On Thu, Nov 15, 2012 at 09:21:53PM -0500, Tony Anderson wrote:
> Hi,
>
> Thanks. Now two questions:
>
> 1. How do I create and install a local key?

The bios-crypto software creates local keys.

http://wiki.laptop.org/go/Firmware_security
"Making New Deployment Keys"

The firmware accepts local keys at the ok prompt, storing them in the
manufacturing data area of the SPI FLASH chip.

http://wiki.laptop.org/go/Firmware_security
"Adding Deployment Keys to Manufacturing Data" and
"Procedures for Adding Deployment Keys En Masse"
(for instance, using the key injector).

>
> 2. How do I sign the build with that key?

http://wiki.laptop.org/go/OSBuilder#Signing_preparation first, then
follow the instructions in the signing module of olpc-os-builder:

http://dev.laptop.org/git/projects/olpc-os-builder/tree/modules/signing/README

>
> This procedure uses a single key which is installed in all XOs (not
> a different key for each laptop like the developer key).

Yes, installed on all laptops in a deployment or collection.

>
> Tony
>
> On 11/15/2012 09:06 PM, John Watlington wrote:
> >
> >On Nov 15, 2012, at 8:44 PM, Tony Anderson wrote:
> >
> >>Hi,
> >>
> >>If I understand this:
> >>
> >>1. Get a developer key for each laptop in the school.
> >>2. Use the developer key to unlock each laptop.
> >>3. Do a normal install of the build image.
> >>4. Relock the laptop by removing the developer key on the XO
> >
> >Once you remove the developer key, it will refuse to boot an
> >unsigned image.
> >
> >The process is more like:
> >
> >>1. Get a developer key for each laptop in the school.
> >>2. Use the developer key to unlock each laptop.
> >2a. Install local keys (either in addition to the OLPC keys or replacing
> >them)
> >
> >>3. Do a normal install of the build image.
> >3a. This build should be signed with the local keys
> >
> >>4. Relock the laptop by removing the developer key on the XO
> >
> >Cheers,
> >wad
> >
> >.
> >
>

--
James Cameron
http://quozl.linux.org.au/
_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel