[Sugar-devel] Generating signed builds for Afghanistan

Bernie Innocenti bernie at codewiz.org
Mon Jun 14 08:11:19 EDT 2010


[cc += devel at lists.laptop.org]

El Mon, 14-06-2010 a las 15:07 +0430, javed khan escribió:
> i am working in Ministry of Education Kabul Afghanistan OLPC team as
> software developer and technical support officer.

Say hello to Mike Dawson from me!


> which linux os is best for developing olpc custom images?

I'm using Fedora 13 (x86_64) to create my images. Older versions of
Fedora also work.

If you also need to rebuild system RPM packages, you may also need to
keep an old Fedora 11 box around. I use one of our servers for this
purpose.


> how to sign a custom image for xo's in my country ?

I thought that laptops in Afghanistan were being deployed unlocked.
In which case, you don't need to sign your builds.

If you need to implement the theft-deterrence system, you should
generate a set of key-pairs for your deployment using the bios-crypto
package, and load the public firmware key into the manufacturing data of
all your laptops.

Some info:

 http://wiki.laptop.org/go/Firmware_security#Multiple-Key_Support
 http://wiki.laptop.org/go/OLPC_Bitfrost


You will also have to setup a central activation server, or use the new
delegation scheme developed for Peru, which enables schoolservers to
generate activations autonomously. Martin Langhoff and Daniel Drake are
the most up-to-date people on this topic.

Some information here:

  http://wiki.laptop.org/go/Theft_deterrence_protocol


Then, you can configure olpc-os-builder to create signed builds. This is
the easiest part. All you have to do is add something like this to your
configuration:

 [signing]
 bios_crypto_path=/home/bernie/src/olpc/bios-crypto
 skey=/home/bernie/src/olpc/keys/pys1
 okey=/home/bernie/src/olpc/keys/pyo1
 wkey=/home/bernie/src/olpc/keys/pyw1


The entire anti-theft scheme is very complicated and requires a lot of
expertise to implement. In Paraguay, we have to deal with it almost
every day even after one year.

In my opinion, the engineering effort to implement the anti-theft system
is justified only if large quantities of laptops are being stolen every
year.


> how to put custom image into school server so the xo's can update
> from ?

This requires olpc-update. The server side is a python program which
wraps rsync. Depending what version of the OS your laptops are running,
they may or may not ask the schoolserver for updates. Try running
olpc-update from the command line and spy what it is doing on the
network.

Another effective way to update many laptops consists in setting up a
NANDblaster server in the school:

 http://wiki.laptop.org/go/Multicast_NAND_FLASH_Update


This will wipe the flash, so children and teachers need to be warned
ahead of time so they have time to backup important activities to a USB
stick.



PS: I suggest you change your subscription to non-digest mode, as it
makes very hard to follow threads and reply to others. Usually email
clients can filter incoming mailing-list mail into separate folders.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/



More information about the Sugar-devel mailing list