Android/Security: Difference between revisions

From OLPC
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:
* set up for signing using [[Firmware security#Making_New_Deployment_Keys|firmware security]] and the bios-crypto source,
* set up for signing using [[Firmware security#Making_New_Deployment_Keys|firmware security]] and the bios-crypto source,
* copy /boot/alt/vmlinuz and /boot/alt/initrd.img from the [[Android]] build,
* copy /boot/alt/vmlinuz and /boot/alt/initrd.img from the [[Android]] build,
* sign the Android kernel with the deployment operating system (o1) key,
* sign the Android kernel with the deployment operating system (o1) private key,
sign-os.sh os vmlinuz runos4.zip
sign-os.sh os vmlinuz runos4.zip
:*purpose: firmware will check signature using public key (o1) stored in manufacturing data.
* sign the Android ramdisk
* sign the Android ramdisk with the deployment operating system (o1) private key,
sign-os.sh os initrd.img runrd4.zip
sign-os.sh os initrd.img runrd4.zip
:*purpose: firmware will check signature using public key (o1) stored in manufacturing data.
* place both in /boot/alt,
* place both files in in /boot/alt,
:*purpose: firmware will load these files when [[Cheat codes|O game key]] is used.
* link the activation mode to the Sugar activation kernel and ramdisk,
* link the activation mode to the Sugar activation kernel and ramdisk,
ln -s ../runos4.zip actos4.zip
ln -s ../runos4.zip actos4.zip
Line 14: Line 17:
:*For a laptop that is never assigned activation leases, link actos4.zip to the Android runos4.zip, and link actrd4.zip to the Android runrd4.zip, and the firmware will boot Android without obtaining a lease.
:*For a laptop that is never assigned activation leases, link actos4.zip to the Android runos4.zip, and link actrd4.zip to the Android runrd4.zip, and the firmware will boot Android without obtaining a lease.
:*For a laptop preactivated with the {{code|ak}} tag, actrd4.zip is not used.
:*For a laptop preactivated with the {{code|ak}} tag, actrd4.zip is not used.
* sign the Q7B40 firmware release with the deployment firmware (w1) key,
* sign the Q7B40 firmware release with the deployment firmware (w1) key, and copy the signed bootfw4.zip file to /boot/
:*purpose: older firmware will check signature using public key (w1) stored in manufacturing data, and automatically reflash to Q7B40 if necessary.
* copy the signed bootfw4.zip file to /boot/
* test booting using the [[Cheat codes|O game key]] to select Android, or no O game key to select Sugar, using the X game key to enable security if it is not enabled,
* test booting using the [[Cheat codes|O game key]] to select Android, or no O game key to select Sugar, using the X game key to enable security if it is not enabled,
* test booting using the [[Cheat codes|rocker down key]] to display the boot menu.
* test booting using the [[Cheat codes|rocker down key]] to display the boot menu.

Revision as of 04:35, 24 September 2014

Firmware security for the Android and Sugar build.

  • set up for signing using firmware security and the bios-crypto source,
  • copy /boot/alt/vmlinuz and /boot/alt/initrd.img from the Android build,
  • sign the Android kernel with the deployment operating system (o1) private key,
sign-os.sh os vmlinuz runos4.zip
  • purpose: firmware will check signature using public key (o1) stored in manufacturing data.
  • sign the Android ramdisk with the deployment operating system (o1) private key,
sign-os.sh os initrd.img runrd4.zip
  • purpose: firmware will check signature using public key (o1) stored in manufacturing data.
  • place both files in in /boot/alt,
  • purpose: firmware will load these files when O game key is used.
  • link the activation mode to the Sugar activation kernel and ramdisk,
ln -s ../runos4.zip actos4.zip
ln -s ../actrd4.zip actrd4.zip
  • For a laptop with expired or missing activation lease, the supplied actrd4.zip must obtain a lease, write it to /security/lease.sig on the first partition, then reboot.
  • For a laptop that is never assigned activation leases, link actos4.zip to the Android runos4.zip, and link actrd4.zip to the Android runrd4.zip, and the firmware will boot Android without obtaining a lease.
  • For a laptop preactivated with the ak tag, actrd4.zip is not used.
  • sign the Q7B40 firmware release with the deployment firmware (w1) key, and copy the signed bootfw4.zip file to /boot/
  • purpose: older firmware will check signature using public key (w1) stored in manufacturing data, and automatically reflash to Q7B40 if necessary.
  • test booting using the O game key to select Android, or no O game key to select Sugar, using the X game key to enable security if it is not enabled,
  • test booting using the rocker down key to display the boot menu.