Generating signed builds for Afghanistan
Bernie Innocenti
bernie at codewiz.org
Mon Jun 14 08:11:19 EDT 2010
[cc += devel at lists.laptop.org]
On Mon, 14-06-2010 at 15:07 +0430, javed khan wrote:
> I am working in Ministry of Education Kabul Afghanistan OLPC team as
> software developer and technical support officer.
Say hello to Mike Dawson from me!
> Which Linux OS is best for developing OLPC custom images?
I'm using Fedora 13 (x86_64) to create my images. Older versions of
Fedora also work.
If you also need to rebuild system RPM packages, you may also need to
keep an old Fedora 11 box around. I use one of our servers for this
purpose.
> How to sign a custom image for XOs in my country?
I thought that laptops in Afghanistan were being deployed unlocked.
In which case, you don't need to sign your builds.
If you need to implement the theft-deterrence system, you should
generate a set of key-pairs for your deployment using the bios-crypto
package, and load the public firmware key into the manufacturing data of
all your laptops.
Some info:
http://wiki.laptop.org/go/Firmware_security#Multiple-Key_Support
http://wiki.laptop.org/go/OLPC_Bitfrost
You will also have to set up a central activation server, or use the new
delegation scheme developed for Peru, which enables schoolservers to
generate activations autonomously. Martin Langhoff and Daniel Drake are
the most up-to-date people on this topic.
Some information here:
http://wiki.laptop.org/go/Theft_deterrence_protocol
Then, you can configure olpc-os-builder to create signed builds. This is
the easiest part. All you have to do is add something like this to your
configuration:
[signing]
bios_crypto_path=/home/bernie/src/olpc/bios-crypto
skey=/home/bernie/src/olpc/keys/pys1
okey=/home/bernie/src/olpc/keys/pyo1
wkey=/home/bernie/src/olpc/keys/pyw1
The entire anti-theft scheme is very complicated and requires a lot of
expertise to implement. In Paraguay, we have to deal with it almost
every day even after one year.
In my opinion, the engineering effort to implement the anti-theft system
is justified only if large quantities of laptops are being stolen every
year.
> How to put custom image into school server so the XOs can update
> from?
This requires olpc-update. The server side is a python program which
wraps rsync. Depending on what version of the OS your laptops are running,
they may or may not ask the schoolserver for updates. Try running
olpc-update from the command line and spy on what it is doing on the
network.
Another effective way to update many laptops consists in setting up a
NANDblaster server in the school:
http://wiki.laptop.org/go/Multicast_NAND_FLASH_Update
This will wipe the flash, so children and teachers need to be warned
ahead of time so they have time to back up important activities to a USB
stick.
PS: I suggest you change your subscription to non-digest mode, as it
makes it very hard to follow threads and reply to others. Usually email
clients can filter incoming mailing-list mail into separate folders.
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
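
A preflight check for the [signing] section quoted in the message above, as an added example that is not part of the original message or of olpc-os-builder. It assumes each key option is a key-pair prefix with `.private` and `.public` files beside it (a hypothetical layout; adjust the suffixes to whatever your bios-crypto key generation produces) and flags private keys that are readable by group or others.

```python
import configparser
import os
import stat
import sys

# Option names taken from the [signing] snippet in the message above.
REQUIRED = ("bios_crypto_path", "skey", "okey", "wkey")
# ASSUMPTION: each *key value is a key-pair prefix with these suffixes on disk.
PRIVATE_SUFFIX, PUBLIC_SUFFIX = ".private", ".public"


def check_signing_config(ini_text):
    """Return a list of human-readable problems; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("signing"):
        return ["no [signing] section"]
    sec, problems = cp["signing"], []
    for name in REQUIRED:
        value = sec.get(name, "").strip()
        if not value:
            problems.append(f"{name}: missing or empty")
        elif not os.path.isabs(value):
            problems.append(f"{name}: not an absolute path: {value}")
        elif name == "bios_crypto_path":
            if not os.path.isdir(value):
                problems.append(f"{name}: directory not found: {value}")
        else:
            problems.extend(_check_key_pair(name, value))
    return problems


def _check_key_pair(name, prefix):
    # Both halves must exist; the private half must be owner-only.
    problems = []
    for suffix in (PRIVATE_SUFFIX, PUBLIC_SUFFIX):
        if not os.path.isfile(prefix + suffix):
            problems.append(f"{name}: file not found: {prefix + suffix}")
    priv = prefix + PRIVATE_SUFFIX
    if os.path.isfile(priv):
        mode = stat.S_IMODE(os.stat(priv).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: private key readable beyond owner "
                            f"(mode {mode:o}): {priv}")
    return problems


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to the build configuration file
        print("\n".join(check_signing_config(fh.read())) or "signing config OK")
```

Run it against the build configuration before each signed build; any line of output is a reason to stop and fix the key store first.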