[OLPC Security] OFW system copier key -- security review for immediate signing

Erik Garrison erik at laptop.org
Thu Sep 4 23:42:37 EDT 2008 

Techteam and Security,

Attached is a 32-line OFW Forth script which, when run from OFW on a XO,
saves the NAND FLASH of the XO to a file on the usb flash drive from
which it is run, then shuts down the machine.  For convenience the
filename corresponds to the equipment's serial number.  Users are
notified if an error occurs during the process.

The script is necessary because it allows the acquisition of such images
in cases where the laptop is locked, unbootable, or it is otherwise
inconvenient or impossible to acquire a developer key so that the NAND
FLASH can be copied from OFW.  It will allow us to speed the acquisition
of system images from the field and improve available feedback about the
usage of our systems in the wild.

I wrote the script with the guidance of Mitch Bradley, and have tested
it from the OFW prompt of an unlocked machine.

Please approve and sign this image ASAP so that it can be used to copy
the disk images of unsecured laptops here in Uruguay.  There is some
time sensitivitiy to this issue, as I only have one more day at LATU to
acquire NAND images to start testing our upgrade systems.

Erik
-------------- next part --------------
\ OLPC Boot Script for automatically saving OS images
\ by Erik Garrison <erik at laptop.org>
\ with help from Mitch Bradley <wmb at laptop.org>

\ Version number
." syscopy key version: 2008-09-04 19:02Z" cr

screen-ih stdout ! \ show output to show process progress
no-page \ but don't use the pager, because the keyboard isn't turned on
\ (the keyboard is only turned on if we boot holding down a game key)

' . to .error           \ suppress fancy abort messages
' noop to load-started  \ suppress the load progress spinner
' noop to ?show-device  \ suppress the boot progress icons
' false to auto-boot?   \ suppress automatic booting after this finishes

h# 100 buffer: $cmd-buf

: save-named-image ( -- ) \ save NAND image to USB storage device
   " save-nand " $cmd-buf place   ( )
   make-sn-name $cmd-buf $cat     ( )
   $cmd-buf count                 ( adr len )
   ." Saving system NAND FLASH" cr  ( adr len )
   ['] evaluate catch if                          ( x x )
      red-letters ." Save failed - power off to restart" cr   ( x x )
      suspend  bye
   then                           ( )
   green-letters ." Save complete, powering off in three seconds" cr  ( )
   d# 3000 ms  power-off
;

save-named-image

More information about the Security mailing list