fip: s6 bringup [7/7]
PD#SWPL-149281
Problem:
s6 bringup on z1
Solution:
add s6 bringup config
Verify:
z1
Change-Id: I003a3e0857a590138851e2e0febc27645c17bad1
Signed-off-by: Bo Lv <bo.lv@amlogic.com>
diff --git a/build_bl31.sh b/build_bl31.sh
index d7359af..e048aa8 100755
--- a/build_bl31.sh
+++ b/build_bl31.sh
@@ -3,7 +3,7 @@
# these soc use old bl31 code, others use new one
declare -a BL31_OLD_VER_SOC_LIST=("gxb" "gxtvbb" "gxl" "txl")
-declare -a BL31_VER2_7_SOC_LIST=("t3x" "a4" "s1a" "s7" "s7d")
+declare -a BL31_VER2_7_SOC_LIST=("t3x" "a4" "s1a" "s7" "s7d" "s6")
declare BL31_V2_7_SRC_FOLDER="bl31/bl31_2.7/src"
declare BL31_V1_3_SRC_FOLDER="bl31/bl31_1.3/src"
declare BL31_V1_0_SRC_FOLDER="bl31/bl31_1.0/src"
diff --git a/s6/Makefile b/s6/Makefile
new file mode 100644
index 0000000..3492b05
--- /dev/null
+++ b/s6/Makefile
@@ -0,0 +1,50 @@
+
+#
+# Rules
+#
+
+DEVICE_SCS_KEY_TOP ?= $(CURDIR)/keys/dev-keys/s7d/device/
+DEVICE_ROOTRSA_INDEX ?= 0
+PROJECT ?= a113l2
+SOC_FAMILY ?= s5
+DEVICE_SCS_SEGID ?= 0x0
+DEVICE_VENDOR_SEGID ?= 0x0
+DEVICE_SCS_VERS ?= 0x0
+DEVICE_TEE_VERS ?= 0x0
+DEVICE_REE_VERS ?= 0x0
+
+ARGS += "DEVICE_SCS_KEY_TOP=$(DEVICE_SCS_KEY_TOP)"
+ARGS += "DEVICE_ROOTRSA_INDEX=$(DEVICE_ROOTRSA_INDEX)"
+ARGS += "PROJECT=$(PROJECT)"
+ARGS += "SOC_FAMILY=$(SOC_FAMILY)"
+ARGS += "DEVICE_INPUT_PATH=${DEVICE_INPUT_PATH}"
+ARGS += "DEVICE_OUTPUT_PATH=${DEVICE_OUTPUT_PATH}"
+ARGS += "DEVICE_VARIANT_SUFFIX=${DEVICE_VARIANT_SUFFIX}"
+ARGS += "DEVICE_STORAGE_SUFFIX=${DEVICE_STORAGE_SUFFIX}"
+ARGS += "DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}"
+ARGS += "DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}"
+ARGS += "DEVICE_SCS_VERS=${DEVICE_SCS_VERS}"
+ARGS += "DEVICE_TEE_VERS=${DEVICE_TEE_VERS}"
+ARGS += "DEVICE_REE_VERS=${DEVICE_REE_VERS}"
+
+all: build
+
+dv-template:
+ make -C create-template/run $(ARGS)
+
+dv-sign:
+ make -C generate-binaries/run $(ARGS)
+
+dv-boot-blobs:
+ make -C generate-binaries/run $(ARGS) build-boot-blobs
+
+dv-device-fip:
+ make -C generate-binaries/run $(ARGS) build-device-fip
+
+build:
+ make -C create-template/run $(ARGS)
+ make -C generate-binaries/run $(ARGS)
+
+clean:
+ make clean -C create-template/run
+ make clean -C generate-binaries/run
diff --git a/s6/aml_encrypt_s6 b/s6/aml_encrypt_s6
new file mode 100755
index 0000000..bc992e9
--- /dev/null
+++ b/s6/aml_encrypt_s6
Binary files differ
diff --git a/s6/bin/add-dvinit-params.sh b/s6/bin/add-dvinit-params.sh
new file mode 100755
index 0000000..17ffeca
--- /dev/null
+++ b/s6/bin/add-dvinit-params.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_TEMPLATE=$1
+BASEDIR_PAYLOAD=$2
+BASEDIR_OUTPUT_BLOB=$3
+SOC_FAMILY=$4
+
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_TEMPLATE}"
+
+### Input: payloads ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-dvinit-params=${BASEDIR_PAYLOAD}"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=s5"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}"
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/device-vendor-scs-signing.sh b/s6/bin/device-vendor-scs-signing.sh
new file mode 100755
index 0000000..2da5937
--- /dev/null
+++ b/s6/bin/device-vendor-scs-signing.sh
@@ -0,0 +1,323 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.0
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+function mk_uboot() {
+ output_images=$1
+ input_payloads=$2
+ postfix=$3
+ storage_type_suffix=$4
+ chipset_variant_suffix=$5
+
+ device_fip="${input_payloads}/device-fip.bin${postfix}"
+ bb1st="${input_payloads}/bb1st${storage_type_suffix}${chipset_variant_suffix}.bin${postfix}"
+ bl2e="${input_payloads}/blob-bl2e${storage_type_suffix}${chipset_variant_suffix}.bin${postfix}"
+ bl2x="${input_payloads}/blob-bl2x.bin${postfix}"
+
+ if [ ! -f ${device_fip} ] || \
+ [ ! -f ${bb1st} ] || \
+ [ ! -f ${bl2e} ] || \
+ [ ! -f ${bl2x} ]; then
+ echo fip:${device_fip}
+ echo bb1st:${bb1st}
+ echo bl2e:${bl2e}
+ echo bl2x:${bl2x}
+ echo "Error: ${input_payloads}/ bootblob does not all exist... abort"
+ ls -la ${input_payloads}/
+ exit -1
+ fi
+
+ file_info_cfg="${output_images}/aml-payload.cfg"
+ file_info_cfg_temp=${temp_cfg}.temp
+
+ bootloader="${output_images}/u-boot.bin${storage_type_suffix}${postfix}"
+ sdcard_image="${output_images}/u-boot.bin.sd.bin${postfix}"
+
+ #fake ddr fip 256KB
+ ddr_fip="${input_payloads}/ddr-fip.bin"
+ #if [ ! -f ${ddr_fip} ]; then
+ #dd if=/dev/zero of=${ddr_fip} bs=1024 count=256 status=none
+ #fi
+
+ #cat those together with 4K upper aligned for sdcard
+ align_base=4096
+ total_size=0
+ for file in ${bb1st} ${bl2e} ${bl2x} ${ddr_fip} ${device_fip}; do
+ size=`stat -c "%s" ${file}`
+ upper=$[(size+align_base-1)/align_base*align_base]
+ total_size=$[total_size+upper]
+ #echo ${file} ${size} ${upper}
+ done
+
+ echo ${bootloader} ${total_size}
+ rm -f ${bootloader}
+ dd if=/dev/zero of=${bootloader} bs=${total_size} count=1 status=none
+
+ sector=512
+ seek=0
+ seek_sector=0
+ dateStamp=A4-${part}-`date +%y%m%d%H%M%S`
+
+ echo @AMLBOOT > ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} bs=1 count=8 conv=notrunc &> /dev/null
+ nItemNum=5
+ nSizeHDR=$[64+nItemNum*16]
+ printf "02 %02x %02x %02x" $[(nItemNum)&0xFF] $[(nSizeHDR)&0xFF] $[((nSizeHDR)>>8)&0xFF] \
+ | xxd -r -ps > ${file_info_cfg_temp}
+ cat ${file_info_cfg_temp} >> ${file_info_cfg}
+
+ echo ${dateStamp} > ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} bs=1 count=20 oflag=append conv=notrunc &> /dev/null
+
+ index=0
+ arrPayload=("BBST" "BL2E" "BL2X" "DDRF" "DEVF");
+ nPayloadOffset=0
+ nPayloadSize=0
+ for file in ${bb1st} ${bl2e} ${bl2x} ${ddr_fip} ${device_fip}; do
+ size=`stat -c "%s" ${file}`
+ size_sector=$[(size+align_base-1)/align_base*align_base]
+ nPayloadSize=$[size_sector]
+ size_sector=$[size_sector/sector]
+ seek_sector=$[seek/sector+seek_sector]
+ #nPayloadOffset=$[sector*(seek_sector+1)]
+ nPayloadOffset=$[sector*(seek_sector)]
+ #echo ${file} ${seek_sector} ${size_sector}
+ dd if=${file} of=${bootloader} bs=${sector} seek=${seek_sector} conv=notrunc status=none
+
+ echo ${arrPayload[$index]} > ${file_info_cfg_temp}.x
+ index=$((index+1))
+ dd if=${file_info_cfg_temp}.x of=${file_info_cfg_temp} bs=1 count=4 &> /dev/null
+ rm -f ${file_info_cfg_temp}.x
+ printf "%02x %02x %02x %02x %02x %02x %02x %02x 00 00 00 00" $[(nPayloadOffset)&0xFF] $[((nPayloadOffset)>>8)&0xFF] $[((nPayloadOffset)>>16)&0xFF] $[((nPayloadOffset)>>24)&0xFF] \
+ $[(nPayloadSize)&0xFF] $[((nPayloadSize)>>8)&0xFF] $[((nPayloadSize)>>16)&0xFF] $[((nPayloadSize)>>24)&0xFF] | xxd -r -ps >> ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} oflag=append conv=notrunc &> /dev/null
+ rm -f ${file_info_cfg_temp}
+ seek=$[(size+align_base-1)/align_base*align_base]
+ done
+
+ openssl dgst -sha256 -binary ${file_info_cfg} > ${file_info_cfg}.sha256
+ cat ${file_info_cfg} >> ${file_info_cfg}.sha256
+ #cat ${file_info_cfg}.sha256 >> ${file_info_cfg}
+ rm -f ${file_info_cfg}
+ mv -f ${file_info_cfg}.sha256 ${file_info_cfg}
+
+ dd if=${file_info_cfg} of=${bootloader} bs=512 seek=404 conv=notrunc status=none
+
+ if [ ${storage_type_suffix} == ".sto" ]; then
+ total_size=$[total_size+512]
+ echo ${sdcard_image} ${total_size}
+ rm -f ${sdcard_image}
+ dd if=/dev/zero of=${sdcard_image} bs=${total_size} count=1 status=none
+ dd if=${file_info_cfg} of=${sdcard_image} conv=notrunc status=none
+ dd if=${bootloader} of=${sdcard_image} bs=512 seek=1 conv=notrunc status=none
+
+ mv ${bootloader} ${output_images}/u-boot.bin${postfix}
+ fi
+
+ rm -f ${file_info_cfg}
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Amlogic Device Vendor Secure Chipset Startup (SCS) Signing
+
+ $(basename $0)
+ --key-dir <key-dir> \\
+ --project <project-name> \\
+ --input-dir <input-dir> \\
+ {--input-package <input-package>} \\
+ {--rootkey-index [0 | 1 | 2 | 3]} \\
+ {--chipset-variant <chipset-variant>} \\
+ {--arb-config <arb-config-file>} \\
+ --out-dir <output-dir>
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+input_dir=""
+input_package=""
+rootkey_index=0
+chipset_variant=""
+arb_config=""
+output_dir=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --input-dir)
+ input_dir="${argv[$i]}"
+ check_dir "${input_dir}"
+ ;;
+ --input-package)
+ input_package="${argv[$i]}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "${rootkey_index}" 0 3
+ ;;
+ --chipset-variant)
+ chipset_variant="${argv[$i]}"
+ ;;
+ --arb-config)
+ arb_config="${argv[$i]}"
+ ;;
+ --out-dir)
+ output_dir="${argv[$i]}"
+ check_dir "${output_dir}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir ${key_dir}"
+trace " project ${part}"
+trace " input_dir ${input_dir}"
+trace " input_package ${input_package}"
+trace " rootkey-index ${rootkey_index}"
+trace " chipset-variant ${chipset_variant}"
+trace " arb-config ${arb_config}"
+trace " out-dir ${output_dir}"
+
+
+if [ -z "${key_dir}" ]; then
+ usage
+fi
+
+if [ -z "${part}" ]; then
+ usage
+fi
+
+if [ -z "${input_dir}" ] && [[ ! -f ${input_package} ]]; then
+ usage
+fi
+
+if [[ -f ${input_package} ]]; then
+ temp_dir="$input_package"-`date +%Y%m%d-%H%M%S`
+ if [[ -d ${input_dir} ]]; then
+ echo "error!input package and input dir conflicts! Only one set is legal!"
