12.1.0 on XO-1 customization stick

James Cameron quozl at laptop.org
Thu Nov 15 23:14:53 EST 2012


On Thu, Nov 15, 2012 at 09:21:53PM -0500, Tony Anderson wrote:
> Hi,
> 
> Thanks. Now two questions:
> 
> 1. How do I create and install a local key?

The bios-crypto software creates local keys.

http://wiki.laptop.org/go/Firmware_security "Making New Deployment
Keys"

The firmware accepts local keys at the ok prompt, storing them in the
manufacturing data area of the SPI FLASH chip.

http://wiki.laptop.org/go/Firmware_security "Adding Deployment Keys to
Manufacturing Data" and "Procedures for Adding Deployment Keys En
Masse" (for instance, using the key injector).

> 2. How do I sign the build with that key?

http://wiki.laptop.org/go/OSBuilder#Signing_preparation first, then
follow the instructions in the signing module of olpc-os-builder:

http://dev.laptop.org/git/projects/olpc-os-builder/tree/modules/signing/README

> 
> This procedure uses a single key which is installed in all XOs (not
> a different key for each laptop like the developer key).

Yes, installed on all laptops in a deployment or collection.

> 
> Tony
> 
> On 11/15/2012 09:06 PM, John Watlington wrote:
> >
> >On Nov 15, 2012, at 8:44 PM, Tony Anderson wrote:
> >
> >>Hi,
> >>
> >>If I understand this:
> >>
> >>1. Get a developer key for each laptop in the school.
> >>2. Use the developer key to unlock each laptop.
> >>3. Do a normal install of the build image.
> >>4. Relock the laptop by removing the developer key on the XO
> >
> >Once you remove the developer key, it will refuse to boot an
> >unsigned image.
> >
> >The process is more like:
> >
> >>1. Get a developer key for each laptop in the school.
> >>2. Use the developer key to unlock each laptop.
> >2a. Install local keys (either in addition to the OLPC keys or replacing them)
> >
> >>3. Do a normal install of the build image.
> >3a. This build should be signed with the local keys
> >
> >>4. Relock the laptop by removing the developer key on the XO
> >
> >Cheers,
> >wad
> >
> >.
> >
> 

-- 
James Cameron
http://quozl.linux.org.au/


