[MTK] Notes on enabling the Efuse

Digest | MediaTek | 2023-02-09

Contents

Configuring SecureBoot [efuse] on the MTK platform

  1. Goal of this article
  2. Environment
  3. Kernel configuration
  4. Key generation
  5. DA file generation
  6. Signing the images and the DA file
  7. Burning the efuse and flashing the images
  8. Adding a cmdline flag that shows whether the efuse is enabled
  9. Tools

1. Goal of this article

A record of the whole process of enabling SecureBoot [Efuse] on the MTK platform. It covers the configuration steps and the pitfalls met along the way; it does not cover how SecureBoot works, which will get an article of its own later.

2. Environment

platform    project    Android version
MT6761      xqt551     Android 12

Note: every script and setting below was written for platform=MT6761, project=xqt551. For another platform or project, change the scripts accordingly!!!

3. Kernel configuration

Change the following switches in the preloader, LK and kernel configs. MTK_SECURITY_SW_SUPPORT enables the MTK security software support in each stage; the two ATTR_*_ONLY_ENABLE_ON_SCHIP values tie secure-boot and secure-USB-download enforcement to the chip's secure-boot fuse, so an unfused board keeps booting unsigned images while a fused one enforces verification.

# 1. Path: vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes
MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP

# 2. Path: vendor/mediatek/proprietary/bootable/bootloader/lk/project/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes

# 3. Path: path-for-project-kernel/arch/arm/configs/xqt551_debug_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y

# 4. Path: path-for-project-kernel/arch/arm/configs/xqt551_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y

# Note: for another project replace xqt551 with its name; on a 64-bit system replace arm with arm64

4. Key generation

#!/bin/bash
# generickey.sh -- run from the source root
set -e

echo "1 Generate root key pair"
cd vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor

echo "1.1 Generate private key command:"
openssl genrsa -out root_prvk.pem 2048
python pem_to_der.py root_prvk.pem root_prvk.der

echo "1.2 Generate public key command:"
openssl rsa -in root_prvk.pem -pubout > root_pubk.pem
python pem_to_der.py root_pubk.pem root_pubk.der

echo "2 image key pair"
echo "2.1 Generate img_prvk command:"
openssl genrsa -out img_prvk.pem 2048
python pem_to_der.py img_prvk.pem img_prvk.der
echo "2.2 Generate img_pubk command:"
openssl rsa -in img_prvk.pem -pubout > img_pubk.pem
python pem_to_der.py img_pubk.pem img_pubk.der

echo "3 DA key pair"
echo "3.1 Generate da_prvk command:"
openssl genrsa -out da_prvk.pem 2048
python pem_to_der.py da_prvk.pem da_prvk.der
echo "3.2 Generate da_pubk command:"
openssl rsa -in da_prvk.pem -pubout > da_pubk.pem
python pem_to_der.py da_pubk.pem da_pubk.der

chmod +x der_extractor    # the prebuilt extractor only needs to be executable; 777 is not required

echo "4 Generate oemkey.h"
# extract the root PUBLIC key into a C header that preloader and LK compile in
./der_extractor root_pubk.der oemkey.h ANDROID_SBC

echo "4.1 export oemkey.h"
# mtkbuild -o ./ -x oemkey.h
cp oemkey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/
cp oemkey.h ../../../bootable/bootloader/lk/target/xqt551/inc/

echo "5 Generate dakey.h"
# same extractor for the DA public key, then rename OEM to DA inside the header
./der_extractor da_pubk.der dakey.h ANDROID_SBC
sed -i "s/OEM/DA/g" dakey.h
cp dakey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/

Copy the script above to the source root and run it; it generates 3 key pairs. Never run it again once the efuse has been burned, and back up the generated keys!!! The private keys, root_prvk.pem above all, are the trust anchor for every device you fuse: generate them on a machine you control and keep them out of any tree that gets committed or shared.

Key set   | Files generated | Purpose
root keys | root_prvk.pem (PEM private key), root_prvk.der (DER private key), root_pubk.pem (PEM public key), root_pubk.der (DER public key), oemkey.h (the public key as a hex array in a C header) | The root key pair. Its public key is what the efuse anchors; once burned it cannot be changed, so back this set up the moment it is generated!!!
img keys  | img_prvk.pem (PEM private key), img_prvk.der (DER private key), img_pubk.pem (PEM public key), img_pubk.der (DER public key) | Signs and verifies the images
da keys   | da_prvk.pem (PEM private key), da_prvk.der (DER private key), da_pubk.pem (PEM public key), da_pubk.der (DER public key), dakey.h (the public key as a hex array in a C header) | Signs and verifies the DA file

5. DA file generation

The DA (Download Agent) is the code the flash tool loads into the device over USB to write the partitions; it carries the secure-download policy (which partitions must be signed) and is itself signed with the DA key in section 6. It is built with the FLASHLIB_DA_EXE(Official)_ALPS kit together with GCC and GnuWin32; download links are in the Tools section. The steps:

  1. Put GCC under C:\Program Files.
  2. Put GnuWin32 under C:\Program Files (x86) and add it to the PATH environment variable.
  3. Edit the GCCDIR path in base.mk, located at:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\make\base.mk
    GCCDIR := c:/progra~1/GCC/arm-2015q1/bin
    (c:/progra~1/ is the Windows 8.3 short name for C:\Program Files; GCCDIR is defined twice, once for the Linux environment and once for Windows.)
  4. Mark the custom partition as one that does not need a signature. Config file:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\DA_BR\sec_policy_config_common.h, change the CUST1_IMG_NAME macro to:
    #define CUST1_IMG_NAME "custom"
    (Every partition exempted here is one the DA will flash unsigned, so only list data-only partitions that nothing in the boot chain executes.)
  5. Replace oemkey.h: copy the oemkey.h generated in the source tree to:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\oemkey.h
  6. Build the unsigned DA. Working directory:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec, run: make BBCHIP=MT6761. The built DA is at:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\bin\MTK_AllInOne_DA.bin

(Watch the build output for any error!!! If the build finishes almost instantly, files are probably missing: re-extract Customization_Kit_buildspec.zip and start over!!!)

6. Signing the images and the DA file

Copy the generated MTK_AllInOne_DA.bin to vendor/mediatek/proprietary/scripts/secure_chip_tools/prebuilt/resignda/ in the source tree, then run the script below from the source root.

#!/bin/bash
# run from the source root
set -e

# copy keys: image and root private keys into the project's chip_config, the DA private key
# into the resignda and toolauth key directories (as both da_prvk.pem and epp_prvk.pem)
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda/epp_prvk.pem
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth/epp_prvk.pem
cp vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth

# generate the cert1 and cert2 keys (cert1 = root key, cert2 = image key, PSS padding)
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py mt6761 xqt551 \
    cert1_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
    cert2_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem \
    root_key_padding=pss 2>&1 | tee SecureGen.log

# build images
make clean-preloader
./build.sh xqt551 1 1 1 1 64    # MTK build script; if you do not have it, run make -j64 instead

# sign the DA and generate the auth file
cd vendor/mediatek/proprietary/scripts/secure_chip_tools/
python resign_da.py prebuilt/resignda/MTK_AllInOne_DA.bin MT6761 settings/resignda/bbchips_pss.ini all
# -> out/resignda/MTK_AllInOne_DA-resing.bin
python toolauth.py -i settings/toolauth/toolauth_key.ini -g settings/toolauth/toolauth_gfh_config_pss.ini
# -> out/toolauth/auth_sv5.auth
cd -

# sign images (exported so sign_flow.py sees them)
export MTK_PLATFORM_DIR=mt6761   # replace with your platform
export MTK_BASE_PROJECT=xqt551   # replace with your project
# PRODUCT_OUT is the directory holding the built images
PYTHONDONTWRITEBYTECODE=True PRODUCT_OUT={out/image/dirs} BOARD_AVB_ENABLE=true \
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/sign_flow.py \
    -env_cfg ./vendor/mediatek/proprietary/scripts/sign-image_v2/env.cfg "mt6761" "xqt551"

Running the script above from the source root produces:

vendor/mediatek/proprietary/scripts/secure_chip_tools/out/resignda/MTK_AllInOne_DA-resing.bin: the signed DA file

vendor/mediatek/proprietary/scripts/secure_chip_tools/out/toolauth/auth_sv5.auth: the auth (tool authentication) file

out/image/dirs (the built image directory): the signed image files

7. Burning the efuse and flashing the images

Burning the efuse and flashing the images uses the SP_MDT_v5.2228.00.00_exe tool; the download link is in the Tools section.

  1. Copy the signed image files into images.
  2. Copy the files from CheckSum_Generate_exe into images and run CheckSum_Gen.exe to produce Checksum.ini.
  3. Copy Checksum.ini into the SP_MDT_v5.2228.00.00_exe directory.
  4. Edit SP_MDT_v5.2228.00.00_exe\Efuse.ini: set Enable to 1 and point EfuseXmlPath at images\efuse_MT6761.xml.

    The edited file:
    ; 0 represents disable, 1 represents enable
    ; DownloadEfuseOneStep: 0 for disable, 1 for enable write efuse in format and download
    [EfuseSettings]
    Enable = 1
    DownloadEfuseOneStep = 0
    ; EfuseOnly = 0
    SettingsEnable = 0
    LockEnable = 0
    ReadBackEnable = 0
    EfuseXmlPath= C:\Users\Administrator\Desktop\MTM1\Tools\SP_MDT_TOOL\images\efuse_MT6761.xml

  5. Edit efuse_MT6761.xml. The three paths must match the files in images, and pub-key-n must match the content of oemkey.h: it is the root public key the fuse anchors, and if it differs from the key preloader and LK were built with, the fused device will reject its own images, with no second try.
    [screenshot: 1.png]
  6. Scan for the device: tick BootRom+PreLoader and COM Sel All, click Scan, click Yes, then power the device off, plug it in and power it on again.
    [screenshot: 2.png]
    Once the device is found, click Stop all to stop scanning and get ready to flash.
    [screenshot: 3.png]
  7. Burn the efuse.
    [screenshot: 4.png]
  8. Flash the images.
    [screenshot: 5.png]

That completes the efuse configuration and burning.
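The one check worth running between section 4 and step 5 above: confirm that the modulus in root_pubk.pem, the one compiled into preloader/LK through oemkey.h, and the pub-key-n that SP_MDT is about to burn from efuse_MT6761.xml are the same value, because a stale header or XML is otherwise discovered only by a device that no longer boots. The script below is an added example, not code from the original post or from MediaTek's tools. It assumes oemkey.h stores the modulus as a hex string in a macro named OEM_PUBK (suggested by the post's `sed s/OEM/DA/`, not confirmed) and that the XML uses a `<pub-key-n>` element; both regexes should be adjusted to the real files. Its sample key is constructed filler, not a real RSA key.

```python
"""Pre-burn consistency check for the secure-boot root key: compares the RSA
modulus in root_pubk.pem with oemkey.h and with <pub-key-n> in the efuse XML.
Added example, not from the original post or MediaTek's tools; stdlib only."""
import base64
import hashlib
import re

def der_tlv(buf, i=0):
    """Read one DER element at offset i; return (tag, value, next_offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def modulus_from_pubkey_pem(pem):
    """Return (n, e) from a PEM 'PUBLIC KEY' as written by `openssl rsa -pubout`."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, spki, _ = der_tlv(base64.b64decode(b64))   # SEQUENCE { algorithm, subjectPublicKey }
    _, _alg, off = der_tlv(spki)                   # AlgorithmIdentifier, skipped
    tag, bits, _ = der_tlv(spki, off)              # BIT STRING; first byte = unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsapub, _ = der_tlv(bits[1:])               # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, off = der_tlv(rsapub)
    _, e_bytes, _ = der_tlv(rsapub, off)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# The two consumers. Both layouts are ASSUMPTIONS, not shown in the post:
#   oemkey.h  : #define OEM_PUBK "<hex modulus>"   (the post's `sed s/OEM/DA/` hints at the name)
#   efuse xml : <pub-key-n>hex</pub-key-n>
# Adjust the regexes to your der_extractor output and efuse_MT6761.xml.
def modulus_from_oemkey_h(text):
    m = re.search(r'#define\s+OEM_PUBK\s+"([0-9A-Fa-f]+)"', text)
    if not m:
        raise ValueError("OEM_PUBK not found in oemkey.h (layout assumption may not hold)")
    return int(m.group(1), 16)

def modulus_from_efuse_xml(text):
    m = re.search(r"<pub-key-n>\s*([0-9A-Fa-f]+)\s*</pub-key-n>", text)
    if not m:
        raise ValueError("<pub-key-n> not found in efuse xml (layout assumption may not hold)")
    return int(m.group(1), 16)

def check_root_key(pem, oemkey_h, efuse_xml):
    """Return (ok, report); ok only if PEM, header and XML carry the same 2048-bit modulus."""
    n, e = modulus_from_pubkey_pem(pem)
    report = {
        "bits": n.bit_length(),
        "e": e,
        "oemkey_h_matches": modulus_from_oemkey_h(oemkey_h) == n,
        "efuse_xml_matches": modulus_from_efuse_xml(efuse_xml) == n,
    }
    ok = report["bits"] == 2048 and report["oemkey_h_matches"] and report["efuse_xml_matches"]
    return ok, report

# Constructed sample input. NOT a real key: the modulus is deterministic filler, and the
# DER writer below exists only to produce a syntactically valid PEM for the reader above.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)   # keep the INTEGER positive

def build_pubkey_pem(n, e):
    rsa_oid = bytes.fromhex("2a864886f70d010101")             # 1.2.840.113549.1.1.1 rsaEncryption
    alg = _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
    rsapub = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsapub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

SAMPLE_N = int.from_bytes(b"".join(hashlib.sha256(b"constructed-sample-%d" % i).digest()
                                   for i in range(8)), "big") | (1 << 2047) | 1
SAMPLE_PEM = build_pubkey_pem(SAMPLE_N, 65537)
SAMPLE_OEMKEY_H = '#define OEM_PUBK "%s"\n' % format(SAMPLE_N, "0512X")
SAMPLE_EFUSE_XML = "<efuse><pub-key-n>%s</pub-key-n></efuse>\n" % format(SAMPLE_N, "0512X")
# XML left over from an earlier key-generation run: the failure this check exists to catch
STALE_EFUSE_XML = "<efuse><pub-key-n>%s</pub-key-n></efuse>\n" % format(SAMPLE_N ^ 0x1234, "0512X")

if __name__ == "__main__":
    print("consistent set:", check_root_key(SAMPLE_PEM, SAMPLE_OEMKEY_H, SAMPLE_EFUSE_XML))
    print("stale xml     :", check_root_key(SAMPLE_PEM, SAMPLE_OEMKEY_H, STALE_EFUSE_XML))
```

Replace the SAMPLE_* constants with the contents of the real root_pubk.pem, oemkey.h and efuse_MT6761.xml; the same PEM reader also checks da_pubk.pem against dakey.h once the regex is switched to DA_PUBK. Only burn when the report shows both matches and 2048 bits.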

8. Adding a cmdline flag that shows whether the efuse is enabled

To check whether the efuse was actually enabled, LK can append a kernel cmdline parameter that reports the efuse state:

diff --git a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c

index a97d22599a0..4ed05c4e3bc 100644

--- a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c

+++ b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c

@@ -1733,6 +1733,8 @@ void get_AB_OTA_name(char *part_name, int size)

 }

 #endif /* MTK_AB_OTA_UPDATER */

+extern int efuse_sbc_enabled(void);

+

 int boot_linux_from_storage(void)

 {

        int ret = 0;
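Review bot: `extern int efuse_sbc_enabled(void);` re-declares the function locally in mt_boot.c instead of including the header that defines it, so a mismatch with the real prototype (different return type or parameters) would compile silently and only misbehave at run time. Include the security/efuse header that declares efuse_sbc_enabled() in place of the extern, or at least check this declaration against the definition before merging.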

@@ -1740,10 +1742,8 @@ int boot_linux_from_storage(void)

        uint32_t ramdisk_target_addr = 0;

        uint32_t tags_target_addr = 0;

        uint32_t ramdisk_real_sz = 0;

-#if defined(CFG_NAND_BOOT)

 #define CMDLINE_TMP_CONCAT_SIZE 110

        char cmdline_tmpbuf[CMDLINE_TMP_CONCAT_SIZE];

-#endif

        switch (g_boot_mode) {

        case NORMAL_BOOT:

        case META_BOOT:
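Review bot: the CFG_NAND_BOOT guard around CMDLINE_TMP_CONCAT_SIZE and cmdline_tmpbuf is removed without a comment saying why; the reason is that the androidboot.secureboot append further down uses cmdline_tmpbuf in every build, not only NAND builds, but a reader of this hunk alone just sees a guard vanish. Add a one-line comment above the #define (for example `/* shared by the NAND and androidboot.secureboot cmdline appends */`), and since the #define now lives unconditionally inside the function body, confirm nothing else in mt_boot.c defines CMDLINE_TMP_CONCAT_SIZE under another guard.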

@@ -1760,6 +1760,10 @@ int boot_linux_from_storage(void)

                         NAND_MANF_CMDLINE, nand_flash_man_code, NAND_DEV_CMDLINE, nand_flash_dev_id);

                cmdline_append(cmdline_tmpbuf);

 #endif

+

+               snprintf(cmdline_tmpbuf, CMDLINE_TMP_CONCAT_SIZE, "%s%s", "androidboot.secureboot=", (efuse_sbc_enabled()?"enabled":"disabled"));

+               cmdline_append(cmdline_tmpbuf);

+

                ret = load_vfy_boot(BOOTIMG_TYPE_BOOT, CFG_BOOTIMG_LOAD_ADDR);

                ret = (int)handle_vboot_state(BOOTIMG_TYPE_BOOT);

                if (ret != STATUS_OK)
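Review bot: the append is placed inside the `case NORMAL_BOOT:` / `case META_BOOT:` arm of `switch (g_boot_mode)`, directly before load_vfy_boot(BOOTIMG_TYPE_BOOT, ...), so any other case of that switch that boots a different image will not carry androidboot.secureboot; hoist the two lines above the switch if the flag is meant for every boot mode. The snprintf return value is also unchecked (harmless at this size, "androidboot.secureboot=disabled" is 31 bytes into a 110-byte buffer, but worth a comment), and `"%s%s"` with a literal first argument can simply be `"androidboot.secureboot=%s"`.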

This surfaces as the property ro.boot.secureboot (Android init turns androidboot.* cmdline parameters into ro.boot.*): enabled means the efuse is blown, disabled means it is not. Read it back after flashing with getprop ro.boot.secureboot. Treat it as a bring-up diagnostic only: the value is whatever LK reports, and LK is itself part of the chain the efuse is supposed to anchor.

9. Tools

Tool download:

https://download.csdn.net/download/zhuxc_001/87272156?spm=1001.2014.3001.5501


Copyright notice: this article is an original work of CSDN blogger 「达芬奇放假回家」 and is licensed under CC 4.0 BY-SA; when reposting, include a link to the original and this notice.

Original: https://blog.csdn.net/zhuxc_001/article/details/128228814

© 2024 芯缘异码