Author: wmb Date: 2007-08-31 03:03:19 +0200 (Fri, 31 Aug 2007) New Revision: 588

Added: cpu/x86/pc/olpc/lzip.fth cpu/x86/pc/olpc/security.fth Modified: cpu/x86/call.fth cpu/x86/pc/olpc/crypto.fth cpu/x86/pc/olpc/fw.bth cpu/x86/pc/olpc/linux.fth cpu/x86/pc/olpc/loaddropins.fth cpu/x86/pc/olpc/olpc.bth ofw/fs/zipfs.fth Log: OLPC - First cut at secure booting.

Modified: cpu/x86/call.fth =================================================================== --- cpu/x86/call.fth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/call.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -1,7 +1,7 @@ \ See license at end of file purpose: From Forth, call the C subroutine whose address is on the stack

-code sp-call ( [ arg5 .. arg0 ] adr sp -- [ arg5 .. arg0 ] result ) +code sp-call ( [ arg7 .. arg0 ] adr sp -- [ arg5 .. arg0 ] result ) bx pop \ Get the new stack pointer ax pop \ Get the subroutine address

@@ -9,7 +9,9 @@ rp 'user saved-rp mov \ Save for callbacks

sp bx xchg \ Switch to new SP, with EBX set to old SP - 5 /n* [ebx] push \ Copy the arguments to the new stack + 7 /n* [ebx] push \ Copy the arguments to the new stack + 6 /n* [ebx] push + 5 /n* [ebx] push 4 /n* [ebx] push 3 /n* [ebx] push 2 /n* [ebx] push

Modified: cpu/x86/pc/olpc/crypto.fth =================================================================== --- cpu/x86/pc/olpc/crypto.fth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/pc/olpc/crypto.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -2,9 +2,11 @@ \ See license at end of file

h# c0000 constant crypto-base \ The address the code is linked to run at -h# c0000 constant hasher-base \ The address the code is linked to run at +h# d0000 constant crypto-bss \ The address the code is linked to run at +h# 10000 constant /crypto-bss

0 [if] +h# c0000 constant hasher-base \ The address the code is linked to run at variable hashlen d# 128 buffer: hashbuf

@@ -20,21 +22,36 @@ ; [then]

-0 value hashname +0 value crypto-loaded? +: load-crypto ( -- error? ) + crypto-loaded? if false exit then + " crypto" find-drop-in 0= if true exit then ( prog$ ) + 2dup crypto-base swap move free-mem ( ) + true to crypto-loaded? + false +; + +h# 200 buffer: pubkey +0 value /pubkey +: load-key ( name$ -- error? ) + find-drop-in 0= if true exit then ( key$ ) + dup h# 200 > if free-mem true exit then ( key$ ) + dup to /pubkey ( key$ ) + 2dup pubkey swap move ( key$ ) + free-mem + false +; + : signature-bad? ( data$ sig$ hashname$ -- mismatch? ) - $cstr to hashname ( data$ sig$ ) - " crypto" find-drop-in 0= if 4drop true exit then ( data$ sig$ prog$ ) - 2dup crypto-base swap move free-mem ( data$ sig$ ) + $cstr >r ( data$ sig$ r: 'hashname )

- " pubkey" find-drop-in 0= if 4drop true exit then ( data$ sig$ key$ ) - 2>r ( data$ sig$ r: key$ ) - swap 2swap swap ( siglen sigadr datalen dataadr r: key$ ) - 2r@ swap 2swap ( siglen sigadr keylen keyadr datalen dataadr r: key$ ) + swap 2swap swap ( siglen sigadr datalen dataadr ) + /pubkey pubkey 2swap ( siglen sigadr keylen keyadr datalen dataadr ) + r> ( siglen sigadr keylen keyadr datalen dataadr 'hashname )

- hashname ( siglen sigadr keylen keyadr datalen dataadr hash r: key$ )

- crypto-base dup h# 10 - sp-call >r 3drop 4drop r> ( result r: key$ ) - 2r> free-mem + crypto-bss /crypto-bss erase + crypto-base dup h# 10 - sp-call >r 3drop 4drop r> ( result )

