Antitheft HowTo: Difference between revisions

This document outlines antitheft-related procedures. Please discuss edits on server-devel@lists.laptop.org .

Example scenarios

Upgrade and activate a set of XOs

To accomplish this, you need 3 machines in total.

• An XO acting as the Master Lease Signing Server (MSS)
• An XS (can be XS-on-XO machine)
• An XO running as NANDBlast sender

And your master keys.

Steps

1. On the MSS, create a lease.sig file with leases for all the XOs you will upgrade and activate.
2. On the XS, load the lease.sig file so that xs-activation can use it
3. On the NANDBlast machine, prepare to run nb-secure, as described in Multicast_NAND_FLASH_Update#NANDblasting_a_Signed_NAND_Image_File
4. Setup the XS and the NANDBlast machine in the "upgrade" room and commence the unpack/start process

Procedures

Prepare an XO as the Master Signing Server (MSS)

This machine is only used to generate leases, devkeys or delegations. In other words, it is of occassional use, and should be kept in a secure place at all times.

1. Grab an XO, with the standard OS image. These notes are based on XO OS 8.2.1, but should work on future versions.
2. Install the latest olpc-bios-crypto package:
   1. Download the latest one from [1]
   2. Install it with rpm -ivh olpc-bios-crypto-(version).rpm
3. Make a new directory to store the master keys: mkdir /root/masterkeys
4. Copy the master keys into /root/masterkeys - you will normally have the files developer.private developer.public fs.private fs.public fw.private fw.public lease.private lease.public oats.private oats.public os.private os.public

Done! Now keep this machine in a safe location.

Generate activation leases on the MSS

You will usually have a spreadsheet provided by OLPC with the serial numbers, uuids and box number. You need to define which XOs / boxes activated...

Stage 1 - create the CSV file

1. open spreadsheet in OpenOffice Calc
2. find them relevant XOs in the spreadsheet
3. make a new page in the existing spreadsheet - give that page the

name of the school

1. copy/paste the SN/UUID region to the new page, remove the "extra"

columns we don't need. Also make sure you don't include the 'column headers' row.

1. Save the document
2. Make sure you are on the spreadsheet page for the right school
3. Now use the "File->Save As..." menu option to create a new file.

The file format must be CSV. The file name must be the name of the school.

1. OpenOffice will offer a "Text export / field options" dialogue...
   1. Character set: leave it as it is (Unicode UTF-8).
   2. Field separator: leave it as it is(comma).
   3. Text separator: Delete it, so that the option is empty.
2. OpenOffice will warn you that it is only exporting the 'current page'. Perfect, that's exactly what we want'

Now you should have a CSV file that is just serial numbers and uuids. The command head myfile.csv should give you five lines, each looking like:

SCH9950296C,377F6B80-DDA9-4A89-9C73-8C500C79AA8A

Stage 2 - generating lease.sig

Preparations: Copy the generated CSV file to a USB stick.

On the MSS

1. If it doesn't exist, make a "/root/laptops/" directory: mkdir /root/laptops
2. Make a directory for the files related to this school: mkdir /root/laptops/schoolname
3. Plug the USB stick into the machine, it will be mounted under the /media directory. Copy the CSV file to your /root/laptops/schoolname directory.

Things are in place now. Decide the number of days of validity for the leases (we'll use 10 in this example). The command to generate the leases will be (in one line):

obc-make-lease-from-csv --signingkey /root/masterkeys/lease /root/laptops/schoolname/schoolname.csv 10 | obc-format_as_cjson_leases > /root/laptops/schoolname/lease.sig

Now you have a lease.sig file in the /root/laptops/schoolname/ directory. To use it...

• To use it directly on XOs, copy it to the top directory of a USB stick.
• To use it in an XS, you will want to see the instructions that follow (in the "Load a lease.sig file on an XS")

Loading activation-related files on an XS

This technique is to load any lease.sig d-lease.sig d-oats.sig server.pri server.pub files into an XS.

For more details, see XS-activation

If you are dealing with a single XS

For example, you have a lease.sig file containing leases for a number of XOs, and you want to load it on an XS.

 # On a USB stick, make an 'xs-activation' directory
 mkdir /media/MYDISK/xs-activation
 # Copy the lease.sig file in there...
 cp /path/to/lease.sig /media/MYDISK/xs-activation/
 # Change to the directory
 cd /media/MYDISK/xs-activation/
 # Generate the manifest 
 M=`sha1sum lease.sig` && echo "$M" > manifest.sha1
 # Check that the manifest is OK
 sha1sum -c manifest.sha1

If you have several files, list them all when generating the manifest, like this:

 M=`sha1sum d-oats.sig d-lease.sig server.pri server.pub` && echo "$M" > manifest.sha1

If your are dealing with many XSs

The process is the same as for one server, but must be made in a subdirectory with a name that matches the name given to the server. For example for a server where hostname -f returns schoolserver.fidelcoloma.fundacion.org.ni, we do:

 # On a USB stick, make an 'xs-activation' directory
 mkdir /media/MYDISK/xs-activation
 mkdir /media/MYDISK/xs-activation/fidelcoloma
 # Copy the lease.sig file in there...
 cp /path/to/lease.sig /media/MYDISK/xs-activation/fidelcoloma
 # Change to the directory
 cd /media/MYDISK/xs-activation/fidelcoloma
 # Generate the manifest 
 M=`sha1sum lease.sig` && echo "$M" > manifest.sha1
 # Check that the manifest is OK
 sha1sum -c manifest.sha1

This allows the preparation of a single USB stick with different files for each School Server.

Following the process

This is only for debugging the process if you find problems.

Before you insert the USB stick into the XS, login and run

tail -f /var/log/user.log

When you insert the USB stick messages will appear there as the XS reads the contents. This same log shows the activity of the lease server.