+ exit 1;
+ else
+ input_dir=${temp_dir}
+ fi
+ mkdir -p ${temp_dir}
+ if [[ -d ${temp_dir} ]]; then
+ unzip ${input_package} -d ${temp_dir} >& /dev/null
+ fi
+fi
+
+if [ -z "${rootkey_index}" ]; then
+ rootkey_index=0
+fi
+
+if [ -z "${chipset_variant}" ] || [ "${chipset_variant}" == "no_variant" ]; then
+ chipset_variant_suffix=""
+else
+ chipset_variant_suffix=".${chipset_variant}"
+fi
+
+if [ -z "${output_dir}" ]; then
+ usage
+fi
+
+fw_arb_cfg=${arb_config}
+if [ -s "${fw_arb_cfg}" ]; then
+ source ${fw_arb_cfg}
+ export DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}
+ export DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
+ export DEVICE_SCS_VERS=${DEVICE_SCS_VERS}
+ export DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
+ export DEVICE_REE_VERS=${DEVICE_REE_VERS}
+fi
+
+#export DEVICE_SCS_KEY_TOP=$(pwd)/${key_dir}
+#export DEVICE_INPUT_PATH=$(pwd)/${input_dir}
+#export DEVICE_OUTPUT_PATH=$(pwd)/${input_dir}
+export DEVICE_SCS_KEY_TOP=$(readlink -f ${key_dir})
+export DEVICE_INPUT_PATH=$(readlink -f ${input_dir})
+export DEVICE_OUTPUT_PATH=$(readlink -f ${input_dir})
+export PROJECT=${part}
+export DEVICE_ROOTRSA_INDEX=${rootkey_index}
+
+export DEVICE_VARIANT_SUFFIX=${chipset_variant_suffix}
+
+export DEVICE_STORAGE_SUFFIX=.sto
+make -C ${BASEDIR_TOP} dv-boot-blobs
+export DEVICE_STORAGE_SUFFIX=.usb
+make -C ${BASEDIR_TOP} dv-boot-blobs
+
+make -C ${BASEDIR_TOP} dv-device-fip
+postfix=.device.signed
+
+# build final bootloader
+mk_uboot ${output_dir} ${input_dir} ${postfix} .sto ${chipset_variant_suffix}
+mk_uboot ${output_dir} ${input_dir} ${postfix} .usb ${chipset_variant_suffix}
+
+if [ -d ${temp_dir} ]; then
+ rm -rf ${temp_dir}
+fi
\ No newline at end of file
diff --git a/s6/bin/device.license.bin b/s6/bin/device.license.bin
new file mode 100755
index 0000000..bbc3717
--- /dev/null
+++ b/s6/bin/device.license.bin
Binary files differ
diff --git a/s6/bin/download-keys.sh b/s6/bin/download-keys.sh
new file mode 100755
index 0000000..2a5ee5c
--- /dev/null
+++ b/s6/bin/download-keys.sh
@@ -0,0 +1,43 @@
+ #!/bin/bash
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+REPO_ADDR_HEAD="ssh://scgit.amlogic.com:29418/security"
+
+key_type=$1
+soc=$2
+key_name=$3
+key_path=$4
+
+#chipset repo-name
+CHIPSET_REPO_NAME[0]="/keys/${key_type}/${soc}/chipset/bl2/aes"
+CHIPSET_REPO_NAME[1]="/keys/${key_type}/${soc}/chipset/bl2/rsa"
+CHIPSET_REPO_NAME[2]="/keys/${key_type}/${soc}/chipset/bl31/aes"
+CHIPSET_REPO_NAME[3]="/keys/${key_type}/${soc}/chipset/bl31/rsa"
+CHIPSET_REPO_NAME[4]="/keys/${key_type}/${soc}/chipset/bl32/aes"
+CHIPSET_REPO_NAME[5]="/keys/${key_type}/${soc}/chipset/bl32/rsa"
+CHIPSET_REPO_NAME[6]="/keys/${key_type}/${soc}/chipset/bl40/aes"
+CHIPSET_REPO_NAME[7]="/keys/${key_type}/${soc}/chipset/bl40/rsa"
+CHIPSET_REPO_NAME[8]="/keys/${key_type}/${soc}/chipset/cert-template"
+
+#device repo-name
+DEVICE_REPO_FOLDER="/keys/${key_type}/${soc}/device/"
+DEVICE_REPO_NAME[0]="boot-blobs"
+DEVICE_REPO_NAME[1]="fip"
+
+if [ ${key_name} == "chipset" ]; then
+ for NAME in ${CHIPSET_REPO_NAME[@]};
+ do
+ if [ ! -d ${BASEDIR_TOP}/${NAME} ]; then
+ git clone ${REPO_ADDR_HEAD}${NAME} ${BASEDIR_TOP}/${NAME}
+ fi
+ done
+elif [ ${key_name} == "device" ]; then
+ for NAME in ${DEVICE_REPO_NAME[@]};
+ do
+ if [ ! -d ${key_path}/${NAME} ]; then
+ git clone ${REPO_ADDR_HEAD}${DEVICE_REPO_FOLDER}${NAME} ${key_path}/${NAME}
+ fi
+ done
+fi
\ No newline at end of file
diff --git a/s6/bin/efuse-gen.sh b/s6/bin/efuse-gen.sh
new file mode 100755
index 0000000..baa104b
--- /dev/null
+++ b/s6/bin/efuse-gen.sh
@@ -0,0 +1,308 @@
+ #!/bin/bash
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+VENDOR_KEYTOOL=${EXEC_BASEDIR}/../binary-tool/vendor-keytool
+#
+# Settings
+#
+VERSION=0.4
+
+# Check file
+check_file() {
+ if [ ! -f "$2" ]; then echo Error: Unable to open $1: \""$2"\"; exit 1 ; fi
+}
+
+# Check file is size or exit. $1: file, $2: size
+check_size() {
+ local filesize=$(wc -c < "$1")
+ if [ $filesize -ne $2 ]; then
+ echo "Error: File \"$1\" incorrect size. Was $filesize, expected $2"
+ exit 1
+ fi
+}
+
+# Check optional file argument exists and is given size
+# $1 arg name
+# $2 size
+# $3 file
+check_opt_file() {
+ if [ -n "$3" ]; then
+ check_file "$1" "$3"
+ local filesize=$(wc -c < "$3")
+ if [ $filesize -ne $2 ]; then
+ echo "Incorrect size $filesize != $2 for $1 $3"
+ exit 1
+ fi
+ fi
+}
+
+check_opt_boolean() {
+ if [ -n "$2" ]; then
+ if [ "$2" != "true" ] && [ "$2" != "false" ]; then
+ echo Error: invalid value $1: \""$2"\"
+ exit 1
+ fi
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help
+ $(basename $0) --version
+ $(basename $0) [--device-roothash device_roothash.bin] \\
+ [--dvgk dvgk.bin] \\
+ [--dvuk dvuk.bin] \\
+ [--enable-usb-password true] \\
+ [--enable-dif-password true] \\
+ [--enable-dvuk-derive-with-cid true] \\
+ [--enable-device-vendor-scs true] \\
+ -o pattern.efuse
+ $(basename $0) --audio-id audio_id_value \\
+ -o audio_id.efuse
+ $(basename $0) --device-scs-segid seg_id_value \\
+ -o device-scs-id.efuse
+ $(basename $0) --device-vendor-segid vend_id_value \\
+ -o device-vendor-id.efuse
+EOF
+ exit 1
+}
+
+function generate_efuse_device_pattern() {
+ local argv=("$@")
+ local i=0
+ local patt_text=$(mktemp --tmpdir)
+
+ # Parse args
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -o)
+ output="${argv[$i]}" ;;
+ --dvgk)
+ dvgk="${argv[$i]}" ;;
+ --dvuk)
+ dvuk="${argv[$i]}" ;;
+ --device-roothash)
+ device_roothash="${argv[$i]}" ;;
+ --enable-usb-password)
+ enable_usb_password="${argv[$i]}" ;;
+ --enable-dif-password)
+ enable_dif_password="${argv[$i]}" ;;
+ --enable-dvuk-derive-with-cid)
+ enable_dvuk_derive_with_cid="${argv[$i]}" ;;
+ --enable-device-vendor-scs)
+ enable_device_vendor_scs="${argv[$i]}" ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ # Verify args
+ if [ -z "$output" ]; then echo Error: Missing output file option -o; exit 1; fi
+
+ check_opt_file input 1024 "$input"
+ check_opt_file dvgk 16 "$dvgk"
+ check_opt_file dvuk 16 "$dvuk"
+ check_opt_file device_roothash 32 "$device_roothash"
+
+ check_opt_boolean enable-usb-password "$enable_usb_password"
+ check_opt_boolean enable-dif-password "$enable_dif_password"
+ check_opt_boolean enable-dvuk-derive-with-cid "$enable_dvuk_derive_with_cid"
+ check_opt_boolean enable-device-vendor-scs "$enable_device_vendor_scs"
+
+ if [ "$dvgk" != "" ]; then
+ keyinfo="$(xxd -p -c 16 $dvgk)"
+ echo "efuse_obj set DVGK $keyinfo" >> $patt_text
+ echo "efuse_obj lock DVGK" >> $patt_text
+ fi
+
+ if [ "$dvuk" != "" ]; then
+ keyinfo="$(xxd -p -c 16 $dvuk)"
+ echo "efuse_obj set DVUK $keyinfo" >> $patt_text
+ echo "efuse_obj lock DVUK" >> $patt_text
+ fi
+
+ if [ "$device_roothash" != "" ]; then
+ keyinfo="$(xxd -p -c 32 $device_roothash)"
+ echo "efuse_obj set HASH_NORMAL_DEVICE_ROOTCERT $keyinfo" >> $patt_text
+ echo "efuse_obj lock HASH_NORMAL_DEVICE_ROOTCERT" >> $patt_text
+ fi
+
+ if [ "$enable_device_vendor_scs" == "true" ]; then
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_ROOT_PUBRSA_PROT 01" >> $patt_text
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_LVL1_PUBRSA_PROT 01" >> $patt_text
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_LVLX_PUBRSA_PROT 01" >> $patt_text
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_VENDOR_SIG 01" >> $patt_text
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_PROT 01" >> $patt_text
+ echo "efuse_obj set FEAT_ENABLE_DEVICE_SCS_SIG 01" >> $patt_text
+ fi
+
+ if [ "$enable_usb_password" == "true" ]; then
+ echo "efuse_obj set FEAT_ENABLE_USB_AUTH 01" >> $patt_text
+ fi
+
+ if [ "$enable_dif_password" == "true" ]; then
+ echo "efuse_obj set FEAT_ENABLE_DIF_MASTER_PROT 01" >> $patt_text
+ fi
+
+ if [ "$enable_dvuk_derive_with_cid" == "true" ]; then
+ echo "efuse_obj set FEAT_ENABLE_DVUK_DERIVE_WITH_CID 01" >> $patt_text
+ fi
+
+ cp $patt_text $output
+ rm -f $patt_text
+}
+
+function generate_audio_id_pattern() {
+ local argv=("$@")
+ local i=0
+ local patt_text=$(mktemp --tmpdir)
+
+ # Parse args
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --audio-id)
+ audio_id_value="${argv[$i]}" ;;
+ -o)
+ output="${argv[$i]}" ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ # Verify args
+ if [ -z "$output" ]; then echo Error: Missing output file option -o; exit 1; fi
+
+ if [ -z $audio_id_value ]; then
+ echo Error: invalid audio_id_value
+ exit 1
+ fi
+
+ v=$(printf %08x $audio_id_value)
+ id_info=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
+ echo "efuse_obj set AUDIO_VENDOR_ID $id_info" >> $patt_text
+ echo "efuse_obj lock AUDIO_VENDOR_ID" >> $patt_text
+
+ cp $patt_text $output
+ rm -f $patt_text
+}
+
+
+function generate_mkt_id_pattern() {
+ local argv=("$@")
+ local i=0
+ local patt_text=$(mktemp --tmpdir)
+
+ # Parse args
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --device-scs-segid)
+ mkt_id_value="${argv[$i]}" ;;
+ -o)
+ output="${argv[$i]}" ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ # Verify args
+ if [ -z "$output" ]; then echo Error: Missing output file option -o; exit 1; fi
+
+ if [ -z $mkt_id_value ]; then
+ echo Error: invalid mkt_id_value
+ exit 1
+ fi
+
+ v=$(printf %08x $mkt_id_value)
+ id_info=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
+ echo "efuse_obj set DEVICE_SCS_SEGID $id_info" >> $patt_text
+ echo "efuse_obj lock DEVICE_SCS_SEGID" >> $patt_text
+
+ cp $patt_text $output
+ rm -f $patt_text
+}
+
+function generate_vendor_id_pattern() {
+ local argv=("$@")
+ local i=0
+ local patt_text=$(mktemp --tmpdir)
+
+ # Parse args
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --device-vendor-segid)
+ vend_id_value="${argv[$i]}" ;;
+ -o)
+ output="${argv[$i]}" ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ # Verify args
+ if [ -z "$output" ]; then echo Error: Missing output file option -o; exit 1; fi
+
+ if [ -z $vend_id_value ]; then
+ echo Error: invalid vendor_id_value
+ exit 1
+ fi
+
+ v=$(printf %08x $vend_id_value)
+ id_info=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
+ echo "efuse_obj set DEVICE_VENDOR_SEGID $id_info" >> $patt_text
+ echo "efuse_obj lock DEVICE_VENDOR_SEGID" >> $patt_text
+
+ cp $patt_text $output
+ rm -f $patt_text
+}
+
+parse_main() {
+ case "$@" in
+ --help)
+ usage
+ ;;
+ --version)
+ echo "$(basename $0) version $VERSION"
+ ;;
+ *--audio-id*)
+ generate_audio_id_pattern "$@"
+ ;;
+ *--device-vendor-segid*)
+ generate_vendor_id_pattern "$@"
+ ;;
+ *--device-scs-segid*)
+ generate_mkt_id_pattern "$@"
+ ;;
+ *-o*)
+ generate_efuse_device_pattern "$@"
+ ;;
+ *)
+ usage "$@"
+ ;;
+ esac
+}
+
+parse_main "$@"
diff --git a/s6/bin/gen-bl.sh b/s6/bin/gen-bl.sh
new file mode 100755
index 0000000..9122db6
--- /dev/null
+++ b/s6/bin/gen-bl.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+CP=cp
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_TEMPLATE=$1
+
+BASEDIR_PAYLOAD=$2
+
+BASEDIR_INPUT_BLOB=$3
+
+BASEDIR_OUTPUT=$4
+
+CHIPSET_VARIANT_SUFFIX=$5
+
+#
+# Arguments
+#
+
+EXEC_ARGS="${EXEC_ARGS}"
+
+### Input: template ###
+EXEC_ARGS="${EXEC_ARGS} --infile-template-chipset-fip-header=${BASEDIR_TEMPLATE}/device-fip-header.bin"
+
+### Input: payload ###
+EXEC_ARGS="${EXEC_ARGS} --infile-bl30-payload=${BASEDIR_PAYLOAD}/bl30-payload.bin"
+EXEC_ARGS="${EXEC_ARGS} --infile-bl33-payload=${BASEDIR_PAYLOAD}/bl33-payload.bin"
+
+### Input: chipset blobs ###
+
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl40=${BASEDIR_INPUT_BLOB}/blob-bl40.bin.signed"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl31=${BASEDIR_INPUT_BLOB}/blob-bl31.bin.signed"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl32=${BASEDIR_INPUT_BLOB}/blob-bl32.bin.signed"
+
+### Features, flags and switches ###
+
+### Output: Device FIP ###
+EXEC_ARGS="${EXEC_ARGS} --outfile-device-fip=${BASEDIR_OUTPUT}/device-fip.bin.signed"
+
+#echo ${EXEC_ARGS}
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${EXEC_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/gen-bl3x-blobs.sh b/s6/bin/gen-bl3x-blobs.sh
