Collection stick: Difference between revisions

From OLPC
Line 91: Line 91:
== Permanently unlocking with an Unlock stick ==
== Permanently unlocking with an Unlock stick ==


To permanently disable secure booting, with the Unlock stick inserted, obtain the [[Ok]] prompt, type {{Code|disable-security}}, then power cycle the laptop and repeat the sequence. See [[Activation_and_developer_keys#Disable_the_security_system|Activation and developer keys]].
To permanently disable secure booting on each laptop, add this text to a file {{Code||olpc.fth}} in the {{Code|boot}} directory on the Unlock stick:
\ Open Firmware
disable-security
Then insert the USB drive into each laptop and turn it on. Watch. The laptop will reboot once or twice. Wait for the [[Ok]] prompt to appear on screen. The laptop is now unlocked permanently.

It works like this; when the laptop turns on, it searches for the {{Code|security/develop.sig}} file, validates it, then switches to unsecure mode, then searches for the {{Code|boot/olpc.fth}} file and runs it. The {{Code|boot/olpc.fth}} contains the {{Code|disable-security}} command, which disables the security system and reboots. One the second boot, with the security system already disabled, {{Code|disable-security}} does nothing, and so the [[Ok]] prompt appears.

You can also do this manually by inserting the Unlock stick, obtaining the [[Ok]] prompt, and then typing {{Code|disable-security}} once or twice. See [[Activation_and_developer_keys#Disable_the_security_system|Activation and developer keys]] for more detail.


Once you do this, you will not need the Developer key on the laptop, but you can keep it in case security is ever enabled.
Once you do this, you will not need the Developer key on the laptop, but you can keep it in case security is ever enabled.
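Review bot: the added sentence that introduces the script file uses {{Code||olpc.fth}} with a doubled pipe, so the template's first parameter is empty and the file name does not render; the rendered revision reads "add this text to a file in the boot directory". Use {{Code|olpc.fth}} so readers know what to name the file. In the added explanation paragraph, "One the second boot" should read "On the second boot". The new text also says the laptop reboots "once or twice" and that disable-security is typed "once or twice", while the explanation describes one reboot followed by a no-op; say when the second is needed.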

Revision as of 06:12, 17 August 2013

A Collection stick is a USB drive with a program on it that collects data in order to request developer keys. Developer keys are the unique cryptographic signatures for XO laptops that permit access to the system firmware.

What you will need:

  • a USB drive, preferably FAT formatted (it does not need to be empty),
  • a computer with Internet access, and
  • the group of XO laptops, which may be nearby or distant.

What you do is:

Making

On the computer with Internet access:

  1. Insert the USB drive,
  2. Delete any file with name laptops.dat left over from previous use,
  3. Delete any directory with name boot,
  4. Create a new directory with name boot in the top level of your USB drive.
  5. Download Actos.zip and Runos.zip into that boot directory.

You should now have a USB drive containing a directory boot which contains two files Actos.zip, and Runos.zip. This is a collection stick ready to use.

Collecting

For each XO in the group:

  • make sure the laptop is off, (e.g. check for a blinking power indicator),
  • plug the USB drive into the laptop,
  • turn on the laptop,
  • wait about ten seconds for a short message that looks like this:
SHC016013D1 20241124T122000Z
Laptop data recorded successfully.
Powering off ...
  • wait for the laptop to turn off,
  • remove the USB drive from the laptop.

(The collection stick may do nothing if the laptop is already unlocked; hold the '×' game pad key to force "secure" booting.)

When you have done this on all the XOs you need keys for, move to the next step below.

Request keys

Plug the USB drive into the computer with Internet access and then either:

  • for individuals and small groups, open laptops.dat, treat the first number as a serial number and the second as UUID, enter them on the OLPC Activation Service, and follow the instructions there to generate each developer key, saving them as separate files,
  • for larger groups, attach the laptops.dat file from the USB drive to an email to your OLPC or deployment contact. This may take several days.

Receive keys

You will receive back one or two files from OLPC after submitting your laptops.dat file.

  1. If you requested a developer key: You will get a file called develop.sig. It contains a developer key for each laptop.
  2. If you requested an activation key: You will get a file called lease.sig. It contains an activation key for each laptop.

You are now ready to make an unlock stick.

Unlock stick

  1. Insert a USB drive (this can be the Collection stick, but you must rename the boot directory to something else, like collection. If you don't do this, your laptop will just re-run the collection.)
  2. If you have a file called develop.sig, make a directory called security at the top of your USB drive and copy this file into it.
  3. If you have a file called lease.sig, copy this file into the top of your USB drive.

You should now have a USB drive containing either a directory security which contains develop.sig, or lease.sig in the top of the drive. This is an unlock stick ready to use.

Unlocking

For each XO in the group:

  1. Make sure the XO is powered off.
  2. Plug the USB drive into the XO, then power it on.

That's it! Note that this process only unlocks your XO for one boot. If you want to unlock your XO permanently without needing to plug in the USB drive every time you boot, see "Permanently unlocking with an Unlock stick" below.

Activation keys

No action is required. Activation keys are automatically copied to /security/lease.sig on your XO. Keep the activation key around (or copy it to your School Server) in case you later need to reflash the XO.

Developer keys

When the XO boots the first time, you should see a textual prompt within the first few seconds of booting (along with a short countdown to give you time to hit the Escape key). This is your indication that the Developer key on the Unlock stick has been found.

Permanently unlocking with an Unlock stick

To permanently disable secure booting on each laptop, add this text to a file olpc.fth in the boot directory on the Unlock stick:

\ Open Firmware
disable-security

Then insert the USB drive into each laptop and turn it on. Watch. The laptop will reboot once or twice. Wait for the Ok prompt to appear on screen. The laptop is now unlocked permanently.

It works like this: when the laptop turns on, it searches for the security/develop.sig file, validates it, then switches to unsecure mode, then searches for the boot/olpc.fth file and runs it. The boot/olpc.fth file contains the disable-security command, which disables the security system and reboots. On the second boot, with the security system already disabled, disable-security does nothing, and so the Ok prompt appears.

You can also do this manually by inserting the Unlock stick, obtaining the Ok prompt, and then typing disable-security once or twice. See Activation and developer keys for more detail.

Once you do this, you will not need the Developer key on the laptop, but you can keep it in case security is ever enabled.
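As an added example (not part of the original page and not OLPC's own tooling), this shell function inspects a mounted USB drive and reports which of the sticks described above it is, using only the file names given on this page. The tag names and warning wording are made up for the example.

```shell
#!/bin/sh
# Added example: report what a mounted USB drive would do on an XO, judged
# only by the file layout this page describes. Usage: sh script.sh /mount/point

# has_disable_security FILE: true if FILE has a line that is exactly the
# disable-security command (CR stripped, in case it was edited on Windows).
has_disable_security() {
    [ -f "$1" ] || return 1
    tr -d '\r' < "$1" | grep -Eq '^[[:space:]]*disable-security[[:space:]]*$'
}

# classify_stick DIR: print one tag per line for the drive mounted at DIR.
classify_stick() {
    root=$1
    [ -d "$root" ] || { echo "error: $root is not a directory" >&2; return 2; }
    collect=no; devkey=no; permanent=no

    if [ -f "$root/boot/Actos.zip" ] && [ -f "$root/boot/Runos.zip" ]; then
        collect=yes; echo "collection-stick"
    fi
    if [ -f "$root/security/develop.sig" ]; then
        devkey=yes; echo "developer-key"
    fi
    if [ -f "$root/lease.sig" ]; then
        echo "activation-key"
    fi
    if has_disable_security "$root/boot/olpc.fth"; then
        permanent=yes; echo "permanent-unlock-script"
    fi

    # The page says a leftover collection boot directory re-runs collection.
    if [ "$collect" = yes ] && [ "$devkey" = yes ]; then
        echo "warn: boot/ still holds the collection files; rename it"
    fi
    # Per the page, boot/olpc.fth runs only after develop.sig validates.
    if [ "$permanent" = yes ] && [ "$devkey" = no ]; then
        echo "warn: boot/olpc.fth present without security/develop.sig"
    fi
    return 0
}

# Run against a mount point when invoked with an argument.
if [ $# -gt 0 ]; then classify_stick "$1"; fi
```

Running it over every stick before a deployment session shows which drives will silently disable secure boot on any laptop they are booted in, and which would only re-run collection.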

Unlocking only until the next reinstall or upgrade

The firmware checks for the Developer key on all available storage, which is why an Unlock stick works the way it does. But this means you would need to keep the Unlock stick handy to use it.

Alternatively, you can copy the Developer key to your laptop's internal flash memory. Copy security/develop.sig from the USB drive into /security/develop.sig on the XO. In a Terminal activity type:

sudo cp /run/media/olpc/USBDRIVE/security/develop.sig /security/develop.sig

Where USBDRIVE is the volume label of the USB drive.

  • (Note that /media was used instead of /run/media/olpc before 12.1.0).

See Also