Activation and developer keys
- A developer key is a file named develop.sig containing cryptographic information tied to a specific XO laptop.
- An activation key is a file named lease.sig containing a cryptographic signature tied to a specific XO laptop and used to register the laptop with a school server in a deployment.
What you can do with a developer key
Some OLPC XO laptops are "secured", meaning that you can only install operating systems signed by OLPC. This limits the spread of hacked or virus-laden software, but when you want to install a custom OS, you will need to "unsecure" your machine.
To do this, you can get a developer key specially designed for your XO, put it on a USB drive or SD card, boot your XO with the drive or card plugged into it, and then run a short command to unsecure the machine.
Where the developer key is stored on the XO
When the XO boots, its firmware checks to see if security is enabled or permanently disabled (a system parameter). If it is enabled, it looks for the a developer key, at /security/develop.sig, on any USB flash drive and on any SD card that's plugged in. (See Firmware security for the gory details.)
If that file is there (and contains an appropriate string), the XO will act as though it is unsecured:
- You will be able to interrupt the boot process and enter commands
- You can run any program or disk image you supply to it, such as a Fedora or Debian Linux system.
Why you might want to unsecure your XO
OLPC and others produce unsigned operating system images for development and testing. These will only work on unsecured laptops.
If your laptop refuses to boot because the clock is set wrong, or complains about an unsigned kernel, you may need a developer key to fix this trouble.
When "secured" laptops can be useful
This security is part of the BitFrost security system, and is used to ensure that unless the user has specifically opted out, their basic operating software remains unmodified.
How to tell if your laptop is secured
Laptops obtained through the Give One, Get One program have had firmware security enabled. Many other XO laptops have had firmware security enabled, if it was requested by the deployment. (You can see which deployments have requested firmware security in Manufacturing_data.)
With a developer key, whenever the laptop boots, the firmware will give you the option to press the Escape key (at the upper left, marked ) and get an ok prompt, which lets you enter commands in Forth. If you don't press the Escape key, after a short countdown the firmware continues booting the operating system.
- This is the insecure boot process, and it will boot into any image you install on the xo.
- Rather than drawing pretty pictures on the screen, lots of text messages will be displayed, and will eventually scroll up the screen. This is normal, and can be useful for diagnosing problems in your laptop.
- The insecure boot process does not automatically upgrade firmware; you will be responsible for updating your firmware yourself.
Getting a developer key for your running XO laptop
There's a "Developer key request" web page on the XO to apply for a key.
- On your XO, open a new Browse activity, and navigate to the request page:
- For release 8.2.0, 10.1.x, and later, click on the link "get a developer key" at the bottom of the Browse start page,
- otherwise, type file:///home/.devkey.html in the browse location field and press enter.
- Follow the directions to apply for a developer key; it should be created in a day or two.
- Go back to the request page when your key is ready, and follow the instructions to download your key to your XO.
- Once your key has been created, you can return to this page at any time on your XO to re-download it; there will be no further creation delay.
- Reboot your XO.
Tip: if the typeface is too difficult to read easily, you can use Browse's Zoom options (in the View menu) to make it larger. Alternatively, you can copy the text and paste it into the Write activity, where you can resize it.
Using a developer key
Make back up copies!
However you get a key, please make a copy of it on some other computer, one that gets backed up regularly, in case this one is lost. Also, you should copy your developer key to /security/develop.sig on a USB drive, if you have one.
Disabling the security system
Once you have a developer key:
- Make sure it is in the /security/ directory on your USB drive or SD card.
- Plug it into your XO before booting it. Boot your XO with that drive/card plugged in.
- You can now either immediately install unsigned software, or interact with the firmware -- including permanently disabling the firmware security system. (Once this is turned off, you will no longer need your XO's developer key to run the machine in "unsecured" mode.)
To permanently turn off firmware security:
- Boot the XO as above, with a USB drive or SD card with the developer key plugged in. Interrupt the boot sequence: press the Escape key a few times during the startup sound, just after turning the laptop on, to bring up the firmware Ok prompt. (for other ways to reach the prompt, see Ok prompt.)
- Type disable-security. Press enter.
- If disable-security says "No wp tag", it means that security is already disabled.
- If disable-security says "Restarting to enable SPI flash writing. Try again after the system restarts.", you'll need to start over with the Esc key again as above.
