.
# '''If you requested an activation key:''' You will get a file called <tt>'''lease.sig'''</tt>. Copy this file into the root directory of your USB storage device.
# '''If you requested an activation key:''' You will get a file called <tt>'''lease.sig'''</tt>. Copy this file into the root directory of your USB storage device.


You should now have a USB drive containing a directory <code>security</code> which contains either <code>develop.sig</code>, or <code>lease.sig</code>. This is an unlock stick ready to use.
You are now ready to use your Unlock stick.


== Unlocking with an Unlock stick ==
== Unlocking with an Unlock stick ==
Line 71: Line 72:
The firmware checks for the Developer key on all available storage, which is why an Unlock stick works the way it does. But this means you would need to keep the Unlock stick handy to use it.
The firmware checks for the Developer key on all available storage, which is why an Unlock stick works the way it does. But this means you would need to keep the Unlock stick handy to use it.


Alternatively, you can copy Developer key to your laptop's internal flash memory. Copy <tt>security/develop.sig</tt> from the USB storage device into <tt>'''/security/develop.sig'''</tt> on the XO. You'll need to be [[root]] in a [[Terminal activity]] to do that:
Alternatively, you can copy Developer key to your laptop's internal flash memory. Copy <tt>security/develop.sig</tt> from the USB drive into <tt>'''/security/develop.sig'''</tt> on the XO. You'll need to be [[root]] in a [[Terminal activity]] to do that:

cp /run/media/olpc/USBDRIVE/security/develop.sig /security/develop.sig

Where USBDRIVE is the label of the USB drive.


*(Note that ''/media'' was used instead of ''/run/media/olpc'' before 12.1.0).
cp /media/USBDRIVE/security/develop.sig /security/develop.sig


== See Also ==
Where USBDRIVE is the name of the mount point for your Unlock stick.


*[http://dev.laptop.org/git/users/cscott/actkey source code]
*(Note that ''/media'' changes to ''/run/media/olpc'' for Fedora 17 based builds used in 12.1.0 and later).

Revision as of 01:37, 17 August 2013

A Collection stick is a USB drive with a program on it that collects data in order to request developer keys. Developer keys are the unique cryptographic signatures for XO laptops that permit access to the system firmware.

Making a Collection stick

You'll need a FAT-formatted USB drive, as well as a computer with Internet access. The USB drive does not need to be empty. On the computer with Internet access:

  1. Insert the USB drive,
  2. Delete any directory with name boot,
  3. Create a new directory with name boot in the top level of your USB drive.
  4. Download Actos.zip and Runos.zip into that /boot directory.

You should now have a USB drive containing a directory boot which contains two files Actos.zip, and Runos.zip. This is a collection stick ready to use.

Collecting with a Collection stick

For each XO for which you need a Developer key:

  1. Make sure the XO is powered off.
  2. Plug the USB drive into the XO, then power it on.
  3. You will see a graphical "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". The XO will then power itself off or otherwise indicate that it is done.
  4. Remove the USB drive from the XO.

(This step will not record the data if the laptop is unlocked already -- to make this work on an unlocked laptop, hold the '×' game pad key to force "secure" booting.)

When you have done this on all the XOs you need Developer keys for, plug the USB drive into the computer with Internet access and then either:

  • for individuals and small groups, open laptops.dat, treat the first number as a serial number and the second as UUID, and enter them on OLPC Activation Service, and follow the instructions there to generate each developer key,
  • for larger groups, attach the laptops.dat file from the USB drive to an email to your OLPC or deployment contact. This may take several days.

Making an Unlock stick

(formerly called an Unlock key)

You will receive back one or two files from OLPC after submitting your laptops.dat file. Here is what to do once you get these files.

  1. Insert a USB drive.
    • This can be your old Collection stick; but you must rename the /boot directory to something else like /collection. If you don't do this, your laptop will just re-run the collection.
  1. If you requested a Developer key: You will get a file called develop.sig. Make a directory called security/ in the root directory of your USB storage device and copy this file into it.
  2. If you requested an activation key: You will get a file called lease.sig. Copy this file into the root directory of your USB storage device.

You should now have a USB drive containing a directory security which contains either develop.sig, or lease.sig. This is an unlock stick ready to use.

Unlocking with an Unlock stick

For each XO you are trying to unlock:

  1. Make sure the XO is powered off.
  2. Plug the USB storage device into the XO, then power it on.
  3. That's it!
  4. Note that this process only unlocks your XO for one boot - if you want to unlock your XO permanently without needing to plug in the USB storage device every time you boot, see #Permanently unlocking with an Unlock stick.

Activation keys

No action is required. Activation keys are automatically copied to /security/lease.sig on your XO. Keep the activation key around (or copy it to your School Server) in case you later need to reflash the XO.

Developer keys

When the XO boots the first time, you should see a textual prompt, which you will see within the first few seconds of booting (along with a short countdown to give you time to hit the Esc.png, Escape key). This is your indication that the Developer key on the Unlock stick has been found.

Permanently unlocking with an Unlock stick

To permanently disable secure booting, with the Unlock stick inserted, obtain the Ok prompt, type "disable-security", then power cycle the laptop and repeat the sequence. See Activation and developer keys.

Once you do this, you will not need the Developer key on the laptop, but you can keep it in case security is ever enabled.

Unlocking only until the next reinstall or upgrade

The firmware checks for the Developer key on all available storage, which is why an Unlock stick works the way it does. But this means you would need to keep the Unlock stick handy to use it.

Alternatively, you can copy Developer key to your laptop's internal flash memory. Copy security/develop.sig from the USB drive into /security/develop.sig on the XO. You'll need to be root in a Terminal activity to do that: 

cp /run/media/olpc/USBDRIVE/security/develop.sig /security/develop.sig

Where USBDRIVE is the label of the USB drive.

  • (Note that /media was used instead of /run/media/olpc before 12.1.0).

See Also

Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Collection_stick&oldid=291518"