1. Create a temporary directory tmp:
mkdir tmp
cd tmp
2. Copy opensslroot.cfg and v3.ext into the tmp directory; both files are used by the commands below:
cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/opensslroot.cfg .
cp ~/work/M1503-6.0.1-01610/LINUX/android/vendor/qcom/proprietary/common/scripts/SecImage/resources/openssl/v3.ext .
3. Generate the certificate chain as described in the documentation (the -3 option selects a public exponent of 3, matching the qc_presigned_certs-key2048_exp3 directory used in step 4):
openssl genrsa -out oem_rootca.key -3 2048
openssl req -new -key oem_rootca.key -x509 -out oem_rootca.crt -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM rootca"/CN="OEM ROOT CA" -days 7300 -set_serial 1 -config opensslroot.cfg
openssl genrsa -out oem_attestca.key -3 2048
openssl req -new -key oem_attestca.key -out oem_attestca.csr -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM attestation CA"/CN="OEM attestation CA" -days 7300 -config opensslroot.cfg
openssl x509 -req -in oem_attestca.csr -CA oem_rootca.crt -CAkey oem_rootca.key -out oem_attestca.crt -set_serial 5 -days 7300 -extfile v3.ext
openssl x509 -in oem_rootca.crt -inform PEM -out oem_rootca.cer -outform DER
openssl x509 -in oem_attestca.crt -inform PEM -out oem_attestca.cer -outform DER
mv oem_rootca.key qpsa_rootca.key
mv oem_attestca.key qpsa_attestca.key
mv oem_rootca.cer qpsa_rootca.cer
mv oem_attestca.cer qpsa_attestca.cer
openssl dgst -sha256 qpsa_rootca.cer
The hash printed by this last command is needed later (step 5):
SHA256(qpsa_rootca.cer)= 8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838
4. Copy the generated qpsa_rootca.key, qpsa_attestca.key, qpsa_rootca.cer and qpsa_attestca.cer into the directory common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3:
cp qpsa_rootca.key qpsa_attestca.key qpsa_rootca.cer qpsa_attestca.cer ~/work/M1503-6.0.1-01610/common/tools/sectools/resources/data_prov_assets/Signing/Local/qc_presigned_certs-key2048_exp3/
5. Enter the sectools directory, configure the root certificate hash and enable secure boot:
cd ~/work/M1503-6.0.1-01610/common/tools/sectools
Edit the file config/8909/8909_fuseblower_USER.xml. Four entries are changed (the changed values were highlighted in red in the original guide):
1) <entry ignore="false">
    <description>contains the OEM public key hash as set by OEM</description>
    <name>root_cert_hash</name>
    <value>8ecf3eaa03f772e28479fa2f0bbae2141ccad6f106b384d1c46263edb5b02838</value>
</entry>
This value is the 64-hex-digit SHA-256 hash produced at the end of step 3.
2) <entry ignore="false">
    <description>PK Hash is in Fuse for SEC_BOOT1 : Apps</description>
    <name>SEC_BOOT1_PK_Hash_in_Fuse</name>
    <value>true</value>
</entry>
3) <entry ignore="false">
    <description>PK Hash is in Fuse for SEC_BOOT2 : MBA</description>
    <name>SEC_BOOT2_PK_Hash_in_Fuse</name>
    <value>true</value>
</entry>
4) <entry ignore="false">
    <description>PK Hash is in Fuse for SEC_BOOT3 : MPSS</description>
    <name>SEC_BOOT3_PK_Hash_in_Fuse</name>
    <value>true</value>
</entry>
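Because a wrong root_cert_hash ends up in one-time-programmable fuses, it is worth checking the USER XML against the actual DER root certificate before running fuseblower. The following Python script is an added example and is not part of the original guide or of Qualcomm's sectools: it recomputes the same SHA-256 digest that openssl dgst prints, parses the root_cert_hash and SEC_BOOTn_PK_Hash_in_Fuse entries from the XML, and reports any inconsistency. The certificate bytes, the XML skeleton and the helper names (root_cert_hash, parse_openssl_dgst, read_entries, check_user_config, make_sample_user_xml) are constructed for this example; the real 8909_fuseblower_USER.xml may use a different root element or namespace, which is why the parser matches entries by local tag name only.

```python
"""Preflight check for 8909_fuseblower_USER.xml before generating sec.dat.

Added example, not part of the original guide or of Qualcomm's sectools.
All sample data below is constructed for the example.
"""
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for qpsa_rootca.cer; a real file is DER-encoded X.509.
SAMPLE_ROOT_CER = b"\x30\x82\x01\x00constructed-sample-root-cert-bytes"


def root_cert_hash(der_bytes: bytes) -> str:
    """Same digest that `openssl dgst -sha256 qpsa_rootca.cer` prints (lowercase hex)."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_openssl_dgst(line: str) -> str:
    """Extract the hex digest from an `openssl dgst -sha256 FILE` output line."""
    m = re.fullmatch(r"SHA256\([^)]+\)=\s*([0-9a-fA-F]{64})", line.strip())
    if not m:
        raise ValueError("not an openssl SHA-256 digest line: %r" % line)
    return m.group(1).lower()


def read_entries(xml_text: str) -> dict:
    """Map <name> -> <value> for every <entry> whose ignore attribute is not true.

    Entries are matched by local tag name so a namespaced root element
    (as sectools configs sometimes use) does not break the lookup.
    """
    entries = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "entry":
            continue
        if el.get("ignore", "false").strip().lower() == "true":
            continue
        name = (el.findtext("name") or "").strip()
        value = (el.findtext("value") or "").strip()
        entries[name] = value
    return entries


def check_user_config(xml_text: str, der_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    entries = read_entries(xml_text)
    configured = entries.get("root_cert_hash", "").lower()
    expected = root_cert_hash(der_bytes)
    if not re.fullmatch(r"[0-9a-f]{64}", configured):
        problems.append("root_cert_hash is not a 64-hex-digit SHA-256 value")
    elif configured != expected:
        problems.append("root_cert_hash %s does not match certificate digest %s"
                        % (configured, expected))
    for n in (1, 2, 3):
        key = "SEC_BOOT%d_PK_Hash_in_Fuse" % n
        if entries.get(key, "").lower() != "true":
            problems.append("%s is not set to true" % key)
    return problems


def make_sample_user_xml(hash_hex: str, pk_hash_in_fuse: str = "true") -> str:
    """Constructed USER XML with the four entries the guide modifies."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>', "<user_config>",
             '  <entry ignore="false"><description>contains the OEM public key hash as set by OEM'
             "</description><name>root_cert_hash</name><value>%s</value></entry>" % hash_hex]
    for n, img in ((1, "Apps"), (2, "MBA"), (3, "MPSS")):
        parts.append('  <entry ignore="false"><description>PK Hash is in Fuse for SEC_BOOT%d : %s'
                     "</description><name>SEC_BOOT%d_PK_Hash_in_Fuse</name><value>%s</value></entry>"
                     % (n, img, n, pk_hash_in_fuse))
    parts.append("</user_config>")
    return "\n".join(parts)


if __name__ == "__main__":
    # Usage: python check_fuseblower.py 8909_fuseblower_USER.xml qpsa_rootca.cer
    if len(sys.argv) == 3:
        xml_text = open(sys.argv[1], encoding="utf-8").read()
        der = open(sys.argv[2], "rb").read()
    else:  # no arguments: run against the constructed sample data
        der = SAMPLE_ROOT_CER
        xml_text = make_sample_user_xml(root_cert_hash(der))
    issues = check_user_config(xml_text, der)
    print("OK: USER config matches the root certificate" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it with the real XML and qpsa_rootca.cer as arguments; a non-zero exit means the config should not be fed to fuseblower yet. The check is deliberately strict about the hash format because sectools fills fuse rows directly from this value.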
6. Generate the sec.dat file:
python sectools.py fuseblower -e config/8909/8909_fuseblower_OEM.xml -q config/8909/8909_fuseblower_QC.xml -u config/8909/8909_fuseblower_USER.xml -g verbose -vvv
Use the following command to check that the generated sec.dat matches the XML files:
python sectools.py fuseblower --oem_config_path=config/8909/8909_fuseblower_OEM.xml --qc_config_path=config/8909/8909_fuseblower_QC.xml --user_config_path=config/8909/8909_fuseblower_USER.xml --secdat=fuseblower_output/v1/sec.dat --validate
7. Sign the images. Every file referenced in 8909_secimage.xml needs to be signed; on the AP side only lk needs signing. On the msm8909 platform the files to sign are:
boot_images/build/ms/bin/8909/emmc/sbl1.mbn
boot_images/build/ms/bin/8909/emmc/unsigned/prog_emmc_firehose_8909_ddr.mbn
LINUX/android/out/target/product/msm8909/emmc_appsboot.mbn
modem_proc/build/ms/bin/8909.gen.prod/mba.mbn
modem_proc/build/ms/bin/8909.gen.prod/qdsp6sw.mbn
rpm_proc/build/ms/bin/8909/pm8909/rpm.mbn
trustzone_images/build/ms/bin/MAZAANAA/tz.mbn
wcnss_proc/build/ms/bin/SCAQMAZ/reloc/wcnss.mbn
There are two ways to sign them.
Method one: sign the images one at a time with a command of the form
python sectools.py secimage -i ~/work/M1503-6.0.1-01610/modem_proc/build/ms/bin/8909.gen.prod/mba.mbn -c config/8909/8909_secimage.xml -sa
Method two: sign all images in one run with
python sectools.py secimage -m ~/work/M1503-6.0.1-01610 -c ./config/8909/8909_secimage.xml -o ~/sec_output -sa
where -m ~/work/M1503-6.0.1-01610 specifies the source root directory and -o ~/sec_output specifies where the signed images are written.
8. After signing, put wcnss.mbn, mba.mbn and qdsp6sw.mbn back into their original source directories, then run python update_common_info.py under common/build to update the modem partition.
9. Use the QFIL tool to download the signed images to the board; after it boots, use fastboot to flash the sec.dat generated in step 6 into the sec partition.
Once sec.dat has been burned, QFIL can no longer download to the device. To flash with QFIL again, the bootloader (the device programmer source below) has to be modified; lines marked with + are the additions:
For 8994: boot_images/core/storage/tools/deviceprogrammer/src/firehose/deviceprogrammer_initialize.c
static void deviceprogrammer_init_hw()
{
    <snip>
    fh.validation_enabled = FALSE;
#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
    // This check below is to ensure that only VIP programmer is run on secure boot devices
    // In otherwords, signing the non VIP programmer is highly not recommended
    if( isSecureBootEnabled()==TRUE )
    {
        // To be here means Secure Boot Fuses are blown, therefore must use VIP
        fh.validation_enabled = TRUE;
    }
#endif
+   fh.validation_enabled = FALSE;
    // These PMIC calls were added to have long key power off to be
    <snip>
}
For 8939/8916/8909: boot_images/core/storage/tools/deviceprogrammer_ddr/src/firehose/deviceprogrammer_initialize.c
+/* comment out - start
#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
    // This check below is to ensure that only VIP programmer is run on secure boot devices
    // In otherwords, signing the non VIP programmer is highly not recommended
    if (FALSE == isValidationMode() && TRUE == isAuthenticationEnabled()) {
        strlcat(err_log, "Secure boot detected. VIP not enabled:fail ", sizeof(err_log));
    }
#endif
+ comment out - end */
After the change, rebuild the bootloader, sign the image with method one from step 7, and overwrite the previous image with the signed one; QFIL can then download again. Note that this is exactly the situation Qualcomm's comment in that function describes as highly not recommended: a signed programmer that skips VIP validation on a device whose secure boot fuses are blown.
Note: once sec.dat has been burned, a boot failure makes the board unrecoverable, so make sure the signatures are correct before burning it. Qualcomm provides a method of pulling a GPIO high to verify that the signatures are correct; see the document 80-NP408-5B-msm8909_msm8609_msm8209_msm8208_apq8009_Digital_Baseband.pdf: