Re: Create and sign Country specific XO image
On Tue, Jun 30, 2009 at 3:56 AM, Philipp Kocherphilipp.koc...@gmx.net wrote: So getting our own keys in the manufacturing data is not an option. It still is. Google for keyjector :-) What is the problem with the process described here http://blog.olenepal.org/index.php/archives/183? For a more complete explanation, see the 'multiple keys' page you will find googling for keyjector. Some major points: - Forces you to depend on OLPC. - Forces OLPC to audit your image before signing it. - Your OLPC-signed image can be used on _any_ secure XO that uses OLPC keys (instead of their own), not only the ones in your deployment. - By using OLPC's keys in your deployment, your XOs can be re-flashed with any other OLPC signed image. cheers, martin -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Create and sign Country specific XO image
2009/6/30 Philipp Kocher philipp.koc...@gmx.net: The XOs got manufactured some time ago and just not delivered because localization wasn't finished (localization is still not finished, but the XO arrived yesterday). So getting our own keys in the manufacturing data is not an option. You can keyject them, if you have an appropriate relationship with OLPC to get them to make you a keyjector firmware. I hoped for an easier image creation and signing process. What is the problem with the process described here http://blog.olenepal.org/index.php/archives/183? Do your XOs have security enabled? If so you cannot do it because you cannot reach a command prompt and the XO will not accept unsigned images. Unless you want to modify the process to include obtaining developer keys for all laptops and disabling security. Also this method is a bad idea as has been discussed several times; many files are generated during the first and subsequent boots which are unique to each XO (hence you would want to delete them from your image) but nobody has really documented which ones they are or how you should deal with this. A number of projects have resorted to this method but all of them seem to face oddities after a while... Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Create and sign Country specific XO image
The XOs got manufactured some time ago and just not delivered because localization wasn't finished (localization is still not finished, but the XO arrived yesterday). So getting our own keys in the manufacturing data is not an option. I hoped for an easier image creation and signing process. What is the problem with the process described here http://blog.olenepal.org/index.php/archives/183? 1. setup one XO the way you want it (I would use a script to do this) 2. delete a few files 3. create the image with save-nand at the ok prompt. 4. If I could send the CRC file of the image to OLPC and they would give me a fs.zip in return, that would be great. This way I could use the NandBlaster for the first installation and would be much faster than installing os802.img from USB flash drive and call the customization script on the flash drive on each XO. Daniel Drake wrote: On Fri, 2009-06-26 at 11:25 +0700, Philipp Kocher wrote: Hello Cambodia is getting 1000 new XOs very soon. This are the first ones with a Khmer keyboard. To make the installation process easier, I would like to create a country specific image based on build 802, which includes Khmer keyboard support, fonts, the newest language pack with software translations, Activities and some customizations. Image builder can do all this: http://wiki.laptop.org/go/Image_builder You'll have to script some of those customizations. The other option is to use pilgrim, which is what I think they do in Nepal. Looking back, I think this is a better option than image builder for the non-activity customizations, but image builder is probably a bit easier to get started with. You have to decide if you want to sign your own builds, or if you want to get OLPC to do it (if they will do so). To do it yourself you have to generate your own public/private keys and somehow get those public keys to be present in the manufacturing data on all of your laptops. Full details here: http://wiki.laptop.org/go/Firmware_security#Multiple-Key_Support The bios-crypto code is what you will use to sign your images. Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Create and sign Country specific XO image
On Fri, Jun 26, 2009 at 6:47 AM, Bryan Berrybr...@olenepal.org wrote: Personally, i think you are better off unlocking your XO's and using and unsigned image. Actually, the best option is to get the laptops with their own keys, so they can sign their image themselves. This keeps antitheft tools available. I'm finishing an XS release that supplies the bits that have been missing -- with it you can run the full blown antitheft scheme. cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Create and sign Country specific XO image
On Fri, 2009-06-26 at 11:25 +0700, Philipp Kocher wrote: Hello Cambodia is getting 1000 new XOs very soon. This are the first ones with a Khmer keyboard. To make the installation process easier, I would like to create a country specific image based on build 802, which includes Khmer keyboard support, fonts, the newest language pack with software translations, Activities and some customizations. Image builder can do all this: http://wiki.laptop.org/go/Image_builder You'll have to script some of those customizations. The other option is to use pilgrim, which is what I think they do in Nepal. Looking back, I think this is a better option than image builder for the non-activity customizations, but image builder is probably a bit easier to get started with. You have to decide if you want to sign your own builds, or if you want to get OLPC to do it (if they will do so). To do it yourself you have to generate your own public/private keys and somehow get those public keys to be present in the manufacturing data on all of your laptops. Full details here: http://wiki.laptop.org/go/Firmware_security#Multiple-Key_Support The bios-crypto code is what you will use to sign your images. Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Create and sign Country specific XO image
Hello Cambodia is getting 1000 new XOs very soon. This are the first ones with a Khmer keyboard. To make the installation process easier, I would like to create a country specific image based on build 802, which includes Khmer keyboard support, fonts, the newest language pack with software translations, Activities and some customizations. I found just very few information about creating a country specific image (mainly from Nepal): http://tiezemans.wordpress.com/2008/12/30/customizing-the-xo-image/ http://blog.olenepal.org/index.php/archives/183 http://wiki.laptop.org/go/Customizing_NAND_images How can I get a country specific image file signed? Which other customizations or bugfixes are recommended to be included (e.g. like the ones from paraguay http://lists.laptop.org/pipermail/devel/2009-March/023788.html)? Detailed instructions from other deployments about creating an image are very welcome. Thanks and best regards, Philipp ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Create and sign Country specific XO image
Philip, talk to reuben caron about getting the image signed. Personally, i think you are better off unlocking your XO's and using and unsigned image. If you want to create a custom image, my best recommendation is that you contract Ties Stuij or someone at OLPC to do it for you. Reuben may or may not have the resources to do it himself. Creating a custom image is a fair amount of work and you always have to change it later. On Fri, 2009-06-26 at 11:25 +0700, Philipp Kocher wrote: Hello Cambodia is getting 1000 new XOs very soon. This are the first ones with a Khmer keyboard. To make the installation process easier, I would like to create a country specific image based on build 802, which includes Khmer keyboard support, fonts, the newest language pack with software translations, Activities and some customizations. I found just very few information about creating a country specific image (mainly from Nepal): http://tiezemans.wordpress.com/2008/12/30/customizing-the-xo-image/ http://blog.olenepal.org/index.php/archives/183 http://wiki.laptop.org/go/Customizing_NAND_images How can I get a country specific image file signed? Which other customizations or bugfixes are recommended to be included (e.g. like the ones from paraguay http://lists.laptop.org/pipermail/devel/2009-March/023788.html)? Detailed instructions from other deployments about creating an image are very welcome. Thanks and best regards, Philipp ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel -- Bryan W. Berry Technology Director OLE Nepal, http://www.olenepal.org ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