- When security is disabled, you can re-enable it for a single boot (say, to test how a secured machine would work) by pressing the X gamepad key while powering on. This is useful to do firmware upgrades from signed builds. It can also help to test secure boot on release candidates.
- You can reverse the disable-security command by entering enable-security at the 'ok' prompt. Security will then be permanently enabled until disabled again.
- You can see the raw manufacturing data where the disable-security setting is stored by typing ".mfg-data". See Manufacturing data for details.
Troubleshooting disabling of the security system
Some of us have had some issues with disabling the security when the developer key is on a USB drive. This may happen if the USB drive is incompatible with the firmware. If you experience this problem, try using an SD card instead. It should be vfat formatted.
If you are on Linux:
mkfs.vfat -I /dev/sdX
then mount the SD card
mount -t vfat /dev/sdX /media/yourmountpoint cp develop.sig /media/yourmountpoint
Once you are done unmount your SD card:
umount /dev/sdX
then stick the SD into the XO (it is under the screen, you need to turn it -- it is on the right side), reboot and hold down -- then you will get to an {ok} prompt type:
disable-security
it will automatically reboot to enable access to internal data, and you must repeat this step, then it will update the internal data and reboot again.
Once it finishes booting, copy the developer key to the disk:
cd /media/$some-automatically-mounted-name su cp develop.sig /security
Now you can reboot and take out the SD card if you hit it will bring you to the {ok} prompt
If you wipe out your developer key
If you reflash your XO you will remove /security/develop.sig. One way this can happen is if you ever do a fresh install of an operating system image using the clean-install procedure (rather than olpc-update). If you haven't disabled security and the OS image that overwrote flash is unsigned, then your laptop won't boot. But you have several options:
- Revert to a previous OS image. Try pressing the 'O' (circle) gamepad key while booting. That will attempt to boot a previous version of the OS, and if it was signed it will succeed.
- Reflash again with a signed OS image.
- Insert a USB drive or SD card with your developer key on it in /security/develop.sig (this is why you should always be sure to backup develop.sig), which will allow booting of the unsigned OS image and/or let you get to the 'ok' prompt to disable security.
Once boot completes you can restore your developer key back to NAND flash by typing in a terminal something like
cp -pi /media/MY_USB_NAME/security/develop.sig /security
or you can re-visit the "Developer key request" form and re-download your developer key. But you would be better off if you immediately disabled security, as described above; that never expires, unlike developer keys in NAND flash that often get overwritten.
Getting a developer key without WiFi
If you have some network access, you can:
- use a USB-to-wired ethernet adapter to get your XO on the net, then follow the above instructions.
- copy the file /home/.devkey.html from the XO to another (network-connected) machine, and perform the process from that machine. Entering the following command in the Terminal activity will copy it to any USB devices connected:
- cp -p /home/.devkey.html /media/*/devkey.html
How to get a developer key when Browse freezes
At times Browse can freeze when trying to activate your key. An alternative way of activating is by starting Terminal or by pressing Ctrl+Alt+ to get to a console and get the serial + uuid for activation. Once you see the terminal, you may need to type in "root" with no password to login.
Next type in:
vi /home/.devkey.html
on line 16, there should be the serial_num (write down what it says under VALUE="....") and what it says on line 17 the uuid VALUE=...". You will need this information to register for your key.
Next start a browser on a computer that has web access and type in: |https://activation.laptop.org/devkey/post/ and enter in the serial and uuid that you got from the .devkey.html file and select "Get developer key".
You should then return to the web page after 24 hours. Your key will be ready for you.
Getting a developer key without network
Via snail mail
You can submit a written request via snail mail to:
- One Laptop per Child
P.O. Box 425087 - Cambridge, MA 02142
Of course you must include your serial number (typically looks like CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) to deactivate antitheft on this particular computer.
Your key will then be mailed back to you.
If the machine won't boot
Revert to a previous OS image
First, try booting with the 'O' (circle) gamepad key held down. That will attempt to boot a previous version of the OS, after which you can use one of the options above.
Generate a laptops.dat file
See the USB drive directly below. You can collect a laptops.dat file with the UUID information of your machine, or of many machines, with a single stick. This method will sometimes work when simply submitting the serial number to OLPC doesn't. This is because the laptops.dat file contains additional information about the system (the system date and UUID) which must be correct but is looked up or assumed when only a serial number is submitted.