new file mode 100755
index 0000000..ebb5ad6
--- /dev/null
+++ b/s6/bin/gen-bl3x-blobs.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_TEMPLATE="${BASEDIR_TOP}/templates"
+
+BASEDIR_PAYLOAD=$2
+
+BASEDIR_NONCE="./nonce"
+
+CHIPSET_NAME=$4
+KEY_TYPE=$5
+SOC=$6
+
+BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl2/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl2/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl31/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl31/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl32/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl32/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl40/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl40/rsa/${CHIPSET_NAME}"
+
+BASEDIR_OUTPUT_BLOB=$3
+postfix=.signed
+#
+# Arguments
+#
+
+BLOB_NAME=$1
+_BASEDIR_AESKEY_PROT_DIR="BASEDIR_AESKEY_PROT_BL${BLOB_NAME}"
+BASEDIR_AESKEY_PROT_DIR=${!_BASEDIR_AESKEY_PROT_DIR}
+_BASEDIR_RSAKEY_LVLX_DIR="BASEDIR_RSAKEY_LVLX_BL${BLOB_NAME}"
+BASEDIR_RSAKEY_LVLX_DIR=${!_BASEDIR_RSAKEY_LVLX_DIR}
+
+EXEC_ARGS="${EXEC_ARGS}"
+
+### Input: payload ###
+EXEC_ARGS="${EXEC_ARGS} --infile-bl${BLOB_NAME}-payload=${BASEDIR_PAYLOAD}/bl${BLOB_NAME}-payload.bin"
+
+### Input: Chipset Level-1/2 Private RSA keys
+
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl${BLOB_NAME}-chipset-lvl3=${BASEDIR_RSAKEY_LVLX_DIR}/bl${BLOB_NAME}-level-3-rsa-priv.pem"
+
+### Input: nonce for binary protection ###
+#EXEC_ARGS="${EXEC_ARGS} --infile-nonce-blob-bl${BLOB_NAME}=${BASEDIR_NONCE}/chipset/blob/blob-bl${BLOB_NAME}-nonce.bin"
+
+### Input: pre-generated ProtKey for payload
+EXEC_ARGS="${EXEC_ARGS} --infile-aes256-bl${BLOB_NAME}-payload=${BASEDIR_AESKEY_PROT_DIR}/genkey-prot-bl${BLOB_NAME}.bin"
+
+### Features, flags and switches ###
+
+### Output: blobs ###
+EXEC_ARGS="${EXEC_ARGS} --outfile-blob-bl${BLOB_NAME}=${BASEDIR_OUTPUT_BLOB}/blob-bl${BLOB_NAME}.bin${postfix}"
+
+#echo ${EXEC_ARGS}
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${EXEC_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/gen-boot-blob-bl2-final.sh b/s6/bin/gen-boot-blob-bl2-final.sh
new file mode 100755
index 0000000..24e0484
--- /dev/null
+++ b/s6/bin/gen-boot-blob-bl2-final.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_PAYLOAD=$1
+
+BASEDIR_NONCE="./nonce"
+
+CHIPSET_NAME=$3
+KEY_TYPE=$4
+SOC_FAMILY=$5
+CHIPSET_VARIANT_SUFFIX=$6
+
+BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/rsa/${CHIPSET_NAME}"
+
+BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
+
+BASEDIR_OUTPUT_BLOB=$2
+postfix=.signed
+#
+# Arguments
+#
+#stage 2
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_PAYLOAD}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin.bl2-only"
+
+### Input: payloads ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-csinit-params=${BASEDIR_PAYLOAD}/csinit-params.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-ddr-fwdata=${BASEDIR_PAYLOAD}/ddr-fwdata.bin"
+
+### Input: Chipset Level-1/2 Private RSA keys
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl1=${BASEDIR_RSAKEY_LVLX_BL2}/level-1-rsa-priv.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl2=${BASEDIR_RSAKEY_LVLX_BL2}/level-2-rsa-priv.pem"
+
+### Input: pre-generated ProtKey for payloads
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-csinit-params=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-csinit-params.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-ddr-fwdata=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-ddr-fwdata.bin"
+
+### Features, flags and switches ###
+BB1ST_ARGS="${BB1ST_ARGS} --switch-chipset-sign-bl2=0"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=s5"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin${postfix}"
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/gen-boot-blob-bl2-only.sh b/s6/bin/gen-boot-blob-bl2-only.sh
new file mode 100755
index 0000000..99f01c0
--- /dev/null
+++ b/s6/bin/gen-boot-blob-bl2-only.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_PAYLOAD=$1
+
+BASEDIR_NONCE="./nonce"
+
+CHIPSET_NAME=$3
+KEY_TYPE=$4
+SOC_FAMILY=$5
+CHIPSET_VARIANT_SUFFIX=$6
+
+BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/rsa/${CHIPSET_NAME}"
+
+BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
+
+BASEDIR_OUTPUT_BLOB=$2
+postfix=.signed
+#
+# Arguments
+#
+#stage 1
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_TEMPLATE}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin"
+
+### Input: payloads ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-bl2-payload=${BASEDIR_PAYLOAD}/bl2-payload.bin"
+
+### Input: Chipset Level-1/2 Private RSA keys
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl1=${BASEDIR_RSAKEY_LVLX_BL2}/level-1-rsa-priv.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl2=${BASEDIR_RSAKEY_LVLX_BL2}/level-2-rsa-priv.pem"
+
+### Input: pre-generated ProtKey for payloads
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-bl2-payload=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-bl2.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=s5"
+
+### Features, flags and switches ###
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin.bl2-only"
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/gen-boot-blobs.sh b/s6/bin/gen-boot-blobs.sh
new file mode 100755
index 0000000..e9b2103
--- /dev/null
+++ b/s6/bin/gen-boot-blobs.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+BASEDIR_PAYLOAD=$1
+
+BASEDIR_NONCE="./nonce"
+
+CHIPSET_NAME=$3
+KEY_TYPE=$4
+SOC_FAMILY=$5
+CHIPSET_VARIANT_SUFFIX=$6
+
+BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/rsa/${CHIPSET_NAME}"
+
+BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/rsa/${CHIPSET_NAME}"
+
+BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
+
+BASEDIR_OUTPUT_BLOB=$2
+postfix=.signed
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_TEMPLATE}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin"
+
+### Input: payloads ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-bl2-payload=${BASEDIR_PAYLOAD}/bl2-payload.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-bl2e-payload=${BASEDIR_PAYLOAD}/bl2e-payload.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-bl2x-payload=${BASEDIR_PAYLOAD}/bl2x-payload.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-dvinit-params=${BASEDIR_PAYLOAD}/dvinit-params.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-csinit-params=${BASEDIR_PAYLOAD}/csinit-params.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-ddr-fwdata=${BASEDIR_PAYLOAD}/ddr-fwdata.bin"
+
+### Input: Chipset Level-1/2 Private RSA keys
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl1=${BASEDIR_RSAKEY_LVLX_BL2}/level-1-rsa-priv.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-chipset-lvl2=${BASEDIR_RSAKEY_LVLX_BL2}/level-2-rsa-priv.pem"
+
+### Input: nonce for binary protection ###
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-csinit-params=${BASEDIR_NONCE}/chipset/blob/csinit-params-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-ddr-fwdata=${BASEDIR_NONCE}/chipset/blob/ddr-fwdata-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-blob-bl2=${BASEDIR_NONCE}/chipset/blob/blob-bl2-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-blob-bl2e=${BASEDIR_NONCE}/chipset/blob/blob-bl2e-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-blob-bl2x=${BASEDIR_NONCE}/chipset/blob/blob-bl2x-nonce.bin"
+
+
+### Input: pre-generated ProtKey for payloads
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-csinit-params=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-csinit-params.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-ddr-fwdata=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-ddr-fwdata.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-bl2-payload=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-bl2.bin"
+if [ "x${FEAT_BL2E_SIGPROT_MODE}" == "x0" ]; then
+ BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-bl2e-payload=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-bl2e.bin"
+fi
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-bl2x-payload=${BASEDIR_AESKEY_PROT_BL2}/genkey-prot-bl2x.bin"
+
+### Features, flags and switches ###
+
+if [ "x${FEAT_BL2E_SIGPROT_MODE}" != "x0" ]; then
+ BB1ST_ARGS="${BB1ST_ARGS} --feature-bl2e-sigprot-mode"
+fi
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=s5"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${CHIPSET_VARIANT_SUFFIX}.bin${postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2e=${BASEDIR_OUTPUT_BLOB}/blob-bl2e.bin${postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2x=${BASEDIR_OUTPUT_BLOB}/blob-bl2x.bin${postfix}"
+
+echo ${TOOLS_ARGS}
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/gen-merge-bin.sh b/s6/bin/gen-merge-bin.sh
new file mode 100755
index 0000000..df2943d
--- /dev/null
+++ b/s6/bin/gen-merge-bin.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+
+function process_join() {
+ local input0=$1
+ local size0=$2
+ local input1=$3
+ local size1=$4
+ local output=$5
+ local temp_output=${output}.temp
+ local temp_size=`expr ${size0} + ${size1}`
+
+ #cat ${input0} > ${input0}.orig
+ #cat ${input1} > ${input1}.orig
+ dd if=/dev/zero of=${temp_output} bs=1 count=${temp_size}
+ input_size=`stat -c %s ${input0}`
+ if [ $input_size -gt ${size0} ]; then
+ dd if=${input0} of=${temp_output} bs=1 count=${size0}
+ else
+ dd if=${input0} of=${temp_output} bs=1 conv=notrunc
+ fi
+ input_size=`stat -c %s ${input1}`
+ if [ $input_size -gt ${size1} ]; then
+ dd if=${input1} of=${temp_output} seek=${size0} bs=1 count=${size1}
+ else
+ dd if=${input1} of=${temp_output} seek=${size0} bs=1 conv=notrunc
+ fi
+ cat ${temp_output} > ${output}
+ rm -rf ${temp_output}
+ merge_size=`stat -c %s ${output}`
+ if [ ${merge_size} -ne ${temp_size} ]; then
+ echo "$output file size is not equal $temp_size, ${merge_size}"
+ echo -1
+ fi
+ return
+}
+
+function generate_joining() {
+ local argv=("$@")
+ local i=0
+
+ # Parse args
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --input0)
+ input0="${argv[$i]}" ;;
+ --size0)
+ size0="${argv[$i]}" ;;
+ --input1)
+ input1="${argv[$i]}" ;;
+ --size1)
+ size1="${argv[$i]}" ;;
+ --output)
+ output="${argv[$i]}" ;;
+ esac
+ i=$((i + 1))
+ done
+
+ if [ -z ${input0} ] || [ ! -f ${input0} ] || [ -z ${size0} ]; then
+ return
+ fi
+ if [ -z ${input1} ] || [ ! -f ${input1} ] || [ -z ${size1} ]; then
+ return
+ fi
+ if [ -z ${output} ]; then
+ return
+ fi
+ echo "$BASH_SOURCE, $LINENO"
+ process_join ${input0} ${size0} ${input1} ${size1} ${output}
+ echo "$BASH_SOURCE, $LINENO"
+ return
+}
+
+generate_joining $@
diff --git a/s6/bin/pack_aucpu_key.sh b/s6/bin/pack_aucpu_key.sh
new file mode 100755
index 0000000..7688118
--- /dev/null
+++ b/s6/bin/pack_aucpu_key.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+BLOB_NAME=$1
+BASEDIR_PAYLOAD=$2
+BASEDIR_OUTPUT_BLOB=$3
+CHIPSET_NAME=$4
+KEY_TYPE=$5
+SOC=$6
+
+BASEDIR_AUCPU_CERT="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/cert-template/${CHIPSET_NAME}"
+
+
+#
+# Arguments
+#
+
+dd if=${BASEDIR_AUCPU_CERT}/fw-aucpu-cert.bin of=${BASEDIR_PAYLOAD}/bl${BLOB_NAME}-payload.bin bs=1 seek=1024 conv=notrunc >& /dev/null
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/bin/sign-blx.sh b/s6/bin/sign-blx.sh
new file mode 100755
index 0000000..a2e7063
--- /dev/null
+++ b/s6/bin/sign-blx.sh
@@ -0,0 +1,195 @@
+ #!/bin/bash
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+#BASEDIR_BUILD="${BASEDIR_TOP}/output"
+BASEDIR_BUILD="${BASEDIR_TOP}/`date +%Y%m%d%H%M%S%N`"
+postfix=.signed
+declare -a BLX_BIN_SIZE=("183200" "65536" "65536" "2048" "212992" "262144" "524288" "98304")
+
+declare CHIPACS_SIZE=${BLX_BIN_SIZE[3]}
+declare DDRFW_SIZE=${BLX_BIN_SIZE[4]}
+function split_ddrfw_from_chipacs() {
+ local input=$1
+ local output1=$2
+ local output2=$3
+ local size=`expr ${CHIPACS_SIZE} + ${DDRFW_SIZE}`
+ local input_size=`stat -c %s ${input}`
+
+ if [ $input_size -ne ${size} ]; then
+ echo "$input is not chipacs and ddrfw merge !!!"
+ return
+ fi
+ dd if=${input} of=${output1}.tmp bs=1 count=${CHIPACS_SIZE}
+ dd if=${input} of=${output2}.tmp skip=${CHIPACS_SIZE} bs=1 count=${DDRFW_SIZE}
+ cat ${output1}.tmp > ${output1}
+ cat ${output2}.tmp > ${output2}
+ rm -rf ${output1}.tmp ${output2}.tmp
+
+ return
+}
+
+function sign_blx() {
+ local argv=("$@")
+ local i=0
+
+ # Parse args
+
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ #echo "i=$i argv[$i]=${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --blxname)
+ blxname="${argv[$i]}" ;;
+ --input)
+ input="${argv[$i]}" ;;
+ --output)
+ output="${argv[$i]}" ;;
+ --ddr_type)
+ ddr_type="${argv[$i]}" ;;
+ --chip_acs)
+ chip_acs="${argv[$i]}" ;;
+ --chipset_name)
+ chipset_name="${argv[$i]}" ;;
+ --chipset_variant)
+ chipset_variant="${argv[$i]}" ;;
+ --key_type)
+ key_type="${argv[$i]}" ;;
+ --soc)
+ soc="${argv[$i]}" ;;
+ --build_type)
+ build_type="${argv[$i]}" ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ if [ -z ${input} ] || [ ! -f ${input} ]; then
+ echo "input ${input} invalid"
+ exit 1
+ fi
+
+ if [ -z ${output} ]; then
+ echo "output ${output} invalid"
+ exit 1
+ fi
+
+ if [ -z ${blxname} ]; then
+ echo "blxname ${blxname} invalid"
+ exit 1
+ fi
+
+ if [ -z ${chipset_name} ]; then
+ chipset_name="a113l2"
+ fi
+
+ # select bl2/bl2e sign template
+ FEAT_BL2_TEMPLATE_TYPE=
+ FEAT_BL2E_SIGPROT_MODE=0
+ if [ -z ${chipset_variant} ] || [ ${chipset_variant} == "no_variant" ]; then
+ chipset_variant_suffix=""
+ else
+ chipset_variant_suffix=".${chipset_variant}"
+ if [[ "${input}" =~ ".sto" ]]; then
+ FEAT_BL2_TEMPLATE_TYPE=".sto"
+ if [[ "${chipset_variant}" =~ "nocs" ]]; then
+ FEAT_BL2E_SIGPROT_MODE=1
+ fi
+ elif [[ "${input}" =~ ".usb" ]]; then
+ FEAT_BL2_TEMPLATE_TYPE=".usb"
+ else
+ # for BL2X, it need a default value if chipset_variant
+ # is set
+ FEAT_BL2_TEMPLATE_TYPE=".sto"
+ fi
+ fi
+ export FEAT_BL2_TEMPLATE_TYPE
+ export FEAT_BL2E_SIGPROT_MODE
+
+ if [ -z ${key_type} ]; then
+ key_type="dev-keys"
+ fi
+
+ if [ -z ${soc} ]; then
+ soc="s7d"
+ fi
+
+ if [ -z ${build_type} ]; then
+ build_type=normal
+ fi
+
+ mkdir ${BASEDIR_BUILD}
+
+ if [ ${blxname} == "bl2" ] || [ ${blxname} == "bl2e" ] || [ ${blxname} == "bl2x" ]; then
+ dd if=/dev/zero of=${BASEDIR_BUILD}/bl2-payload.bin bs=${BLX_BIN_SIZE[0]} count=1 &> /dev/null
+ dd if=/dev/zero of=${BASEDIR_BUILD}/bl2e-payload.bin bs=${BLX_BIN_SIZE[1]} count=1 &> /dev/null
+ dd if=/dev/zero of=${BASEDIR_BUILD}/bl2x-payload.bin bs=${BLX_BIN_SIZE[2]} count=1 &> /dev/null
+ dd if=/dev/zero of=${BASEDIR_BUILD}/csinit-params.bin bs=${BLX_BIN_SIZE[3]} count=1 &> /dev/null
+ #dd if=/dev/zero of=${BASEDIR_BUILD}/ddr-fwdata.bin bs=${BLX_BIN_SIZE[4]} count=1 &> /dev/null
+ elif [ ${blxname} == "bl31" ]; then
+ dd if=/dev/zero of=${BASEDIR_BUILD}/${blxname}-payload.bin bs=${BLX_BIN_SIZE[5]} count=1 &> /dev/null
+ elif [ ${blxname} == "bl32" ]; then
+ dd if=/dev/zero of=${BASEDIR_BUILD}/${blxname}-payload.bin bs=${BLX_BIN_SIZE[6]} count=1 &> /dev/null
+ elif [ ${blxname} == "bl40" ]; then
+ dd if=/dev/zero of=${BASEDIR_BUILD}/${blxname}-payload.bin bs=${BLX_BIN_SIZE[7]} count=1 &> /dev/null
+ else
+ echo invalid blxname [$blxname]
+ exit 1
+ fi
+
+ ${EXEC_BASEDIR}/download-keys.sh ${key_type} ${soc} chipset
+
+ ddrfw_split_flag=0
+ if [ ${blxname} == "bl2" ] && [ ${build_type} == "normal" ]; then
+ if [ -z ${chip_acs} ] || [ ! -f ${chip_acs} ]; then
+ echo "chip_acs ${chip_acs} invalid"
+ exit 1
+ fi
+ dd if=${chip_acs} of=${BASEDIR_BUILD}/csinit-params.bin conv=notrunc &> /dev/null
+ dd if=${input} of=${BASEDIR_BUILD}/${blxname}-payload.bin conv=notrunc &> /dev/null
+
+ ${EXEC_BASEDIR}/gen-boot-blobs.sh ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc} ${chipset_variant_suffix}
+ elif [ ${blxname} == "bl2" ] && [ ${build_type} == "bl2-only" ]; then
+ dd if=${input} of=${BASEDIR_BUILD}/${blxname}-payload.bin conv=notrunc &> /dev/null
+ ${EXEC_BASEDIR}/gen-boot-blob-bl2-only.sh ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc} ${chipset_variant_suffix}
+ elif [ ${blxname} == "bl2" ] && [ ${build_type} == "bl2-final" ]; then
+ if [ -z ${chip_acs} ] || [ ! -f ${chip_acs} ]; then
+ echo "chip_acs ${chip_acs} invalid"
+ exit 1
+ fi
+ dd if=${chip_acs} of=${BASEDIR_BUILD}/csinit-params.bin conv=notrunc &> /dev/null
+
+ dd if=${input} of=${BASEDIR_BUILD}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${chipset_variant_suffix}.bin.bl2-only conv=notrunc &> /dev/null
+ ${EXEC_BASEDIR}/gen-boot-blob-bl2-final.sh ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc} ${chipset_variant_suffix}
+ elif [ ${blxname} == "bl2e" ] || [ ${blxname} == "bl2x" ]; then
+ dd if=${input} of=${BASEDIR_BUILD}/${blxname}-payload.bin conv=notrunc &> /dev/null
+ ${EXEC_BASEDIR}/gen-boot-blobs.sh ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc} ${chipset_variant_suffix}
+ elif [ ${blxname} == "bl31" ] || [ ${blxname} == "bl32" ] || [ ${blxname} == "bl40" ]; then
+ dd if=${input} of=${BASEDIR_BUILD}/${blxname}-payload.bin conv=notrunc &> /dev/null
+ if [ ${blxname} == "bl31" ]; then
+ ${EXEC_BASEDIR}/pack_aucpu_key.sh ${blxname:2:2} ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc}
+ fi
+ ${EXEC_BASEDIR}/gen-bl3x-blobs.sh ${blxname:2:2} ${BASEDIR_BUILD} ${BASEDIR_BUILD} ${chipset_name} ${key_type} ${soc}
+ fi
+
+ if [ ${blxname} == "bl2" ]; then
+ if [ ${build_type} == "bl2-only" ]; then
+ cp ${BASEDIR_BUILD}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${chipset_variant_suffix}.bin.bl2-only $output
+ else
+ cp ${BASEDIR_BUILD}/bb1st${FEAT_BL2_TEMPLATE_TYPE}${chipset_variant_suffix}.bin${postfix} $output
+ fi
+ else
+ cp ${BASEDIR_BUILD}/blob-${blxname}.bin${postfix} $output
+ fi
+}
+
+rm -rf ${BASEDIR_BUILD}
+sign_blx $@
+rm -rf ${BASEDIR_BUILD}
diff --git a/s6/bin/sign-kernel-boot.sh b/s6/bin/sign-kernel-boot.sh
new file mode 100755
index 0000000..7ffe458
--- /dev/null
+++ b/s6/bin/sign-kernel-boot.sh
@@ -0,0 +1,399 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+
+SCRIPT_PATH=${SCRIPT_PATH:-$(dirname $(readlink -f $0))}
+
+# Temporary files directory
+if [ "$TMP" == "/tmp" ] || [ -z "$TMP" ]; then
+ TMP=${SCRIPT_PATH}/tmp
+fi
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help
+
+ Amlogic Device Vendor Secure Chipset Startup (SCS) Signing
+
+ $(basename $0) --sign-kernel \\
+ --key-dir <key-dir> \\
+ --project <project-name> \\
+ --input <input img> \\
+ {--rootkey-index [0 | 1 | 2 | 3]} \\
+ --output <output img>
+EOF
+ exit 1
+}
+
+check_file() {
+ if [ ! -f "$2" ]; then echo Error: Unable to open $1: \""$2"\"; exit 1 ; fi
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+# Calculate aligned file size
+# $1: file
+# $2: alignment requirement in bytes
+aligned_size() {
+ local file=$1
+ local skip=$2
+ local alignment=$3
+ local alignedsize=0
+
+ local filesize=$(wc -c < ${file})
+ #echo "Input $file filesize $filesize"
+ if [ $skip -ne 0 ]; then
+ filesize=$(( $filesize - $skip ))
+ fi
+ local rem=$(( $filesize % $alignment ))
+ if [ $rem -ne 0 ]; then
+ #echo "Input $file not $alignment byte aligned"
+ local padsize=$(( $alignment - $rem ))
+ alignedsize=$(( $filesize + $padsize ))
+ else
+ alignedsize=$filesize
+ fi
+ #echo "Aligned size $alignedsize"
+ echo $alignedsize
+}
+
+# Pad file to len by adding 0's to end of file
+# $1: file
+# $2: len
+pad_file() {
+ local file=$1
+ local len=$2
+ if [ ! -f "$1" ] || [ -z "$2" ]; then
+ echo "Argument error, \"$1\", \"$2\" "
+ exit 1
+ fi
+ local filesize=$(wc -c < ${file})
+ local padlen=$(( $len - $filesize ))
+ if [ $len -lt $filesize ]; then
+ echo "File larger than expected. $filesize, $len"
+ exit 1
+ fi
+ dd if=/dev/zero of=$file oflag=append conv=notrunc bs=1 \
+ count=$padlen >& /dev/null
+}
+
+append_uint32_le() {
+ local input=$1
+ local output=$2
+ local v=
+ local vrev=
+ v=$(printf %08x $input)
+ # 00010001
+ vrev=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
+
+ echo $vrev | xxd -r -p >> $output
+}
+
+# $1: input
+# $2: output
+# $3: aes key file
+# $4: aes iv file
+internal_encrypt() {
+ local input=$1
+ local output=$2
+ local keyfile=$3
+ local ivfile=$4
+ if [ ! -f "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
+ echo "Argument error"
+ exit 1
+ fi
+ local key=$(xxd -p -c64 $keyfile)
+ local iv=$(xxd -p -c64 $ivfile)
+ local imagesize=$(wc -c < ${input})
+ local rem=$(( $imagesize % 16 ))
+ if [ $rem -ne 0 ]; then
+ echo "Input $input not 16 byte aligned?"
+ exit 1
+ fi
+ openssl enc -aes-256-cbc -K $key -iv $iv -e -in $input -out $output -nopad
+}
+
+# Check input is android format or not
+is_android_img() {
+ local input=$1
+ if [ ! -f "$1" ]; then
+ echo "Argument error, \"$1\""
+ exit 1
+ fi
+ local insize=$(wc -c < $input)
+ if [ $insize -le 2048 ]; then
+ # less than size of img header
+ echo False
+ return
+ fi
+
+ local inmagic=$(xxd -p -l 8 $input)
+
+ if [ "$inmagic" == "414e44524f494421" ]; then
+ echo True
+ else
+ echo False
+ fi
+}
+
+# Check input is android R format or not
+# 1: input
+# returns True or False
+# android R file format: 4KB header + kernel/ramdisk/dtb
+# file header as following
+#define ANDROID_R_IMG_VER (3)
+#typedef struct {
+# char magic[ANDR_BOOT_MAGIC_SIZE]; /*"ANDROID!"*/
+#
+# u32 kernel_size; /* size in bytes */
+# u32 ramdisk_size; /* size in bytes */
+#
+# /* Operating system version and security patch level.
+# For version "A.B.C" and patch level "Y-M-D":
+# (7 bits for each of A, B, C; 7 bits for (Y-2000), 4 bits for M)
+# os_version = A[31:25] B[24:18] C[17:11] (Y-2000)[10:4] M[3:0]
+# */
+#
+# uint32_t os_version;
+# uint32_t header_size;
+# uint32_t reserved[4];
+#
+# uint32_t header_version; /* Version of the boot image header */
+# char cmdline[BOOT_ARGS_SIZE + BOOT_EXTRA_ARGS_SIZE];
+# unsigned char szReserved[BOOT_IMG_V3_HDR_SIZE - 1580]; /*align to 4KB header,1580 is size before this*/
+#}boot_img_hdr_v3_t, * p_boot_img_hdr_v3_t;
+is_androidR_img() {
+ local input=$1
+ if [ ! -f "$1" ]; then
+ echo "Argument error, \"$1\""
+ exit 1
+ fi
+ local insize=$(wc -c < $input)
+ if [ $insize -le 4096 ]; then
+ # less than size of img header
+ echo False
+ return
+ fi
+
+ local inmagic=$(xxd -p -l 8 $input)
+
+ if [ "$inmagic" == "414e44524f494421" ]; then
+ inversion=$(xxd -p -seek 40 -l 4 $input)
+ if [ "$inversion" == "03000000" ]; then
+ echo True
+ else
+ echo False
+ fi
+ elif [ "$inmagic" == "564e4452424f4f54" ]; then
+ echo True
+ else
+ echo False
+ fi
+}
+
+# Encrypt/sign kernel
+#typedef struct {
+# uint32_t magic;
+# uint32_t version;
+# uint32_t flags;
+# uint32_t img_version;
+# uint32_t img_size;
+# uint32_t img_offset;
+# uint8_t img_hash[32];
+# uint8_t reserved[200];
+# uint8_t aesblk_sig[512];
+# uint8_t rsa_sig[512];
+#} aml_boot_header_t;
+#
+#CASSERT(sizeof(aml_boot_header_t) == 1280, assert_sizeof_aml_boot_header_t);
+sign_kernel() {
+ local input=""
+ local key_dir=""
+ local part=""
+ local rootkey_index=0
+ local output=""
+ local rsakey=""
+ local aeskey=""
+ local aesiv=$TMP/aesiv.bin
+ local argv=("$@")
+ local i=0
+
+ # Parse args
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --input)
+ input="${argv[$i]}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "${rootkey_index}" 0 3
+ ;;
+ --output)
+ output="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+
+ # Verify args
+ if [ -z "${key_dir}" ]; then
+ usage
+ fi
+
+ if [ -z "${part}" ]; then
+ echo "Error: project cannot be empty"
+ usage
+ fi
+
+ if [ -z "${rootkey_index}" ]; then
+ rootkey_index=0
+ fi
+
+ check_file "input" "${input}"
+ if [ -z "${output}" ]; then
+ echo Error: Missing output file option --output; exit 1;
+ fi
+
+ rsakey=$(readlink -f ${key_dir})/fip/rsa/${part}/rootrsa-${rootkey_index}/key/krnl-level-3-rsa-priv.pem
+ check_file "RSA key" "${rsakey}"
+ aeskey=$(readlink -f ${key_dir})/fip/aes/${part}/protkey/genkey-prot-krnl.bin
+ check_file "AES key" "${aeskey}"
+ dd if=/dev/zero of=${aesiv} bs=1 count=16 >& /dev/null
+ check_file "AES IV" "${aesiv}"
+
+ local imagesize=$(wc -c < ${input})
+ local rem=$(( $imagesize % 512 ))
+ if [ $rem -ne 0 ]; then
+ #echo "Input $input not 512 byte aligned?"
+ local topad=$(( 512 - $rem ))
+ imagesize=$(( $imagesize + $topad ))
+ cp $input $TMP/kernpad.bin
+ pad_file $TMP/kernpad.bin $imagesize
+ input=$TMP/kernpad.bin
+ fi
+
+ # Hash payload
+ openssl dgst -sha256 -binary $input > $TMP/kern-pl.sha
+
+ # Encrypt payload
+ internal_encrypt $input $TMP/kern-pl.bin $aeskey $aesiv
+
+ # Create header
+ # magic, version, flags, img_version
+ echo -n '@AML' > $TMP/kern.hdr
+ append_uint32_le 1 $TMP/kern.hdr
+ append_uint32_le 0 $TMP/kern.hdr
+ append_uint32_le 0 $TMP/kern.hdr
+ # img_size, img_offset, img_hash, reserved
+ append_uint32_le $imagesize $TMP/kern.hdr
+ append_uint32_le 768 $TMP/kern.hdr
+ cat $TMP/kern-pl.sha >> $TMP/kern.hdr
+ pad_file $TMP/kern.hdr 256
+
+ # Sign header
+ openssl dgst -sha256 -sign $rsakey -out $TMP/kern.hdr.sig $TMP/kern.hdr
+
+ # Combine header + signature
+ cat $TMP/kern.hdr.sig >> $TMP/kern.hdr
+
+ # Pad to 768 in case key/sig is smaller than maximum
+ pad_file $TMP/kern.hdr 768
+
+ # Combine hdr + payload
+ cat $TMP/kern.hdr $TMP/kern-pl.bin > $output
+
+ #......
+ #android boot/vendorboot special process
+ if [ "$(is_androidR_img ${input})" == "True" ]; then
+ local tempfile=${output}.`date +%Y%m%d%H%M%S`
+ dd if=${input} of=${tempfile} bs=512 count=8 &> /dev/null
+ cat ${output} >> ${tempfile}
+ mv -f ${tempfile} ${output}
+ elif [ "$(is_android_img ${input})" == "True" ]; then
+ local tempfile=${output}.`date +%Y%m%d%H%M%S`
+ dd if=${input} of=${tempfile} bs=512 count=4 &> /dev/null
+ dd if=/dev/zero of=${tempfile} bs=512 count=4 oflag=append conv=notrunc &> /dev/null
+ cat ${output} >> ${tempfile}
+ mv -f ${tempfile} ${output}
+ fi
+
+ echo
+ echo Created signed kernel $output successfully
+}
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ case "$arg" in
+ -h|--help)
+ usage
+ break ;;
+ --sign-kernel)
+ sign_kernel "${argv[@]:$((i + 1))}"
+ break ;;
+ *)
+ echo "Unknown first option $1"; exit 1
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+cleanup() {
+ if [ ! -d "$TMP" ]; then return; fi
+ local tmpfiles="kernpad.bin kern.hdr kern.hdr.sig kern-pl.sha kern-pl.bin aesiv.bin"
+ for i in $tmpfiles ; do
+ rm -f $TMP/$i
+ done
+ rm -fr $TMP
+}
+
+trap cleanup EXIT
+
+cleanup
+if [ ! -d "$TMP" ]; then mkdir "$TMP" ; fi
+parse_main "$@"
diff --git a/s6/binary-tool/acpu-imagetool b/s6/binary-tool/acpu-imagetool
new file mode 100755
index 0000000..d3915e8
--- /dev/null
+++ b/s6/binary-tool/acpu-imagetool
Binary files differ
diff --git a/s6/binary-tool/vendor-keytool b/s6/binary-tool/vendor-keytool
new file mode 100755
index 0000000..689d788
--- /dev/null
+++ b/s6/binary-tool/vendor-keytool
Binary files differ
diff --git a/s6/build.sh b/s6/build.sh
new file mode 100755
index 0000000..d510d02
--- /dev/null
+++ b/s6/build.sh
@@ -0,0 +1,791 @@
+#!/bin/bash
+
+# include uboot pre-build macros
+#declare CONFIG_FILE=("${buildtree}/.config")
+#declare AUTOCFG_FILE=("${buildtree}/include/autoconf.mk")
+
+function init_vari() {
+ #source ${CONFIG_FILE} &> /dev/null # ignore warning/error
+ #source ${AUTOCFG_FILE} &> /dev/null # ignore warning/error
+
+ AML_BL2_NAME="bl2.bin"
+ AML_KEY_BLOB_NAME="aml-user-key.sig"
+
+ if [ "y" == "${CONFIG_AML_SECURE_BOOT_V3}" ]; then
+ V3_PROCESS_FLAG="--level v3"
+ fi
+
+ if [ "y" == "${CONFIG_AML_CRYPTO_AES}" ]; then
+ BOOT_SIG_FLAG="--aeskey enable"
+ EFUSE_GEN_FLAG="--aeskey enable"
+ fi
+
+ if [ "y" == "${CONFIG_AML_EFUSE_GEN_AES_ONLY}" ]; then
+ EFUSE_GEN_FLAG="--aeskey only"
+ fi
+
+ if [ "y" == "${CONFIG_AML_BL33_COMPRESS_ENABLE}" ]; then
+ BL33_COMPRESS_FLAG="--compress lz4"
+ fi
+
+ if [ "y" == "${CONFIG_FIP_IMG_SUPPORT}" ]; then
+ BL3X_SUFFIX="img"
+ fi
+
+ if [ -n "${CONFIG_DDRFW_TYPE}" ]; then
+ DDRFW_TYPE="${CONFIG_DDRFW_TYPE}"
+ else
+ DDRFW_TYPE="ddr4"
+ fi
+
+ if [ -n "${BLX_BIN_SUB_CHIP}" ]; then
+ CHIPSET_NAME=`echo ${BLX_BIN_SUB_CHIP} | tr 'A-Z' 'a-z'`
+ fi
+
+ # script can use chipset varient to override config varient
+ if [ -n "${SCRIPT_ARG_CHIPSET_VARIANT}" ]; then
+ CHIPSET_VARIANT="${SCRIPT_ARG_CHIPSET_VARIANT}"
+ CHIPSET_VARIANT_SUFFIX=".${CHIPSET_VARIANT}"
+ elif [ -n "${CONFIG_CHIPSET_VARIANT}" ]; then
+ CHIPSET_VARIANT="${CONFIG_CHIPSET_VARIANT}"
+ CHIPSET_VARIANT_SUFFIX=".${CHIPSET_VARIANT}"
+ else
+ if [ -n "${CONFIG_FORMER_SIGN}" ]; then
+ CHIPSET_VARIANT="no_variant"
+ else
+ CHIPSET_VARIANT="general"
+ fi
+ CHIPSET_VARIANT_SUFFIX=""
+ fi
+
+ if [ -n "${CONFIG_AMLOGIC_KEY_TYPE}" ]; then
+ AMLOGIC_KEY_TYPE="${CONFIG_AMLOGIC_KEY_TYPE}"
+ fi
+
+ echo "------------------------------------------------------"
+ echo "DDRFW_TYPE: ${DDRFW_TYPE} CHIPSET_NAME: ${CHIPSET_NAME} CHIPSET_VARIANT: ${CHIPSET_VARIANT} AMLOGIC_KEY_TYPE: ${AMLOGIC_KEY_TYPE}"
+ echo "------------------------------------------------------"
+}
+
+function mk_bl2ex() {
+ output=$1
+ payload=$2
+ ddr_type=$3
+
+ if [ ! -f ${output}/bl2.bin.sto ] || \
+ [ ! -f ${output}/bl2.bin.usb ] || \
+ [ ! -f ${output}/bl2e.bin.sto ] || \
+ [ ! -f ${output}/bl2e.bin.usb ] || \
+ [ ! -f ${output}/bl2x.bin ]; then
+ echo "Error: ${output}/bl2/e/x.bin does not all exist... abort"
+ ls -la ${output}
+ exit -1
+ fi
+
+ echo "================================================================="
+ echo "image packing with acpu-imagetool for bl2 bl2e bl2x"
+
+ dd if=/dev/zero of=${payload}/bl2.bin.sto bs=183200 count=1
+ dd if=${output}/bl2.bin.sto of=${payload}/bl2.bin.sto conv=notrunc
+
+ dd if=/dev/zero of=${payload}/bl2.bin.usb bs=183200 count=1
+ dd if=${output}/bl2.bin.usb of=${payload}/bl2.bin.usb conv=notrunc
+
+ dd if=/dev/zero of=${payload}/bl2e.bin.sto bs=65536 count=1
+ dd if=${output}/bl2e.bin.sto of=${payload}/bl2e.bin.sto conv=notrunc
+
+ dd if=/dev/zero of=${payload}/bl2e.bin.usb bs=65536 count=1
+ dd if=${output}/bl2e.bin.usb of=${payload}/bl2e.bin.usb conv=notrunc
+
+ dd if=/dev/zero of=${payload}/bl2x.bin bs=65536 count=1
+ dd if=${output}/bl2x.bin of=${payload}/bl2x.bin conv=notrunc
+
+
+
+
+
+
+
+
+ echo "===================================================="
+ echo "------ process for device and chip params ------"
+ INPUT_PARAMS=${output}
+
+ if [ ! -f ${INPUT_PARAMS}/device_acs.bin ]; then
+ echo "dev acs params not exist !"