\ XXX free-mem in suspend.fth and fw.bth after find-drop-in \ XXX clean out dead code in usb.fth

Modified: cpu/x86/pc/olpc/fw.bth =================================================================== --- cpu/x86/pc/olpc/fw.bth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/pc/olpc/fw.bth 2007-08-31 01:03:19 UTC (rev 588) @@ -335,6 +335,8 @@ fload ${BP}/cpu/x86/pc/olpc/nandstat.fth \ fload ${BP}/cpu/x86/pc/olpc/carousel.fth \ Carouseled NAND writing fload ${BP}/cpu/x86/pc/olpc/crypto.fth \ Cryptographic image validation +fload ${BP}/cpu/x86/pc/olpc/lzip.fth \ Access zip images from memory +fload ${BP}/cpu/x86/pc/olpc/security.fth fload ${BP}/ofw/gui/ofpong.fth [then]

@@ -542,7 +544,7 @@ ;

: newrom - " flash http:\10.20.0.104\new.rom" eval + " flash http:\10.20.0.14\new.rom" eval \ " wifi media lab 802.11" eval \ " flash http:\18.85.46.172\new.rom" eval ;

Modified: cpu/x86/pc/olpc/linux.fth =================================================================== --- cpu/x86/pc/olpc/linux.fth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/pc/olpc/linux.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -181,8 +181,8 @@ d# 256 buffer: ramdisk-buf ' ramdisk-buf " ramdisk" chosen-string

-: load-ramdisk ( -- ) - " ramdisk" eval dup 0= if 2drop exit then ( name$ ) +defer load-ramdisk +: $load-ramdisk ( name$ -- ) 0 to /ramdisk ( name$ )

['] load-path behavior >r ( name$ r: xt ) @@ -195,6 +195,11 @@ throw loaded to /ramdisk to ramdisk-adr ; +: cv-load-ramdisk ( -- ) + " ramdisk" eval dup 0= if 2drop exit then ( name$ ) + $load-ramdisk +; +' cv-load-ramdisk to load-ramdisk

: claim-params ( -- ) [ifdef] virtual-mode

Modified: cpu/x86/pc/olpc/loaddropins.fth =================================================================== --- cpu/x86/pc/olpc/loaddropins.fth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/pc/olpc/loaddropins.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -38,7 +38,6 @@

" ${BP}/ofw/termemu/gallant.obf" " font" $add-deflated-dropin

-\ " /space/bios-crypto/bios_crypto.img" " crypto" $add-deflated-dropin -\ " /space/bios-crypto/bios_hash.img" " hasher" $add-deflated-dropin -\ " /space/bios-crypto/wmbtest256.public" " pubkey" $add-dropin \ Incompressible -\ " /space/bios-crypto/usb8388.bin.sig256" " usb8388.sig" $add-dropin \ Incompressible + " crypto.img" " crypto" $add-deflated-dropin + " os.public" " oskey" $add-dropin \ Incompressible + " fw.public" " fwkey" $add-dropin \ Incompressible

Added: cpu/x86/pc/olpc/lzip.fth =================================================================== --- cpu/x86/pc/olpc/lzip.fth (rev 0) +++ cpu/x86/pc/olpc/lzip.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -0,0 +1,70 @@ +\ See license at end of file +purpose: Package for treating the data at load-base as a device + +dev / +new-device +" lzip" device-name + +headerless +0 instance value seek-ptr +0 instance value image-size +0 instance value base-adr + +headers +external +: seek ( d.offset -- status ) + 0<> over image-size u> or if drop true exit then \ Seek offset too big + to seek-ptr + false +; + +: open ( -- flag ) + 0 to seek-ptr ( ) + load-base to base-adr ( ) + file-size @ to image-size ( ) + my-args dup if ( adr len ) + " zip-file-system" find-package 0= if ( adr len ph ) + 2drop false exit + then ( adr len ph ) + interpose + else ( adr len ) + 2drop ( ) + then ( ) + true ( true ) +; +: close ( -- ) ; +: size ( -- d.size ) image-size 0 ; +: read ( adr len -- actual ) + seek-ptr + image-size min seek-ptr - ( adr len' ) + tuck ( len adr len ) + base-adr seek-ptr + -rot move ( len ) + dup seek-ptr + to seek-ptr ( len ) +; +\ Having a load method is pointless since the image is already at load-base + +finish-device +device-end + +\ LICENSE_BEGIN +\ Copyright (c) 2007 FirmWorks +\ +\ Permission is hereby granted, free of charge, to any person obtaining +\ a copy of this software and associated documentation files (the +\ "Software"), to deal in the Software without restriction, including +\ without limitation the rights to use, copy, modify, merge, publish, +\ distribute, sublicense, and/or sell copies of the Software, and to +\ permit persons to whom the Software is furnished to do so, subject to +\ the following conditions: +\ +\ The above copyright notice and this permission notice shall be +\ included in all copies or substantial portions of the Software. +\ +\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +\ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +\ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +\ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +\ +\ LICENSE_END

