MTK: notes on the process of enabling the eFuse

Configuration process for enabling SecureBoot [eFuse] on the MTK platform



1. Goal of this article

Record the whole process of enabling SecureBoot [eFuse] on the MTK platform. The article covers the configuration steps and the pitfalls met along the way; it does not cover how SecureBoot works internally. The principles of SecureBoot will be written up in a separate article.

2. Environment

platform:        MT6761
project:         xqt551
Android version: Android 12

Note: all scripts and configuration below are written for platform=MT6761, project=xqt551. For another platform or project, adjust the scripts accordingly!!!

3. Kernel configuration
# Change the following macros
# 1. Path: vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes
MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
# 2. Path: vendor/mediatek/proprietary/bootable/bootloader/lk/project/xqt551.mk
MTK_SECURITY_SW_SUPPORT=yes
# 3. Path: path-for-project-kernel/arch/arm/configs/xqt551_debug_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y
# 4. Path: path-for-project-kernel/arch/arm/configs/xqt551_defconfig
CONFIG_MTK_SECURITY_SW_SUPPORT=y
# Note: for another project replace xqt551 with that project's name; on a 64-bit system replace arm with arm64
4. Certificate generation
#!/bin/bash
# generickey.sh

echo "1 Generate root key pair"
cd vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor

# Generate private key command:
echo "1.1 Generate private key command:"
openssl genrsa -out root_prvk.pem 2048
python pem_to_der.py root_prvk.pem root_prvk.der

# Generate public key command:
echo "1.2 Generate public key command:"
openssl rsa -in root_prvk.pem -pubout > root_pubk.pem
python pem_to_der.py root_pubk.pem root_pubk.der

echo "2 image key pair"
echo "2.1 Generate img_prvk command:"
openssl genrsa -out img_prvk.pem 2048
python pem_to_der.py img_prvk.pem img_prvk.der

echo "2.2 Generate img_pubk command:"
openssl rsa -in img_prvk.pem -pubout > img_pubk.pem
python pem_to_der.py img_pubk.pem img_pubk.der

echo "3 DA key pair"
echo "3.1 Generate da_prvk command:"
openssl genrsa -out da_prvk.pem 2048
python pem_to_der.py da_prvk.pem da_prvk.der

echo "3.2 Generate da_pubk command:"
openssl rsa -in da_prvk.pem -pubout > da_pubk.pem
python pem_to_der.py da_pubk.pem da_pubk.der

chmod 777 der_extractor
echo "4 Generate oemkey.h"
./der_extractor root_pubk.der oemkey.h ANDROID_SBC

echo "4.1 export oemkey.h"
# mtkbuild -o ./ -x oemkey.h
cp -r oemkey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/
cp -r oemkey.h ../../../bootable/bootloader/lk/target/xqt551/inc/

echo "5 Generate dakey.h"
./der_extractor da_pubk.der dakey.h ANDROID_SBC
sed -i "s/OEM/DA/g" dakey.h
cp -r dakey.h ../../../bootable/bootloader/preloader/custom/xqt551/inc/

Copy the script above to the source root and run it; it generates 3 key pairs. The script must not be run again once the eFuse has been burned, and the generated keys must be backed up!!!

Key groups, the files generated for each, and their purpose:

root keys
  files:   root_prvk.pem (private key, PEM format), root_prvk.der (private key, DER format),
           root_pubk.pem (public key, PEM format), root_pubk.der (public key, DER format),
           oemkey.h (root public key in hex format, extracted from root_pubk.der)
  purpose: this is the root key and is burned into the eFuse; it cannot be changed once burned,
           so back it up as soon as it is generated!!!

img keys
  files:   img_prvk.pem (private key, PEM format), img_prvk.der (private key, DER format),
           img_pubk.pem (public key, PEM format), img_pubk.der (public key, DER format)
  purpose: used to sign and verify the images

da keys
  files:   da_prvk.pem (private key, PEM format), da_prvk.der (private key, DER format),
           da_pubk.pem (public key, PEM format), da_pubk.der (public key, DER format),
           dakey.h (public key in hex format)
  purpose: used to sign and verify the DA file
5. DA file generation

The DA file contains the partition information that will be flashed to the device. It is generated with the FLASHLIB_DA_EXE(Official)_ALPS tool together with GCC and GnuWin32; see the tools section for the download path. The steps to generate the DA file with this tool are as follows.

  1. Put GCC under C:\Program Files

  2. Put GnuWin32 under C:\Program Files (x86) and set up the environment variables

  3. Change the GCCDIR path in base.mk; base.mk path:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\make\base.mk
    GCCDIR := c:/progra~1/GCC/arm-2015q1/bin
    (Note: on Windows, c:/progra~1/ points to C:\Program Files. GCCDIR appears in two places, one for the Linux environment and one for the Windows environment)

  4. Configure the custom partition as a partition that does not need to be signed; configuration file path:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\DA_BR\sec_policy_config_common.h
    Change the CUST1_IMG_NAME macro to:
    #define CUST1_IMG_NAME "custom"

  5. Replace oemkey.h
    Copy the oemkey.h from the source tree over:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\Raphael-da\custom\MT6761\oemkey.h

  6. Build the unsigned DA file
    Run in this directory:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec
    Run: make BBCHIP=MT6761
    Path of the built DA:
    FLASHLIB_DA_EXE(Official)_ALPS\FLASHLIB_DA_EXE_v5.2228.00.000\bin\Customization_Kit_buildspec\bin\MTK_AllInOne_DA.bin
    (Note: check whether any error is reported during the build!!! If the build finishes very quickly, files are most likely missing; re-extract Customization_Kit_buildspec.zip and start over!!!)

6. Signing the images and the DA file

Copy the generated MTK_AllInOne_DA.bin into vendor/mediatek/proprietary/scripts/secure_chip_tools/prebuilt/resignda/ in the source tree

#!/bin/bash
# copy keys
cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem \
vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/xqt551/security/chip_config/s/key

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/resignda/epp_prvk.pem

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/da_prvk.pem \
vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth/epp_prvk.pem

cp -r vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
vendor/mediatek/proprietary/scripts/secure_chip_tools/keys/toolauth

#generate cert1 and cert2 key
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/img_key_deploy.py mt6761 xqt551 \
cert1_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/root_prvk.pem \
cert2_key_path=./vendor/mediatek/proprietary/scripts/sign-image_v2/der_extractor/img_prvk.pem \
root_key_padding=pss 2>&1 | tee SecureGen.log

#build images
make clean-preloader
./build.sh xqt551 1 1 1 1 64   # MTK build script; if it is not present, run make -j64 instead

#sign DA and auth file
cd vendor/mediatek/proprietary/scripts/secure_chip_tools/
python resign_da.py prebuilt/resignda/MTK_AllInOne_DA.bin MT6761 settings/resignda/bbchips_pss.ini all \
out/resignda/MTK_AllInOne_DA-resing.bin

python toolauth.py -i settings/toolauth/toolauth_key.ini -g settings/toolauth/toolauth_gfh_config_pss.ini \
out/toolauth/auth_sv5.auth
cd -
#sign images
MTK_PLATFORM_DIR=mt6761 # (replace with your own platform)
MTK_BASE_PROJECT=xqt551 # (replace with your own project)
# PRODUCT_OUT is the directory of the built images; {out/image/dirs} is a placeholder
PYTHONDONTWRITEBYTECODE=True PRODUCT_OUT={out/image/dirs} BOARD_AVB_ENABLE=true \
python ./vendor/mediatek/proprietary/scripts/sign-image_v2/sign_flow.py \
-env_cfg ./vendor/mediatek/proprietary/scripts/sign-image_v2/env.cfg "mt6761" "xqt551"

Running the script above from the source root produces:
vendor/mediatek/proprietary/scripts/secure_chip_tools/out/resignda/MTK_AllInOne_DA-resing.bin: the signed DA file
vendor/mediatek/proprietary/scripts/secure_chip_tools/out/toolauth/auth_sv5.auth: the authentication file
out/image/dirs (the directory of the built images): the signed image files

7. Burning the eFuse and flashing the images

Burning the eFuse and flashing the images requires the SP_MDT_v5.2228.00.00_exe tool; see the tools section for the download path.

  1. Copy the signed image files into images

  2. Copy the files from CheckSum_Generate_exe into images and run CheckSum_Gen.exe to generate Checksum.ini

  3. Copy Checksum.ini into the SP_MDT_v5.2228.00.00_exe directory

  4. Edit SP_MDT_v5.2228.00.00_exe\Efuse.ini
    Set Enable to 1
    Point EfuseXmlPath at: images\efuse_MT6761.xml

    The edited content looks like this:
    ; 0 represents disable, 1 represents enable
    ; DownloadEfuseOneStep: 0 for disable, 1 for enable write efuse in format and download
    [EfuseSettings]
    Enable = 1
    DownloadEfuseOneStep = 0
    ; EfuseOnly = 0
    SettingsEnable = 0
    LockEnable = 0
    ReadBackEnable = 0
    EfuseXmlPath= C:\Users\Administrator\Desktop\MTM1\Tools\SP_MDT_TOOL\images\efuse_MT6761.xml

  5. Edit efuse_MT6761.xml; the three paths must match the files in the image set, and pub-key-n must match the content of oemkey.h

  6. Scan for the device and prepare to flash the images
    Tick BootRom+PreLoader COM Sel All, click Scan, click Yes, then power the device off, connect it and power it on again
    Once the device is found, click Stop all to stop scanning and prepare to flash the images

  7. Burn the eFuse

  8. Flash the images
    At this point the eFuse configuration and burning are complete.
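The check in step 5 (pub-key-n must match oemkey.h) is easy to get wrong by eye. The following Python helper is an added example, not part of the original article or of MediaTek's tools: it parses the DER of the root public key (either a bare RSAPublicKey or the SubjectPublicKeyInfo that `openssl rsa -pubout` writes), prints the modulus in hex for comparison with pub-key-n, and compares it with the byte literals found in an oemkey.h-style header. It assumes, since the article does not show the file, that oemkey.h stores the modulus as 0xNN or \xNN byte literals in big-endian order; the key and header below are constructed sample data, not real keys.

```python
"""Added check: does the modulus in a PEM public key match the bytes in an oemkey.h-style
header?  Assumed header layout (not from the article): 0xNN or \\xNN byte literals,
big-endian.  Sample key below is a constructed 24-bit toy key, not a real root key."""
import base64
import re


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(der):
    """Return (modulus, exponent) from a DER RSAPublicKey or SubjectPublicKeyInfo."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, first, nxt = _read_tlv(seq, 0)
    if tag == 0x30:                        # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        tag, bitstr, _ = _read_tlv(seq, nxt)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        return rsa_public_numbers(bitstr[1:])   # skip the unused-bits octet
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    tag, expo, _ = _read_tlv(seq, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER exponent")
    return int.from_bytes(first, "big"), int.from_bytes(expo, "big")


def pem_to_der_bytes(pem_text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def modulus_hex(pem_text):
    """Upper-case hex of the modulus, for comparison with pub-key-n in the efuse XML."""
    n, _ = rsa_public_numbers(pem_to_der_bytes(pem_text))
    return n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper()


def modulus_bytes_from_header(header_text):
    """Collect every 0xNN / \\xNN byte literal in the header (assumed layout)."""
    pairs = re.findall(r"(?:0x|\\x)([0-9A-Fa-f]{2})\b", header_text)
    return bytes.fromhex("".join(pairs))


def check_oemkey_matches(pem_text, header_text):
    """True when the header's bytes equal the key's modulus (big-endian, no leading zero)."""
    return modulus_bytes_from_header(header_text) == bytes.fromhex(modulus_hex(pem_text))


# --- constructed sample data (NOT real keys): modulus 0xC35B17, exponent 65537 ---
RSA_PUBLIC_KEY_DER = bytes.fromhex("300B020400C35B170203010001")
SPKI_DER = bytes.fromhex("301F300D06092A864886F70D0101010500030E00") + RSA_PUBLIC_KEY_DER
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SPKI_DER).decode() + "\n"
              "-----END PUBLIC KEY-----\n")
SAMPLE_OEMKEY_H = """\
/* constructed sample in an assumed layout, not a real oemkey.h */
#define OEM_PUBK_SZ 3
#define OEM_PUBK_E 0x010001
static const unsigned char OEM_PUBK_N[] = { 0xC3, 0x5B, 0x17 };
"""

if __name__ == "__main__":
    print("modulus:", modulus_hex(SAMPLE_PEM))
    print("oemkey.h matches:", check_oemkey_matches(SAMPLE_PEM, SAMPLE_OEMKEY_H))
```

To use it on a real tree, read root_pubk.pem and oemkey.h from the der_extractor directory into the two strings and call check_oemkey_matches; if the header uses a different encoding than byte literals, adapt modulus_bytes_from_header to it. The check is deliberately strict about byte order: a reversed (little-endian) array will fail the comparison, which is the mismatch you want to catch before burning a root key hash you cannot change.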

8. Adding a cmdline marker that shows whether the eFuse is enabled

To tell whether the eFuse was enabled successfully, a cmdline entry can be added in lk to indicate the eFuse state

diff --git a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
index a97d22599a0..4ed05c4e3bc 100644
--- a/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
+++ b/vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/mt_boot.c
@@ -1733,6 +1733,8 @@ void get_AB_OTA_name(char *part_name, int size)
 }
 #endif /* MTK_AB_OTA_UPDATER */

+extern int efuse_sbc_enabled(void);
+
 int boot_linux_from_storage(void)
 {
        int ret = 0;
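Review bot: the prototype `extern int efuse_sbc_enabled(void);` is declared locally in mt_boot.c instead of being pulled in from the header that declares the function; a local extern compiles even if the real signature differs, so include the platform header that declares efuse_sbc_enabled() (or at least confirm the signature against its definition) rather than redeclaring it here.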
@@ -1740,10 +1742,8 @@ int boot_linux_from_storage(void)
        uint32_t ramdisk_target_addr = 0;
        uint32_t tags_target_addr = 0;
        uint32_t ramdisk_real_sz = 0;
-#if defined(CFG_NAND_BOOT)
 #define CMDLINE_TMP_CONCAT_SIZE 110
        char cmdline_tmpbuf[CMDLINE_TMP_CONCAT_SIZE];
-#endif
        switch (g_boot_mode) {
        case NORMAL_BOOT:
        case META_BOOT:
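Review bot: dropping the `#if defined(CFG_NAND_BOOT)` guard makes `CMDLINE_TMP_CONCAT_SIZE` and `cmdline_tmpbuf` unconditional, which the new secureboot line needs, but the `#define CMDLINE_TMP_CONCAT_SIZE 110` now lives inside the function body in every build configuration; check that no other definition of that macro is reachable with a different value (a conflicting redefinition is a compile error), and consider a one-line comment stating that the 110-byte buffer is now shared by the NAND line and the secureboot line.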
@@ -1760,6 +1760,10 @@ int boot_linux_from_storage(void)
                         NAND_MANF_CMDLINE, nand_flash_man_code, NAND_DEV_CMDLINE, nand_flash_dev_id);
                cmdline_append(cmdline_tmpbuf);
 #endif
+
+               snprintf(cmdline_tmpbuf, CMDLINE_TMP_CONCAT_SIZE, "%s%s", "androidboot.secureboot=", (efuse_sbc_enabled()?"enabled":"disabled"));
+               cmdline_append(cmdline_tmpbuf);
+
                ret = load_vfy_boot(BOOTIMG_TYPE_BOOT, CFG_BOOTIMG_LOAD_ADDR);
                ret = (int)handle_vboot_state(BOOTIMG_TYPE_BOOT);
                if (ret != STATUS_OK)
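Review bot: the format `"%s%s"` with a constant first argument reads better as `"androidboot.secureboot=%s"`. The longest result, `androidboot.secureboot=disabled` (31 bytes), fits in the 110-byte buffer, but the return value of snprintf is not checked, so a future longer value would be truncated silently before cmdline_append(). Also note that this value reaches userspace as ro.boot.secureboot (see the text after the patch) and is produced by lk itself, so it is a diagnostic for checking that the fuse was blown, not something the boot flow should trust as a security decision.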

This produces the property ro.boot.secureboot: enabled means the eFuse is on, disabled means the eFuse is off
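As an added example, not code from the article, the following Python reads the marker that the patched lk appends to the kernel command line and mirrors the androidboot.* to ro.boot.* mapping that Android init performs when it imports the command line, so the same logic can be used in a bring-up test bench on /proc/cmdline or on a `getprop` dump. The sample command line is constructed for illustration, not captured from a device.

```python
"""Added example: parse a kernel command line and report the androidboot.secureboot marker
appended by the patched lk.  SAMPLE_CMDLINE is constructed, not captured from a device."""
import shlex


def parse_kernel_cmdline(cmdline):
    """Split a /proc/cmdline string into {key: value}; quoted values ("a b") stay intact,
    bare flags such as 'quiet' map to None, later duplicates overwrite earlier ones."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def secureboot_state(cmdline):
    """'enabled' / 'disabled' from the marker, or None if lk did not append it."""
    return parse_kernel_cmdline(cmdline).get("androidboot.secureboot")


def boot_props(cmdline):
    """androidboot.X=Y on the command line becomes ro.boot.X=Y (what `getprop` shows)."""
    prefix = "androidboot."
    return {"ro.boot." + key[len(prefix):]: value
            for key, value in parse_kernel_cmdline(cmdline).items()
            if key.startswith(prefix) and value is not None}


def secureboot_is_enabled(cmdline):
    """Strict check for a test bench: only the literal 'enabled' counts; a missing marker
    (unpatched lk or wrong build) is reported as not enabled rather than as unknown."""
    return secureboot_state(cmdline) == "enabled"


# constructed sample, shaped like a MT6761 boot line carrying the new marker
SAMPLE_CMDLINE = ("console=ttyMT0,921600n1 root=/dev/ram androidboot.hardware=mt6761 "
                  "androidboot.secureboot=enabled androidboot.serialno=0123456789ABCDEF quiet")

if __name__ == "__main__":
    # on a device: line = open("/proc/cmdline").read()
    print("secureboot:", secureboot_state(SAMPLE_CMDLINE))
    print("ro.boot.* props:", boot_props(SAMPLE_CMDLINE))
```

secureboot_is_enabled treats an absent marker as a failure on purpose: on a device built without the lk patch, or flashed with an image from another branch, the property simply does not exist, and a check that returned "unknown" there would be easy to overlook in a batch of bring-up results.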

9. Tools

Tool download path:
https://download.csdn.net/download/zhuxc_001/87272156?spm=1001.2014.3001.5501
