Author: quozl
Date: Thu Jul 16 01:07:22 2015
New Revision: 3780
URL: http://tracker.coreboot.org/trac/openfirmware/changeset/3780
Log: OLPC - keyjector, rename bootfw2.zip to fw.zip since bootfw2.zip now has another meaning (XO-1.75 variant of bootfw.zip), and remove the duplicate file
Deleted:
   cpu/x86/pc/olpc/via/keyject.fth
Modified:
   cpu/x86/pc/olpc/HOWTO-keyjector
   cpu/x86/pc/olpc/keyject.fth
Modified: cpu/x86/pc/olpc/HOWTO-keyjector ============================================================================== --- cpu/x86/pc/olpc/HOWTO-keyjector Wed Jul 15 04:08:40 2015 (r3779) +++ cpu/x86/pc/olpc/HOWTO-keyjector Thu Jul 16 01:07:22 2015 (r3780) @@ -19,34 +19,44 @@
The steps are:
-* Unpack the tar file containing the new keys into, for example, /home/wmb/Uruguay +* Unpack the tar file containing the new keys into, for example, + /home/wmb/Uruguay
-* Note the list of key names, e.g. d0 a1 o1 s1 t1 w1 +* Note the list of key names, e.g. d1 a1 o1 s1 t1 w1
$ cd /home/firmware/q2e34/openfirmware/cpu/x86/pc/olpc/build
* Edit ../keyjector.bth :
-** Change the "macro: FW_MINOR " line to the keyjector's intermediate version number, e.g. 34x +** Change the "macro: FW_MINOR " line to the keyjector's intermediate + version number, e.g. 34x ** Changing lines like below to the right file and key names. - " /space/bios-crypto/build/k2.public" " s1" $add-dropin + " /home/wmb/Uruguay/s1.public" " s1" $add-dropin
* Edit ../keyjector.fth :
-** In wrong-sku?, set the list of SKUs. This guards against "hijacking" of other country's laptops. -** In keyject-expired?, set an appropriate expiration date for the keyjector. +** In wrong-sku?, set the list of SKUs. This guards against + "hijacking" of other country's laptops. +** In keyject-expired?, set an appropriate expiration date for the + keyjector. ** In new-key-list$, set the key list.
$ ./build keyject
-It should build really quickly, because it is using nearly all the same modules as the base build. +It should build really quickly, because it is using nearly all the +same modules as the base build.
* Verify the version number in the new file:
** $ xxd q2e34x.rom | tail -4
-* If you have to make a new "real" release so the keyjector has a successor, do so now. +* If you have to make a new "real" release so the keyjector has a + successor, do so now.
* Sign the keyjector, naming the .zip file "bootfw.zip".
-* Sign the successor firmware, name the .zip file "bootfw2.zip" +* Sign the successor firmware, name the .zip file "fw.zip" + +* Place both in a boot directory on media for testing. + +* Boot with laptop locked or using X game button to force security on.
Modified: cpu/x86/pc/olpc/keyject.fth ============================================================================== --- cpu/x86/pc/olpc/keyject.fth Wed Jul 15 04:08:40 2015 (r3779) +++ cpu/x86/pc/olpc/keyject.fth Thu Jul 16 01:07:22 2015 (r3780) @@ -140,12 +140,12 @@
false value new-firmware? : got-firmware? ( dev$ -- flag ) - 2dup ." Looking for new bootfw2.zip on " type cr ( dev$ ) + 2dup ." Looking for new fw.zip on " type cr ( dev$ ) dn-buf place ( ) " \boot" pn-buf place ( ) filesystem-present? 0= if false exit then ( ) null$ cn-buf place ( ) - " bootfw2" bundle-present? 0= if false exit then ( ) + " fw" bundle-present? 0= if false exit then ( ) ." Found" cr ( ) secure? if ( ) load-crypto if ( ) @@ -242,12 +242,12 @@ ?keyject
[ifdef] HowItWorks -OLPC signs bootfw.zip containing OFW image A and bootfw2.zip containing OFW image B. +OLPC signs bootfw.zip containing OFW image A and fw.zip containing OFW image B. * A is an OFW with additional keyjector functionality * B is an ordinary OFW Version number B > version number A.
-bootfw.zip and bootfw2.zip are presented to a deployment machine in the usual manner, +bootfw.zip and fw.zip are presented to a deployment machine in the usual manner, either on a USB key or as part of a signed OS image.
On a deployment machine with firmware X (version X < version A): @@ -263,7 +263,7 @@ so it ! Injects the new keys then it - ! Reads bootfw2.zip, checks its signature, and reflashes with firmware B (version > A) + ! Reads fw.zip, checks its signature, and reflashes with firmware B (version > A) ! Reboots
2) Firmware B starts, performs the normal fw update attempt step,
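Review bot: The two test steps added at the end of the HOWTO-keyjector hunk ("Place both in a boot directory on media for testing" and "Boot with laptop locked or using X game button to force security on") do not say what a passing run looks like. Suggest adding the expected end state, which the HowItWorks text in keyject.fth already describes: the new keys are injected, fw.zip is read and its signature checked, and the machine reflashes with firmware B and reboots. Separately, the key-name example in the same hunk changes from "d0 a1 o1 s1 t1 w1" to "d1 a1 o1 s1 t1 w1", which the log message does not mention; if d0 was a typo, say so in the log so the change is not mistaken for part of the rename.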
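Review bot: In the got-firmware? hunk of keyject.fth (@@ -140,12), the bundle name changes from " bootfw2" to " fw" with no fallback, so a keyjector image built and signed before r3780 still looks for bootfw2.zip while one built from this revision looks only for fw.zip. The HOWTO should state that the successor's file name must match the revision the keyjector was built from, otherwise the keys get injected and the successor firmware is never found. A smaller point: the name is now spelled out twice, once in the ." Looking for new fw.zip on " message and once in the bundle-present? argument, so a future rename can leave the two out of step; a single named string used in both places would avoid that.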
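Review bot: In the HowItWorks hunks of keyject.fth (@@ -242,12 and @@ -263,7), the updated line "Reads fw.zip, checks its signature, and reflashes with firmware B" reads as unconditional, while the visible lines of got-firmware? enter load-crypto only under "secure? if". Since the HOWTO now tells the tester to force security on, the comment should state that precondition explicitly, and say what happens to fw.zip when security is off. The comment also relies on "Version number B > version number A", but the HOWTO only verifies the keyjector's own version with xxd; a matching check for the successor image would keep the two documents consistent.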
openfirmware@openfirmware.info