+ exit -1
+ fi
+
+ if [ ! -f ${INPUT_PARAMS}/chip_acs.bin ]; then
+ echo "chip acs params not exist !"
+ exit -1
+ fi
+ chip_acs_size=`stat -c %s ${INPUT_PARAMS}/chip_acs.bin`
+ dev_acs_size=`stat -c %s ${INPUT_PARAMS}/device_acs.bin`
+
+ if [ $chip_acs_size -gt 2048 ]; then
+ echo "chip acs size exceed limit 2048, $chip_acs_size"
+ exit -1
+ else
+ dd if=/dev/zero of=${payload}/chip_acs.bin bs=2048 count=1
+ dd if=${INPUT_PARAMS}/chip_acs.bin of=${payload}/chip_acs.bin conv=notrunc
+ fi
+
+ if [ $dev_acs_size -gt 8192 ]; then
+ echo "dev acs size exceed limit 8192, $dev_acs_size"
+ exit -1
+ else
+ dd if=/dev/zero of=${payload}/device_acs.bin bs=8192 count=1
+ dd if=${INPUT_PARAMS}/device_acs.bin of=${payload}/device_acs.bin conv=notrunc
+ fi
+
+ ./${FIP_FOLDER}${CUR_SOC}/binary-tool/acpu-imagetool create-boot-blobs \
+ --infile-bl2-payload=${payload}/bl2.bin.sto \
+ --infile-bl2e-payload=${payload}/bl2e.bin.sto \
+ --infile-bl2x-payload=${payload}/bl2x.bin \
+ --infile-dvinit-params=${payload}/device_acs.bin \
+ --infile-csinit-params=${payload}/chip_acs.bin \
+ --scs-family=s5 \
+ --outfile-bb1st=${output}/bb1st.sto.bin \
+ --outfile-blob-bl2e=${output}/blob-bl2e.sto.bin \
+ --outfile-blob-bl2x=${output}/blob-bl2x.bin
+
+ ./${FIP_FOLDER}${CUR_SOC}/binary-tool/acpu-imagetool create-boot-blobs \
+ --infile-bl2-payload=${payload}/bl2.bin.usb \
+ --infile-bl2e-payload=${payload}/bl2e.bin.usb \
+ --infile-bl2x-payload=${payload}/bl2x.bin \
+ --infile-dvinit-params=${payload}/device_acs.bin \
+ --infile-csinit-params=${payload}/chip_acs.bin \
+ --scs-family=s5 \
+ --outfile-bb1st=${output}/bb1st.usb.bin \
+ --outfile-blob-bl2e=${output}/blob-bl2e.usb.bin \
+ --outfile-blob-bl2x=${output}/blob-bl2x.bin
+
+
+ if [ ! -f ${output}/bb1st.sto.bin ] || \
+ [ ! -f ${output}/bb1st.usb.bin ] || \
+ [ ! -f ${output}/blob-bl2e.sto.bin ] || \
+ [ ! -f ${output}/blob-bl2e.usb.bin ] || \
+ [ ! -f ${output}/blob-bl2x.bin ]; then
+ echo "Error: ${output}/ bootblobs do not all exist... abort"
+ ls -la ${output}/
+ exit -1
+ fi
+ echo "done to generate bb1st.bin folder"
+}
+
+function mk_devfip() {
+ output=$1
+ payload=$2
+
+ # fix size for BL30 128KB --> 64KB
+ if [ -f ${output}/bl30.bin ]; then
+ blx_size=`stat -c %s ${output}/bl30.bin`
+ if [ $blx_size -gt ${BL30_BIN_SIZE} ]; then
+ echo "Error: bl30 size exceed limit ${BL30_BIN_SIZE}"
+ exit -1
+ fi
+ else
+ echo "Warning: null bl30"
+ dd if=/dev/random of=${output}/bl30.bin bs=4096 count=1
+ #dd if=bl30/bin/sc2/bl30.bin of=${output}/bl30.bin
+ fi
+ dd if=/dev/zero of=${payload}/bl30.bin bs=${BL30_BIN_SIZE} count=1
+ dd if=${output}/bl30.bin of=${payload}/bl30.bin conv=notrunc
+
+ # fix size for BL40 96KB
+ if [ -f ${output}/bl40.bin ]; then
+ blx_size=`stat -c %s ${output}/bl40.bin`
+ if [ $blx_size -gt 98304 ]; then
+ echo "Error: bl40 size exceed limit 98304"
+ exit -1
+ fi
+ else
+ echo "Warning: null bl40"
+ #dd if=/dev/random of=${output}/bl40.bin bs=4096 count=1
+ dd if=/dev/zero of=${output}/bl40.bin bs=4096 count=1
+ fi
+ dd if=/dev/zero of=${payload}/bl40.bin bs=98304 count=1
+ dd if=${output}/bl40.bin of=${payload}/bl40.bin conv=notrunc
+
+
+ # fix size for BL31 256KB
+ if [ ! -f ${output}/bl31.bin ]; then
+ echo "Error: ${output}/bl31.bin does not exist... abort"
+ exit -1
+ fi
+ blx_size=`stat -c %s ${output}/bl31.bin`
+ echo "BL31 size: ${blx_size}"
+ if [ $blx_size -gt 262144 ]; then
+ echo "Error: bl31 size exceed limit 262144"
+ exit -1
+ fi
+ dd if=/dev/zero of=${payload}/bl31.bin bs=262144 count=1
+ dd if=${output}/bl31.bin of=${payload}/bl31.bin conv=notrunc
+
+
+ # fix size for BL32 512KB
+ if [ -f ${output}/bl32.bin ]; then
+ blx_size=`stat -c %s ${output}/bl32.bin`
+ if [ $blx_size -gt 524288 ]; then
+ echo "Error: bl32 size exceed limit 524288"
+ exit -1
+ fi
+ else
+ echo "Warning: null bl32"
+ dd if=/dev/random of=${output}/bl32.bin bs=4096 count=1
+ #dd if=bl32/bin/sc2/bl32.bin of=${output}/bl32.bin
+ fi
+ dd if=/dev/zero of=${payload}/bl32.bin bs=524288 count=1
+ dd if=${output}/bl32.bin of=${payload}/bl32.bin conv=notrunc
+
+ if [ "y" == "${CONFIG_AML_BL33_COMPRESS_ENABLE}" ]; then
+ mv -f ${output}/bl33.bin ${output}/bl33.bin.org
+ encrypt_step --bl3sig --input ${output}/bl33.bin.org --output ${output}/bl33.bin.org.lz4 --compress lz4 --level v3 --type bl33
+ #get LZ4 format bl33 image from bl33.bin.enc with offset 0x720
+ dd if=${output}/bl33.bin.org.lz4 of=${output}/bl33.bin bs=1 skip=1824 >& /dev/null
+ fi
+ # fix size for BL33 1024KB + 512 KB
+ if [ ! -f ${output}/bl33.bin ]; then
+ echo "Error: ${output}/bl33.bin does not exist... abort"
+ exit -1
+ fi
+ blx_size=`stat -c %s ${output}/bl33.bin`
+ if [ $blx_size -gt 1572864 ]; then
+ echo "Error: bl33 size exceed limit 0x180000"
+ exit -1
+ fi
+ dd if=/dev/zero of=${payload}/bl33.bin bs=1572864 count=1
+ dd if=${output}/bl33.bin of=${payload}/bl33.bin conv=notrunc
+
+
+ ./${FIP_FOLDER}${CUR_SOC}/binary-tool/acpu-imagetool create-device-fip \
+ --infile-bl30-payload=${payload}/bl30.bin \
+ --infile-bl40-payload=${payload}/bl40.bin \
+ --infile-bl31-payload=${payload}/bl31.bin \
+ --infile-bl32-payload=${payload}/bl32.bin \
+ --infile-bl33-payload=${payload}/bl33.bin \
+ --outfile-device-fip=${output}/device-fip.bin
+
+ if [ ! -f ${output}/device-fip.bin ]; then
+ echo "Error: ${output}/device-fip.bin does not exist... abort"
+ exit -1
+ fi
+ echo "done to generate device-fip.bin"
+}
+
+# due to size limit of BL2, only one type of DDR firmware is
+# built into bl2 code package. For support other ddr types, we
+# need bind them to ddr_fip.bin and let bl2 fw to try it.
