MTK 平台项目security boot 开启/关闭 及 系统签名流程

以 https://online.mediatek.com/FAQ#/SW/FAQ26691 为基础做如下记录以做备忘：

How to Enable/Disable Secure Boot for Security 3.0:

1、 How to Enable

      Path      Enable
Preloader      /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project Name}/{Project Name}.mk     

MTK_SECURITY_SW_SUPPORT=yes

MTK_SECURITY_ANTI_ROLLBACK=yes    

     \\Note:配置该项会打开anti-rollback

MTK_SEC_BOOT = ATTR_SBOOT_ENABLE

     \\ATTR_SBOOT_ENABLE: always enable       

     \\ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP:enable depend on SBC_EN

MTK_SEC_USBDL = ATTR_SUSBDL_ENABLE

    \\ATTR_SUSBDL_ENABLE: always enable）

    \\ ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP: enable depend on SBC_EN
lk2     /vendor/mediatek/proprietary/bootable/bootloader/lk2/project/{Project name}.mk     

MTK_SECURITY_SW_SUPPORT=yes

MTK_SECURITY_ANTI_ROLLBACK=yes 

    \\Note:配置该项会打开anti-rollback
Kernel     

/kernel-5.10/arch/arm64/configs/{Project Name}_defconfig

/kernel-5.10/arch/arm64/configs/{Project Name}_debug_defconfig

   ( e.g.   /kernel-5.10/arch/arm64/configs/k6983v1_64_defconfig)
    

CONFIG_MTK_SECURITY_SW_SUPPORT=m
/device/mediateksample/{PROJECT}/ko_order_table.csv     

在ko_order_table.csv新增如下配置:

sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,Y,Y,user/userdebug/eng

2、 How to Disable:

      Path      Enable
Preloader      /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project Name}/{Project Name}.mk     

MTK_SECURITY_SW_SUPPORT=no

MTK_SECURITY_ANTI_ROLLBACK=no    

MTK_SEC_BOOT = ATTR_SBOOT_DISABLE

MTK_SEC_USBDL = ATTR_SUSBDL_DISABLE
lk2     /vendor/mediatek/proprietary/bootable/bootloader/lk2/project/{Project name}.mk     

MTK_SECURITY_SW_SUPPORT=no

MTK_SECURITY_ANTI_ROLLBACK=no  
Kernel     

/kernel-5.10/arch/arm64/configs/{Project Name}_defconfig/kernel-5.10/arch/arm64/configs/{Project Name}_debug_defconfig   ( e.g.   /kernel-5.10/arch/arm64/configs/k6983v1_64_defconfig) 
    CONFIG_MTK_SECURITY_SW_SUPPORT=n 
/device/mediateksample/{PROJECT}/ko_order_table.csv     sec.ko,/drivers/misc/mediatek/masp/sec.ko,vendor,N,N,user/userdebug/eng

 How to Enable/Disable Secure download

      1、 How to Enable

Features     Path     How to Enable
Security Download     /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/make_script/mode/DA_BR.mk     

C_OPTION += -DDA_ENABLE_SECURITY=1 
DA Anti-rollbck     C_OPTION += -DDA_ENABLE_ANTI_ROLLBACK=1 

      2、How to Disable

Features     Path     How to Enable
Security Download     /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/make_script/mode/DA_BR.mk     

删除:  C_OPTION += -DDA_ENABLE_SECURITY=1 
DA Anti-rollbck     删除: C_OPTION += -DDA_ENABLE_ANTI_ROLLBACK=1 

签名流程

 Generate Root /Img key :   (需要安装openssl 环境)

    Step1:    cd  /vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor 

    Step2:    For Root key:  openssl genrsa -out root_prvk.pem 2048  

                  For Img  key:   openssl genrsa -out img_prvk.pem 2048

    Step3:     openssl rsa -in root_prvk.pem -pubout > root_pubk.pem

                   openssl rsa -in img_prvk.pem -pubout > img_pubk.pem

    Step4:     python pem_to_der.py root_prvk.pem root_prvk.der

                   python pem_to_der.py img_prvk.pem img_prvk.der

    Step5:     python pem_to_der.py root_pubk.pem root_pubk.der

    Step6:    Generate oemkey.h for key config:

                 chmod 777 der_extractor

                 cd 根目录

                 ./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/der_extractor root_pubk.der oemkey.h ANDROID_SBC

config key for verify img/DA:

将前面生成的oemkey.h，替换到如下Path
Preloader     

/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project_Name}/inc/oemkey.h

/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/{Project_Name}/inc/dakey.h     - Note:  dakey.h为Pubk key, 生成方式参考oemkey.h,  用于preloader verify da,
lk2     /vendor/mediatek/proprietary/bootable/bootloader/lk2/target/{Project_Name}/include/oemkey.h
DA     /vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/{Platform}/flash/custom/oemkey.h

regenerate cert1 & cert2 if key change

           Step1:  cd 根目录

           Step2:  python vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py mt6983 cert1_key_path={KEY_PATH}/root_prvk.pem cert2_key_path={KEY_PATH}/img_prvk.pem root_key_padding=pss | tee gen_cert1_cert2_key.log

           Step3:  到path /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/mt6983/security/cert_config/  检查cert1 cert2_key的修改日期是否正确

Resign for all img:

             Step1.     在img_list.txt检查需配置Sign的image:    /vendor/mediatek/proprietary/custom/{platform}/security/cert_config/img_list.txt 

             Step2.    把生成的root_prvk.pem和img_prvk.pem 私钥更新替换到此路径: /vendor/mediatek/proprietary/scripts/sign-image_v2/hsm_test_keys

             Step3.    copy需resign的image到此路径:   /vendor/mediatek/proprietary/scripts/sign-image_v2/out

             Step4.    generate cert1 cert2, cd 根目录:

             python vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py {Platform} {Project} cert1_key_path={KEY_PATH}/root_prvk.pem cert2_key_path={KEY_PATH}/img_prvk.pem root_key_padding=pss | tee gen_cert1_cert2_key.log

             到path /vendor/mediatek/proprietary/custom/{platform}/security/cert_config/  检查cert1 cert2_key的修改日期是否正确

             Step5.    cd 根目录

             Step6.    python vendor/mediatek/proprietary/scripts/sign-image_v2/sign_flow.py { Platform }  { Project }

     3) Resign for single img:

PYTHONDONTWRITEBYTECODE=True python sign_flow.py -env_cfg env.cfg -target lk.img { Platform }  { Project } | tee sign_lk.log

     4) How To Customize Remote Security Server Sign: [FAQ26693]: Security 3.0 Sign Tool Usage

MTK 平台项目（L400） antirollback升级 demo：

1.
从签名服务器~/project/SecurityKey/Sign/MTK6765/L400/signimage/keys/目录下拷贝root_prvk.pem和img_prvk.pem 到本地L400项目android/vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/der_extractor目录下

2.
修改本地L400项目android/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/pbp/目录和android/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/L400/security/chip_config/s/key/目录下的pl_content.ini和pl_key.ini文件，将sw_ver修改为升级的antirollback的值，例如antirollback的值2则为sw_ver = "2"

3.
从签名服务器~/project/SecurityKey/Sign/MTK6765/L400/signimage/pbp/目录下拷贝root_prvk.pem和img_prvk.pem 私钥更新替换路径: /vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/L400/security/chip_config/s/key/下的root_prvk.pem和img_prvk.pem

4.
(1)cd android 
(2)source build/envsetup.sh 
(3)lunch 
(4)full_L400-user
(5)cd vendor/mediatek/proprietary/scripts/sign-image_v2/
(6)python img_key_deploy.py mt6765 L400 cert1_key_path=./der_extractor/root_prvk.pem cert2_key_path=./der_extractor/img_prvk.pem root_key_padding=pss -workspace=../../../../../| tee deploy.log

5.
编译user版本 
查看sign_result文件imgVer INTEGER值是否为升的值
例如antirollback值为2
imgVer INTEGER::= 2

6.
使用avbtool工具查看img的antirollback的值
$sudo ./android/out/soong/host/linux-x86/bin/avbtool info_image --image ./android/out/target/product/L400/boot.img

Rollback Index:     2

7.
开机查看系统imei是否有来判断系统的modem是否起来。