Via USB drive
This requires a USB drive, and manual assistance from someone at OLPC. The drive must be set up to work as a collection stick by adding code that at boot time copies information from the XO to itself. After using it, you should send the resulting file to OLPC.
- Set up a collection stick
- Plug the stick it into your laptop and power it on
- It will display a pretty "XO" screen and then a short message like "SHFxxxxxxxx nnnnnnnnnnnnnnn; Laptop data recorded successfully". After a few seconds it will power itself off or indicate it is done.
- Remove the USB drive and move the file to a different computer
- Open laptops.dat in a text editor and take a look.
- Enter your Serial Number (e.g., CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUID (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from laptops.dat into https://activation.laptop.org/devkey/post/
- Return to https://activation.laptop.org/devkey/post/ between 15 minutes and 24 hours later and your Developer Key should be ready!
- Problems? Email the laptops.dat file to help@laptop.org . Please describe your problem, including the serial number (printed inside your battery compartment, visible when you remove the battery), and attach the resulting laptops.dat file.
Setting up a collection stick
- Download Actos.zip and Runos.zip (its source code in Forth, if you're interested, is at http://dev.laptop.org/git?p=users/cscott/actkey; it will only run if it's put into a signed zip file.)
- Put these files into the /boot/ directory on a FAT-formatted or FAT32-formatted USB drive.
- Most USB drives use FAT or FAT32 when you buy them (except "U2" drives which probably won't work; they contain their own ugly DRM stuff).
- Your USB drive should contain these files (and nothing else in the boot directory):
- boot/
- boot/Actos.zip
- boot/Runos.zip
- If there is an old laptops.dat file on the USB drive from an earlier collection of laptops, you can delete it. However, see below : if you are gathering data from a number of laptops, do not delete the file in between XOs. The USB drive can have any other files on it that you like.
Getting devkey data for many XOs at once
For each laptop that you want to get a Developer Key for:
- Repeat the above process, inserting your collection stick and powering on the laptop, for each XO in turn.
- This will combine metadata for each laptop into one laptops.dat file, so do not delete the laptops.dat file in between.
- Enter all Serial Numbers (e.g., CSNxxxxxxxx, SHFxxxxxxxx, or SHCxxxxxxxx) and UUID's (nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn) from laptops.dat into self-service site https://activation.laptop.org/devkey/post/ as described above.
- If problems, email the resulting laptops.dat file to help@laptop.org, indicating the # of laptops you need keys for, and explaining extenuating circumstances.
Then wait for OLPC to send you your Developer key(s) and/or Activation key(s).
What to do when you receive your activation or developer keys
NB: OLPC may also send you other files to put on the USB drive, to help to patch or circumvent whatever problem is preventing your laptop from booting properly.
- You can use the same USB drive that you used as collector stick.
- You'll receive one or two files from OLPC. Extract the file or files using your email program.
- If you receive a lease.sig file, it's your activation key. (G1G1 laptops don't need one.) Copy the file into the root directory of your USB drive.
- Make a directory called security/ in the root directory of your USB drive, and copy the developer key develop.sig file into it.
- You should now have these files on your USB drive:
- lease.sig (if received)
- security/
- security/develop.sig
- With the laptop powered off, insert the USB drive into a USB port and power it on.
- If the laptop wasn't previously activated, it will now boot.
- Any activation key provided will be copied to /security/lease.sig on the XO. Keep the activation key around (or copy it to your school server) in case you later need to reflash the XO.
- The XO searches for /security/develop.sig on any media (not just the internal NAND). As of recent builds, there is no longer any visual indication that the XO found a developer key in the normal boot graphics. You can check whether the developer key was accepted by entering the OFW prompt by pressing Escape key (at the upper left, marked ) immediately after powering on the laptop, such as at the time the speakers chime.
- To permanently disable secure booting, press Escape and type "disable-security", then power cycle and repeat that command. (see Disable the security system, above.)
- The developer key is not automatically copied to your laptop's internal flash memory. You can do that by copying security/develop.sig from the USB drive into /security/develop.sig on the XO. You'll need to be root in a Terminal activity to do that.
Remove the USB drive as usual -- via the Journal or after you are at an "ok" prompt in the boot firmware.
If you requested keys for more than one laptop, you can use the same process and the same USB drive for each laptop.
See also
Note: the Developer key page generated by the OLPC Activation Service (in response to a developer key request from the XO) links to this page.