+#
+# Note: No piei fw in following arry because it have build into
+# bl2
+# Total ddr-fip.bin size: 256KB, 4KB for header, 252(36*7)KB for fw
+# so max 7 ddr fw support
+declare -a DDR_FW_NAME=("aml_ddr.fw" \
+ "ddr4_1d.fw" \
+ "ddr4_2d.fw" \
+ "lpddr4_1d.fw" \
+ "lpddr4_2d.fw")
+declare -a DDR_FW_MAGIC=("AML0" \
+ "d444" \
+ "d422" \
+ "dl44" \
+ "dl42")
+function mk_ddr_fip()
+{
+ local outpath=$1
+ local out_hdr=$1/ddr-hdr.bin
+ local out_fip=$1/ddr-fip.bin
+ local offset=4096 # start offset inside ddr-fip.bin
+ local fw_size=
+ local rem_val=
+ local fw_cnt=0
+ local hdr_size=64
+ local input_dir=./${FIP_FOLDER}${CUR_SOC}
+
+ # first: make a empty ddr-fip.bin and ddr-fip-hdr.bin
+ rm -rf ${out_hdr}
+ rm -rf ${out_fip}
+ touch ${out_fip}
+ touch ${out_hdr}
+
+ # count firmware number we need package
+ for i in ${!DDR_FW_NAME[@]}; do
+ if [[ "${DDR_FW_NAME[${i}]}" == "${DDRFW_TYPE}"* ]]; then
+ echo "==== skip ${DDR_FW_NAME[${i}]} ===="
+ continue
+ fi
+ fw_cnt=`expr ${fw_cnt} + 1`
+ done
+
+ # build header for ddr-hdr.bin
+ # dwMagic
+ printf "%s" "@DFM" >> ${out_hdr}
+ # nCount of firmware
+ printf "%02x%02x" $[(fw_cnt) & 0xff] $[((fw_cnt) >> 8) & 0xff] | xxd -r -ps >> ${out_hdr}
+ # padding nVersion/szReserved to 0
+ printf "\0\0\0\0\0\0\0\0\0\0" >> ${out_hdr}
+
+ # build ddr-fip.bin and ddr-hdr.bin
+ for i in ${!DDR_FW_NAME[@]}; do
+ if [[ "${DDR_FW_NAME[${i}]}" == "${DDRFW_TYPE}"* ]]; then
+ continue
+ fi
+
+ # ============= package ddr-fip.bin =============
+ # get size of fw and align up to 4KB for
+ # some strage device such as nand
+ fw_size=`stat -c %s ${input_dir}/${DDR_FW_NAME[${i}]}`
+ fw_size=`expr ${fw_size} + 4095`
+ rem_val=`expr ${fw_size} % 4096`
+ fw_size=`expr ${fw_size} - ${rem_val}`
+
+ # 1. make sure we only copy 36KB, 32KB IMEM + 4KB DMEM
+ # 2. make a empty bin with fw_size
+ # 3. copy from fw to empty bin
+ # 4. padding this bin to final output
+ if [ ${fw_size} -gt "36864" ]; then
+ fw_size="36864"
+ fi
+ dd if=/dev/zero of=${outpath}/_tmp.bin bs=1 count=${fw_size} &> /dev/null
+ dd if=${input_dir}/${DDR_FW_NAME[${i}]} of=${outpath}/_tmp.bin skip=96 bs=1 count=${fw_size} conv=notrunc &> /dev/null
+ cat ${outpath}/_tmp.bin >> ${out_fip}
+
+ # ============= make ddr-hdr.bin =============
+ # dwMagic
+ printf "%s" "@DFM" >> ${out_hdr}
+ # nVersion, fix to 0
+ printf "\0\0" >> ${out_hdr}
+ # nSize, fix to 64 bytes
+ printf "%02x%02x" $[(hdr_size) & 0xff] $[((hdr_size) >> 8) & 0xff] | xxd -r -ps >> ${out_hdr}
+ # nIMGOffset
+ printf "%02x%02x%02x%02x" $[(offset) & 0xff] $[((offset) >> 8) & 0xff] \
+ $[((offset) >> 16) & 0xff] $[((offset) >> 24) & 0xff] | xxd -r -ps >> ${out_hdr}
+ # nIMGSize
+ printf "%02x%02x%02x%02x" $[(fw_size) & 0xff] $[((fw_size) >> 8) & 0xff] \
+ $[((fw_size) >> 16) & 0xff] $[((fw_size) >> 24) & 0xff] | xxd -r -ps >> ${out_hdr}
+ # fw_ver, fix to 0
+ printf "\0\0\0\0" >> ${out_hdr}
+ # fw_magic
+ printf "%s" ${DDR_FW_MAGIC[${i}]} >> ${out_hdr}
+ # szRerved2
+ printf "\0\0\0\0\0\0\0\0" >> ${out_hdr}
+ # szIMGSHA2
+ openssl dgst -sha256 -binary ${outpath}/_tmp.bin >> ${out_hdr}
+
+ offset=`expr ${offset} + ${fw_size}`
+ done;
+ rm ${outpath}/_tmp.bin
+
+ # generate ddr-fip.bin
+ fw_size=`stat -c "%s" ${out_fip}`
+ if [ ${fw_size} -gt "258048" ]; then
+ echo "==== size of ${out_fip}:${fw_size}, over limit ===="
+ exit -1
+ else
+ dd if=/dev/zero of=${out_fip}.tmp bs=1024 count=252 status=none
+ dd if=${out_fip} of=${out_fip}.tmp bs=1 count=${fw_size} conv=notrunc
+ fi
+
+ # bind to final ddr-fip.bin
+ fw_size=`stat -c "%s" ${out_hdr}`
+ if [ ${fw_size} -gt "4096" ]; then
+ echo "==== size of ${ot_hdr}:${fw_size}, over limit ===="
+ exit -1
+ else
+ dd if=/dev/zero of=${out_hdr}.tmp bs=1 count=4096 status=none
+ dd if=${out_hdr} of=${out_hdr}.tmp bs=1 count=${fw_size} conv=notrunc
+ fi
+ cat ${out_hdr}.tmp > ${out_fip}
+ cat ${out_fip}.tmp >> ${out_fip}
+ rm -rf ${out_fip}.tmp
+ rm -rf ${out_hdr}.tmp
+}
+
+
+function mk_uboot() {
+ output_images=$1
+ input_payloads=$2
+ postfix=$3
+ storage_type_suffix=$4
+ chipset_variant_suffix=$5
+
+ device_fip="${input_payloads}/device-fip.bin${postfix}"
+ bb1st="${input_payloads}/bb1st${storage_type_suffix}${chipset_variant_suffix}.bin${postfix}"
+ bl2e="${input_payloads}/blob-bl2e${storage_type_suffix}${chipset_variant_suffix}.bin${postfix}"
+ bl2x="${input_payloads}/blob-bl2x.bin${postfix}"
+
+ if [ ! -f ${device_fip} ] || \
+ [ ! -f ${bb1st} ] || \
+ [ ! -f ${bl2e} ] || \
+ [ ! -f ${bl2x} ]; then
+ echo fip:${device_fip}
+ echo bb1st:${bb1st}
+ echo bl2e:${bl2e}
+ echo bl2x:${bl2x}
+ echo "Error: ${input_payloads}/ bootblob does not all exist... abort"
+ ls -la ${input_payloads}/
+ exit -1
+ fi
+
+ file_info_cfg="${output_images}/aml-payload.cfg"
+ file_info_cfg_temp=${temp_cfg}.temp
+
+ bootloader="${output_images}/u-boot.bin${storage_type_suffix}${postfix}"
+ sdcard_image="${output_images}/u-boot.bin.sd.bin${postfix}"
+
+ #fake ddr fip 256KB
+ ddr_fip="${input_payloads}/ddr-fip.bin"
+ if [ ! -f ${ddr_fip} ]; then
+ echo "==== use empty ddr-fip ===="
+ dd if=/dev/zero of=${ddr_fip} bs=1024 count=256 status=none
+ fi
+
+ #cat those together with 4K upper aligned for sdcard
+ align_base=4096
+ total_size=0
+ for file in ${bb1st} ${bl2e} ${bl2x} ${ddr_fip} ${device_fip}; do
+ size=`stat -c "%s" ${file}`
+ upper=$[(size+align_base-1)/align_base*align_base]
+ total_size=$[total_size+upper]
+ echo ${file} ${size} ${upper}
+ done
+
+ echo ${total_size}
+ rm -f ${bootloader}
+ dd if=/dev/zero of=${bootloader} bs=${total_size} count=1 status=none
+
+ sector=512
+ seek=0
+ seek_sector=0
+ dateStamp=A4-${CHIPSET_NAME}-`date +%y%m%d%H%M%S`
+
+ echo @AMLBOOT > ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} bs=1 count=8 conv=notrunc &> /dev/null
+ nItemNum=5
+ nSizeHDR=$[64+nItemNum*16]
+ printf "02 %02x %02x %02x" $[(nItemNum)&0xFF] $[(nSizeHDR)&0xFF] $[((nSizeHDR)>>8)&0xFF] \
+ | xxd -r -ps > ${file_info_cfg_temp}
+ cat ${file_info_cfg_temp} >> ${file_info_cfg}
+
+ echo ${dateStamp} > ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} bs=1 count=20 oflag=append conv=notrunc &> /dev/null
+
+ index=0
+ arrPayload=("BBST" "BL2E" "BL2X" "DDRF" "DEVF");
+ nPayloadOffset=0
+ nPayloadSize=0
+ for file in ${bb1st} ${bl2e} ${bl2x} ${ddr_fip} ${device_fip}; do
+ size=`stat -c "%s" ${file}`
+ size_sector=$[(size+align_base-1)/align_base*align_base]
+ nPayloadSize=$[size_sector]
+ size_sector=$[size_sector/sector]
+ seek_sector=$[seek/sector+seek_sector]
+ #nPayloadOffset=$[sector*(seek_sector+1)]
+ nPayloadOffset=$[sector*(seek_sector)]
+ echo ${file} ${seek_sector} ${size_sector}
+ dd if=${file} of=${bootloader} bs=${sector} seek=${seek_sector} conv=notrunc status=none
+
+ echo ${arrPayload[$index]} > ${file_info_cfg_temp}.x
+ index=$((index+1))
+ dd if=${file_info_cfg_temp}.x of=${file_info_cfg_temp} bs=1 count=4 &> /dev/null
+ rm -f ${file_info_cfg_temp}.x
+ printf "%02x %02x %02x %02x %02x %02x %02x %02x 00 00 00 00" $[(nPayloadOffset)&0xFF] $[((nPayloadOffset)>>8)&0xFF] $[((nPayloadOffset)>>16)&0xFF] $[((nPayloadOffset)>>24)&0xFF] \
+ $[(nPayloadSize)&0xFF] $[((nPayloadSize)>>8)&0xFF] $[((nPayloadSize)>>16)&0xFF] $[((nPayloadSize)>>24)&0xFF] | xxd -r -ps >> ${file_info_cfg_temp}
+ dd if=${file_info_cfg_temp} of=${file_info_cfg} oflag=append conv=notrunc &> /dev/null
+ rm -f ${file_info_cfg_temp}
+ seek=$[(size+align_base-1)/align_base*align_base]
+ done
+
+ openssl dgst -sha256 -binary ${file_info_cfg} > ${file_info_cfg}.sha256
+ cat ${file_info_cfg} >> ${file_info_cfg}.sha256
+ #cat ${file_info_cfg}.sha256 >> ${file_info_cfg}
+ rm -f ${file_info_cfg}
+ mv -f ${file_info_cfg}.sha256 ${file_info_cfg}
+
+ dd if=${file_info_cfg} of=${bootloader} bs=512 seek=404 conv=notrunc status=none
+
+ if [ ${storage_type_suffix} == ".sto" ]; then
+ echo "Image SDCARD"
+ total_size=$[total_size+512]
+ rm -f ${sdcard_image}
+ dd if=/dev/zero of=${sdcard_image} bs=${total_size} count=1 status=none
+ dd if=${file_info_cfg} of=${sdcard_image} conv=notrunc status=none
+ dd if=${bootloader} of=${sdcard_image} bs=512 seek=1 conv=notrunc status=none
+
+ mv ${bootloader} ${output_images}/u-boot.bin${postfix}
+ fi
+
+ rm -f ${file_info_cfg}
+}
+
+
+function cleanup() {
+ cp ${FIP_BUILD_FOLDER}u-boot.bin* ${BUILD_FOLDER}
+ # cp bootblobs for PXP
+ #cp ${FIP_BUILD_FOLDER}device-fip.bin ${BUILD_FOLDER} -f
+ #cp ${FIP_BUILD_FOLDER}bb1st.bin ${BUILD_FOLDER} -f
+ #cp ${FIP_BUILD_FOLDER}blob-bl* ${BUILD_FOLDER} -f
+ echo "output file are generated in ${BUILD_FOLDER} folder"
+ #rm -f ${BUILD_PATH}/test-*
+ #rm -rf ${BUILD_PAYLOAD}
+ rm -f ${BUILD_PATH}/bl*.enc ${BUILD_PATH}/bl2*.sig
+}
+
+function encrypt_step() {
+ dbg "encrypt: $@"
+ local ret=0
+ ./${FIP_FOLDER}${CUR_SOC}/aml_encrypt_${CUR_SOC} $@
+ ret=$?
