Test OFW security on XO-1.5

[wmb@…]

The whole OFW security infrastructure needs to be tested on XO-1.5 - including allow and prevent cases for secure boot (and non-boot), FLASH rewrite, OS update (both manual and NANDblasting).

[wmb@…]

One problem is that current OFW builds (Q3A14 and earlier) don't contain the OLPC keys in the SPI FLASH - the lines that include those keys in the olpc.bth build script are commented-out. This begs the question of whether we want to use the same keys for XO-1 and XO-1.5, or make new ones.

[wmb@…]

Fixed by svn 1439. The fix will appear in q3a15.

[Quozl]

No idea how to test, sorry. Suggestions?

[wmb@…]

Action Needed changed to "test in build" for consistency with other bugs in the same state.

Martin, can you work with Quozl to help him learn how to test this?

[reuben]

Q3A20 and OS56

On a B2 I created and injected an o1 key. i copied vmlinuz and initrd.img and signed them as runos.zip and runrd.zip and added them to the to /bootpart/boot/ . OFW appears to accept the signature of both runos and runrd, indicate by two unlock icons, and then the screen craps out after loading runrd.

On a B3 Ed and I repeated the same process with a serial cable. With a serial cable attached OFW appears to accept the signature of both runos and runrd, indicate by two unlock icons, and then the startup chime loops continuously. Nothing more is sent out the serial cable other then: RD Found (the same message that appears on the screen)

[dsd]

Can't reproduce exactly. My system boots the kernel, even though the screen dies as you describe and the initramfs craps out, both due to #9867

Here's what I'm working with:

• http://dev.laptop.org/~dsd/20091211/o1.pub
• http://dev.laptop.org/~dsd/20091211/runos.zip
• http://dev.laptop.org/~dsd/20091211/runrd.zip

[reuben]

6 types of security: All testing was done using keys generated and placed in the augment slot of 1 i.e. x1.

1. OS: Signed runos.zip and runrd.zip. Signature pass and functional up to the point of #9867

2. Activation: symlinked runos.zip and runrd.zip to actos.zip and actrd.zip. Signatures pass. DSD says:

"it doesnt unfreeze dcon and act-gui doesnt support 24bpp framebuffer"

Placing lease.sig in int:\security\ works correctly.

3. Developer: Secured XO. XO does not check u:\security\develop.sig only int:\security\develop.sig. Removing SD card and placing develop.sig in int:\security\ works correctly.

disable-security - does not work. though this may be due to my manipulation of tags.

4. FS: For Secure reflash. See: #9873 and 9874

5. FW: Downgrade to q3a18.rom. Signed q3a22a.rom to bootfw.zip. Placed in int:\..Rebooted Firmware updated correctly.

6. OATS -- No idea how to test.

[Quozl]

Remains a blocker, good progress today, cjb to handle next.

[dsd]

All blockers fixed except for #9873 which is only pending a firmware release. OATS tested with an oatslite server running on my desktop, successfully delivered updated lease. so this bug can be closed.

[reuben]

Replying to dsd:

All blockers fixed except for #9873 which is only pending a firmware release. OATS tested with an oatslite server running on my desktop, successfully delivered updated lease. so this bug can be closed.

Just curious, any docs for testing procedure on this or is this one of those you know it cause you wrote/developed it?

[dsd]

* generate t1 key and install into mfg data on test laptop * install a lease on test laptop * setup oatslite (it has documentation and a sample config) * generate a better lease (i.e. one that expires later), put it in oatslite's lease directory * list your OATS server in /security/oats-server on the XO * run olpc-update-query -v -v --force * confirm that newer lease has been installed and system can still secure-boot