MT6735 8.1 Secure Boot Signing

Summary: MT6735 8.1 Secure Boot signing

1. Generate the private key:

vendor/mediatek/proprietary/scripts/sign-image_v2/cert_chain$ openssl genrsa -out root_prvk.pem 2048

vendor/mediatek/proprietary/scripts/sign-image_v2/cert_chain$ python der_extractor/pem_to_der.py root_prvk.pem root_prvk.der

2. Generate the public key:

vendor/mediatek/proprietary/scripts/sign-image_v2/cert_chain$ openssl rsa -in root_prvk.pem -pubout > root_pubk.pem

vendor/mediatek/proprietary/scripts/sign-image_v2/cert_chain$ python der_extractor/pem_to_der.py root_pubk.pem root_pubk.der

3. Copy the private key into the DA key directory:

vendor/mediatek/proprietary/scripts/secure_chip_tools$ cp ../sign-image_v2/cert_chain/root_prvk.pem keys/resignda/da_prvk.pem

vendor/mediatek/proprietary/scripts/secure_chip_tools$ cp ../sign-image_v2/cert_chain/root_prvk.pem keys/resignda/epp_prvk.pem

4. Generate CHIP_TEST_KEY.ini:

vendor/mediatek/proprietary/scripts/secure_chip_tools$ python key_pem_to_ini.py keys/resignda/da_prvk.pem CHIP_TEST_KEY.ini BL_SIGN

5. Generate oemkey.h:

vendor/mediatek/proprietary/scripts/secure_chip_tools$ python key_pem_to_ini.py keys/resignda/da_prvk.pem oemkey.h AND_SBC
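To make clear what steps 1 to 5 actually produce, here is an added example in Python that is not MediaTek's pem_to_der.py or key_pem_to_ini.py and not part of the original document: it strips the PEM armour to DER, parses the PKCS#1 RSAPrivateKey structure that openssl genrsa writes, and renders n and d as the fixed-width hex strings that the private_key_n / private_key_d entries of CHIP_TEST_KEY.ini (and the AUTH_PARAM_N / AUTH_PARAM_D lines later in this document) take. The key is a constructed toy key (n = 61 × 53, e = 65537) so the block runs offline; the function names, the ini entry layout and the hex-width convention are assumptions, not the real tools' output format.

```python
"""Added example: PEM -> DER -> (n, d) as ini-style hex.
Not MediaTek's pem_to_der.py / key_pem_to_ini.py; it shows what such a step
conceptually does. Function names and output layout are assumptions."""
import base64
import re


def pem_to_der(pem_text: str) -> bytes:
    """Drop the -----BEGIN/END ...----- armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes, label: str) -> str:
    """Inverse of pem_to_der (64-character base64 lines, as OpenSSL writes them)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# --- minimal DER: INTEGER and SEQUENCE are all a PKCS#1 RSAPrivateKey needs ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # leading 0x00 keeps the DER integer positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_rsa_private_key(der: bytes) -> dict:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } (RFC 8017)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE; expected a PKCS#1 RSAPrivateKey")
    values, pos = [], 0
    while pos < len(body):
        t, raw, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("unexpected non-INTEGER field in RSAPrivateKey")
        values.append(int.from_bytes(raw, "big"))
    names = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]
    return dict(zip(names, values))


def ini_hex(v: int, width_bytes: int) -> str:
    """Fixed-width upper-case hex, the shape of AUTH_PARAM_N / private_key_n."""
    return "0x" + v.to_bytes(width_bytes, "big").hex().upper()


def extract_ini_params(pem_text: str) -> dict:
    """What a key_pem_to_ini-like step needs: n and d, both padded to the modulus width."""
    key = parse_rsa_private_key(pem_to_der(pem_text))
    width = (key["n"].bit_length() + 7) // 8      # 256 for a real 2048-bit key
    return {"private_key_n": ini_hex(key["n"], width),
            "private_key_d": ini_hex(key["d"], width)}


# Constructed toy key (p=61, q=53, e=65537): far too small for real use, demo only.
_P, _Q, _E = 61, 53, 65537
_N, _D = _P * _Q, 2753                 # 2753 = e^-1 mod (p-1)(q-1); 38 = q^-1 mod p
TOY_DER = der_sequence(*(der_integer(v) for v in
                         (0, _N, _E, _D, _P, _Q, _D % (_P - 1), _D % (_Q - 1), 38)))
TOY_PEM = der_to_pem(TOY_DER, "RSA PRIVATE KEY")

if __name__ == "__main__":
    print(TOY_PEM)
    print(extract_ini_params(TOY_PEM))   # {'private_key_n': '0x0CA1', 'private_key_d': '0x0AC1'}
```

Run against a real root_prvk.pem from step 1 the same parser yields a 256-byte n, which is exactly the OEM_PUBK_SZ the oemkey.h of step 8 declares; keeping n and d padded to that width is what makes the later copy-and-paste into the .ini files unambiguous.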

6. Build the DA:

Copy the generated oemkey.h into QUEUE26142088\FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2016.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6735, then build:

make BBCHIP=MT6735

7. Sign the DA:

Copy MTK_AllInOne_DA.bin from QUEUE26142088\FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2016.00.000\bin\Customization_Kit_buildspec\bin into the following directory (keys/resignda/):

vendor/mediatek/proprietary/scripts/secure_chip_tools$ cp keys/resignda/MTK_AllInOne_DA.bin

Modify bbchips_pss.ini:

diff --git a/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/resignda/bbchips_pss.ini b/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/resignda/bbchips_pss.ini

index 1153673..ba2a1eb 100755

--- a/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/resignda/bbchips_pss.ini

+++ b/vendor/mediatek/proprietary/scripts/secure_chip_tools/settings/resignda/bbchips_pss.ini

@@ -1,5 +1,5 @@

-[MT6755]

-hw_code = 0x6755

+[MT6735]

+hw_code = 0x6735

hw_sub_code = 0x0

hw_ver = 0xca00

sw_ver = 0x0
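Review bot: the hunk renames the section to [MT6735] and sets hw_code = 0x6735, but hw_sub_code, hw_ver = 0xca00 and sw_ver are carried over unchanged from the MT6755 entry; confirm these three values are the ones for the MT6735 chip being signed for rather than the MT6755 values, since resign_da.py selects this entry by the MT6735 name given on the command line and will embed whatever is in it.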

Run the signing script:

vendor/mediatek/proprietary/scripts/secure_chip_tools$ python resign_da.py keys/resignda/MTK_AllInOne_DA.bin MT6735 settings/resignda/bbchips_pss.ini all out/resignda/MTK_AllInOne_DA-resing.bin

The generated signed file is MTK_AllInOne_DA-resing.bin.

8. Modify the system:

8.1 Replace the following file with the generated oemkey.h:

vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h

8.2 Modify the OEM_PUBK data in

vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h:

diff --git a/vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h b/vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h

index 687c2be..45f6920 100644

--- a/vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h

+++ b/vendor/mediatek/proprietary/bootable/bootloader/lk/target/tb8735ap1_64_ztk/inc/oemkey.h

@@ -1,25 +1,20 @@

#ifndef __OEMKEY__

#define __OEMKEY__

-

-/* OEM_PUBK is set as the same as MTEE public key for convenience, but they can be different */

-/* OEM_PUBK will be used to verify oemkeystore, and use oemkeystore to verify images */

#define OEM_PUBK_SZ 256

-

-#define OEM_PUBK          0xDA, 0xCD, 0x8B, 0x5F, 0xDA, 0x8A, 0x76, 0x6F, 0xB7, 0xBC, 0xAA, 0x43, 0xF0, 0xB1, 0x69, 0x15, \

-                          0xCE, 0x7B, 0x47, 0x71, 0x4F, 0x13, 0x95, 0xFD, 0xEB, 0xCF, 0x12, 0xA2, 0xD4, 0x11, 0x55, 0xB0, \

-                          0xFB, 0x58, 0x7A, 0x51, 0xFE, 0xCC, 0xCB, 0x4D, 0xDA, 0x1C, 0x8E, 0x5E, 0xB9, 0xEB, 0x69, 0xB8, \

-                          0x6D, 0xAF, 0x2C, 0x62, 0x0F, 0x6C, 0x27, 0x35, 0x21, 0x5A, 0x5F, 0x22, 0xC0, 0xB6, 0xCE, 0x37, \

-                          0x7A, 0xA0, 0xD0, 0x7E, 0xB3, 0x8E, 0xD3, 0x40, 0xB5, 0x62, 0x9F, 0xC2, 0x89, 0x04, 0x94, 0xB0, \

-                          0x78, 0xA6, 0x3D, 0x6D, 0x07, 0xFD, 0xEA, 0xCD, 0xBE, 0x3E, 0x7F, 0x27, 0xFD, 0xE4, 0xB1, 0x43, \

-                          0xF4, 0x9D, 0xB4, 0x97, 0x14, 0x37, 0xE6, 0xD0, 0x0D, 0x9E, 0x18, 0xB5, 0x6F, 0x02, 0xDA, 0xBE, \

-                          0xB0, 0x00, 0x0B, 0x6E, 0x79, 0x51, 0x6D, 0x0C, 0x80, 0x74, 0xB5, 0xA4, 0x25, 0x69, 0xFD, 0x0D, \

-                          0x91, 0x96, 0x65, 0x5D, 0x2A, 0x40, 0x30, 0xD4, 0x2D, 0xFE, 0x05, 0xE9, 0xF6, 0x48, 0x83, 0xE6, \

-                          0xD5, 0xF7, 0x9A, 0x5B, 0xFA, 0x3E, 0x70, 0x14, 0xC9, 0xA6, 0x28, 0x53, 0xDC, 0x1F, 0x21, 0xD5, \

-                          0xD6, 0x26, 0xF4, 0xD0, 0x84, 0x6D, 0xB1, 0x64, 0x52, 0x18, 0x7D, 0xD7, 0x76, 0xE8, 0x88, 0x6B, \

-                          0x48, 0xC2, 0x10, 0xC9, 0xE2, 0x08, 0x05, 0x9E, 0x7C, 0xAF, 0xC9, 0x97, 0xFD, 0x2C, 0xA2, 0x10, \

-                          0x77, 0x5C, 0x1A, 0x5D, 0x9A, 0xA2, 0x61, 0x25, 0x2F, 0xB9, 0x75, 0x26, 0x8D, 0x97, 0x0C, 0x62, \

-                          0x73, 0x38, 0x71, 0xD5, 0x78, 0x14, 0x09, 0x8A, 0x45, 0x3D, 0xF9, 0x2B, 0xC6, 0xCA, 0x19, 0x02, \

-                          0x5C, 0xD9, 0xD4, 0x30, 0xF0, 0x2E, 0xE4, 0x6F, 0x80, 0xDE, 0x6C, 0x63, 0xEA, 0x80, 0x2B, 0xEF, \

-                          0x90, 0x67, 0x3A, 0xAC, 0x4C, 0x66, 0x67, 0xF2, 0x88, 0x3F, 0xB4, 0x50, 0x1F, 0xA7, 0x74, 0x55

-

-#endif /* __OEMKEY__ */

+#define OEM_PUBK  0xC9, 0xD8, 0xE9, 0xA4, 0x6E, 0xAB, 0x6D, 0x7B, 0x18, 0x83, 0x36, 0x8C, 0x81, 0xE2, 0x81, 0xB6, \

+                  0x0B, 0x07, 0x37, 0xB1, 0x1E, 0xA3, 0xB9, 0x3B, 0x69, 0xA7, 0x41, 0x20, 0x59, 0xFB, 0xDD, 0xB0, \

+                  0x30, 0xBA, 0x52, 0x1F, 0xC6, 0xCE, 0x37, 0xDF, 0xE8, 0xDD, 0x17, 0x8A, 0xA1, 0x6D, 0x70, 0xBD, \

+                  0xFB, 0x89, 0x17, 0x77, 0x4A, 0x46, 0xE9, 0x2F, 0x0C, 0x81, 0x6C, 0xB5, 0x07, 0x49, 0x59, 0xFD, \

+                  0x92, 0xC0, 0x27, 0x9B, 0x6A, 0x33, 0x75, 0x7F, 0xFE, 0x6B, 0x93, 0xB4, 0x20, 0xB4, 0xBB, 0x3B, \

+                  0xFB, 0x8E, 0x6D, 0x56, 0xBC, 0x6F, 0x04, 0x5E, 0xDA, 0xF9, 0x54, 0x9D, 0xC3, 0x83, 0x3C, 0xF1, \

+                  0xF4, 0xDF, 0x61, 0x85, 0x0D, 0xA8, 0x63, 0x6E, 0x8B, 0xAF, 0xDD, 0x83, 0xCD, 0xEC, 0x17, 0x78, \

+                  0x4A, 0xC9, 0x79, 0x86, 0x5A, 0x9A, 0x7B, 0xF3, 0xD4, 0x5F, 0x76, 0xE7, 0xEB, 0xC4, 0x34, 0x46, \

+                  0xF6, 0xC7, 0x59, 0x75, 0xC1, 0xEA, 0x67, 0x22, 0xD3, 0x77, 0xBD, 0x30, 0x90, 0xED, 0xE1, 0xAD, \

+                  0xCF, 0x3E, 0x74, 0x9F, 0x5C, 0x8E, 0x3B, 0x16, 0x50, 0x7F, 0xF0, 0x50, 0x3C, 0xDB, 0x57, 0x50, \

+                  0x33, 0x5A, 0x55, 0xFD, 0x6B, 0x67, 0x97, 0xDB, 0xCB, 0x99, 0xA0, 0x81, 0xE5, 0x37, 0x1A, 0x88, \

+                  0xD8, 0xAC, 0x51, 0x19, 0x7D, 0x67, 0x2D, 0xE1, 0x60, 0x6D, 0x4A, 0xEA, 0x96, 0x6D, 0x1F, 0xF1, \

+                  0x78, 0x64, 0x47, 0xF2, 0xEF, 0xB8, 0x34, 0x5C, 0x70, 0x7B, 0x45, 0x23, 0xF1, 0x3F, 0x90, 0x44, \

+                  0xF1, 0x9C, 0xDC, 0x2B, 0x70, 0x02, 0x48, 0x8F, 0x8A, 0x5C, 0x80, 0x4F, 0x11, 0x72, 0xB7, 0xC6, \

+                  0xAD, 0xD8, 0x16, 0xB8, 0xC9, 0xC3, 0x15, 0x6B, 0xDA, 0x16, 0x1C, 0x70, 0xAB, 0xE9, 0x6F, 0x74, \

+                  0x7F, 0x2E, 0x7F, 0xAF, 0x59, 0x7C, 0xFD, 0x0D, 0x73, 0x65, 0x03, 0xB4, 0x74, 0xF0, 0x24, 0x23

+#endif /* __OEM_KEY__ */
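Review bot: the new closing line `#endif /* __OEM_KEY__ */` no longer matches the guard opened by `#ifndef __OEMKEY__` at the top of the hunk; restore the comment to `/* __OEMKEY__ */` so the guard reads consistently. The hunk also drops the two comment lines explaining that OEM_PUBK verifies the oemkeystore, which in turn verifies the images; a 256-byte literal carries no such explanation on its own, so keep those comments (and the blank lines) when replacing only the bytes.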

8.3 Replace both of the following files with the generated CHIP_TEST_KEY.ini:

vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/chip_config/s/key/CHIP_TEST_KEY.ini and

vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/chip_config/s/key/CHIP_TEST_KEY.ini

8.4 Replace the AUTH_PARAM_D and AUTH_PARAM_N values in VERIFIED_BOOT_IMG_AUTH_KEY.ini with the private_key_d and private_key_n values from the generated CHIP_TEST_KEY.ini respectively; pay attention to the data format (a single contiguous hex string with a 0x prefix). For example:

8.4.1 Modify

vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini:

zhoutao@byteflyer:~/mediatek/m20_sdk_8.1/mt8735_sdk_8.1$ git diff vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

diff --git a/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini b/vendor/mediatek/proprietary/bootable/bootloader/preloade

index 7710291..07b27d9 100755

--- a/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

+++ b/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

@@ -18,5 +18,5 @@ PROT_OPTION  = 0x02

#DEC_PARAM    = 0x03a39c05524d9d7b4f373293e550d6fd25d4235fae67a79d7447a7b5d05cd4fe

# Authentication Parameter (N, D) for RSA2048 (E=65537, 0x10001)

-AUTH_PARAM_N = 0xDACD8B5FDA8A766FB7BCAA43F0B16915CE7B47714F1395FDEBCF12A2D41155B0FB587A51FECCCB4DDA1C8E5EB9EB69B86DAF2C620F6C2735215A5F22C0B6CE377AA0D07EB38ED340B5629FC2890494B078A63D6D07FDEACDBE3E7F27FD

-AUTH_PARAM_D = 0x8BC9B1F7A559BCDD1717F3F7BFF8B858743892A6338D21D0BE2CE78D1BCB8F61A8D31822F694C476929897E4B10753DDBE45A2276C0EFEE594CF75E47016DA9CDB3D8EB6C3E4C5D69B8BCCE1AE443CF299C22B905300C85875E8DBB823

+AUTH_PARAM_N = 0xC9D8E9A46EAB6D7B1883368C81E281B60B0737B11EA3B93B69A7412059FBDDB030BA521FC6CE37DFE8DD178AA16D70BDFB8917774A46E92F0C816CB5074959FD92C0279B6A33757FFE6B93B420B4BB3BFB8E6D56BC6F045EDAF9549DC3

+AUTH_PARAM_D = 0x3FAD49901145CD850EE79E16D786E08AD091D754EE28927016D5A7EB0FD83048BC269B6FE0E4FFA588ADEF1651F4D7A367AE09141DFF9EE2B3DC44B21B795D856C7D68415450A599DA668FB33CBA277335D9E9CE7A25BFC838E67D7643
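Review bot: AUTH_PARAM_D is the RSA private exponent, and this hunk commits it to a tracked file (index 7710291..07b27d9) next to the modulus; a production signing key should not live in the source tree, so either keep this file out of version control or make clear that it holds test key material only. The values as shown here are also shorter than the 512 hex digits a 2048-bit N and D require, so verify that the complete strings were pasted into the file; the leading bytes of the new AUTH_PARAM_N (C9 D8 E9 A4 6E AB ...) do match the new OEM_PUBK in oemkey.h, which is the consistency step 8.4 asks for.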

8.4.2 Modify

vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini:

zhoutao@byteflyer:~/mediatek/m20_sdk_8.1/mt8735_sdk_8.1$ git diff  vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

diff --git a/vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini b/vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_

index 7710291..07b27d9 100644

--- a/vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

+++ b/vendor/mediatek/proprietary/custom/tb8735ap1_64_ztk/security/image_auth/VERIFIED_BOOT_IMG_AUTH_KEY.ini

@@ -18,5 +18,5 @@ PROT_OPTION  = 0x02

#DEC_PARAM    = 0x03a39c05524d9d7b4f373293e550d6fd25d4235fae67a79d7447a7b5d05cd4fe

# Authentication Parameter (N, D) for RSA2048 (E=65537, 0x10001)

-AUTH_PARAM_N = 0xDACD8B5FDA8A766FB7BCAA43F0B16915CE7B47714F1395FDEBCF12A2D41155B0FB587A51FECCCB4DDA1C8E5EB9EB69B86DAF2C620F6C2735215A5F22C0B6CE377AA0D07EB38ED340B5629FC2890494B078A63D6D07FDEACDBE3E7F27FD

-AUTH_PARAM_D = 0x8BC9B1F7A559BCDD1717F3F7BFF8B858743892A6338D21D0BE2CE78D1BCB8F61A8D31822F694C476929897E4B10753DDBE45A2276C0EFEE594CF75E47016DA9CDB3D8EB6C3E4C5D69B8BCCE1AE443CF299C22B905300C85875E8DBB823

+AUTH_PARAM_N = 0xC9D8E9A46EAB6D7B1883368C81E281B60B0737B11EA3B93B69A7412059FBDDB030BA521FC6CE37DFE8DD178AA16D70BDFB8917774A46E92F0C816CB5074959FD92C0279B6A33757FFE6B93B420B4BB3BFB8E6D56BC6F045EDAF9549DC3

+AUTH_PARAM_D = 0x3FAD49901145CD850EE79E16D786E08AD091D754EE28927016D5A7EB0FD83048BC269B6FE0E4FFA588ADEF1651F4D7A367AE09141DFF9EE2B3DC44B21B795D856C7D68415450A599DA668FB33CBA277335D9E9CE7A25BFC838E67D7643
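Review bot: this hunk is byte-for-byte the same edit as the preloader copy (same index 7710291..07b27d9 and identical +/- lines), so the two VERIFIED_BOOT_IMG_AUTH_KEY.ini files are duplicated key material that must be changed in lockstep; generate both from CHIP_TEST_KEY.ini in one step, or have the build copy one into the other, rather than editing each by hand. As with the preloader copy, AUTH_PARAM_D is the private exponent committed to a tracked file.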
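Step 8.4's "pay attention to the data format" is where mistakes creep in: oemkey.h wants the modulus as a comma-separated list of 0x-prefixed bytes, VERIFIED_BOOT_IMG_AUTH_KEY.ini wants one contiguous hex string, and both must describe the same 256-byte N. The following added example (not MediaTek code and not part of the original document; the function names are assumptions) converts between the two shapes and checks that a given OEM_PUBK and AUTH_PARAM_N agree in content and in length. The sample input is the first 16 bytes of the OEM_PUBK and AUTH_PARAM_N shown above, labelled as truncated, so the length check is expected to report both as too short.

```python
"""Added example: convert between the oemkey.h byte list and the .ini hex string
and cross-check them. Not MediaTek code; function names are assumptions."""
import re

OEM_PUBK_SZ = 256   # bytes in a 2048-bit modulus, matching OEM_PUBK_SZ in oemkey.h


def parse_c_byte_list(text: str) -> bytes:
    """Collect the 0xNN tokens of an OEM_PUBK define; the '#define OEM_PUBK' prefix,
    commas, spaces and trailing backslash continuations are ignored."""
    return bytes(int(t, 16) for t in re.findall(r"\b0x([0-9A-Fa-f]{2})\b", text))


def parse_ini_hex(value: str) -> bytes:
    """Parse an AUTH_PARAM_N-style value: optional 0x prefix, one contiguous hex string."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    if len(v) % 2:
        raise ValueError("odd number of hex digits: a nibble was dropped while pasting")
    return bytes.fromhex(v)


def modulus_to_c_define(n: bytes, per_line: int = 16) -> str:
    """Render bytes in the oemkey.h layout: 16 bytes per line, ', \\' continuations."""
    head = "#define OEM_PUBK  "
    rows = [", ".join(f"0x{b:02X}" for b in n[i:i + per_line])
            for i in range(0, len(n), per_line)]
    return head + (", \\\n" + " " * len(head)).join(rows)


def modulus_to_ini(n: bytes) -> str:
    """Render bytes as the single hex string the .ini file expects."""
    return "0x" + n.hex().upper()


def check_key_material(oem_pubk_text: str, auth_param_n: str,
                       expected_size: int = OEM_PUBK_SZ) -> list:
    """Return a list of problems; an empty list means both carry the same full modulus."""
    c, i = parse_c_byte_list(oem_pubk_text), parse_ini_hex(auth_param_n)
    problems = []
    if c != i:
        first = next((k for k, (a, b) in enumerate(zip(c, i)) if a != b),
                     min(len(c), len(i)))
        problems.append(f"OEM_PUBK and AUTH_PARAM_N differ from byte {first}")
    for name, blob in (("OEM_PUBK", c), ("AUTH_PARAM_N", i)):
        if len(blob) != expected_size:
            problems.append(f"{name} has {len(blob)} bytes, expected {expected_size}")
    return problems


# Sample input: the first 16 bytes of the OEM_PUBK / AUTH_PARAM_N shown in this document,
# deliberately truncated, so the size check reports both values as too short.
PAGE_OEM_PUBK_LINE1 = ("#define OEM_PUBK  0xC9, 0xD8, 0xE9, 0xA4, 0x6E, 0xAB, 0x6D, 0x7B, "
                       "0x18, 0x83, 0x36, 0x8C, 0x81, 0xE2, 0x81, 0xB6, \\")
PAGE_AUTH_PARAM_N_PREFIX = "0xC9D8E9A46EAB6D7B1883368C81E281B6"

if __name__ == "__main__":
    for p in check_key_material(PAGE_OEM_PUBK_LINE1, PAGE_AUTH_PARAM_N_PREFIX):
        print("problem:", p)
    print(modulus_to_c_define(parse_ini_hex(PAGE_AUTH_PARAM_N_PREFIX)))
```

On the real files, feed the whole OEM_PUBK define (all 16 lines) and the full AUTH_PARAM_N value; with the default expected_size of 256 the check returns an empty list only when the two files carry the same complete modulus, which is the condition the LK and preloader verification paths both depend on.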

9. Enable verification by applying the following changes:

9.1 Preloader

zhoutao@byteflyer:~/mediatek/m20_sdk_8.1/mt8735_sdk_8.1$ git diff vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/tb8735ap1_64_ztk.mk

diff --git a/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/tb8735ap1_64_ztk.mk b/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/tb873

index 4820e11..e13a926 100755

--- a/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/tb8735ap1_64_ztk.mk

+++ b/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tb8735ap1_64_ztk/tb8735ap1_64_ztk.mk

@@ -3,8 +3,10 @@ TARGET=tb8735ap1_64_ztk

MTK_PLATFORM=MT6735

MACH_TYPE=mt6737t

MTK_SEC_CHIP_SUPPORT=yes

-MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP

-MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP

+#MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP

+#MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP

+MTK_SEC_BOOT=ATTR_SBOOT_ENABLE

+MTK_SEC_USBDL=ATTR_SUSBDL_ENABLE

MTK_SEC_MODEM_AUTH=no

MTK_SEC_SECRO_AC_SUPPORT=yes

# Platform
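Review bot: replacing MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP with ATTR_SBOOT_ENABLE (and likewise for MTK_SEC_USBDL) drops the ONLY_ENABLE_ON_SCHIP qualifier, so, judging by the attribute names, the preloader now enforces secure boot and secure USB download on every chip rather than only on a secured one; that is the stated intent of step 9, but it means every image flashed after this preloader must already be signed with the new key or the board will not boot, so flash the signed images together with it. The two commented-out lines kept above the new assignments are dead configuration and should be deleted rather than left in.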

9.2 Kernel

zhoutao@byteflyer:~/mediatek/m20_sdk_8.1/mt8735_sdk_8.1$ git diff  kernel-3.18/arch/arm64/configs/tb8735ap1_64_ztk_defconfig

diff --git a/kernel-3.18/arch/arm64/configs/tb8735ap1_64_ztk_defconfig b/kernel-3.18/arch/arm64/configs/tb8735ap1_64_ztk_defconfig

index 81b0269..cb1bd43 100755

--- a/kernel-3.18/arch/arm64/configs/tb8735ap1_64_ztk_defconfig

+++ b/kernel-3.18/arch/arm64/configs/tb8735ap1_64_ztk_defconfig

@@ -32,6 +32,7 @@ CONFIG_PREEMPT=y

# CONFIG_BOUNCE is not set

CONFIG_ZSMALLOC=y

CONFIG_SECCOMP=y

+CONFIG_MTK_SECURITY_SW_SUPPORT = y

CONFIG_ARMV8_DEPRECATED=y

CONFIG_SWP_EMULATION=y

CONFIG_CP15_BARRIER_EMULATION=y
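Review bot: the added line `CONFIG_MTK_SECURITY_SW_SUPPORT = y` has spaces around `=`, while every other line in the hunk uses the `CONFIG_X=y` form; the defconfig reader splits on `=` without trimming, so the symbol name does not resolve and the option is reported as unknown and left unset. Write it as `CONFIG_MTK_SECURITY_SW_SUPPORT=y` and confirm it appears in the generated .config.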
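Step 9 flips two preloader settings from "only on a secured chip" to "always on" and adds one kernel option, and a stray character in either file is easy to miss in a diff. The following added example (not MediaTek's or this document's own code; the parser and function names are assumptions, and reading the ATTR_*_ENABLE names as unconditional enforcement versus ATTR_*_ONLY_ENABLE_ON_SCHIP as conditional is taken from the names themselves) parses the .mk assignments the way make does, reports whether secure boot and secure USB download are set to the unconditional values, and flags defconfig lines that break the strict CONFIG_X=value form, which catches the `CONFIG_MTK_SECURITY_SW_SUPPORT = y` line in the kernel hunk above. The sample texts are constructed from the two hunks.

```python
"""Added example: sanity-check the step-9 build settings. Not MediaTek code;
names are assumptions and the sample texts are constructed from the hunks above."""
import re

_MK_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:?+]?=\s*(.*?)\s*$")
_DEFCONFIG_OK = re.compile(r"^CONFIG_[A-Za-z0-9_]+=\S.*$")


def parse_make_vars(mk_text: str) -> dict:
    """Uncommented NAME=VALUE lines; a later assignment wins, as in make."""
    result = {}
    for line in mk_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _MK_ASSIGN.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def secure_boot_enforced(mk_text: str) -> bool:
    """True when both attributes hold the unconditional *_ENABLE values of step 9."""
    v = parse_make_vars(mk_text)
    return (v.get("MTK_SEC_BOOT") == "ATTR_SBOOT_ENABLE"
            and v.get("MTK_SEC_USBDL") == "ATTR_SUSBDL_ENABLE")


def malformed_defconfig_lines(defconfig_text: str) -> list:
    """(line number, text) for CONFIG_ lines not in the strict CONFIG_X=value form;
    '# CONFIG_X is not set' comments are left alone."""
    bad = []
    for no, line in enumerate(defconfig_text.splitlines(), 1):
        if line.startswith("CONFIG_") and not _DEFCONFIG_OK.match(line):
            bad.append((no, line))
    return bad


# Constructed from the tb8735ap1_64_ztk.mk hunk, before and after the change.
MK_BEFORE = """\
MTK_PLATFORM=MT6735
MACH_TYPE=mt6737t
MTK_SEC_CHIP_SUPPORT=yes
MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_MODEM_AUTH=no
"""
MK_AFTER = """\
MTK_PLATFORM=MT6735
MACH_TYPE=mt6737t
MTK_SEC_CHIP_SUPPORT=yes
#MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
#MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_BOOT=ATTR_SBOOT_ENABLE
MTK_SEC_USBDL=ATTR_SUSBDL_ENABLE
MTK_SEC_MODEM_AUTH=no
"""

# Constructed from the defconfig hunk, including its mis-typed line.
DEFCONFIG_AFTER = """\
# CONFIG_BOUNCE is not set
CONFIG_ZSMALLOC=y
CONFIG_SECCOMP=y
CONFIG_MTK_SECURITY_SW_SUPPORT = y
CONFIG_ARMV8_DEPRECATED=y
"""

if __name__ == "__main__":
    print("before:", secure_boot_enforced(MK_BEFORE))   # False
    print("after: ", secure_boot_enforced(MK_AFTER))    # True
    for no, line in malformed_defconfig_lines(DEFCONFIG_AFTER):
        print(f"defconfig line {no} is malformed: {line!r}")
```

Pointing the two functions at the real tb8735ap1_64_ztk.mk and tb8735ap1_64_ztk_defconfig after the patch is a cheap pre-build check that the verification switches are actually on and that no option was silently dropped by the config parser.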

10. Sign the images:

mt8735_sdk_8.1$ ./vendor/mediatek/proprietary/scripts/sign-image/sign_image.sh

11. References:

FLASHLIB_DA_EXE(Official)_ALPS

Secure_boot_guide.pdf

This document gives the detailed steps for Secure Boot 2.0 signing on MT6735 with Android 8.1: generating the private and public keys, copying the private key, generating the configuration files, building the DA, signing the DA, modifying the system, enabling verification, and signing the images.
