Author: wmb Date: 2007-11-18 04:54:48 +0100 (Sun, 18 Nov 2007) New Revision: 736

Modified: cpu/x86/pc/olpc/fw.bth cpu/x86/pc/olpc/loaddropins.fth cpu/x86/pc/olpc/security.fth Log: OLPC - Cosmetic improvements in secure boot error messages and some stuff to help the factory repair systems after FQA.

Modified: cpu/x86/pc/olpc/fw.bth =================================================================== --- cpu/x86/pc/olpc/fw.bth 2007-11-16 22:29:19 UTC (rev 735) +++ cpu/x86/pc/olpc/fw.bth 2007-11-18 03:54:48 UTC (rev 736) @@ -332,9 +332,9 @@ fload ${BP}/cpu/x86/pc/olpc/lzip.fth \ Access zip images from memory fload ${BP}/cpu/x86/pc/olpc/gamekeys.fth fload ${BP}/cpu/x86/pc/olpc/linux.fth +fload ${BP}/cpu/x86/pc/olpc/setwp.fth fload ${BP}/cpu/x86/pc/olpc/security.fth fload ${BP}/cpu/x86/pc/olpc/fsupdate.fth -fload ${BP}/cpu/x86/pc/olpc/setwp.fth fload ${BP}/ofw/gui/ofpong.fth fload ${BP}/cpu/x86/pc/olpc/life.fth fload ${BP}/cpu/x86/pc/olpc/sound.fth @@ -520,12 +520,13 @@ ." Tests complete - powering off" cr d# 5000 ms power-off then ; + : ?scan-nand ( -- ) rocker-up game-key? if text-on scan-nand then ; : ?fs-update ( -- ) button-check button-x or button-o or button-square or ( mask ) - game-key-mask over and = if + game-key-mask = if try-fs-update then ; @@ -547,6 +548,8 @@

no-page

+ ?factory-mode + console-start

?resume-botch

Modified: cpu/x86/pc/olpc/loaddropins.fth =================================================================== --- cpu/x86/pc/olpc/loaddropins.fth 2007-11-16 22:29:19 UTC (rev 735) +++ cpu/x86/pc/olpc/loaddropins.fth 2007-11-18 03:54:48 UTC (rev 736) @@ -27,7 +27,7 @@

" ${BP}/ofw/inet/telnetd.fth" " telnetd" $add-deflated-dropin

- " ${BP}/cpu/x86/pc/olpc/images/warnings.565" " warnings.565" $add-deflated-dropin +\ " ${BP}/cpu/x86/pc/olpc/images/warnings.565" " warnings.565" $add-deflated-dropin " ${BP}/cpu/x86/pc/olpc/images/lightdot.565" " lightdot.565" $add-deflated-dropin " ${BP}/cpu/x86/pc/olpc/images/yellowdot.565" " yellowdot.565" $add-deflated-dropin " ${BP}/cpu/x86/pc/olpc/images/darkdot.565" " darkdot.565" $add-deflated-dropin

Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-11-16 22:29:19 UTC (rev 735) +++ cpu/x86/pc/olpc/security.fth 2007-11-18 03:54:48 UTC (rev 736) @@ -13,8 +13,8 @@

0 0 2value base-xy 0 0 2value next-xy -d# 410 d# 540 2constant progress-xy -d# 557 d# 283 2constant sad-xy +d# 463 d# 540 2constant progress-xy +d# 552 d# 283 2constant sad-xy

true value debug-security? : ?lease-debug ( msg$ -- ) @@ -23,6 +23,9 @@ : ?lease-debug-cr ( msg$2 -- ) debug-security? if type cr else 2drop then ; +: ?lease-error-cr ( msg$2 -- ) + debug-security? if red-letters type black-letters cr else 2drop then +;

: fail-load ( -- ) text-on @@ -31,15 +34,21 @@ begin again ;

+code halt hlt c; \ To save power + 0 value security-off?

: security-failure ( -- ) visible - ." Stopping" cr - security-off? if quit then + security-off? if ." Stopping" cr quit then

- d# 10000 ms - power-off + button-check game-key? if + ." Use power button to power off" cr + begin halt again + else + ." Powering off in 10 seconds" cr + d# 10000 ms power-off + then ;

: +icon-xy ( delta-x,y -- ) icon-xy d+ to icon-xy ; @@ -56,6 +65,12 @@ sad-xy to icon-xy " sad" show-icon to icon-xy ; +: .security-failure ( error$ -- ) + visible red-letters type black-letters cr + show-sad + security-failure +; + : show-lock ( -- ) " lock" show-icon ; : show-unlock ( -- ) " unlock" show-icon ; : show-child ( -- ) @@ -63,14 +78,16 @@ d# 552 d# 383 to icon-xy " rom:xogray.565" $show-opaque progress-xy to icon-xy \ For boot progress reports ; + +0 [if] : show-warnings ( -- ) " erase-screen" $call-screen d# 48 d# 32 to icon-xy " rom:warnings.565" $show-opaque dcon-freeze ; +[then]

- h# 20 buffer: cn-buf \ filename prefix - either "act" or "run" h# 20 buffer: fn-buf \ filename tail - either "os" or "rd" h# 100 buffer: pn-buf \ pathname - either "\boot" or "\boot-alt" @@ -211,7 +228,7 @@

pubkey$ 2swap signature-bad? ( error? ) dup if - " Signature invalid" ?lease-debug-cr + " Signature invalid" ?lease-error-cr else " Signature valid" ?lease-debug-cr then @@ -233,7 +250,7 @@ 2dup our-pubkey? if false exit then ( rem$ line$ ) 2drop ( rem$ ) repeat ( rem$ ) - " No signature for our key" ?lease-debug-cr + " No signature for our key" ?lease-error-cr 2drop true ;

@@ -266,94 +283,64 @@ over r@ - r> ( tail$ head$ ) ;

-0. 2value exp-seconds \ Accumulator for parsing data/time strings - \ numfield is a factor used for parsing 2-digit fields from date/time strings. -\ Radix is the number to scale the result by, i.e. one more than the maximum -\ value of the field. Adjust is 0 for fields whose first valid value is 0 -\ (hours, minutes, seconds) or 1 for fields that start at 1 (month,day). - -: numfield ( exp$ adjust radix -- exp$' ) - >r >r ( exp$ r: radix adjust ) - 2 break$ $number throw ( exp$' num r: radix adjust ) - r> - ( exp$ num' r: radix ) - dup r@ u>= throw ( exp$ num r: radix ) - - \ No need to multiply the top half because it can only become nonzero - \ on the last call to scale-time - exp-seconds drop r> um* ( exp$ num d.seconds ) - rot 0 d+ to exp-seconds ( exp$ ) +: numfield ( exp$ min max -- exp$' ) + >r >r ( exp$ r: max min ) + 2 break$ $number throw ( exp$' num r: max min ) + dup r> < throw ( exp$ num r: max ) + dup r> > throw ( exp$ num ) ;

\ expiration-to-seconds parses an expiration date string like \ "20070820T130401Z", converting it to (double precision) seconds \ according to the simplified calculation described above for "get-date"

-: (expiration-to-seconds) ( expiration$ -- true | d.seconds false ) - 4 break$ $number throw ( exp$' year ) - dup d# 2999 u> throw ( exp$' year ) - 0 to exp-seconds ( exp$' ) - - 1 d# 12 numfield ( exp$' ) \ Month - 1 d# 31 numfield ( exp$' ) \ Day - - 1 break$ " T" $= 0= throw ( exp$' ) - - 0 d# 24 numfield ( exp$' ) \ Hour - 0 d# 60 numfield ( exp$' ) \ Minute - 0 d# 60 numfield ( exp$' ) \ Second - - " Z" $= 0= throw ( ) - exp-seconds +: (expiration-to-seconds) ( expiration$ -- d.seconds ) + 4 break$ $number throw >r ( exp$' r: y ) + 1 d# 12 numfield >r ( exp$' r: y m ) + 1 d# 31 numfield >r ( exp$' r: y m d ) + 1 break$ " T" $= 0= throw ( exp$' r: y m d ) + 0 d# 23 numfield >r ( exp$' r: y m d h ) + 0 d# 59 numfield >r ( exp$' r: y m d h m ) + 0 d# 59 numfield >r ( exp$' r: y m d h m s ) + " Z" $= 0= throw ( r: y m d h m s ) + r> r> r> r> r> r> ( s m h m d y ) + >unix-seconds ;

-: expiration-to-seconds ( expiration$ -- true | d.seconds false ) +: expiration-to-seconds ( expiration$ -- true | seconds false ) push-decimal - ['] (expiration-to-seconds) catch ( x x true | d.seconds false ) + ['] (expiration-to-seconds) catch ( x x true | seconds false ) pop-base dup if nip nip then ;

-\ earliest is the earliest acceptable date value (in seconds). -\ It is the date that the first test version of this code was -\ deployed. If a laptop has any earlier date that than, that -\ date is presumed bogus. +0 value current-seconds

-" 20070101T000000Z" expiration-to-seconds drop 2constant earliest +: date-bad? ( -- flag ) + current-seconds 0= if + time&date >unix-seconds to current-seconds + then

-0. 2value current-seconds + \ earliest is the earliest acceptable date value (in seconds). + \ It is the date that the first test version of this code was + \ deployed. If a laptop has any earlier date that than, that + \ date is presumed bogus.

-\ get-date reads the date and time from the real time clock -\ and converts it to seconds. - -\ The seconds conversion uses a simplified approach that ignores -\ leap years and the like - it assumes that all months are 31 days. -\ This is sufficient for comparison purposes so long as we use the -\ same calculation in all cases. It is not good for doing -\ arithmetic on dates. -: get-date ( -- ) - time&date ( s m h d m y ) - d# 12 * swap 1- + ( s m h d m' ) \ Months start at 1 - d# 31 * swap 1- + ( s m h d' ) \ Days start at 1 - d# 24 * + ( s m h' ) - d# 60 * + ( s m' ) \ Can't overflow so far - d# 60 um* ( s d.s' ) - swap 0 d+ to current-seconds + current-seconds [ " 20070101T000000Z" expiration-to-seconds drop ] literal - 0< ;

+ \ expired? determines whether or not the expiration time string is \ earlier than this machine's current time (from the real time clock).

: expired? ( expiration$ -- bad? ) - expiration-to-seconds if true exit then ( d.seconds ) + expiration-to-seconds if true exit then ( seconds )

- current-seconds 0. d= if ( d.seconds ) - then - \ If the date is bad, leases are deemed to have expired - current-seconds earliest d< if 2drop true exit then + date-bad? if drop true exit then ( seconds )

- current-seconds d< + current-seconds - 0< ;

d# 1024 constant /sec-line-max @@ -380,11 +367,11 @@ : get-my-sn ( -- error? )

" SN" find-tag 0= if - " No serial number in mfg data" ?lease-debug-cr + " No serial number in mfg data" ?lease-error-cr true exit then ( adr len ) ?-null dup d# 11 <> if - " Invalid serial number" ?lease-debug-cr + " Invalid serial number" ?lease-error-cr 2drop true exit then ( adr len ) machine-id-buf swap move @@ -392,11 +379,11 @@ [char] : machine-id-buf d# 11 + c!

" U#" find-tag 0= if - " No UUID in mfg data" ?lease-debug-cr + " No UUID in mfg data" ?lease-error-cr true exit then ( adr len ) ?-null dup d# 36 <> if - " Invalid UUID" ?lease-debug-cr + " Invalid UUID" ?lease-error-cr 2drop true exit then ( adr len ) machine-id-buf d# 12 + swap move @@ -419,12 +406,12 @@ 2dup " 00000000T000000Z" $= if 0 exit then

dup d# 16 <> if ( expiration$ ) - " has bad expiration format" ?lease-debug-cr + " has bad expiration format" ?lease-error-cr -1 exit then ( expiration$ )

2dup expired? if - " expired" ?lease-debug-cr + " expired" ?lease-error-cr -1 exit then ( expiration$ ) 0 @@ -454,7 +441,10 @@ my-sn$ $= 0= if 2drop 0 exit then ( rem$ )

\ Disposition code - bl left-parse-string 1 <> if 3drop -1 exit then ( rem$ disp-adr ) + bl left-parse-string 1 <> if + " No disposition code" ?lease-error-cr + 3drop -1 exit + then ( rem$ disp-adr ) set-disposition ( rem$ )

bl left-parse-string check-expiry if 4drop -1 exit then ( sig$ exp$ ) @@ -470,7 +460,7 @@

: check-lease ( act01-lease$ -- -1|0|1 ) bl left-parse-string " act01:" $= 0= if - " Not act01:" ?lease-debug-cr + " Not act01:" ?lease-error-cr 2drop -1 exit then ( rem$ ) check-timed-signature ( -1|0|1 ) @@ -498,7 +488,7 @@ -1 of r> close-file drop " lock" show-icon false exit endof endcase repeat - " No matching records" ?lease-debug-cr + " No matching records" ?lease-error-cr r> close-file drop false ;

