authorSam Wu <yihui.wu@amlogic.com>2020-06-02 07:48:57 (GMT)
committer Xindong Xu <xindong.xu@amlogic.com>2020-11-16 07:25:31 (GMT)
commitcb9dd9ffe5fa0c145f00ee1e41b50f6e16684c0e (patch)
tree84c73ac46b3e9664be5e27ee88148056103bfe9e
parente3b9416964eb1c783f8b7952a2948e1ffdf3e6a5 (diff)
secureboot: add support pack signed bootloader only [1/2]
PD#SWPL-27017

Problem:
For Q with AVB enabled and only the bootloader secure-boot signed, it is convenient to support packing the signed bootloader directly.

Solution:
1. Add the tool aml_pkg_add_usb_bin.
2. Use bootloader_secure.img as the target bootloader if PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER is configured true.
3. Pack both bootloader.img and bootloader_secure.img with aml_pkg_add_usb_bin.

Verify: frankline/marconi

Change-Id: I5f5abb19edefd7b525965429f3ec47fef8b4b015
Signed-off-by: Sam Wu <yihui.wu@amlogic.com>
Diffstat
-rw-r--r--factory.mk100
1 files changed, 15 insertions, 85 deletions
diff --git a/factory.mk b/factory.mk
index 0d439cf..e723c4d 100644
--- a/factory.mk
+++ b/factory.mk
@@ -1,6 +1,9 @@
IMGPACK := $(BUILD_OUT_EXECUTABLES)/logo_img_packer$(BUILD_EXECUTABLE_SUFFIX)
PRODUCT_UPGRADE_OUT := $(PRODUCT_OUT)/upgrade
PRODUCT_COMMON_DIR := device/amlogic/common/products/$(PRODUCT_TYPE)
+AML_UPGRADE_TOOL_DIR := $(BOARD_AML_VENDOR_PATH)/tools/aml_upgrade
+AML_PKG_ADD_USB_BIN := $(AML_UPGRADE_TOOL_DIR)/aml_pkg_add_usb_bin.app
+AML_IMG_PKG_TOOL := $(AML_UPGRADE_TOOL_DIR)/aml_image_v2_packer
#$(warning Build dtbo image here, make sure BOARD_PREBUILT_DTBOIMAGE is defined before this warning)
@@ -36,10 +39,6 @@ ifeq ($(BUILDING_SYSTEM_EXT_IMAGE),true)
VB_CHECK_IMAGES += system_ext.img
endif
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
- BUILT_IMAGES := $(addsuffix .encrypt, $(BUILT_IMAGES))
-endif#ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
-
ifdef BOARD_PREBUILT_DTBOIMAGE
BUILT_IMAGES += dtbo.img
endif
@@ -99,13 +98,6 @@ endif
# Adds to <product name>-img-<build number>.zip so can be flashed. b/110831381
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
- #using signed boot/recovery directly if 'PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY true'
-INSTALLED_AML_ENC_RADIOIMAGE_TARGET = $(addprefix $(PRODUCT_OUT)/,$(filter *.img.encrypt,$(BUILT_IMAGES)))
-INSTALLED_AML_ENC_RADIOIMAGE_TARGET = $(PRODUCT_OUT)/dt.img.encrypt
-BOARD_PACK_RADIOIMAGES += $(basename $(filter %.img.encrypt,$(BUILT_IMAGES)))
-$(warning echo "radio add $(filter %.img.encrypt,$(BUILT_IMAGES))")
-else
ifeq ($(PRODUCT_GOOGLEREF_SECURE_BOOT),true)
INSTALLED_RADIOIMAGE_TARGET += $(PRODUCT_OUT)/dt.img
INSTALLED_RADIOIMAGE_TARGET += $(PRODUCT_OUT)/bootloader.img
@@ -116,7 +108,6 @@ INSTALLED_RADIOIMAGE_TARGET += $(PRODUCT_OUT)/dt.img
BOARD_PACK_RADIOIMAGES += dt.img bootloader.img
$(warning echo "radio add dt and bootloader")
endif
-endif#ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
INSTALLED_RADIOIMAGE_TARGET += $(PRODUCT_OUT)/super_empty_all.img
BOARD_PACK_RADIOIMAGES += super_empty_all.img
@@ -244,9 +235,6 @@ aml_usrimg :$(INSTALLED_AML_USER_IMAGES)
endif # ifeq ($(TARGET_BUILD_USER_PARTS),true)
INSTALLED_AMLOGIC_BOOTLOADER_TARGET := $(PRODUCT_OUT)/bootloader.img
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
- INSTALLED_AMLOGIC_BOOTLOADER_TARGET := $(INSTALLED_AMLOGIC_BOOTLOADER_TARGET).encrypt
-endif# ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
.PHONY: aml_bootloader
aml_bootloader : $(INSTALLED_AMLOGIC_BOOTLOADER_TARGET)
@@ -255,12 +243,10 @@ build_always:
ifeq ($(BOOTLOADER_INPUT),)
BOOTLOADER_INPUT := $(TARGET_DEVICE_DIR)/bootloader.img
+ifeq ($(PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER),true)
+ BOOTLOADER_INPUT := $(TARGET_DEVICE_DIR)/bootloader_secure.img $(TARGET_DEVICE_DIR)/bootloader.img
+endif# ifeq ($(PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER),true)
#BOOTLOADER_INPUT_SIGNED := $(TARGET_DEVICE_DIR)/prebuilt/bootloader/bl33.bin
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
-ifeq ($(PRODUCT_AML_SECURE_BOOT_VERSION3),true)
- BOOTLOADER_INPUT := $(BOOTLOADER_INPUT).zip
-endif #ifeq ($(PRODUCT_AML_SECURE_BOOT_VERSION3),true)
-endif # ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
ifeq ($(TARGET_DEVICE),sabrina)
ifneq ($(PRODUCT_GOOGLEREF_SECURE_BOOT),true)
BOOTLOADER_INPUT := $(TARGET_DEVICE_DIR)/bootloader_unsign.img
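Review bot: With `PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER` set, `BOOTLOADER_INPUT` becomes a two-word list whose meaning depends on position: the install rule further down copies `$<` (the first word, bootloader_secure.img) to the target, and the packaging recipe takes `$(word 2,$(BOOTLOADER_INPUT))` as the plain bootloader. Any single-file reassignment, such as the sabrina `bootloader_unsign.img` line at the end of this hunk, or a caller-supplied `BOOTLOADER_INPUT` that bypasses this default, would change which image is installed and leave word 2 empty without any diagnostic. Separate names would make the roles explicit, e.g. `BOOTLOADER_SECURE_INPUT := $(TARGET_DEVICE_DIR)/bootloader_secure.img` next to the existing `BOOTLOADER_INPUT`, with a comment stating that the prebuilt is expected to be already signed, since the install rule touched by this commit no longer signs what it copies. The enclosing `ifeq ($(BOOTLOADER_INPUT),)` block closes outside this hunk, so whether the sabrina branch can combine with the new flag is not visible here.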
@@ -337,7 +323,6 @@ endif
else
$(INSTALLED_AMLOGIC_BOOTLOADER_TARGET) : $(BOOTLOADER_INPUT)
$(hide) cp $< $@
- $(hide) $(call aml-secureboot-sign-bootloader, $@,$(PRODUCT_OUT)/$(notdir $<))
@echo "make $@: bootloader installed end"
endif
@@ -377,58 +362,6 @@ define update-aml_upgrade-conf
fi;)
endef #define update-aml_upgrade-conf
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
-ifeq ($(PRODUCT_AML_SECURE_BOOT_VERSION3),true)
-PRODUCT_AML_FIRMWARE_ANTIROLLBACK_CONFIG := ./device/amlogic/$(PRODUCT_DIR)/fw_arb.txt
-define aml-secureboot-sign-bootloader
- @echo -----aml-secureboot-sign-bootloader ------
- rm $(PRODUCT_OUT)/bl_tmp -rf
- unzip $(2) -d $(PRODUCT_OUT)/bl_tmp
- mkdir -p $(PRODUCT_UPGRADE_OUT)
- bash $(PRODUCT_SBV3_SIGBL_TOOL) -p $(PRODUCT_OUT)/bl_tmp \
- -r $(PRODUCT_AML_SECUREBOOT_RSAKEY_DIR) -a $(PRODUCT_AML_SECUREBOOT_AESKEY_DIR) \
- -b $(PRODUCT_AML_FIRMWARE_ANTIROLLBACK_CONFIG) -o $(PRODUCT_OUT)
- mv $(PRODUCT_OUT)/u-boot.bin.unsigned $(basename $(1))
- mv $(PRODUCT_OUT)/u-boot.bin.signed.encrypted $(1)
- mv $(PRODUCT_OUT)/u-boot.bin.signed.encrypted.sd.bin $(1).sd.bin
- mv $(PRODUCT_OUT)/u-boot.bin.usb.bl2.signed.encrypted $(1).usb.bl2
- mv $(PRODUCT_OUT)/u-boot.bin.usb.tpl.signed.encrypted $(1).usb.tpl
- mv $(PRODUCT_OUT)/pattern.efuse $(1).encrypt.efuse
- @echo ----- Made aml secure-boot singed bootloader: $(1) --------
-endef #define aml-secureboot-sign-bootloader
-define aml-secureboot-sign-kernel
- @echo -----aml-secureboot-sign-kernel V3------
- $(hide) mv -f $(1) $(basename $(1))
- bash $(PRODUCT_SBV3_SIGIMG_TOOL) $(basename $(1)) $(PRODUCT_AML_SECUREBOOT_RSAKEY_DIR) $(1)
- @echo ----- Made aml secure-boot singed kernel v3: $(1) --------
-endef #define aml-secureboot-sign-kernel
-define aml-secureboot-sign-bin
- @echo -----aml-secureboot-sign-bin v3------
- $(hide) mv -f $(1) $(basename $(1))
- bash $(PRODUCT_SBV3_SIGIMG_TOOL) $(basename $(1)) $(PRODUCT_AML_SECUREBOOT_RSAKEY_DIR) $(1)
- @echo ----- Made aml secure-boot singed bin v3: $(1) --------
-endef #define aml-secureboot-sign-bin
-else #follows secureboot v2
-define aml-secureboot-sign-bootloader
- @echo -----aml-secureboot-sign-bootloader ------
- $(hide) $(PRODUCT_AML_SECUREBOOT_SIGNBOOTLOADER) --input $(basename $(1)) --output $(1)
- @echo ----- Made aml secure-boot singed bootloader: $(1) --------
-endef #define aml-secureboot-sign-bootloader
-define aml-secureboot-sign-kernel
- @echo -----aml-secureboot-sign-kernel ------
- $(hide) mv -f $(1) $(basename $(1))
- $(hide) $(PRODUCT_AML_SECUREBOOT_SIGNIMAGE) --input $(basename $(1)) --output $(1)
- @echo ----- Made aml secure-boot singed kernel: $(1) --------
-endef #define aml-secureboot-sign-kernel
-define aml-secureboot-sign-bin
- @echo -----aml-secureboot-sign-bin------
- $(hide) mv -f $(1) $(basename $(1))
- $(hide) $(PRODUCT_AML_SECUREBOOT_SIGBIN) --input $(basename $(1)) --output $(1)
- @echo ----- Made aml secure-boot singed bin: $(1) --------
-endef #define aml-secureboot-sign-bin
-endif#ifeq ($(PRODUCT_AML_SECURE_BOOT_VERSION3),true)
-endif# ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
-
TARGET_USB_BURNING_V2_DEPEND_MODULES := $(AML_TARGET).zip #copy xx.img to $(AML_TARGET)/IMAGES for diff upgrade
INTERNAL_SUPERIMAGE_DIST_TARGET := $(PRODUCT_OUT)/obj/PACKAGING/super.img_intermediates/super.img
@@ -469,23 +402,20 @@ ifneq ($(PRODUCT_USE_DYNAMIC_PARTITIONS), true)
ln -sf $(shell readlink -f $(AML_TARGET)/IMAGES/$(file)) $(PRODUCT_UPGRADE_OUT)/$(file); \
)
endif
-ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
- $(hide) rm -f $(PRODUCT_UPGRADE_OUT)/bootloader.img.encrypt.*
- $(hide) $(ACP) $(PRODUCT_OUT)/bootloader.img.encrypt.* $(PRODUCT_UPGRADE_OUT)/
- ln -sf $(shell readlink -f $(PRODUCT_OUT)/dt.img) $(PRODUCT_UPGRADE_OUT)/dt.img
- ln -sf $(shell readlink -f $(basename $(INSTALLED_AMLOGIC_BOOTLOADER_TARGET))) \
- $(PRODUCT_UPGRADE_OUT)/$(notdir $(basename $(INSTALLED_AMLOGIC_BOOTLOADER_TARGET)))
- ln -sf $(shell readlink -f $(PRODUCT_OUT)/bootloader.img.encrypt.efuse) $(PRODUCT_UPGRADE_OUT)/SECURE_BOOT_SET
-endif# ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true)
$(security_dm_verity_conf)
$(update-aml_upgrade-conf)
$(hide) $(foreach userPartName, $(BOARD_USER_PARTS_NAME), \
$(call aml-user-img-update-pkg,$(userPartName),$(PACKAGE_CONFIG_FILE)))
@echo "Package: $@"
- @echo ./$(BOARD_AML_VENDOR_PATH)/tools/aml_upgrade/aml_image_v2_packer -r \
- $(PACKAGE_CONFIG_FILE) $(PRODUCT_UPGRADE_OUT)/ $@
- ./$(BOARD_AML_VENDOR_PATH)/tools/aml_upgrade/aml_image_v2_packer -r \
- $(PACKAGE_CONFIG_FILE) $(PRODUCT_UPGRADE_OUT)/ $@
+ifeq ($(PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER),true)
+ @echo $(AML_PKG_ADD_USB_BIN) --unpackDir $(PRODUCT_UPGRADE_OUT) --bootloader $(word 2,$(BOOTLOADER_INPUT)) --output $@
+ $(hide) $(AML_PKG_ADD_USB_BIN) --appimage-extract-and-run --amlImgPacker $(AML_IMG_PKG_TOOL) \
+ --unpackDir $(PRODUCT_UPGRADE_OUT) --imageCfg $(PACKAGE_CONFIG_FILE) \
+ --bootloader $(word 2,$(BOOTLOADER_INPUT)) --output $@
+else
+ @echo $(AML_IMG_PKG_TOOL) -r $(PACKAGE_CONFIG_FILE) $(PRODUCT_UPGRADE_OUT) $@
+ $(hide) $(AML_IMG_PKG_TOOL) -r $(PACKAGE_CONFIG_FILE) $(PRODUCT_UPGRADE_OUT) $@
+endif# ifeq ($(PRODUCT_USE_PREBUILD_SECURE_BOOTLOADER),true)
@echo " $@ installed"
else
#none
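Review bot: The new `--bootloader $(word 2,$(BOOTLOADER_INPUT))` argument has no guard for an empty expansion; if `BOOTLOADER_INPUT` holds fewer than two words (it is only defaulted when unset, and the same file reassigns it to a single image for sabrina), the tool is invoked as `--bootloader --output ...`. A check as the first line of this `ifeq` branch would fail early: `$(if $(word 2,$(BOOTLOADER_INPUT)),,$(error BOOTLOADER_INPUT needs the secure and the plain bootloader image))`. Separately, the `@echo` line omits `--appimage-extract-and-run`, `--amlImgPacker` and `--imageCfg` while the real command runs under `$(hide)`, so the build log does not record what was actually executed for the step that assembles the flashable package; echoing the full command line, or dropping `$(hide)` here, keeps the log auditable. The recipe's rule header is outside this hunk.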