Re: [Sugar-devel] Clocks on XOs
El Wed, 07-07-2010 a las 01:58 -0400, Kevin Mark escribió: > On Tue, Jul 06, 2010 at 05:03:02PM -0400, Bernie Innocenti wrote: > > > > PS: I just found yet another laptop which won't activate because the > > clock was set to 15 July 2000 (not 2010!). Do you see many of these? > just a query as I dont know the details of activation: if the rtc is off by a > year or more (10 year?) the laptop will not activte using the required > activation lease key? so the rtc must be up-to-date to use an activation lease > key? Yes, because the leases have an expiration date. (BTW: you dropped my name off the cc list in your reply. This is why I did not notice your question sooner) -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Sat, Jul 3, 2010 at 9:54 AM, Bernie Innocenti wrote: >> NetworkManager used to call ntpdate when it setup a connection. Was that an >> OLPC addition? Yes, although it's now present in litl's software builds as well. > We figured out that the ntp package has never been present on the XO > images. It was ntpdate, which was smaller than the whole ntp package. > There's no way to practical way to implement effective anti-theft > without taking away root from the user. And once we take away root > access, we've also taken away olpc's principle #1: child ownership. See my recent message on this topic. Apart from the hardware fix (which avoids RTC dependency altogether), it is also possible to separate most of root's authority from the RTC priviledge. Installing software, for example, requires root access to the filesystem, but not access to the RTC. >> What are the school servers doing to keep their clocks reasonable? > > They're using ntp, with the Fedora pool of ntp servers. You should probably apply for your own pool: http://www.pool.ntp.org/en/vendors.html#open-source It's pretty painless, and makes you a better netizen. >> > Why aren't we using ntp? >> >> ntp is probably overkill for XOs. Besides, who would want to give up that >> much ram? On top of that, ntpd doesn't get along with power saving mode. That's why you use ntpdate. --scott -- ( http://cscott.net/ ) ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 6, 2010 at 10:14 PM, Bernie Innocenti wrote: >> And that there are efforts to solve that in the future. > > Oh, I was unaware of this. Who is working on it, and what's the exact > plan? http://dev.laptop.org/ticket/9564 Now, folks, please be careful here with all the exaggeration and drama. This list is full of people who don't understand humour or exaggeration. And who don't necesarily understand that security is never absolute, never perfect. Our antitheft scheme doesn't work in a vacuum -- it only works as a social device, to strongly discourage theft and grey-market sales. Tradeoffs is what it's all about. cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 06, 2010 at 04:36:55PM -0600, Daniel Drake wrote: > > > PS: I just found yet another laptop which won't activate because the > > clock was set to 15 July 2000 (not 2010!). Do you see many of these? > > This was probably a human error in the Fix_clock repair process that > happened on that laptop. from my understanding of the 'fix clock'/rtc issue, the clock would go back to about 1970? and not something as recent as 2000. -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 06, 2010 at 05:03:02PM -0400, Bernie Innocenti wrote: > > PS: I just found yet another laptop which won't activate because the > clock was set to 15 July 2000 (not 2010!). Do you see many of these? just a query as I dont know the details of activation: if the rtc is off by a year or more (10 year?) the laptop will not activte using the required activation lease key? so the rtc must be up-to-date to use an activation lease key? -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Tue, 2010-07-06 at 16:36 -0600, Daniel Drake wrote: > On 6 July 2010 15:03, Bernie Innocenti wrote: > > Well, granting root access from the console already weakens it to the > > point of being useless. Who would bother to setup a fake DHCP, DNS and > > NTP server when it takes 20 seconds to crack it from the console? :-) > > Right. So with that logic, lets just throw out the whole security > system. Ignoring the fact that some deployments ship without root > access. Is the practice of completely locking-down the laptops something we'd even want to encourage? Assuming we don't, why should we cripple time-syncing for everyone just to simplify an unsupported customization? > And that there are efforts to solve that in the future. Oh, I was unaware of this. Who is working on it, and what's the exact plan? > Having ntp sync like this weakens the security system because it means > that when you fix one problem (of easy root access, for example), you > still have other ones that make your system easily defeatable. > Instead, if you choose not to add more holes, once you fix the > existing ones then you have a fully secure system. Easy root access is not a security bug, it's a feature that OLPC deliberately chose to give to all users. I even submitted a mingetty patch adding --loginpause which we use to drop into the root console. Why? Because, without root access, children would own the XO the same way consumers own the iPhone and the TiVo. They could crash the physical thing on the floor and burn it, but not flip one bit without government's authorization. I may sound a bit melodramatic, but a project of this kind wouldn't have inspired me to volunteer even for one day. Moralities apart, I guess anyone would agree on the purely technical statement that we can't make OATS work effectively without also taking away root privileges (or the best parts of it). Any half-hearted compromise is likely to be as ineffective as it is annoying. > > This isn't globally acceptable: many (most?) laptops run without a OATS > > server, so their clock would remain wrong forever. > > This picture is rapidly changing. I thought the default was changed one year ago from locked to unlocked. I would be surprised if many deployments had the technical skills to deal comfortably with the complexity of the activation system, when it is very challenging even for us. We probably disagree here, but I think that in most cases OATS costs more to maintain than its actual economical benefit. Admittedly, it works very well at addressing a problem of fear that may play a big role in influencing decision makers. Come on, we all secretly know this and play dumb :-) -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On 6 July 2010 15:03, Bernie Innocenti wrote: > Well, granting root access from the console already weakens it to the > point of being useless. Who would bother to setup a fake DHCP, DNS and > NTP server when it takes 20 seconds to crack it from the console? :-) Right. So with that logic, lets just throw out the whole security system. Ignoring the fact that some deployments ship without root access. And that there are efforts to solve that in the future. Having ntp sync like this weakens the security system because it means that when you fix one problem (of easy root access, for example), you still have other ones that make your system easily defeatable. Instead, if you choose not to add more holes, once you fix the existing ones then you have a fully secure system. > This isn't globally acceptable: many (most?) laptops run without a OATS > server, so their clock would remain wrong forever. This picture is rapidly changing. > PS: I just found yet another laptop which won't activate because the > clock was set to 15 July 2000 (not 2010!). Do you see many of these? This was probably a human error in the Fix_clock repair process that happened on that laptop. Daniel ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Sat, Jul 3, 2010 at 9:54 AM, Bernie Innocenti wrote: > Likely so, but the software should be able to compensate for it. After > discussing it on IRC, it seems that olpc-update-query should > automatically update the clock from the OATS server. Do _not_ rely on this for accurate clock setting. It only kicks in if - the clock is really off - the XS has delegated OATS keys >> NetworkManager used to call ntpdate when it setup a connection. Was that an >> OLPC addition? > > We figured out that the ntp package has never been present on the XO > images. Um? I thought it was there -- perhaps in much older builds? ... > There's no way to practical way to implement effective anti-theft > without taking away root from the user. And once we take away root > access, we've also taken away olpc's principle #1: child ownership. Not true on several levels. We can control the clock in OFW for the case where the time is reset to the past. Not implemented (yet) but planned. cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Tue, 2010-07-06 at 11:21 -0600, Daniel Drake wrote: > I think it's fine that individual deployments can do it. But it > shouldn't be done globally because it weakens the security system. Which security system, the theft deterrence? Well, granting root access from the console already weakens it to the point of being useless. Who would bother to setup a fake DHCP, DNS and NTP server when it takes 20 seconds to crack it from the console? :-) Where you thinking of a different scenario? > A globally acceptable solution could be to decrease the safety guard > on the olpc-update-query check so that it corrects the time if it is > (e.g.) more than 1 hour out. This isn't globally acceptable: many (most?) laptops run without a OATS server, so their clock would remain wrong