@@ -575,6 +565,7 @@ ;

false value secure? +false value in-factory?

stand-init: wp " wp" find-tag if 2drop true to secure? then @@ -612,7 +603,7 @@ -1 of r> close-file drop false exit endof endcase repeat - " No matching records" ?lease-debug-cr + " No matching records" ?lease-error-cr r> close-file drop false ;

@@ -625,13 +616,13 @@ base @ >r d# 36 base ! fw#buf 5 $number if show-x - visible ." Invalid firmware version number" security-failure + " Invalid firmware version number" .security-failure then pop-base ;

: firmware-up-to-date? ( img$ -- ) - /flash <> if show-x visible ." Invalid Firmware image" security-failure then ( adr ) + /flash <> if show-x " Invalid Firmware image" .security-failure then ( adr ) (fw-version) ( file-version# ) rom-pa (fw-version) ( file-version# rom-version# ) u<= @@ -680,7 +671,7 @@

['] ?enough-power catch ?dup if visible - .error + red-letters .error black-letters security-failure then

@@ -689,9 +680,7 @@

reflash \ Should power-off and reboot show-x - visible - ." Reflash returned, unexpectedly" cr - security-failure + " Reflash returned, unexpectedly" .security-failure then show-lock then @@ -757,7 +746,6 @@

next-xy to icon-xy ( list$ ) repeat ( list$ ) - " sad" show-icon ( list$ ) 2drop false ( ) ;

@@ -765,15 +753,19 @@

: all-devices$ ( -- list$ ) " disk: sd: nand:" ;

+: secure-startup ( -- ) + in-factory? if + button-check button-x or button-o or button-square or button-rotate or ( mask ) + game-key-mask = if exit then + then

-: secure-startup ( -- ) ['] noop to ?show-device ['] noop to load-done ['] noop to load-started

set-alternate

- button-rotate game-key? if show-warnings then +\ button-rotate game-key? if show-warnings then show-child

?force-secure @@ -788,18 +780,58 @@

persistent-devkey? if true to security-off? visible exit then

- get-my-sn if visible ." No serial number" cr show-sad security-failure then + get-my-sn if " No serial number" .security-failure then

- get-date current-seconds earliest d< if + date-bad? if \ This is not fatal, because we don't want a brick if the RTC battery fails - visible ." Invalid system date" cr show-sad + visible red-letters ." Invalid system date" black-letters cr show-sad then

- load-crypto if visible ." Crytpo load failed" cr show-sad security-failure then ( ) + load-crypto if " Crytpo load failed" .security-failure then ( )

alternate? if " \boot-alt" else " \boot" then pn-buf place

all-devices$ load-from-list if exit then \ Returns only if no images found

- visible ." Boot failed" cr show-sad security-failure + " Boot failed" .security-failure ; + +: efface-md ( -- ) + " md" find-tag 0= if exit then ( data$ ) + + 2 + flash-base - ( flash-offset ) + spi-start spi-identify ( flash-offset ) + " MD" rot write-spi-flash ( ) + spi-reprogrammed ( ) +; + +: days>seconds ( n -- seconds ) [ d# 60 d# 60 * d# 24 * ] literal * ; +: ?factory-mode ( -- ) + date-bad? if efface-md exit then + " md" find-tag if ( data$ ) + 0 left-parse-string 2nip ( time$ ) + \ Erase the tag if it is invalid + expiration-to-seconds if efface-md exit then ( begin-seconds ) + dup 3 days>seconds + ( begin-seconds end-seconds ) + \ Erase the tag if its time is up + current-seconds -rot within 0= if efface-md exit then ( ) + true to in-factory? + then +; + +\ iso8601 date construction for activation key +: .2digits ( .. roll# -- .. ) roll u# u# drop ; +: >iso8601$ ( s m h d m y -- adr len ) + push-decimal + <# + [char] Z hold 5 .2digits 4 .2digits 3 .2digits + [char] T hold 2 .2digits 1 .2digits u# u# u# u# + u#> + pop-base +; + +: factory-mode ( -- ) + " md" find-tag if ." md tag already exists" cr 2drop exit then + " MD" find-tag if ." MD tag already exists" cr 2drop exit then + date-bad? if ." The RTC is not set correctly" cr exit then + time&date >iso8601$ " md" $add-tag +;