
Reference document: KBA-161109181347-how_to_enable_secure_boot_step_by_step.pdf.

1. Create a temporary directory tmp:

   mkdir tmp
   cd tmp

2. Copy opensslroot.cfg and v3.ext into tmp; both files are used by the openssl commands below:

   cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/opensslroot.cfg .
   cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/v3.ext .

3. Generate the certificate chain as the document describes (a root CA and an attestation CA signed by it). The -3 flag gives both RSA-2048 keys a public exponent of 3, matching the qc_presigned_certs-key2048_exp3 directory the keys are copied into in step 4:

   openssl genrsa -out oem_rootca.key -3 2048
   openssl req -new -key oem_rootca.key -x509 -out oem_rootca.crt -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM rootca"/CN="OEM ROOT CA" -days 7300 -set_serial 1 -config opensslroot.cfg
   openssl genrsa -out oem_attestca.key -3 2048
   openssl req -new -key oem_attestca.key -out oem_attestca.csr -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM attestation CA"/CN="OEM attestation CA" -days 7300 -config opensslroot.cfg
   openssl x509 -req -in oem_attestca.csr -CA oem_rootca.crt -CAkey oem_rootca.key -out oem_attestca.crt -set_serial 5 -days 7300 -extfile v3.ext
   openssl x509 -in oem_rootca.crt -inform PEM -out oem_rootca.cer -outform DER
   openssl x509 -in oem_attestca.crt -inform PEM -out oem_attestca.cer -outform DER
   mv oem_rootca.key qpsa_rootca.key
   mv oem_attestca.key qpsa_attestca.key
   mv oem_rootca.cer qpsa_rootca.cer
   mv oem_attestca.cer qpsa_attestca.cer
   openssl dgst -sha256 qpsa_rootca.cer
   The hash this last command prints is the SHA-256 of the DER-encoded root certificate. It is needed again in step 5, where it becomes the root_cert_hash fuse value, so keep qpsa_rootca.key safe: after the fuse is burned the device will only accept images that chain to this root.
   SHA256(qpsa_rootca.cer)= 8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838

4. Copy the certificates

Copy the generated qpsa_rootca.key, qpsa_attestca.key, qpsa_rootca.cer and qpsa_attestca.cer into common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3, overwriting the qpsa_* files already there:

cp qpsa_rootca.key qpsa_attestca.key qpsa_rootca.cer qpsa_attestca.cer ~/work/M1503-6.0.1-01610/common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3/

5. Go to the sectools directory, set the hash and enable secure boot:

   cd ~/work/M1503-6.0.1-01610/common/tools/sectools
   Edit config/8909/8909_fuseblower_USER.xml. Four entries are changed, shown below:
   1) <entry ignore="false">
               <description>contains the OEM public key hash as set by OEM</description>
               <name>root_cert_hash</name>
               <value>8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838</value>
        </entry>
   This is the 64-hex-digit (256-bit) SHA-256 value produced at the end of step 3; copy it exactly, because a wrong root_cert_hash is burned permanently.
   2) <entry ignore="false">
             <description>PK Hash is in Fuse for SEC_BOOT1 : Apps</description>
             <name>SEC_BOOT1_PK_Hash_in_Fuse</name>
             <value>true</value>
        </entry>
   3) <entry ignore="false">
            <description>PK Hash is in Fuse for SEC_BOOT2 : MBA</description>
            <name>SEC_BOOT2_PK_Hash_in_Fuse</name>
            <value>true</value>
        </entry>
   4) <entry ignore="false">
            <description>PK Hash is in Fuse for SEC_BOOT3 : MPSS</description>
            <name>SEC_BOOT3_PK_Hash_in_Fuse</name>
            <value>true</value>
        </entry>

6. Generate the sec.dat file:

   python sectools.py fuseblower -e config/8909/8909_fuseblower_OEM.xml -q config/8909/8909_fuseblower_QC.xml -u config/8909/8909_fuseblower_USER.xml -g verbose -vvv
   Use the following command to check that the generated sec.dat matches the XML files:
   python sectools.py fuseblower --oem_config_path=config/8909/8909_fuseblower_OEM.xml --qc_config_path=config/8909/8909_fuseblower_QC.xml --user_config_path=config/8909/8909_fuseblower_USER.xml --secdat=fuseblower_output/v1/sec.dat --validate

7. Sign the images. Every image listed in 8909_secimage.xml must be signed; on the AP side only lk (emmc_appsboot.mbn) needs signing. On the msm8909 platform the images to sign are:

   boot_images/build/ms/bin/8909/emmc/sbl1.mbn
   boot_images/build/ms/bin/8909/emmc/unsigned/prog_emmc_firehose_8909_ddr.mbn
   LINUX/android/out/target/product/msm8909/emmc_appsboot.mbn
   modem_proc/build/ms/bin/8909.gen.prod/mba.mbn
   modem_proc/build/ms/bin/8909.gen.prod/qdsp6sw.mbn
   rpm_proc/build/ms/bin/8909/pm8909/rpm.mbn
   trustzone_images/build/ms/bin/MAZAANAA/tz.mbn
   wcnss_proc/build/ms/bin/SCAQMAZ/reloc/wcnss.mbn
   There are two ways to sign:
   Method one: sign each image individually with python sectools.py secimage -i ~/work/M1503-6.0.1-01610/modem_proc/build/ms/bin/8909.gen.prod/mba.mbn -c config/8909/8909_secimage.xml -sa (shown here for mba.mbn; repeat for every image in the list).
   Method two: sign all images in one run with python sectools.py secimage -m ~/work/M1503-6.0.1-01610 -c ./config/8909/8909_secimage.xml -o ~/sec_output -sa, where -m ~/work/M1503-6.0.1-01610 is the root of the source tree and -o ~/sec_output is the directory the signed images are written to.

8. After signing, put wcnss.mbn, mba.mbn and qdsp6sw.mbn back into their original directories, then run python update_common_info.py under common/build to rebuild the modem partition.

9. Download the signed images to the board with QFIL. Once it boots, flash the sec.dat generated in step 6 to the sec partition with fastboot.

After sec.dat has been burned, QFIL can no longer download to the device. To use QFIL again, the bootloader's device programmer has to be changed so that it no longer forces VIP (validated image programming) when it detects that the secure-boot fuses are blown. For 8994 the modification is the second fh.validation_enabled = FALSE; after the #endif, which overrides the TRUE set by the check:
For 8994: boot_images/core/storage/tools/deviceprogrammer/src/firehose/deviceprogrammer_initialize.c
static void deviceprogrammer_init_hw()
{
<snip>
     fh.validation_enabled = FALSE;

#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
    // This check below is to ensure that only VIP programmer is run on secure boot devices
    // In otherwords, signing the non VIP programmer is highly not recommended
    if( isSecureBootEnabled()==TRUE )
    {
        // To be here means Secure Boot Fuses are blown, therefore must use VIP
        fh.validation_enabled = TRUE;
    }
#endif

     fh.validation_enabled = FALSE;
 
     // These PMIC calls were added to have long key power off to be
<snip>
}

For 8939/8916/8909 the check itself is commented out: boot_images/core/storage/tools/deviceprogrammer_ddr/src/firehose/deviceprogrammer_initialize.c
/* comment out - start
#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
// This check below is to ensure that only VIP programmer is run on secure boot devices
// In otherwords, signing the non VIP programmer is highly not recommended
if (FALSE == isValidationMode() && TRUE == isAuthenticationEnabled()) { strlcat(err_log, "Secure boot detected. VIP not enabled:fail ", sizeof(err_log)); }
#endif
comment out - end */
After the change, rebuild the bootloader, sign the rebuilt programmer image with method one from step 7, replace the earlier image with the signed one, and QFIL can download again. Take the comment in the removed check seriously: Qualcomm does not recommend signing a non-VIP programmer. Once it carries a valid OEM signature, every device fused with this root hash will run it and accept unvalidated images, so keep the signed programmer out of production builds and guard the binary as carefully as the signing key.

Note: once sec.dat is burned, a failed boot means the board is scrap, so make sure the signatures are correct before burning. Qualcomm provides a way to verify the signing by pulling a GPIO high; see 80-NP408-5B-msm8909_msm8609_msm8209_msm8208_apq8009_Digital_Baseband.pdf for details.
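A pre-flight check for the configuration from steps 3 and 5, to run before the sec.dat from step 6 is flashed in step 9. This is an added example, not code from the original post or from Qualcomm's sectools: it recomputes the SHA-256 of the DER root certificate (the value openssl dgst -sha256 qpsa_rootca.cer prints), compares it with root_cert_hash in 8909_fuseblower_USER.xml, and confirms the three SEC_BOOT*_PK_Hash_in_Fuse entries are true and not ignored. The XML fragment and certificate bytes embedded below are constructed stand-ins; the real USER.xml has more entries and its own root element, and only the <entry> layout is assumed. The check does not verify the image signatures themselves.

```python
import hashlib
import xml.etree.ElementTree as ET

# The three fuse flags step 5 sets to true, one per secure-boot stage.
REQUIRED_TRUE = (
    "SEC_BOOT1_PK_Hash_in_Fuse",
    "SEC_BOOT2_PK_Hash_in_Fuse",
    "SEC_BOOT3_PK_Hash_in_Fuse",
)


def root_cert_hash(der_bytes):
    """SHA-256 of the DER root certificate, the value openssl dgst -sha256 prints."""
    return hashlib.sha256(der_bytes).hexdigest()


def load_entries(xml_text):
    """Map each <entry>'s <name> to (value, ignored) for a fuseblower XML."""
    entries = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        name = (entry.findtext("name") or "").strip()
        value = (entry.findtext("value") or "").strip()
        ignored = entry.get("ignore", "false").strip().lower() == "true"
        if name:
            entries[name] = (value, ignored)
    return entries


def preflight(xml_text, der_bytes):
    """Return a list of problems; empty means the XML is consistent with the cert.
    Nothing is written and no fuse is touched."""
    problems = []
    entries = load_entries(xml_text)
    expected = root_cert_hash(der_bytes)

    if "root_cert_hash" not in entries:
        problems.append("root_cert_hash entry missing")
    else:
        value, ignored = entries["root_cert_hash"]
        if ignored:
            problems.append('root_cert_hash has ignore="true": the hash would not be fused')
        if len(value) != 64 or any(c not in "0123456789abcdefABCDEF" for c in value):
            problems.append("root_cert_hash is not 64 hex digits: %r" % value)
        elif value.lower() != expected:
            problems.append("root_cert_hash %s does not match SHA-256 of the root cert %s"
                            % (value, expected))

    for name in REQUIRED_TRUE:
        if name not in entries:
            problems.append("%s entry missing" % name)
            continue
        value, ignored = entries[name]
        if ignored or value.lower() != "true":
            problems.append('%s must be true with ignore="false" (value=%r, ignore=%s)'
                            % (name, value, ignored))
    return problems


# Constructed stand-in for qpsa_rootca.cer; any bytes exercise the hash comparison.
FAKE_ROOT_CER = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"

# Constructed fragment in the <entry> layout of 8909_fuseblower_USER.xml.
USER_XML_TEMPLATE = """<?xml version="1.0"?>
<user_config>
  <entry ignore="{ignore_hash}">
    <description>contains the OEM public key hash as set by OEM</description>
    <name>root_cert_hash</name>
    <value>{root_hash}</value>
  </entry>
  <entry ignore="false">
    <name>SEC_BOOT1_PK_Hash_in_Fuse</name>
    <value>true</value>
  </entry>
  <entry ignore="false">
    <name>SEC_BOOT2_PK_Hash_in_Fuse</name>
    <value>{sec_boot2}</value>
  </entry>
  <entry ignore="false">
    <name>SEC_BOOT3_PK_Hash_in_Fuse</name>
    <value>true</value>
  </entry>
</user_config>
"""


def build_user_xml(root_hash, sec_boot2="true", ignore_hash="false"):
    """Render the constructed USER.xml with the given root hash and flags."""
    return USER_XML_TEMPLATE.format(root_hash=root_hash, sec_boot2=sec_boot2,
                                    ignore_hash=ignore_hash)


if __name__ == "__main__":
    # Real use: preflight(open(xml_path).read(), open(cer_path, "rb").read())
    good = build_user_xml(root_cert_hash(FAKE_ROOT_CER))
    print("matching config:", preflight(good, FAKE_ROOT_CER) or "OK")
    bad = build_user_xml("0" * 64, sec_boot2="false")
    for problem in preflight(bad, FAKE_ROOT_CER):
        print("bad config:", problem)
```

On a real tree, pass the text of config/8909/8909_fuseblower_USER.xml and the bytes of qpsa_rootca.cer to preflight() and refuse to flash sec.dat unless the returned list is empty; the comparison is case-insensitive, so a hash pasted in upper case still passes.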
