[MTK] Notes on the process of enabling Efuse
Digest MediaTek 2023-02-9 Views: 11635
Table of contents
Configuration process for enabling SecureBoot [efuse] on the MTK platform
- Article goal
- Environment
- Kernel configuration
- Certificate generation
- DA file generation
- Signing the images and the DA file
- Flashing efuse and the images
- Adding a cmdline flag that shows whether efuse is enabled
- Tools
1. Article goal
This article records the whole process of enabling SecureBoot [Efuse] on the MTK platform. It mainly covers the configuration steps and the pitfalls encountered; it does not cover how SecureBoot works. I will write a separate article on the principles of SecureBoot later.
2. Environment
platform | project | Android Version |
---|---|---|
MT6761 | xqt551 | Android 12 |
Note: all scripts and configuration below are written for platform=MT6761, project=xqt551. For another platform or project, adjust the scripts accordingly!!!
3. Kernel configuration
Change the following macros:
```makefile
# 1. Path: vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes
MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
# 2. Path: vendor/mediatek/proprietary/bootable/bootloader/lk/project/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes
# 3. Path: path-for-project-kernel/arch/arm/configs/xqt551_debug_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y
# 4. Path: path-for-project-kernel/arch/arm/configs/xqt551_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y
# Note: for another project replace xqt551 with that project; on a 64-bit system replace arm with arm64
```
4. Certificate generation
```bash
#!/bin/bash
# generickey.sh
set -e   # stop on the first failure so keys are never written to the wrong directory
echo "1 Generate root key pair"
cd vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor
# Generate private key command:
echo "1.1 Generate private key command:"
openssl genrsa -out root_prvk.pem 2048
python pem_to_der.py root_prvk.pem root_prvk.der
# Generate public key command:
echo "1.2 Generate public key command:"
openssl rsa -in root_prvk.pem -pubout > root_pubk.pem
python pem_to_der.py root_pubk.pem root_pubk.der
echo "2 image key pair"
echo "2.1 Generate img_prvk command:"
openssl genrsa -out img_prvk.pem 2048
python pem_to_der.py img_prvk.pem img_prvk.der
echo "2.2 Generate img_pubk command:"
openssl rsa -in img_prvk.pem -pubout > img_pubk.pem
python pem_to_der.py img_pubk.pem img_pubk.der
echo "3 DA key pair"
echo "3.1 Generate da_prvk command:"
openssl genrsa -out da_prvk.pem 2048
python pem_to_der.py da_prvk.pem da_prvk.der
echo "3.2 Generate da_pubk command:"
openssl rsa -in da_prvk.pem -pubout > da_pubk.pem
python pem_to_der.py da_pubk.pem da_pubk.der
# der_extractor is the tool binary in this directory
chmod 777 der_extractor
echo "4 Generate oemkey.h"
./der_extractor root_pubk.der oemkey.h ANDROID_SBC
echo "4.1 export oemkey.h"
# mtkbuild -o ./ -x oemkey.h
cp -r oemkey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/
cp -r oemkey.h ../../../bootable/bootloader/lk/target/xqt551/inc/
echo "5 Generate dakey.h"
./der_extractor da_pubk.der dakey.h ANDROID_SBC
# the header is generated with OEM_ names; rename them to DA_ for the DA key
sed -i "s/OEM/DA/g" dakey.h
cp -r dakey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/
```
Copy the script above to the source root and run it; it generates three sets of keys. The script must not be run again once efuse has been flashed, and the generated keys must be backed up!!!
Key set | Generated key files | Purpose |
---|---|---|
root keys | root_prvk.pem (private key, PEM) root_prvk.der (private key, DER) root_pubk.pem (public key, PEM) root_pubk.der (public key, DER) oemkey.h (public key as a hex C header, extracted from root_pubk.der) | This is the root key set, which is burned into efuse. Once burned it cannot be changed, so back it up as soon as it is generated!!! |
img keys | img_prvk.pem (private key, PEM) img_prvk.der (private key, DER) img_pubk.pem (public key, PEM) img_pubk.der (public key, DER) | Used to sign and verify the images |
da keys | da_prvk.pem (private key, PEM) da_prvk.der (private key, DER) da_pubk.pem (public key, PEM) da_pubk.der (public key, DER) dakey.h (public key as a hex C header) | Used to sign and verify the DA file |
5. DA file generation
The DA file contains the information about the partitions to be flashed onto the device. It is generated with the FLASHLIB_DA_EXE(Official)_ALPS tool together with GCC and GnuWin32; download paths are given under Tools. The steps for generating the DA file with this tool are:
- Place GCC under C:\Program Files
- Place GnuWin32 under C:\Program Files (x86) and add it to the environment variables
- Change the GCCDIR path in base.mk. Path of base.mk:
  FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\make\base.mk
  GCCDIR := c:/progra~1/GCC/arm-2015q1/bin (note: on Windows c:/progra~1/ is the short name of C:\Program Files; GCCDIR appears twice, once for the Linux environment and once for Windows)
- Configure the custom partition as one that does not need signing. Config file path:
  FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\DA_BR\sec_policy_config_common.h
  Change the CUST1_IMG_NAME macro to: #define CUST1_IMG_NAME "custom"
- Replace oemkey.h: copy the oemkey.h generated in the source tree to:
  FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\oemkey.h
- Build the unsigned DA file. Working directory:
  FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec
  Run: make BBCHIP=MT6761
  Path of the built DA file:
  FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\bin\MTK_AllInOne_DA.bin
  (Note: check whether any error is reported during the build!!! If the build finishes very quickly, files are most likely missing; re-extract Customization_Kit_buildspec.zip and repeat the steps!!!)
6. Signing the images and the DA file
Copy the generated MTK_AllInOne_DA.bin into the source tree under vendor/mediatek/proprietary/scripts/secure_chip_tools/prebuilt/resignda/
```bash
#!/bin/bash
set -e
# copy keys
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem \
    vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
    vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
    vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
    vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda/epp_prvk.pem
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
    vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
    vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth/epp_prvk.pem
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
    vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth
# generate cert1 and cert2 key
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py mt6761 xqt551 \
    cert1_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
    cert2_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem \
    root_key_padding=pss 2>&1 | tee SecureGen.log
# build images
make clean-preloader
./build.sh xqt551 1 1 1 1 64   # MTK's build script; if it is not present, run make -j64 directly
# sign DA and auth file
cd vendor/mediatek/proprietary/scripts/secure_chip_tools/
python resign_da.py prebuilt/resignda/MTK_AllInOne_DA.bin MT6761 settings/resignda/bbchips_pss.ini all \
    out/resignda/MTK_AllInOne_DA-resing.bin
python toolauth.py -i settings/toolauth/toolauth_key.ini -g settings/toolauth/toolauth_gfh_config_pss.ini \
    out/toolauth/auth_sv5.auth
cd -
# sign images
export MTK_PLATFORM_DIR=mt6761   # replace with your own platform
export MTK_BASE_PROJECT=xqt551   # replace with your own project
# PRODUCT_OUT: replace out/image/dirs with the directory of the built images
PYTHONDONTWRITEBYTECODE=True PRODUCT_OUT=out/image/dirs BOARD_AVB_ENABLE=true \
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/sign_flow.py \
    -env_cfg ./vendor/mediatek/proprietary/scripts/sign-image_v2/env.cfg "mt6761" "xqt551"
```
Running the script above from the source root produces:
vendor/mediatek/proprietary/scripts/secure_chip_tools/out/resignda/MTK_AllInOne_DA-resing.bin: the signed DA file
vendor/mediatek/proprietary/scripts/secure_chip_tools/out/toolauth/auth_sv5.auth: the authentication file
out/image/dirs (the directory of the built images): the signed image files
7. Flashing efuse and the images
Flashing efuse and the images requires the SP_MDT_v5.2228.00.00_exe tool. Download path: see Tools.
- Copy the signed image files into images
- Copy the files from CheckSum_Generate_exe into images and run CheckSum_Gen.exe to generate Checksum.ini
- Copy Checksum.ini into the SP_MDT_v5.2228.00.00_exe directory
- Edit SP_MDT_v5.2228.00.00_exe\Efuse.ini: set Enable to 1 and point EfuseXmlPath at images\efuse_MT6761.xml. After the change the content is:
```ini
; 0 represents disable, 1 represents enable
; DownloadEfuseOneStep: 0 for disable, 1 for enable write efuse in format and download
[EfuseSettings]
Enable = 1
DownloadEfuseOneStep = 0
; EfuseOnly = 0
SettingsEnable = 0
LockEnable = 0
ReadBackEnable = 0
EfuseXmlPath= C:\Users\Administrator\Desktop\MTM1Tools\SP_MDT_TOOL\images\efuse_MT6761.xml
```
- Edit efuse_MT6761.xml: the three paths must correspond to the files in images, and pub-key-n must match the content of oemkey.h
- Scan for the device to prepare flashing: tick BootRom+PreLoader COM, click Sel All, click Scan, click Yes, then power the device off, connect it and power it on again. Once the device is found, click Stop all to stop scanning and get ready to flash.
- Flash efuse
- Flash the images
At this point the efuse configuration and flashing are complete.
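Before the root key is burned, the one check worth automating is that root_pubk.der, the oemkey.h compiled into preloader/LK and the pub-key-n entered in efuse_MT6761.xml all carry the same modulus. The following is an added example, not code from the article or from MTK's tools; it assumes der_extractor writes oemkey.h as `#define OEM_PUBK "\xAA\xBB..."` (256 bytes) and that pub-key-n is the modulus as a hex string, and it builds a constructed sample key so it runs offline.

```python
import re

# Added example, not from the article or MTK: checks that the modulus in oemkey.h and the
# pub-key-n of efuse_MT6761.xml both equal the modulus in root_pubk.der before fusing.
# Assumption: der_extractor writes oemkey.h as `#define OEM_PUBK "\xAA\xBB..."` (256 bytes).
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def modulus_from_spki(der):
    """Return RSA modulus n from a DER SubjectPublicKeyInfo such as root_pubk.der."""
    _, spki, _ = _tlv(der, 0)                       # outer SEQUENCE
    _, alg, pos = _tlv(spki, 0)                     # AlgorithmIdentifier
    if _tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(spki, pos)                  # BIT STRING: first byte = unused bits
    _, rsapub, _ = _tlv(bitstr[1:], 0)              # RSAPublicKey SEQUENCE { n, e }
    return _tlv(rsapub, 0)[1].lstrip(b"\x00")       # INTEGER n without its sign byte

def modulus_from_oemkey_h(text):
    """Parse the OEM_PUBK byte-string literal out of oemkey.h."""
    m = re.search(r'#define\s+OEM_PUBK\s+"((?:\\x[0-9A-Fa-f]{2})+)"', text)
    if not m:
        raise ValueError("OEM_PUBK not found in oemkey.h")
    return bytes.fromhex(m.group(1).replace("\\x", ""))

def keys_match(der, oemkey_text, pubkey_n_hex):
    """True only if DER, oemkey.h and the efuse XML pub-key-n carry the same modulus."""
    n = modulus_from_spki(der)
    return n == modulus_from_oemkey_h(oemkey_text) == bytes.fromhex(pubkey_n_hex)

def _der(tag, value):
    """Tiny DER encoder, used only to build the constructed sample key below."""
    n = len(value)
    hdr = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + hdr + value

# Constructed sample: a 256-byte "modulus" (not a real key) with e = 65537.
SAMPLE_N = bytes([0xC4]) + bytes(range(255))
SAMPLE_DER = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                  + _der(0x03, b"\x00" + _der(0x30, _der(0x02, b"\x00" + SAMPLE_N)
                                                    + _der(0x02, b"\x01\x00\x01"))))
SAMPLE_OEMKEY_H = '#define OEM_PUBK_SZ 256\n#define OEM_PUBK "' + "".join(f"\\x{b:02X}" for b in SAMPLE_N) + '"\n'
if __name__ == "__main__":
    print("oemkey.h and pub-key-n match root_pubk.der:", keys_match(SAMPLE_DER, SAMPLE_OEMKEY_H, SAMPLE_N.hex()))
```

On a real tree, read root_pubk.der and oemkey.h from the der_extractor directory and paste pub-key-n from efuse_MT6761.xml; a False result means the fuse would pin a key that does not match the signing chain.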
8. Adding a cmdline flag that shows whether efuse is enabled
To check whether efuse was enabled successfully, a cmdline entry can be added in lk to indicate the efuse state.
diff --git a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
index a97d22599a0..4ed05c4e3bc 100644
--- a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
+++ b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
@@ -1733,6 +1733,8 @@ void get_AB_OTA_name(char *part_name, int size)
}
#endif /* MTK_AB_OTA_UPDATER */
+extern int efuse_sbc_enabled(void);
+
int boot_linux_from_storage(void)
{
int ret = 0;
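Review bot: the `extern int efuse_sbc_enabled(void);` added at file scope in mt_boot.c is a local prototype; include the header that declares efuse_sbc_enabled() instead, so the compiler checks this call against the real definition and the declaration does not drift if the function's signature changes.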
@@ -1740,10 +1742,8 @@ int boot_linux_from_storage(void)
uint32_t ramdisk_target_addr = 0;
uint32_t tags_target_addr = 0;
uint32_t ramdisk_real_sz = 0;
-#if defined(CFG_NAND_BOOT)
#define CMDLINE_TMP_CONCAT_SIZE 110
char cmdline_tmpbuf[CMDLINE_TMP_CONCAT_SIZE];
-#endif
switch (g_boot_mode) {
case NORMAL_BOOT:
case META_BOOT:
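Review bot: removing the `#if defined(CFG_NAND_BOOT)` guard around `CMDLINE_TMP_CONCAT_SIZE` and `cmdline_tmpbuf` is required, since the new secureboot line uses the buffer on every build, but the `#define` now sits unconditionally inside the function body; moving it to file scope next to the other constants would be cleaner and avoids a function-local macro with no `#undef`.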
@@ -1760,6 +1760,10 @@ int boot_linux_from_storage(void)
NAND_MANF_CMDLINE, nand_flash_man_code, NAND_DEV_CMDLINE, nand_flash_dev_id);
cmdline_append(cmdline_tmpbuf);
#endif
+
+ snprintf(cmdline_tmpbuf, CMDLINE_TMP_CONCAT_SIZE, "%s%s", "androidboot.secureboot=", (efuse_sbc_enabled()?"enabled":"disabled"));
+ cmdline_append(cmdline_tmpbuf);
+
ret = load_vfy_boot(BOOTIMG_TYPE_BOOT, CFG_BOOTIMG_LOAD_ADDR);
ret = (int)handle_vboot_state(BOOTIMG_TYPE_BOOT);
if (ret != STATUS_OK)
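Review bot: the added `snprintf(cmdline_tmpbuf, CMDLINE_TMP_CONCAT_SIZE, "%s%s", "androidboot.secureboot=", ...)` formats two string literals through `%s%s`; `"androidboot.secureboot=%s"` is simpler and the longest result (31 characters, `androidboot.secureboot=disabled`) fits comfortably in the 110-byte buffer. The return value of `cmdline_append()` is ignored, as in the surrounding code. Also worth a comment in the patch: the flag is informational only, since userspace reading `ro.boot.secureboot` learns what LK reported from `efuse_sbc_enabled()`, not an independent measurement of the fuse state.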
This produces the property ro.boot.secureboot: enabled means efuse is on, disabled means efuse is off.
9. Tools
Tool download path:
https://download.csdn.net/download/zhuxc_001/87272156?spm=1001.2014.3001.5501
Copyright notice: this is an original article by CSDN blogger 「达芬奇放假回家」, released under the CC 4.0 BY-SA licence; when reposting, include a link to the original and this notice.
Original link: https://blog.csdn.net/zhuxc_001/article/details/128228814