Modified: cpu/x86/pc/olpc/olpc.bth =================================================================== --- cpu/x86/pc/olpc/olpc.bth 2007-08-31 01:02:04 UTC (rev 587) +++ cpu/x86/pc/olpc/olpc.bth 2007-08-31 01:03:19 UTC (rev 588) @@ -24,6 +24,7 @@ in: ${BP}/dev/olpc/cafecamera/build/cafecamera.fc in: ${BP}/clients/memtest86/memtest in: ec.img +in: crypto.img in: usb8388.bin in: ${BP}/dev/pci/build/pcibridg.fc

Added: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth (rev 0) +++ cpu/x86/pc/olpc/security.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -0,0 +1,443 @@ +purpose: OLPC secure boot +\ See license at end of file + +\ Specs at http://wiki.laptop.org/go/Firmware_Security + +: boot-device-list " disk sd nand" ; + +true value debug-security? +: ?lease-debug ( msg$ -- ) + debug-security? if type else 2drop then +; +: ?lease-debug-cr ( msg$2 -- ) + debug-security? if type cr else 2drop then +; + +: fail-load ( -- ) + screen-ih stdout ! + ." OS Load Failed" cr + quit + begin again +; + +h# 20 buffer: cn-buf \ filename prefix - either "act" or "run" +h# 20 buffer: fn-buf \ filename tail - either "os" or "rd" +h# 100 buffer: pn-buf \ pathname - either "\boot" or "\boot-alt" +h# 100 buffer: dn-buf \ device name + +\ These macro definitions make it easy to compose device specifier strings +\ from the above name components. +also macros definitions +: FN fn-buf count ; +: CN cn-buf count ; +: DN dn-buf count ; +: PN pn-buf count ; +previous definitions + +d# 256 constant /sig +/sig buffer: sig-buf + +: hex-decode ( hex$ -- true | sig$ false ) + dup /sig 2* <> if + ( ." Bad signature length" cr ) + 2drop true exit + then ( hex$ ) + sig-buf -rot ( adr hex$ ) + bounds ?do ( adr ) + i 2 push-hex $number pop-base if ( adr ) + 2drop true unloop exit + then ( adr n ) + over c! 1+ ( adr' ) + 2 +loop ( adr ) + sig-buf tuck - false ( sig$ false ) +; + +: parse-sig ( sig01$ -- true | hashname$ sig$ false ) + dup d# 89 < if 2drop true exit then + bl left-parse-string " sig01:" $= 0= if 2drop true exit then ( rem$ ) + bl left-parse-string dup d# 6 <> if 4drop true exit then 2swap ( hash$ rem$ ) + bl left-parse-string nip d# 64 <> if 4drop true exit then ( hash$ rem$ ) + newline left-parse-string 2swap nip 0<> if 4drop true exit then ( hash$ data$ ) + hex-decode if 2drop true else false then +; + +: zip-extent ( name$ -- adr len ) + expand$ open-dev ?dup 0= if " " exit then + >r + " offset" r@ $call-method load-base + + " size" r@ $call-method drop + r> close-dev +; +: sig$ ( -- adr len ) " /lzip:\data.sig" zip-extent ; +: img$ ( -- adr len ) " /lzip:\data.img" zip-extent ; +: bundle-name$ ( -- $ ) " ${DN}:${PN}${CN}${FN}.zip" expand$ ; + +: bundle-present? ( -- flag ) + bundle-name$ + " Trying " ?lease-debug 2dup ?lease-debug-cr + ['] (boot-read) catch if 2drop false exit then + true +; + +d# 32 buffer: hashname +\ fn-buf and pn-buf must contain the base file name and path +: valid? ( data$ sig$ -- okay? ) + parse-sig if + ." Bad signature format in " bundle-name$ type cr + false exit + then ( data$ hashname$ sig$ ) + + \ Check for duplicate hashname attacks + 2swap 2dup hashname count $= if ( data$ sig$ hashname$ ) + ." Duplicate hash name in " bundle-name$ type cr + 4drop false exit + then + + d# 31 min hashname place ( data$ sig$ ) + + hashname count signature-bad? 0= +; + +d# 2007 d# 12 * 8 1- + d# 31 * d# 27 + constant earliest +0. 