Activation and developer keys

From OLPC
Revision as of 18:10, 6 December 2007 by AlexL (talk | contribs)
Jump to navigation Jump to search

Getting a Developer Key for your XO

This is necessary for anyone who wants to run unsigned development builds. With few exceptions, only builds downloaded from http://download.laptop.org/xo-1/os/official/ are signed.

  1. On the xo, open the browser activity.
  2. Click on the Library link "other" and then on "about your xo"
  3. Click on the link at the very bottom of the page called "apply for a developer key". (First hit the last link in the table of contents to quickly get to the bottom of the page.)
    • You can also just type 'file:///home/.devkey.html' in the browser window to get to this page.
  4. Follow the directions to apply for a developer key.
  5. The key should be created within a day or two.
  6. Go back to the page when your key is ready, and follow the instructions for downloading your key. Once the key has been created, you can return to this page at any time to redownload it; there will be no further creation delay.
  7. Reboot your xo.
  8. Now, whenever the laptop boots, open firmware will give you the option to hit esc and get an ok prompt. Do nothing to continue the boot; you will see lots of normally-hidden boot status information.
    • This is the insecure boot process, and it will boot into any image you install on the xo.
    • The insecure boot process does *not* automatically upgrade firmware; you will be responsible for keeping your firmware up to date yourself.
  9. If you type 'disable-security' at the ok prompt, security will be turned off on your laptop permanently. (This isn't necessary, but in some cases useful; see below.)
    • Once security is disabled, you can re-enable it for a single boot by pressing the X gamepad key while turning the power on. This is useful to help us test secure boot on release candidates, as well as to perform firmware upgrades from signed builds.
    • You can reverse the 'disable-security' command with 'enable-security' at the ok prompt.
    • You may want to copy or move your developer key from /security/develop.sig on the build in NAND flash to /security/develop.sig on a USB key or SD card. Having the lease available in any of these places will enable insecure boot. (See Firmware Security for the gory details.) Keeping develop.sig on a USB key means that you can easily insert/remove the key to en/disable secure boot, which is often useful if you only occasionally need to temporarily disable security.
    • If you are doing fresh installs (complete overwrites; i.e. not olpc-update) of the operating system, you will lose the developer key (stored in /security/develop.sig) and if you haven't disabled security and the build you overwrote with isn't signed, your laptop won't boot. You will have to reflash with a signed image to recover, or insert a USB key with your developer key on it.


Getting Activation/Developer Keys for one or many XOs

(NOTE: this requires having an account on https://activation.laptop.org)

  1. First, you must create a 'Collection key'
    1. Download File:Actos.zip and File:Runos.zip (sources: http://dev.laptop.org/git?p=users/cscott/actkey)
      • These files are identical, but secure boot will choose one or the other depending on activation status.
    2. Put these files in a directory called 'boot' on a FAT-formatted usb key.
  2. Boot the laptop with the 'Collection key' inserted.
    • This will create a laptops.dat file on the usb key. (If you've done this before, be sure to first delete any old laptops.dat files on the key.)
  3. Boot each laptop in turn that you want to create keys for. The 'Collector key' will append each new laptop to the laptops.dat file, so do not delete the laptops.dat file between each laptop in a group that you are getting keys for.
  4. Go to: https://activation.laptop.org
  5. Sign in
  6. Click on 'Create a new lease request'
  7. Upload the laptops.dat file, and fill in the request information.
    • You may have to wait until the next business day to get your keys, but they should generally be created within a few minutes.
    • Note: the activation key (leases.sig) should go into the root directory of your USB key; the developer key (develop.sig) should be added to a subdirectory called 'security' on the USB key.
  8. Boot the laptop with the usb key inserted
    • The same key should work for all the laptops you included in the laptops.dat file.
  9. If the laptop wasn't previously activated... it will now boot properly
    • The activation key will be copied to /security/lease.sig on the XO. You may want to keep the activation key around (or copy the activation key to the school server) in case you ever need to wipe the XO and reflash it.
  10. If you're using the developer key, you should be able to get to the ok prompt.
  11. To permanently disable secure boot, you can type 'disable-security' from the OK prompt. You may need to leave the developer key in for a reboot and one more 'disable-security' command. See above for more information on using your developer key.

See also: OLPC on free/open source software