forever. PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On 6 July 2010 10:10, Bernie Innocenti wrote: > Laptops with anti-theft enabled can get the time from the OATS server > when it's off by more than 24 hours. Unlocked laptops don't have a way > to synchronize the time at all. > > All we need to fix it is a trivial shell script. Why not do it? I think it's fine that individual deployments can do it. But it shouldn't be done globally because it weakens the security system. A globally acceptable solution could be to decrease the safety guard on the olpc-update-query check so that it corrects the time if it is (e.g.) more than 1 hour out. Daniel ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Mon, 2010-07-05 at 08:22 -0600, Daniel Drake wrote: > On 3 July 2010 16:52, Bernie Innocenti wrote: > > I checked: olpc-update-query only sets the clock if it's off by more > > than 24hours, so it cannot serve as a replacement for ntpdate. > > What's the requirement for super-accurate clocks on the XO? It doesn't have to be super-accurate, just good enough to show a clock with a meaningful time. Laptops with anti-theft enabled can get the time from the OATS server when it's off by more than 24 hours. Unlocked laptops don't have a way to synchronize the time at all. All we need to fix it is a trivial shell script. Why not do it? NOTE: whoever is interested in supporting configurations that take away root access from users will probably want to remove this functionality as well. Very sad :-( -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On 3 July 2010 16:52, Bernie Innocenti wrote: > I checked: olpc-update-query only sets the clock if it's off by more > than 24hours, so it cannot serve as a replacement for ntpdate. What's the requirement for super-accurate clocks on the XO? Daniel ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
El Sat, 03-07-2010 a las 09:54 -0400, Bernie Innocenti escribió: > Likely so, but the software should be able to compensate for it. After > discussing it on IRC, it seems that olpc-update-query should > automatically update the clock from the OATS server. I checked: olpc-update-query only sets the clock if it's off by more than 24hours, so it cannot serve as a replacement for ntpdate. Besides, I can't find where NetworkManager would be running ntpdate... The most logical place would be /etc/NetworkManager/dispatcher.d, but there's nothing. The ntp packate drops a script in /etc/dhcp/dhclient.d, but it seems to kick into action only if the dhcp server provides an ntp server option. My conclusion: currently there's no straight-forward way to set the clock on the XO (even when we don't care about the time hijacking scenario). -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
Excerpts from Hal Murray's message of Sat Jul 03 18:42:48 + 2010: > >> On top of that, ntpd doesn't get along with power saving mode. > > I haven't noticed anything odd. Either it's been fixed in the meantime or it > > was only subtle misbehaviour. Do you have a ticket number or link to a > > description of the problem that has been experienced before? > > Are you running XO-1s with power saving enabled? Last I knew that didn't > work and recent OSes ship with it pre-configured to off. I'm running Debian squeeze with powerd on both XO-1 and XO-1.5 > "doesn't get along" may be too strong. The symptoms were that the clock > drifted wildly. Then it seems fixed. I would have noticed a wildly drifting system clock. > I'll dig out some data if it matters, but that was with the > old kernel from Fedora 9, when power saving worked. This is with the latest OLPC kernel (2.6.31). > Linux seems to break things when somebody cleans up something in this area. > I think there has been more work in this area recently, but it may not be > that recent. I'm procrastinating until power saving works again. Ah, so you're talking about power saving, not clocks (re. cleaning up). Yes, suspend still contains too many race conditions to enable auto-suspend by default unfortunately. But as this is where the embedded world seems to be going as well, there's a good chance this will improve near to medium term. > Clocks are hard. Clocks on XOs are doubly hard because you don't have > anyplace to stand when the CPU and its clocks are powered down. Unless you happen to hit the bad RTC battery holder problem or don't use your XO for several months, the RTC will always be powered on the XO-1, even if you took the battery out. PS: Follow-Up set to de...@l.l.o as this is about XOs, not Sugar. Sascha signature.asc Description: PGP signature ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