2value current-seconds + +\ This isn't an accurate calculation of seconds, but it +\ is sufficient for comparison purposes so long as we +\ use the same calculation in all cases. It is not good +\ if we need to do arithmetic on dates. +: get-date ( -- error? ) + time&date ( s m h d m y ) + d# 12 * swap 1- + ( s m h d m' ) \ Months start at 1 + d# 31 * swap 1- + ( s m h d' ) \ Days start at 1 + dup earliest < if ( s m h d' ) + screen-ih stdout ! + ." The clock is not set properly" cr + 4drop true exit + then ( s m h d' ) + d# 24 * + ( s m h' ) + d# 60 * + ( s m' ) \ Can't overflow so far + d# 60 um* ( s d.s' ) + swap 0 d+ to current-seconds + false +; + +: break$ ( $ n -- tail$ head$ ) + dup >r /string ( tail$ ) + over r@ - r> ( tail$ head$ ) +; + +0. 2value exp-seconds \ Accumulator for parsing data/time strings + +\ This is a factor used for parsing 2-digit fields from date/time strings. +\ Radix is the number to scale the result by, i.e. one more than the maximum +\ value of the field. Adjust is 0 for fields whose first valid value is 0 +\ (hours, minutes, seconds) or 1 for fields that start at 1 (month,day). +: numfield ( exp$ adjust radix -- exp$' ) + >r >r ( exp$ r: radix adjust ) + 2 break$ $number throw ( exp$' num r: radix adjust ) + r> - ( exp$ num' r: radix ) + dup r@ u>= throw ( exp$ num r: radix ) + + \ No need to multiply the top half because it can only become nonzero + \ on the last call to scale-time + exp-seconds drop r> um* ( exp$ num d.seconds ) + rot 0 d+ to exp-seconds ( exp$ ) +; + +: (expiration-to-seconds) ( expiration$ -- true | d.seconds false ) + 4 break$ $number throw ( exp$' year ) + dup d# 2999 u> throw ( exp$' year ) + 0 to exp-seconds ( exp$' ) + + 1 d# 12 numfield ( exp$' ) \ Month + 1 d# 31 numfield ( exp$' ) \ Day + + 1 break$ " T" $= 0= throw ( exp$' ) + + 0 d# 24 numfield ( exp$' ) \ Hour + 0 d# 60 numfield ( exp$' ) \ Minute + 0 d# 60 numfield ( exp$' ) \ Second + + " Z" $= 0= throw ( ) + exp-seconds +; + +: expiration-to-seconds ( expiration$ -- true | d.seconds false ) + push-decimal + ['] (expiration-to-seconds) catch ( x x true | d.seconds false ) + pop-base + dup if nip nip then +; + +: expired? ( expiration$ -- bad? ) + expiration-to-seconds if true exit then + current-seconds d< +; + +d# 1024 constant /sec-line-max +/sec-line-max buffer: sec-line-buf + +\ Remove bogus null characters from the end of tags on old machines +: ?-null ( adr len -- adr' len' ) + dup if + 2dup + 1- c@ 0= if 1- then ( adr len' ) + then +; + +d# 65 buffer: machine-id-buf + +: get-my-sn ( -- error? ) + + " SN" find-tag 0= if true exit then ( adr len ) + ?-null dup d# 11 <> if 2drop true exit then ( adr len ) + machine-id-buf swap move + + [char] : machine-id-buf d# 11 + c! + + " U#" find-tag 0= if true exit then ( adr len ) + ?