Generating signed builds for Afghanistan

Ed McNierney ed at laptop.org
Mon Jun 14 08:38:28 EDT 2010


Javed -

The best way to get support for your efforts is to work through OLPC's country support team, since we have a working relationship with the Afghan MOE.  I will follow up with contact information so you can get the support you need.  Thanks!

	- Ed

Ed McNierney
CTO
One Laptop per Child
ed at laptop.org
+1 (978) 761-0049

On Jun 14, 2010, at 8:11 AM, Bernie Innocenti wrote:

> [cc += devel at lists.laptop.org]
> 
> El Mon, 14-06-2010 a las 15:07 +0430, javed khan escribiĆ³:
>> i am working in Ministry of Education Kabul Afghanistan OLPC team as
>> software developer and technical support officer.
> 
> Say hello to Mike Dawson from me!
> 
> 
>> which linux os is best for developing olpc custom images?
> 
> I'm using Fedora 13 (x86_64) to create my images. Older versions of
> Fedora also work.
> 
> If you also need to rebuild system RPM packages, you may also need to
> keep an old Fedora 11 box around. I use one of our servers for this
> purpose.
> 
> 
>> how to sign a custom image for xo's in my country ?
> 
> I thought that laptops in Afghanistan were being deployed unlocked.
> In which case, you don't need to sign your builds.
> 
> If you need to implement the theft-deterrence system, you should
> generate a set of key-pairs for your deployment using the bios-crypto
> package, and load the public firmware key into the manufacturing data of
> all your laptops.
> 
> Some info:
> 
> http://wiki.laptop.org/go/Firmware_security#Multiple-Key_Support
> http://wiki.laptop.org/go/OLPC_Bitfrost
> 
> 
> You will also have to setup a central activation server, or use the new
> delegation scheme developed for Peru, which enables schoolservers to
> generate activations autonomously. Martin Langhoff and Daniel Drake are
> the most up-to-date people on this topic.
> 
> Some information here:
> 
>  http://wiki.laptop.org/go/Theft_deterrence_protocol
> 
> 
> Then, you can configure olpc-os-builder to create signed builds. This is
> the easiest part. All you have to do is add something like this to your
> configuration:
> 
> [signing]
> bios_crypto_path=/home/bernie/src/olpc/bios-crypto
> skey=/home/bernie/src/olpc/keys/pys1
> okey=/home/bernie/src/olpc/keys/pyo1
> wkey=/home/bernie/src/olpc/keys/pyw1
> 
> 
> The entire anti-theft scheme is very complicated and requires a lot of
> expertise to implement. In Paraguay, we have to deal with it almost
> every day even after one year.
> 
> In my opinion, the engineering effort to implement the anti-theft system
> is justified only if large quantities of laptops are being stolen every
> year.
> 
> 
>> how to put custom image into school server so the xo's can update
>> from ?
> 
> This requires olpc-update. The server side is a python program which
> wraps rsync. Depending what version of the OS your laptops are running,
> they may or may not ask the schoolserver for updates. Try running
> olpc-update from the command line and spy what it is doing on the
> network.
> 
> Another effective way to update many laptops consists in setting up a
> NANDblaster server in the school:
> 
> http://wiki.laptop.org/go/Multicast_NAND_FLASH_Update
> 
> 
> This will wipe the flash, so children and teachers need to be warned
> ahead of time so they have time to backup important activities to a USB
> stick.
> 
> 
> 
> PS: I suggest you change your subscription to non-digest mode, as it
> makes very hard to follow threads and reply to others. Usually email
> clients can filter incoming mailing-list mail into separate folders.
> 
> -- 
>   // Bernie Innocenti - http://codewiz.org/
> \X/  Sugar Labs       - http://sugarlabs.org/
> 
> _______________________________________________
> Devel mailing list
> Devel at lists.laptop.org
> http://lists.laptop.org/listinfo/devel




More information about the Devel mailing list