>> On top of that, ntpd doesn't get along with power saving mode. > I haven't noticed anything odd. Either it's been fixed in the meantime or it > was only subtle misbehaviour. Do you have a ticket number or link to a > description of the problem that has been experienced before? Are you running XO-1s with power saving enabled? Last I knew that didn't work and recent OSes ship with it pre-configured to off. With power saving disabled, ntpd works as expected. "doesn't get along" may be too strong. The symptoms were that the clock drifted wildly. I'll dig out some data if it matters, but that was with the old kernel from Fedora 9, when power saving worked. I don't have a ticket number. Linux seems to break things when somebody cleans up something in this area. I think there has been more work in this area recently, but it may not be that recent. I'm procrastinating until power saving works again. Clocks are hard. Clocks on XOs are doubly hard because you don't have anyplace to stand when the CPU and its clocks are powered down. -- These are my opinions, not necessarily my employer's. I hate spam. ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
On Fri, Jul 02, 2010 at 08:15:38PM -0700, Hal Murray wrote: > Was: Subject: =?ISO-8859-1?Q?Caacup=E9?= war bullettin -- day 1 > > ber...@codewiz.org said: > > * Date not being updated > > One laptop booted with clock set to the Epoch. > > Is that one of the old XOs that had troubles with the tiny battery feeding > the TOY/RTC clock when the main battery and wall power are both disconnected? > I forget the details, but I think there was a problem with the battery > holder. > the 'd6 bricking' has 2 common symptoms: the laptop boots with a dark screen and the mic light flashes and never goes further or the laptop boots with a message about an invalid date and goes no further. That is for non-lease-bound XOs. The lease complicates this as because when you have to re-image the laptop, you need to get a lease file onto the laptop to activate the laptop. See: http://wiki.laptop.org/go/Fix_Clock (let me know if you want to add a spanish translation) cheers, Kev -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
El Fri, 02-07-2010 a las 20:15 -0700, Hal Murray escribió: > Is that one of the old XOs that had troubles with the tiny battery feeding > the TOY/RTC clock when the main battery and wall power are both disconnected? > I forget the details, but I think there was a problem with the battery > holder. Likely so, but the software should be able to compensate for it. After discussing it on IRC, it seems that olpc-update-query should automatically update the clock from the OATS server. > NetworkManager used to call ntpdate when it setup a connection. Was that an > OLPC addition? We figured out that the ntp package has never been present on the XO images. > I think this area gets tangled up with security and lease checking. Do we > want/need two separate modes, one for the secure case and another for > developers without a school server? Maybe. We discussed the security implications of using unauthenticated ntp on XOs with anti-theft enabled yesterday on IRC. The concern is that a clever thief could setup a LAN with DHCP, DNS and NTP to set a date in te past and thus subvert the leases expiration scheme. However, with root access on the laptop, one does not need to bother so much: they could simply change the time from the console or, better, in /etc/rc.local. There's no way to practical way to implement effective anti-theft without taking away root from the user. And once we take away root access, we've also taken away olpc's principle #1: child ownership. > What are the school servers doing to keep their clocks reasonable? They're using ntp, with the Fedora pool of ntp servers. > > Why aren't we using ntp? > > ntp is probably overkill for XOs. Besides, who would want to give up that > much ram? On top of that, ntpd doesn't get along with power saving mode. Wow, 2MB of RSS! I had no idea ntp was such a hog. > Aside from quirks like this one, is time on the XO normally good enough? I would have to check... -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Clocks on XOs
Excerpts from Hal Murray's message of Sat Jul 03 03:15:38 + 2010: > > Why aren't we using ntp? > ntp is probably overkill for XOs. Besides, who would want to give up that > much ram? openntpd uses 390.5 KB on my XO-1 (measured using ps_mem.py after an uptime of 22 days). > On top of that, ntpd doesn't get along with power saving mode. I haven't noticed anything odd. Either it's been fixed in the meantime or it was only subtle misbehaviour. Do you have a ticket number or link to a description of the problem that has been experienced before? Sascha -- http://sascha.silbe.org/ http://www.infra-silbe.de/ signature.asc Description: PGP signature ___ Sugar-devel mailing list Sugar-devel@lists.sugarlabs.org http://lists.sugarlabs.org/listinfo/sugar-devel