Android/Security

Firmware security for the Android and Sugar build.

• set up for signing using firmware security and the bios-crypto source,
• copy /boot/alt/vmlinuz and /boot/alt/initrd.img from the Android build,
• sign the Android kernel with the deployment operating system (o1) private key:

sign-os.sh os vmlinuz runos4.zip

• purpose: firmware will check signature using public key (o1) stored in manufacturing data.

• sign the Android ramdisk with the deployment operating system (o1) private key:

sign-os.sh os initrd.img runrd4.zip

• purpose: firmware will check signature using public key (o1) stored in manufacturing data.

• place both files in in /boot/alt,

• purpose: firmware will load these files when O game key is used.

• link the activation mode to the Sugar activation kernel and ramdisk:

ln -s ../runos4.zip actos4.zip
ln -s ../actrd4.zip actrd4.zip

• purpose: for laptops with expired or missing activation lease, the supplied actrd4.zip must obtain a lease, write it to /security/lease.sig on the first partition, then reboot.

or, for laptops that are never assigned activation leases, link actos4.zip to the Android runos4.zip, and link actrd4.zip to the Android runrd4.zip, and the firmware will boot Android without obtaining a lease:

ln -s runos4.zip actos4.zip
ln -s runrd4.zip actrd4.zip

or, for laptops preactivated with the ak tag, no action is needed, because actrd4.zip is not used.

• sign the Q7B40 firmware release with the deployment firmware (w1) key, and copy the signed bootfw4.zip file to /boot/

• purpose: older firmware will check signature using public key (w1) stored in manufacturing data, and automatically reflash to Q7B40 if necessary.

• test booting using the O game key to select Android, or no O game key to select Sugar, using the X game key to enable security if it is not enabled,
• test booting using the rocker down key to display the boot menu.