-null dup d# 36 <> if 2drop true exit then ( adr len ) + machine-id-buf d# 12 + swap move + + [char] : machine-id-buf d# 48 + c! + + false +; +: my-sn$ ( -- adr len ) machine-id-buf d# 11 ; + +: check-machine-signature ( sig$ expiration$ -- -1|1 ) + 0 hashname c! + machine-id-buf d# 49 + swap move ( sig$ ) + machine-id-buf d# 65 2swap valid? if 1 else -1 then +; + +\ -1 means lease is for this machine and is invalid +\ 1 means lease is for this machine and is valid +\ 0 means lease is not for this machine +: check-lease ( lease$ -- -1|0|1 ) + bl left-parse-string " act01:" $= 0= if + " Not act01:" ?lease-debug-cr + 2drop -1 exit + then + bl left-parse-string ( rem$ serial$ ) + my-sn$ $= 0= if ( rem$ ) + " is for a different system" ?lease-debug-cr + 2drop 0 exit + then ( rem$ ) + bl left-parse-string ( sig$ expiration$ ) + dup d# 16 <> if ( sig$ expiration$ ) + " has bad expiration format" ?lease-debug-cr + 4drop -1 exit + then ( sig$ expiration$ ) + 2dup expired? if + " expired" ?lease-debug-cr + 4drop -1 exit + then ( sig$ expiration$ ) + check-machine-signature ( -1|1 ) + + dup 0< if + " has bad signature" ?lease-debug-cr + else + " valid" ?lease-debug-cr + then +; + +: lease-valid? ( -- flag ) + " ${DN}:\security\lease.sig" expand$ ( name$ ) + " Trying " ?lease-debug 2dup ?lease-debug-cr + r/o open-file if drop false exit then ( ih ) + >r ( r: ih ) + " Lease " ?lease-debug ( r: ih ) + begin + sec-line-buf /sec-line-max r@ read-line if ( actual -eof? ) + 2drop r> close-file drop false exit + then ( actual -eof? ) + while ( actual ) + sec-line-buf swap check-lease case ( -1|0|1 ) + 1 of r> close-file drop true exit endof + -1 of r> close-file drop false exit endof + endcase + repeat + r> close-file drop false +; + +: ?leased ( -- ) + lease-valid? if " run" else " act" then cn-buf place +; + +: olpc-load-image ( list$ pathname$ -- okay? ) + pn-buf place ( list$ ) + begin dup while ( list$ ) + bl left-parse-string ( list$ devname$ ) + dn-buf place ( list$' ) + ?leased ( list$ ) + bundle-present? if ( list$ ) + " OS found - " ?lease-debug + 0 hashname c! + img$ sig$ valid? if + " Signature valid" ?lease-debug-cr + img$ tuck load-base swap move !load-size + 2drop true exit + else + " Signature invalid" ?lease-debug-cr + then + then ( list$ ) + repeat ( list$ ) + 2drop false +; + +: secure-load ( -- okay? ) + load-crypto if ( ) + ." Can't get crypt code" cr ( ) + false exit + then ( ) + + get-my-sn if false exit then + get-date if false exit then + + " oskey" load-key if ( ) + ." Can't find OS public key" cr ( ) + false exit + then ( ) + + " os" fn-buf place + + boot-device-list " \boot" olpc-load-image if true exit then + " nand" " \boot-alt" olpc-load-image if true exit then + false +; + +\ Call this after the kernel has already been moved away from load-base +\ We assume that pn-buf already has the path prefix string +: secure-load-ramdisk ( -- ) +\ Bad idea, because the cmdline would need to be signed too +\ " /lzip:\cmdline" zip-extent to cmdline + + " rd" fn-buf place + bundle-present? if + " RD found - " ?lease-debug + 0 hashname c! + img$ sig$ valid? if + " Signature valid" ?lease-debug-cr + " /lzip:\data.img" $load-ramdisk exit + else + " Signature invalid" ?lease-debug-cr + fail-load + then + then +; + +: check-devel-key ( adr len -- -1|0|1 ) + bl left-parse-string " dev01:" $= 0= if 2drop -1 exit then ( rem$ ) + bl left-parse-string ( rem$ serial$ ) + my-sn$ $= 0= if 2drop 0 exit then ( rem$ ) + + " 00000000T000000Z" check-machine-signature +; + +: has-developer-key? ( -- flag ) + " ${DN}:\security\develop.sig" expand$ ( name$ ) + r/o open-file if drop false exit then ( ih ) + >r + begin + sec-line-buf /sec-line-max r@ read-line if ( actual -eof? ) + 2drop r> close-file drop false exit + then ( actual -eof? ) + while ( actual ) + sec-line-buf swap check-devel-key case ( -1|0|1 ) + 1 of r> close-file drop true exit endof + -1 of r> close-file drop false exit endof + endcase + repeat + r> close-file drop false +; + +: developer-device-list " disk sd nand" ; + +: developer? ( -- flag ) + get-my-sn if false exit then + + load-crypto if ( ) + ." Can't get crypt code" cr ( ) + false exit + then ( ) + + " fwkey" load-key if ( ) + ." Can't find firmware public key" cr ( ) + false exit + then ( ) + + developer-device-list + begin dup while ( list$ ) + bl left-parse-string dn-buf place ( list$' ) + has-developer-key? if ( list$' ) + 2drop true exit + then ( list$ ) + repeat ( list$ ) + 2drop false +; + +: do-secure-boot ( -- ) + debug-security? if screen-ih stdout ! then + ['] secure-load-ramdisk to load-ramdisk + secure-load 0= if fail-load then + loaded sync-cache " init-program" $find if execute else 2drop then + go +; + +: wp? ( -- flag ) " wp" find-tag dup if nip nip then ; + +: secure-boot ( -- ) wp? if do-secure-boot else boot then ; +" secure-boot" ' boot-command set-config-string-default + +\ For dn in boot-device-list +\ if + +fexit + +Firmware security use cases: + +a) load image signing: + +Package: {run,act}{os,rd}.zip +Expiration: none +Signed object: OS or RD image file in .zip file +Signature: sha256_rsa256.sig in .zip file +Verification Algorithm: sha256 -> rsa256 +Verification Key: OLPC-run-public-key + +Rule: Don't run the image if the signature fails + +b) Firmware update key + +Package: /boot/bootfw.zip +Expiration: none (but should be versioned to avoid repeated updates) +Signed object: image in .zip file +Signature1: sha255.rsa in .zip file +Signature2: whirl.rsa in .zip file +Verification Algorithm: sha256 -> rsa256, whirlpool -> rsa256 +Verification Key: OLPC-fw-public-key + +Rule: If the developer key is valid, enter unlocked firmware state + +c) Developer key + +Package: /security/develop.key +Expiration: none +Signed object: <serial#>:<uuid>:00000000T000000Z (representing the machine) +Signature: rsa256 data in sig01 line +Verification Algorithm: rsa256 +Verification Key: OLPC-devel-public-key + +Rule: If the developer key is valid, enter unlocked firmware state + +d) Activation lease + +Package: /security/lease +Expiration: Yes - time on signature line +Signed object: <serial#>:<uuid>:<expiration time> (representing the machine) +Signature: rsa256 data in sig01 line +Verification Algorithm: rsa256 +Verification Key: OLPC-act-public-key + +Rule: If the lease is invalid, invoke act{os,rd}.zip instead of run{os,rd}.zip +

Modified: ofw/fs/zipfs.fth =================================================================== --- ofw/fs/zipfs.fth 2007-08-31 01:02:04 UTC (rev 587) +++ ofw/fs/zipfs.fth 2007-08-31 01:03:19 UTC (rev 588) @@ -5,7 +5,10 @@ 0 instance value base-adr 0 instance value image-size 0 instance value seek-ptr +external +\ Expose for the OLPC security scheme 0 instance value offset +headerless

: clip-size ( adr len -- adr len' ) seek-ptr + image-size umin seek-ptr -