Qualcomm Secure Boot debugging procedure notes

Source: Internet   Editor: 程序博客网   Time: 2024/05/16 04:38
Reference document: KBA-161109181347-how_to_enable_secure_boot_step_by_step.pdf.
1. Create a temporary working directory tmp:
   mkdir tmp
   cd tmp

2. Copy opensslroot.cfg and v3.ext into tmp; both files are used by the commands below:
   cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/opensslroot.cfg .
   cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/v3.ext .

3. Generate the certificate chain as described in the document: an OEM root CA and an attestation CA signed by it, both RSA-2048 with public exponent 3 (which is what the qc_presigned_certs-key2048_exp3 signing profile used in step 4 expects):
   openssl genrsa -out oem_rootca.key -3 2048
   openssl req -new -key oem_rootca.key -x509 -out oem_rootca.crt -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM rootca"/CN="OEM ROOT CA" -days 7300 -set_serial 1 -config opensslroot.cfg
   openssl genrsa -out oem_attestca.key -3 2048
   openssl req -new -key oem_attestca.key -out oem_attestca.csr -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM attestation CA"/CN="OEM attestation CA" -days 7300 -config opensslroot.cfg
   openssl x509 -req -in oem_attestca.csr -CA oem_rootca.crt -CAkey oem_rootca.key -out oem_attestca.crt -set_serial 5 -days 7300 -extfile v3.ext
   openssl x509 -in oem_rootca.crt -inform PEM -out oem_rootca.cer -outform DER
   openssl x509 -in oem_attestca.crt -inform PEM -out oem_attestca.cer -outform DER
   mv oem_rootca.key qpsa_rootca.key
   mv oem_attestca.key qpsa_attestca.key
   mv oem_rootca.cer qpsa_rootca.cer
   mv oem_attestca.cer qpsa_attestca.cer
   openssl dgst -sha256 qpsa_rootca.cer
   The hash printed by the last command is needed later: it is the SHA-256 of the DER-encoded root certificate, and this is the value that ends up in the root-hash fuses:
   SHA256(qpsa_rootca.cer)= 8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838
   Two practical notes: the -3 exponent option of genrsa is deprecated in OpenSSL 3.x (there, generate the key with genpkey and -pkeyopt rsa_keygen_pubexp:3 so the exponent still matches the exp3 profile), and qpsa_rootca.key must be kept offline and backed up, because once its hash is fused the device can only ever boot images signed under that root, and the root cannot be rotated.
4. Copy the generated qpsa_rootca.key, qpsa_attestca.key, qpsa_rootca.cer and qpsa_attestca.cer into the common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3 directory, overwriting the default qpsa_* files there:
cp qpsa_rootca.key qpsa_attestca.key qpsa_rootca.cer qpsa_attestca.cer ~/work/M1503-6.0.1-01610/common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3/
5. Go to the sectools directory, configure the root hash and enable secure boot:
   cd ~/work/M1503-6.0.1-01610/common/tools/sectools
   Edit config/8909/8909_fuseblower_USER.xml; four entries change (they were marked in red in the original post):
   1) <entry ignore="false">
               <description>contains the OEM public key hash as set by OEM</description>
               <name>root_cert_hash</name>
               <value>8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838</value>
        </entry>
   This is the 64-hex-character (256-bit) SHA-256 value produced at the end of step 3. Paste it exactly; a wrong value here means the fused hash will never match the root certificate of the signed images and the device will not boot.
   2) <entry ignore="false">
             <description>PK Hash is in Fuse for SEC_BOOT1 : Apps</description>
             <name>SEC_BOOT1_PK_Hash_in_Fuse</name>
             <value>true</value>
        </entry>
   3) <entry ignore="false">
            <description>PK Hash is in Fuse for SEC_BOOT2 : MBA</description>
            <name>SEC_BOOT2_PK_Hash_in_Fuse</name>
            <value>true</value>
        </entry>
   4) <entry ignore="false">
            <description>PK Hash is in Fuse for SEC_BOOT3 : MPSS</description>
            <name>SEC_BOOT3_PK_Hash_in_Fuse</name>
            <value>true</value>
        </entry>
6. Generate the sec.dat file:
   python sectools.py fuseblower -e config/8909/8909_fuseblower_OEM.xml -q config/8909/8909_fuseblower_QC.xml -u config/8909/8909_fuseblower_USER.xml -g verbose -vvv
   Check that the generated sec.dat matches the XML files with:
   python sectools.py fuseblower --oem_config_path=config/8909/8909_fuseblower_OEM.xml --qc_config_path=config/8909/8909_fuseblower_QC.xml --user_config_path=config/8909/8909_fuseblower_USER.xml --secdat=fuseblower_output/v1/sec.dat --validate
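The --validate run above only checks that sec.dat agrees with the XML; it does not check that the XML agrees with the certificate you actually generated in step 3. The following script is an added example (not from the original post and not part of Qualcomm's sectools) that closes that gap before anything is burned: it recomputes SHA-256 over the DER root certificate, exactly the value openssl dgst printed, compares it with <root_cert_hash> in the USER config, and confirms the three SEC_BOOTn_PK_Hash_in_Fuse flags are true. The <user_config> wrapper element and the FAKE_ROOT_CER bytes are constructed stand-ins for the real fuseblower schema and qpsa_rootca.cer; the parser only relies on the <entry>/<name>/<value> layout shown in step 5 and tolerates XML namespaces.

```python
"""Pre-burn consistency check for the fuseblower USER config.

Added example, not part of Qualcomm sectools: recompute SHA-256 over the DER
root certificate (the value `openssl dgst -sha256 qpsa_rootca.cer` prints),
compare it with <root_cert_hash> in the USER xml, and confirm the three
SEC_BOOTn_PK_Hash_in_Fuse flags are true.
"""
import hashlib
import sys
import xml.etree.ElementTree as ET

SEC_BOOT_FLAGS = (
    "SEC_BOOT1_PK_Hash_in_Fuse",  # Apps
    "SEC_BOOT2_PK_Hash_in_Fuse",  # MBA
    "SEC_BOOT3_PK_Hash_in_Fuse",  # MPSS
)

# Constructed stand-in for qpsa_rootca.cer (a real one is the DER output of
# `openssl x509 ... -outform DER`); only its hash matters for this check.
FAKE_ROOT_CER = bytes(range(256)) * 4


def root_cert_hash(der_bytes):
    """SHA-256 of the DER certificate as lowercase hex; this is what gets fused."""
    return hashlib.sha256(der_bytes).hexdigest()


def _local(tag):
    """Drop any '{namespace}' prefix so namespaced config files parse the same."""
    return tag.rsplit("}", 1)[-1]


def user_config_entries(xml_text):
    """Map <name> -> <value> for every <entry> whose ignore attribute is not true."""
    entries = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "entry" or elem.get("ignore", "false").lower() == "true":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        if "name" in fields and "value" in fields:
            entries[fields["name"]] = fields["value"]
    return entries


def check_fuse_config(xml_text, der_bytes):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    entries = user_config_entries(xml_text)
    expected = root_cert_hash(der_bytes)
    configured = entries.get("root_cert_hash", "").lower()
    if len(configured) != 64 or any(c not in "0123456789abcdef" for c in configured):
        problems.append("root_cert_hash is not a 64-hex-digit SHA-256 value")
    elif configured != expected:
        problems.append("root_cert_hash %s does not match sha256(cert) %s" % (configured, expected))
    for flag in SEC_BOOT_FLAGS:
        if entries.get(flag, "").lower() != "true":
            problems.append("%s is not set to true" % flag)
    return problems


def make_user_config(hash_hex, sec_boot=True):
    """Build a constructed USER config in the <entry>/<name>/<value> layout the
    page shows; the <user_config> wrapper is a placeholder, not the real schema."""
    flag = "true" if sec_boot else "false"
    pairs = [("root_cert_hash", hash_hex)] + [(f, flag) for f in SEC_BOOT_FLAGS]
    body = "".join(
        '<entry ignore="false"><name>%s</name><value>%s</value></entry>' % (n, v)
        for n, v in pairs)
    return "<user_config>%s</user_config>" % body


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real usage: python check_fuse_config.py 8909_fuseblower_USER.xml qpsa_rootca.cer
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as c:
            found = check_fuse_config(f.read(), c.read())
    else:
        # Demo on constructed data: the hash from the page pasted against a
        # different certificate, i.e. the copy/paste mistake the check catches.
        wrong = "8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838"
        found = check_fuse_config(make_user_config(wrong), FAKE_ROOT_CER)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the real files (python check_fuse_config.py config/8909/8909_fuseblower_USER.xml qpsa_rootca.cer) after editing the XML and again right before flashing sec.dat; a non-zero exit means stop. It deliberately checks the fused-hash side only; whether the attestation certificate actually chains to that root is a separate check that openssl verify with oem_rootca.crt as the CA file answers.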
7. Sign the images. Every file named in 8909_secimage.xml must be signed; on the AP side only lk (emmc_appsboot.mbn) needs to be signed. On the msm8909 platform the files to sign are:
   boot_images/build/ms/bin/8909/emmc/sbl1.mbn
   boot_images/build/ms/bin/8909/emmc/unsigned/prog_emmc_firehose_8909_ddr.mbn
   LINUX/android/out/target/product/msm8909/emmc_appsboot.mbn
   modem_proc/build/ms/bin/8909.gen.prod/mba.mbn
   modem_proc/build/ms/bin/8909.gen.prod/qdsp6sw.mbn
   rpm_proc/build/ms/bin/8909/pm8909/rpm.mbn
   trustzone_images/build/ms/bin/MAZAANAA/tz.mbn
   wcnss_proc/build/ms/bin/SCAQMAZ/reloc/wcnss.mbn
   There are two ways to sign:
   Method 1: sign each image individually, for example
   python sectools.py secimage -i ~/work/M1503-6.0.1-01610/modem_proc/build/ms/bin/8909.gen.prod/mba.mbn -c config/8909/8909_secimage.xml -sa
   Method 2: sign all images in one run with
   python sectools.py secimage -m ~/work/M1503-6.0.1-01610 -c ./config/8909/8909_secimage.xml -o ~/sec_output -sa
   where -m ~/work/M1503-6.0.1-01610 is the root of the source tree and -o ~/sec_output is the directory the signed images are written to.
8. After signing, put wcnss.mbn, mba.mbn and qdsp6sw.mbn back into their source directories, then run python update_common_info.py in common/build to regenerate the modem partition image.
9. Flash the signed images to the board with the QFIL tool; once it boots, flash the sec.dat from step 6 to the sec partition with fastboot.

Once sec.dat has been burned, QFIL can no longer download to the device. To use QFIL again the firehose device programmer in the bootloader tree has to be modified (the change is shown below as the post gives it; it removes the check that stops a non-VIP programmer from running on a fused device, which is a deliberate weakening, see the notes after each change):
For 8994: boot_images/core/storage/tools/deviceprogrammer/src/firehose/deviceprogrammer_initialize.c
static void deviceprogrammer_init_hw()
{
<snip>
     fh.validation_enabled = FALSE;

#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
    // This check below is to ensure that only VIP programmer is run on secure boot devices
    // In otherwords, signing the non VIP programmer is highly not recommended
    if( isSecureBootEnabled()==TRUE )
    {
        // To be here means Secure Boot Fuses are blown, therefore must use VIP
        fh.validation_enabled = TRUE;
    }
#endif

+     fh.validation_enabled = FALSE;
 
     // These PMIC calls were added to have long key power off to be
<snip>
}
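Review bot: the `+     fh.validation_enabled = FALSE;` placed after the `#endif` unconditionally cancels the `isSecureBootEnabled()` branch immediately above it, so once this programmer is signed with the OEM attestation chain it accepts unvalidated images on a fused device, which is exactly what the hunk's own comment warns against ("signing the non VIP programmer is highly not recommended"). Because the root hash in the fuses cannot be revoked, that signed binary is a permanent flash-anything bypass for every device trusting the root; if a debug programmer is genuinely needed, leave the check alone and build with the existing SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM define so the decision is visible in the build configuration, sign that build with a test root rather than the production chain, and keep it out of release deliverables. The added line is also redundant with the `fh.validation_enabled = FALSE;` at the top of the function, which already sets the default; its only effect is to override the security check.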

For 8939/8916/8909: boot_images/core/storage/tools/deviceprogrammer_ddr/src/firehose/deviceprogrammer_initialize.c
+/* comment out - start
#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
// This check below is to ensure that only VIP programmer is run on secure boot devices
// In otherwords, signing the non VIP programmer is highly not recommended
if (FALSE == isValidationMode() && TRUE == isAuthenticationEnabled()) { strlcat(err_log, "Secure boot detected. VIP not enabled:fail ", sizeof(err_log)); }
#endif
+ comment out - end */
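Review bot: commenting out the whole `#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM` block removes the only place the DDR device programmer flags `isValidationMode()` being false on an authentication-enabled part as a failure, so a signed copy of this build becomes a reusable secure-boot bypass for any device fused to the OEM root. Prefer defining SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM at build time over editing the source, so the weakened variant cannot be merged or shipped by accident, and sign it only with a test root. Note also that the removed branch merely appended "Secure boot detected. VIP not enabled:fail " to err_log; with it gone there is no diagnostic at all when the programmer is run this way, which makes the bypass harder to notice in the field.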
After the change, rebuild the device programmer, sign it with method 1 from step 7, and replace the previous image with the signed one; QFIL downloads then work again.

Note: once sec.dat is burned, a boot failure bricks the board, so make sure the signatures are correct before burning it. Qualcomm provides a method of pulling a GPIO high to verify that the signatures check out; for details see document 80-NP408-5B-msm8909_msm8609_msm8209_msm8208_apq8009_Digital_Baseband.pdf:
