前言
Android 原生默认每次编译使用自动生成在out目录的 pem和x509文件签名,由于种种原因我们可能需要使用固定的key给ko做签名,经过研究发现如果要使用固定的key来签名,需要做一下修改
1.拷贝已经自动生成的key到 kernel 目录
可以参考下面的命令
cp out/target/product/msmnile_gvmq/obj/kernel/msm-4.14/certs/signing_key.pem kernel/msm-4.14/certs/signing_key_lee.pem
cp out/target/product/msmnile_gvmq/obj/kernel/msm-4.14/certs/signing_key.x509 kernel/msm-4.14/certs/signing_key_lee.x509
2.修改AndroidKernelModule.mk
文件路径在:device/qcom/common/dlkm/AndroidKernelModule.mk
--- a/dlkm/AndroidKernelModule.mk
+++ b/dlkm/AndroidKernelModule.mk
@@ -90,8 +90,8 @@ ifeq ($(TARGET_KERNEL_VERSION),3.18)
MODPUBKEY := $(KERNEL_OUT)/signing_key.x509
else
MODULE_SIGN_FILE := $(KERNEL_OUT)/scripts/sign-file
- MODSECKEY := $(KERNEL_OUT)/certs/signing_key.pem
- MODPUBKEY := $(KERNEL_OUT)/certs/signing_key.x509
+ MODSECKEY := $(KERNEL_OUT)/certs/signing_key_lee.pem
+ MODPUBKEY := $(KERNEL_OUT)/certs/signing_key_lee.x509
endif
3.修改kernel/msm-4.14/Makefile
diff --git a/msm-4.14/Makefile b/msm-4.14/Makefile
index 02402859b..635a0cdf9 100644
--- a/msm-4.14/Makefile
+++ b/msm-4.14/Makefile
@@ -1051,7 +1051,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
ifdef CONFIG_MODULE_SIG_ALL
$(eval $(call config_filename,MODULE_SIG_KEY))
-mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509
+mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key_lee.x509
else
mod_sign_cmd = true
endif
4.修改defconfig
文件路径在:kernel/msm-4.14/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig
diff --git a/msm-4.14/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig b/msm-4.14/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig
index 7e9bc9698..de55893cd 100644
--- a/msm-4.14/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig
+++ b/msm-4.14/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig
@@ -54,6 +54,7 @@ CONFIG_MODVERSIONS=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA512=y
+CONFIG_MODULE_SIG_KEY="certs/signing_key_lee.pem"
# CONFIG_BLK_DEV_BSG is not set
CONFIG_PARTITION_ADVANCED=y
# CONFIG_IOSCHED_DEADLINE is not set
5.修改编译脚本
此为自己写的你编译脚本,可以自己手动拷贝或者使用其他脚本达到目的
自己写的编译脚本在device/qcom/common/make.sh或 make.sh
diff --git a/make.sh b/make.sh
index 9b25ed2c..f6f14420 100755
--- a/make.sh
+++ b/make.sh
@@ -117,6 +117,11 @@ MEMTOTAL=$(cat /proc/meminfo |grep MemTotal | awk '{print $2;}')
MEMGB=$(( $MEMTOTAL/1024/1024 ))
IMAGE="all"
BUILDIMG="true";
+SIG_KEY="out/target/product/msmnile_gvmq/obj/kernel/msm-4.14/certs/signing_key_lee.pem"
+SIG_PUB_KEY="out/target/product/msmnile_gvmq/obj/kernel/msm-4.14/certs/signing_key_lee.x509"
+SRC_KEY="kernel/msm-4.14/certs/signing_key_lee.pem"
+SRC_PUB_KEY="kernel/msm-4.14/certs/signing_key_lee.x509"
+KEY_DIR="out/target/product/msmnile_gvmq/obj/kernel/msm-4.14/certs/"
# Setup getopt.
long_opts="clean_build,help,image:,jobs:,kernel_defconf:,log_file:,module:,build_variant:"
long_opts+="project:,update-api"
@@ -199,6 +204,17 @@ if [ -n "$PROJECT" ]; then
build_project
fi
+if [ ! -f "${SIG_KEY}" ]; then
+ mkdir -p "${KEY_DIR}"
+ cp ${SRC_KEY} ${SIG_KEY}
+ echo -e "\nINFO: USE $SRC_KEY to $SIG_KEY\n\n"
+fi
+if [ ! -f "${SIG_PUB_KEY}" ]; then
+ mkdir -p "${KEY_DIR}"
+ cp ${SRC_PUB_KEY} ${SIG_PUB_KEY}
+ echo -e "\nINFO: USE $SRC_PUB_KEY to $SIG_PUB_KEY\n\n"
+fi
+
if [ "$BUILDIMG" == "true" ]; then
if [ "$IMAGE" == "all" ]; then
build_android "$CMD"
6.clean 全编译Android
可以使用自己写的脚本 bash make.sh -v user -c -j32 -u 重新编译
7.验证ko的签名
可以使用下面的命令:
hexdump -C out/target/product/msmnile_gvmq/vendor/lib/modules/v4l2loopback.ko | tail`
如图,记住签名的字串
8.再次使用 6的命令编译
9.再次使用 7的命令验证ko的签名,并比较7 和本次的签名字串是否一样
如果一样,就证明是成功的,就可以提交代码了