MTK platform projects: enabling/disabling secure boot and the system signing flow
Notes kept for reference, based on https://online.mediatek.com/FAQ#/SW/FAQ26691:
How to Enable/Disable Secure Boot for Security 3.0:
1. How to Enable
Preloader
  Path: /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project Name}/{Project Name}.mk
  Enable:
    MTK_SECURITY_SW_SUPPORT=yes
    MTK_SECURITY_ANTI_ROLLBACK=yes
      // Note: this setting turns on anti-rollback
    MTK_SEC_BOOT = ATTR_SBOOT_ENABLE
      // ATTR_SBOOT_ENABLE: always enabled
      // ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP: enabled only if SBC_EN is set
    MTK_SEC_USBDL = ATTR_SUSBDL_ENABLE
      // ATTR_SUSBDL_ENABLE: always enabled
      // ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP: enabled only if SBC_EN is set
lk2
  Path: /vendor/mediatek/proprietary/bootable/bootloader/lk2/project/{Project name}.mk
  Enable:
    MTK_SECURITY_SW_SUPPORT=yes
    MTK_SECURITY_ANTI_ROLLBACK=yes
      // Note: this setting turns on anti-rollback
Kernel
  Path: /kernel-5.10/arch/arm64/configs/{Project Name}_defconfig
        /kernel-5.10/arch/arm64/configs/{Project Name}_debug_defconfig
        (e.g. /kernel-5.10/arch/arm64/configs/k6983v1_64_defconfig)
  Enable:
    CONFIG_MTK_SECURITY_SW_SUPPORT=m
  Path: /device/mediateksample/{PROJECT}/ko_order_table.csv
  Enable: add the following row to ko_order_table.csv:
    sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,Y,Y,user/userdebug/eng
2. How to Disable
Preloader
  Path: /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project Name}/{Project Name}.mk
  Disable:
    MTK_SECURITY_SW_SUPPORT=no
    MTK_SECURITY_ANTI_ROLLBACK=no
    MTK_SEC_BOOT = ATTR_SBOOT_DISABLE
    MTK_SEC_USBDL = ATTR_SUSBDL_DISABLE
lk2
  Path: /vendor/mediatek/proprietary/bootable/bootloader/lk2/project/{Project name}.mk
  Disable:
    MTK_SECURITY_SW_SUPPORT=no
    MTK_SECURITY_ANTI_ROLLBACK=no
Kernel
  Path: /kernel-5.10/arch/arm64/configs/{Project Name}_defconfig
        /kernel-5.10/arch/arm64/configs/{Project Name}_debug_defconfig
        (e.g. /kernel-5.10/arch/arm64/configs/k6983v1_64_defconfig)
  Disable:
    CONFIG_MTK_SECURITY_SW_SUPPORT=n
  Path: /device/mediateksample/{PROJECT}/ko_order_table.csv
  Disable: set the sec.ko row to:
    sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,N,N,user/userdebug/eng
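The five settings above have to agree, otherwise the build ends up with secure boot enforced in one stage and silently off in the next. Added example (not MediaTek code): a checker that parses the preloader and lk2 .mk lines, the defconfig line and the ko_order_table.csv row in the forms shown above and reports which layer disagrees with the rest. The file contents are constructed samples; the two Y/N columns of ko_order_table.csv are compared only against the two rows on this page (Y,Y when enabled, N,N when disabled), their individual meanings are not assumed.

```python
"""Cross-check the secure-boot settings from the enable/disable tables.

Added example, not MediaTek code. The file contents below are constructed
samples in the same line shapes as the .mk, defconfig and ko_order_table.csv
entries on this page.
"""
import csv
import re

# --- constructed samples: the "enable" column ---
PRELOADER_MK_ON = """\
MTK_SECURITY_SW_SUPPORT=yes
MTK_SECURITY_ANTI_ROLLBACK=yes
MTK_SEC_BOOT = ATTR_SBOOT_ENABLE
MTK_SEC_USBDL = ATTR_SUSBDL_ENABLE
"""
LK2_MK_ON = "MTK_SECURITY_SW_SUPPORT=yes\nMTK_SECURITY_ANTI_ROLLBACK=yes\n"
DEFCONFIG_ON = "CONFIG_MTK_SECURITY_SW_SUPPORT=m\n"
KO_TABLE_ON = "sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,Y,Y,user/userdebug/eng\n"

# --- constructed samples: the "disable" column ---
PRELOADER_MK_OFF = """\
MTK_SECURITY_SW_SUPPORT=no
MTK_SECURITY_ANTI_ROLLBACK=no
MTK_SEC_BOOT = ATTR_SBOOT_DISABLE
MTK_SEC_USBDL = ATTR_SUSBDL_DISABLE
"""
LK2_MK_OFF = "MTK_SECURITY_SW_SUPPORT=no\nMTK_SECURITY_ANTI_ROLLBACK=no\n"
DEFCONFIG_OFF = "CONFIG_MTK_SECURITY_SW_SUPPORT=n\n"
KO_TABLE_OFF = "sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,N,N,user/userdebug/eng\n"

_MK_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*[:?+]?=\s*(.*?)\s*$")
_CFG_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_CFG_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")
# MTK_SEC_BOOT values that enforce secure boot (the second one only once SBC_EN is set)
SBOOT_ON = {"ATTR_SBOOT_ENABLE", "ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP"}


def parse_mk(text):
    """KEY = VALUE pairs from a makefile fragment; '#' comments are dropped."""
    out = {}
    for line in text.splitlines():
        m = _MK_LINE.match(line.split("#", 1)[0])
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_defconfig(text):
    """CONFIG_X=y|m|n, with the '# CONFIG_X is not set' spelling normalised to n."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        m = _CFG_SET.match(line)
        if m:
            out[m.group(1)] = m.group(2)
            continue
        m = _CFG_UNSET.match(line)
        if m:
            out[m.group(1)] = "n"
    return out


def parse_ko_table(text):
    """ko_order_table.csv rows keyed by module name, columns as on this page."""
    return {row[0]: row for row in csv.reader(text.splitlines())
            if len(row) >= 6 and row[0].endswith(".ko")}


def check_secure_boot(preloader_mk, lk2_mk, defconfig, ko_table):
    """Return (mode, findings); mode is 'enabled', 'disabled' or 'mixed'."""
    pl, lk = parse_mk(preloader_mk), parse_mk(lk2_mk)
    cfg, ko = parse_defconfig(defconfig), parse_ko_table(ko_table)
    layers = {
        "preloader MTK_SECURITY_SW_SUPPORT": pl.get("MTK_SECURITY_SW_SUPPORT") == "yes",
        "preloader MTK_SEC_BOOT": pl.get("MTK_SEC_BOOT") in SBOOT_ON,
        "lk2 MTK_SECURITY_SW_SUPPORT": lk.get("MTK_SECURITY_SW_SUPPORT") == "yes",
        "kernel CONFIG_MTK_SECURITY_SW_SUPPORT": cfg.get("CONFIG_MTK_SECURITY_SW_SUPPORT") in ("y", "m"),
        "ko_order_table sec.ko": "sec.ko" in ko and ko["sec.ko"][3:5] == ["Y", "Y"],
    }
    on_count = sum(layers.values())
    findings = []
    if on_count == len(layers):
        mode = "enabled"
    elif on_count == 0:
        mode = "disabled"
    else:
        mode = "mixed"
        majority_on = on_count * 2 >= len(layers)
        for name, on in layers.items():
            if on != majority_on:
                findings.append(f"{name} is {'on' if on else 'off'} while most other layers are "
                                f"{'on' if majority_on else 'off'}")
    # anti-rollback without the security SW support it depends on is a misconfiguration
    for name, d in (("preloader", pl), ("lk2", lk)):
        if d.get("MTK_SECURITY_ANTI_ROLLBACK") == "yes" and d.get("MTK_SECURITY_SW_SUPPORT") != "yes":
            findings.append(f"{name}: MTK_SECURITY_ANTI_ROLLBACK=yes without MTK_SECURITY_SW_SUPPORT=yes")
    if pl.get("MTK_SEC_BOOT") == "ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP":
        findings.append("preloader: secure boot is only enforced on parts with SBC_EN set")
    return mode, findings


if __name__ == "__main__":
    print("enable ", check_secure_boot(PRELOADER_MK_ON, LK2_MK_ON, DEFCONFIG_ON, KO_TABLE_ON))
    print("disable", check_secure_boot(PRELOADER_MK_OFF, LK2_MK_OFF, DEFCONFIG_OFF, KO_TABLE_OFF))
```

Run it against the real files by reading each path from the tables above into the four arguments; a "mixed" result names the stage that was left behind after an enable or disable edit.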
How to Enable/Disable Secure Download
1. How to Enable
Security Download
  Path: /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/make_script/mode/DA_BR.mk
  Enable: C_OPTION += -DDA_ENABLE_SECURITY=1
DA Anti-rollback
  Path: the same DA_BR.mk
  Enable: C_OPTION += -DDA_ENABLE_ANTI_ROLLBACK=1
2. How to Disable
Security Download
  Path: /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/make_script/mode/DA_BR.mk
  Disable: remove C_OPTION += -DDA_ENABLE_SECURITY=1
DA Anti-rollback
  Path: the same DA_BR.mk
  Disable: remove C_OPTION += -DDA_ENABLE_ANTI_ROLLBACK=1
Signing flow
Generate the Root key and Img key (requires an OpenSSL installation):
Step1: cd /vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor
Step2: For the Root key: openssl genrsa -out root_prvk.pem 2048
       For the Img key:  openssl genrsa -out img_prvk.pem 2048
Step3: openssl rsa -in root_prvk.pem -pubout > root_pubk.pem
       openssl rsa -in img_prvk.pem -pubout > img_pubk.pem
Step4: python pem_to_der.py root_prvk.pem root_prvk.der
       python pem_to_der.py img_prvk.pem img_prvk.der
Step5: python pem_to_der.py root_pubk.pem root_pubk.der
Step6: Generate oemkey.h for the key configuration:
       chmod 777 der_extractor
       cd to the source tree root
       ./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/der_extractor root_pubk.der oemkey.h ANDROID_SBC
Configure the key used to verify images and the DA:
Replace oemkey.h at the following paths with the oemkey.h generated above:
Preloader
  /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project_Name}/inc/oemkey.h
  /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project_Name}/inc/dakey.h
    Note: dakey.h holds a public key, generated the same way as oemkey.h; the preloader uses it to verify the DA.
lk2
  /vendor/mediatek/proprietary/bootable/bootloader/lk2/target/{Project_Name}/include/oemkey.h
DA
  /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/custom/oemkey.h
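What der_extractor does in Step6 is pull the modulus and public exponent out of root_pubk.der so they can be compiled into the preloader, lk2 and DA as oemkey.h; everything those stages later verify chains back to that embedded key. Added example (not MediaTek's der_extractor or pem_to_der.py): a minimal walk of the DER SubjectPublicKeyInfo that `openssl rsa -pubout` writes, with the matching encoder included so the block runs offline on a constructed 2048-bit value rather than a real key. The header layout it emits (OEM_PUBK, OEM_PUBK_SZ, OEM_PUBK_E) is assumed for illustration; the real oemkey.h fields are defined by MTK's tool and are not on this page.

```python
"""Extract (n, e) from a DER SubjectPublicKeyInfo and emit an oemkey.h-style header.

Added example, not MediaTek's der_extractor. SAMPLE_N is a constructed value,
not a generated RSA modulus, and the header layout is assumed for illustration.
"""

RSA_OID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption, then NULL params
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(b"\xa5" * 256, "big") | 1  # constructed 2048-bit value, top bit set


def der_len(n):
    """DER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """INTEGER; a leading 0x00 keeps a value whose top bit is set positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def spki_from_rsa(n, e):
    """SubjectPublicKeyInfo as written by `openssl rsa -pubout`:
    SEQ { SEQ { OID, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    rsa_pub = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub  # 0 unused bits
    return der_seq(der_seq(RSA_OID), bit_string)


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, got):
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")


def rsa_from_spki(der):
    """Walk SPKI -> AlgorithmIdentifier check -> BIT STRING -> RSAPublicKey; return (n, e)."""
    tag, spki, end = read_tlv(der, 0)
    expect(0x30, tag)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    tag, alg, pos = read_tlv(spki, 0)
    expect(0x30, tag)
    if alg != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)
    expect(0x03, tag)
    if bits[0] != 0:
        raise ValueError("unexpected unused-bit count in BIT STRING")
    tag, rsa_pub, _ = read_tlv(bits, 1)
    expect(0x30, tag)
    tag, n_bytes, pos = read_tlv(rsa_pub, 0)
    expect(0x02, tag)
    tag, e_bytes, _ = read_tlv(rsa_pub, pos)
    expect(0x02, tag)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def oemkey_header(n, e, bits=2048):
    """Assumed header layout: modulus as a fixed-width big-endian byte array plus the exponent."""
    if n.bit_length() > bits:
        raise ValueError("modulus larger than the declared key size")
    mod = n.to_bytes(bits // 8, "big")
    rows = [", ".join(f"0x{b:02x}" for b in mod[i:i + 8]) for i in range(0, len(mod), 8)]
    return ("/* assumed layout, generated from the DER public key */\n"
            f"#define OEM_PUBK_SZ {bits // 8}\n#define OEM_PUBK_E 0x{e:x}\n"
            "static const unsigned char OEM_PUBK[OEM_PUBK_SZ] = {\n    "
            + ",\n    ".join(rows) + "\n};\n")


if __name__ == "__main__":
    der = spki_from_rsa(SAMPLE_N, SAMPLE_E)
    print(oemkey_header(*rsa_from_spki(der)))
```

To run it on a real root_pubk.der from Step5, pass `open("root_pubk.der", "rb").read()` to `rsa_from_spki`; the length checks reject truncated or padded files rather than silently embedding a wrong modulus.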
Regenerate cert1 and cert2 if the key changes
Step1: cd to the source tree root
Step2: python vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py mt6983 cert1_key_path={KEY_PATH}/root_prvk.pem cert2_key_path={KEY_PATH}/img_prvk.pem root_key_padding=pss | tee gen_cert1_cert2_key.log
Step3: Go to /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/mt6983/security/cert_config/ and check that the modification times of cert1 and cert2_key were just updated
Resign all images:
Step1. Check which images are configured for signing in img_list.txt: /vendor/mediatek/proprietary/custom/{platform}/security/cert_config/img_list.txt
Step2. Copy the generated root_prvk.pem and img_prvk.pem private keys over the ones at: /vendor/mediatek/proprietary/scripts/sign-image_v2/hsm_test_keys
Step3. Copy the images to be resigned to: /vendor/mediatek/proprietary/scripts/sign-image_v2/out
Step4. Generate cert1 and cert2; from the source tree root:
       python vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py {Platform} {Project} cert1_key_path={KEY_PATH}/root_prvk.pem cert2_key_path={KEY_PATH}/img_prvk.pem root_key_padding=pss | tee gen_cert1_cert2_key.log
       Go to /vendor/mediatek/proprietary/custom/{platform}/security/cert_config/ and check that the modification times of cert1 and cert2_key were just updated
Step5. cd to the source tree root
Step6. python vendor/mediatek/proprietary/scripts/sign-image_v2/sign_flow.py {Platform} {Project}
3) Resign a single image:
PYTHONDONTWRITEBYTECODE=True python sign_flow.py -env_cfg env.cfg -target lk.img {Platform} {Project} | tee sign_lk.log
4) How to customize signing with a remote security server: see [FAQ26693]: Security 3.0 Sign Tool Usage
Anti-rollback upgrade demo for an MTK platform project (L400):
1. Copy root_prvk.pem and img_prvk.pem from ~/project/SecurityKey/Sign/MTK6765/L400/signimage/keys/ on the signing server to android/vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/ in the local L400 project
2. In the local L400 project, edit pl_content.ini and pl_key.ini under android/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/pbp/ and under android/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/L400/security/chip_config/s/key/, setting sw_ver to the anti-rollback value being upgraded to; for an anti-rollback value of 2, sw_ver = "2"
3. Copy root_prvk.pem and img_prvk.pem from ~/project/SecurityKey/Sign/MTK6765/L400/signimage/pbp/ on the signing server over root_prvk.pem and img_prvk.pem in /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/L400/security/chip_config/s/key/
4.
(1) cd android
(2) source build/envsetup.sh
(3) lunch
(4) full_L400-user
(5) cd vendor/mediatek/proprietary/scripts/sign-image_v2/
(6) python img_key_deploy.py mt6765 L400 cert1_key_path=./der_extractor/root_prvk.pem cert2_key_path=./der_extractor/img_prvk.pem root_key_padding=pss -workspace=../../../../../ | tee deploy.log
5. Build the user variant, then check in the sign_result file that the imgVer INTEGER value is the upgraded value; for an anti-rollback value of 2:
imgVer INTEGER::= 2
6. Use avbtool to read the image's anti-rollback value:
$ sudo ./android/out/soong/host/linux-x86/bin/avbtool info_image --image ./android/out/target/product/L400/boot.img
Rollback Index: 2
7. Boot the device and check whether an IMEI is reported, to confirm that the modem has come up.
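Steps 2, 5 and 6 above put the same number in three places: sw_ver in the .ini files, imgVer in sign_result, and the Rollback Index that avbtool prints for the built image. Added example (not MediaTek or AOSP tooling): a checker that reads the three values from text in the line shapes quoted above, confirms they agree, and compares the result with the rollback index already stored on the device, since verified boot rejects an image whose rollback index is below the stored one and an index equal to it blocks nothing new. The three fragments and the stored index are constructed samples.

```python
"""Check the anti-rollback version across the .ini files, sign_result and avbtool output.

Added example, not MediaTek or AOSP tooling. The fragments below are constructed
to match the lines quoted on this page.
"""
import re

# --- constructed samples, one per place the demo sets or reads the value ---
PL_KEY_INI = 'sw_ver = "2"\n'
SIGN_RESULT = "imgVer INTEGER::= 2\n"
AVBTOOL_INFO = "Rollback Index:           2\n"

_SW_VER = re.compile(r'^\s*sw_ver\s*=\s*"?(\d+)"?\s*$', re.M)
_IMG_VER = re.compile(r"^\s*imgVer\s+INTEGER\s*::=\s*(\d+)\s*$", re.M)
_RB_INDEX = re.compile(r"^\s*Rollback Index:\s*(\d+)\s*$", re.M)


def _one_int(pattern, text, what):
    """Exactly one match is required: a missing or duplicated line is itself a finding."""
    hits = pattern.findall(text)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {what}, found {len(hits)}")
    return int(hits[0])


def read_sw_ver(ini_text):
    return _one_int(_SW_VER, ini_text, "sw_ver")


def read_img_ver(sign_result):
    return _one_int(_IMG_VER, sign_result, "imgVer")


def read_rollback_index(avb_info):
    return _one_int(_RB_INDEX, avb_info, "Rollback Index")


def check_antirollback(ini_text, sign_result, avb_info, device_index):
    """Return (ok, findings). device_index is the rollback index already stored on the
    device (the previous release's value); an image below it is refused at boot."""
    found = {
        "sw_ver": read_sw_ver(ini_text),
        "imgVer": read_img_ver(sign_result),
        "Rollback Index": read_rollback_index(avb_info),
    }
    findings = []
    if len(set(found.values())) != 1:
        findings.append("version mismatch: " + ", ".join(f"{k}={v}" for k, v in found.items()))
        return False, findings
    new_index = found["Rollback Index"]
    if new_index < device_index:
        findings.append(f"image index {new_index} is below the stored index {device_index}: "
                        "the device will refuse to boot it")
        return False, findings
    if new_index == device_index:
        findings.append(f"image index {new_index} equals the stored index: it boots, but builds "
                        f"at {device_index} are still accepted, so nothing is newly blocked")
    return True, findings


if __name__ == "__main__":
    print(check_antirollback(PL_KEY_INI, SIGN_RESULT, AVBTOOL_INFO, device_index=1))
```

Feed it the real pl_key.ini, the sign_result file and the captured `avbtool info_image` output; the stored index comes from the currently flashed release.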