+ if [ 0 != $ret ]; then
+ echo "Err! aml_encrypt_${CUR_SOC} return $ret"
+ exit $ret
+ fi
+}
+
+function encrypt() {
+ #u-boot.bin generate
+
+ return
+}
+
+function build_fip() {
+
+ # acs_tool process ddr timing and configurable parameters
+ #python ${FIP_FOLDER}/acs_tool.pyc ${BUILD_PATH}/${AML_BL2_NAME} ${BUILD_PATH}/bl2_acs.bin ${BUILD_PATH}/acs.bin 0
+
+ # fix bl2/bl2e/bl2x
+ if [ -d ${BUILD_PAYLOAD} ]; then
+ rm -rf ${BUILD_PAYLOAD}
+ fi
+ mkdir -p ${BUILD_PAYLOAD}/
+
+ # make boot blobs
+ mk_bl2ex ${BUILD_PATH} ${BUILD_PAYLOAD} ${DDRFW_TYPE}
+
+ # make devicefip
+ mk_devfip ${BUILD_PATH} ${BUILD_PAYLOAD}
+
+
+ # build final bootloader
+ #mk_uboot ${BUILD_PATH} ${BUILD_PATH}
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} "" .sto ${CHIPSET_VARIANT_SUFFIX}
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} "" .usb ${CHIPSET_VARIANT_SUFFIX}
+
+ return
+}
+
+declare CHIPACS_SIZE="8192"
+declare DDRFW_SIZE="212992"
+function process_blx() {
+
+
+ # process loop
+ for loop in ${!BLX_NAME[@]}; do
+ if [ "NULL" != "${BLX_RAWBIN_NAME[$loop]}" ] && \
+ [ -n "${BLX_RAWBIN_NAME[$loop]}" ] && \
+ [ -f ${BUILD_PATH}/${BLX_RAWBIN_NAME[$loop]} ]; then
+ if [ -n "${CONFIG_FORMER_SIGN}" ]; then
+ if [ ${BLX_NAME[$loop]} == "bl2" ]; then
+ ./${FIP_FOLDER}${CUR_SOC}/bin/gen-merge-bin.sh --input0 ${BUILD_PATH}/chip_acs.bin --size0 ${CHIPACS_SIZE} \
+ --input1 ${BUILD_PATH}/ddrfw_data.bin --size1 ${DDRFW_SIZE} --output ${BUILD_PATH}/chip_acs.bin
+ fi
+ ./${FIP_FOLDER}${CUR_SOC}/bin/sign-blx.sh --blxname ${BLX_NAME[$loop]} --input ${BUILD_PATH}/${BLX_RAWBIN_NAME[$loop]} \
+ --output ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} --chipset_name ${CHIPSET_NAME} --chipset_variant ${CHIPSET_VARIANT} \
+ --key_type ${AMLOGIC_KEY_TYPE} --soc ${CUR_SOC} --chip_acs ${BUILD_PATH}/chip_acs.bin --ddr_type ${DDRFW_TYPE}
+ else
+ if [ -n "${CONFIG_JENKINS_SIGN}" ]; then
+ if [ ${BLX_NAME[$loop]} == "bl2" ]; then
+ ./${FIP_FOLDER}${CUR_SOC}/bin/gen-merge-bin.sh --input0 ${BUILD_PATH}/chip_acs.bin --size0 ${CHIPACS_SIZE} \
+ --input1 ${BUILD_PATH}/ddrfw_data.bin --size1 ${DDRFW_SIZE} --output ${BUILD_PATH}/chip_acs.bin
+ fi
+ /usr/bin/python3 ./sign.py --type ${BLX_NAME[$loop]} --in ${BUILD_PATH}/${BLX_RAWBIN_NAME[$loop]} \
+ --out ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} --chip ${CHIPSET_NAME} --chipVariant ${CHIPSET_VARIANT} \
+ --keyType ${AMLOGIC_KEY_TYPE} --chipAcsFile ${BUILD_PATH}/chip_acs.bin --ddrType ${DDRFW_TYPE}
+ else
+ if [ ${BLX_NAME[$loop]} == "bl2" ]; then
+ ./${FIP_FOLDER}${CUR_SOC}/bin/gen-merge-bin.sh --input0 ${BUILD_PATH}/chip_acs.bin --size0 ${CHIPACS_SIZE} \
+ --input1 ${BUILD_PATH}/ddrfw_data.bin --size1 ${DDRFW_SIZE} --output ${BUILD_PATH}/chip_acs.bin
+ fi
+ /usr/bin/python3 ./${FIP_FOLDER}/jenkins_sign.py --type ${BLX_NAME[$loop]} --in ${BUILD_PATH}/${BLX_RAWBIN_NAME[$loop]} \
+ --out ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} --chip ${CHIPSET_NAME} --chipVariant ${CHIPSET_VARIANT} --keyType ${AMLOGIC_KEY_TYPE} \
+ --chipAcsFile ${BUILD_PATH}/chip_acs.bin --ddrType ${DDRFW_TYPE}
+ fi
+ fi
+ fi
+ if [ "NULL" != "${BLX_BIN_SIZE[$loop]}" ] && \
+ [ "NULL" != "${BLX_BIN_NAME[$loop]}" ] && \
+ [ -n "${BLX_BIN_NAME[$loop]}" ] && \
+ [ -f ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} ]; then
+ blx_size=`stat -c %s ${BUILD_PATH}/${BLX_BIN_NAME[$loop]}`
+ if [ $blx_size -ne ${BLX_BIN_SIZE[$loop]} ]; then
+ echo "Error: ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} size not match"
+ exit -1
+ fi
+ fi
+ done
+
+ if [ ! -f ${BUILD_PATH}/device_acs.bin ]; then
+ echo "dev acs params not exist !"
+ exit -1
+ fi
+
+ dev_acs_size=`stat -c %s ${BUILD_PATH}/device_acs.bin`
+
+ if [ $dev_acs_size -gt ${DEV_ACS_BIN_SIZE} ]; then
+ echo "chip acs size exceed limit ${DEV_ACS_BIN_SIZE}, $dev_acs_size"
+ exit -1
+ else
+ dd if=/dev/zero of=${BUILD_PATH}/dvinit-params.bin bs=${DEV_ACS_BIN_SIZE} count=1 &> /dev/null
+ dd if=${BUILD_PATH}/device_acs.bin of=${BUILD_PATH}/dvinit-params.bin conv=notrunc &> /dev/null
+ fi
+
+ ./${FIP_FOLDER}${CUR_SOC}/bin/add-dvinit-params.sh ${BUILD_PATH}/bb1st.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed ${BUILD_PATH}/dvinit-params.bin ${BUILD_PATH}/bb1st.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed ${CUR_SOC}
+ ./${FIP_FOLDER}${CUR_SOC}/bin/add-dvinit-params.sh ${BUILD_PATH}/bb1st.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed ${BUILD_PATH}/dvinit-params.bin ${BUILD_PATH}/bb1st.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed ${CUR_SOC}
+
+ # fix size for BL30 128KB
+ if [ -f ${BUILD_PATH}/bl30.bin ]; then
+ #blx_size=`du -b ${BUILD_PATH}/bl30.bin | awk '{print int(${BUILD_PATH}/bl30.bin)}'`
+ blx_size=`stat -c %s ${BUILD_PATH}/bl30.bin`
+ if [ $blx_size -gt ${BL30_BIN_SIZE} ]; then
+ echo "Error: bl30 size exceed limit ${BL30_BIN_SIZE}"
+ exit -1
+ fi
+ else
+ echo "Warning: local bl30"
+ #dd if=/dev/random of=${BUILD_PATH}/bl30.bin bs=4096 count=1
+ dd if=bl30/bin/sc2/bl30.bin of=${BUILD_PATH}/bl30.bin &> /dev/null
+ fi
+ dd if=/dev/zero of=${BUILD_PATH}/bl30-payload.bin bs=${BL30_BIN_SIZE} count=1 &> /dev/null
+ dd if=${BUILD_PATH}/bl30.bin of=${BUILD_PATH}/bl30-payload.bin conv=notrunc &> /dev/null
+
+ if [ "y" == "${CONFIG_AML_BL33_COMPRESS_ENABLE}" ]; then
+ mv -f ${BUILD_PATH}/bl33.bin ${BUILD_PATH}/bl33.bin.org
+ encrypt_step --bl3sig --input ${BUILD_PATH}/bl33.bin.org --output ${BUILD_PATH}/bl33.bin.org.lz4 --compress lz4 --level v3 --type bl33
+ #get LZ4 format bl33 image from bl33.bin.enc with offset 0x720
+ dd if=${BUILD_PATH}/bl33.bin.org.lz4 of=${BUILD_PATH}/bl33.bin bs=1 skip=1824 >& /dev/null
+ fi
+
+ # fix size for BL33 1024KB
+ if [ ! -f ${BUILD_PATH}/bl33.bin ]; then
+ echo "Error: ${BUILD_PATH}/bl33.bin does not exist... abort"
+ exit -1
+ fi
+ #blx_size=`du -b ${BUILD_PATH}/bl33.bin | awk '{print int(${BUILD_PATH}/bl33.bin)}'`
+ blx_size=`stat -c %s ${BUILD_PATH}/bl33.bin`
+ if [ $blx_size -gt ${BL33_BIN_SIZE} ]; then
+ echo "Error: bl33 size exceed limit ${BL33_BIN_SIZE}"
+ exit -1
+ fi
+ dd if=/dev/zero of=${BUILD_PATH}/bl33-payload.bin bs=${BL33_BIN_SIZE} count=1 &> /dev/null
+ dd if=${BUILD_PATH}/bl33.bin of=${BUILD_PATH}/bl33-payload.bin conv=notrunc &> /dev/null
+
+ if [ ! -f ${BUILD_PATH}/blob-bl40.bin.signed ]; then
+ echo "Warning: local bl40"
+ cp bl40/bin/${CUR_SOC}/${BLX_BIN_SUB_CHIP}/blob-bl40.bin.signed ${BUILD_PATH}
+ fi
+ if [ ! -f ${BUILD_PATH}/device-fip-header.bin ]; then
+ echo "Warning: local device fip header templates"
+ cp ${CHIPSET_TEMPLATES_PATH}/${CUR_SOC}/${BLX_BIN_SUB_CHIP}/device-fip-header.bin ${BUILD_PATH}
+ fi
+
+ #./${FIP_FOLDER}${CUR_SOC}/bin/gen-bl.sh ${BUILD_PATH} ${BUILD_PATH} ${BUILD_PATH}
+
+ return
+}
+
+function build_signed() {
+
+ process_blx $@
+
+ # package ddr-fip.bin
+ if [[ "y" == ${CONFIG_DDR_FULL_FW} ]]; then
+ mk_ddr_fip ${BUILD_PATH}
+ fi
+
+ ./${FIP_FOLDER}${CUR_SOC}/bin/gen-bl.sh ${BUILD_PATH} ${BUILD_PATH} ${BUILD_PATH} ${BUILD_PATH} ${CHIPSET_VARIANT_SUFFIX}
+ postfix=.signed
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .sto ${CHIPSET_VARIANT_SUFFIX}
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .usb ${CHIPSET_VARIANT_SUFFIX}
+
+ list_pack="${BUILD_PATH}/bb1st.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed ${BUILD_PATH}/bb1st.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed"
+ list_pack="$list_pack ${BUILD_PATH}/blob-bl2e.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed ${BUILD_PATH}/blob-bl2e.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed"
+ list_pack="$list_pack ${BUILD_PATH}/blob-bl2x.bin.signed ${BUILD_PATH}/blob-bl31.bin.signed ${BUILD_PATH}/blob-bl32.bin.signed ${BUILD_PATH}/blob-bl40.bin.signed"
+ list_pack="$list_pack ${BUILD_PATH}/bl30-payload.bin ${BUILD_PATH}/bl33-payload.bin ${BUILD_PATH}/dvinit-params.bin"
+ if [ -f ${BUILD_PATH}/ddr-fip.bin ]; then
+ list_pack="$list_pack ${BUILD_PATH}/ddr-fip.bin"
+ fi
+ u_pack=${BUILD_FOLDER}/"$(basename ${BOARD_DIR})"-u-boot.aml.zip
+ zip -j $u_pack ${list_pack} >& /dev/null
+
+ if [ "y" == "${CONFIG_AML_SIGNED_UBOOT}" ]; then
+ if [ ! -d "${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys" ]; then
+ ./${FIP_FOLDER}${CUR_SOC}/bin/download-keys.sh ${AMLOGIC_KEY_TYPE} ${CUR_SOC} device ${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys/
+ fi
+
+ fw_arb_cfg=${UBOOT_SRC_FOLDER}/${BOARD_DIR}/fw_arb.cfg
+ if [ -s "${fw_arb_cfg}" ]; then
+ source ${fw_arb_cfg}
+ export DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}
+ export DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
+ export DEVICE_SCS_VERS=${DEVICE_SCS_VERS}
+ export DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
+ export DEVICE_REE_VERS=${DEVICE_REE_VERS}
+ fi
+ export DEVICE_SCS_KEY_TOP=$(pwd)/${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys
+ export DEVICE_INPUT_PATH=$(pwd)/${BUILD_PATH}
+ export DEVICE_OUTPUT_PATH=$(pwd)/${BUILD_PATH}
+ export PROJECT=${CHIPSET_NAME}
+ if [ "y" == "${CONFIG_DEVICE_ROOTRSA_INDEX}" ]; then
+ export DEVICE_ROOTRSA_INDEX=1
+ elif [ -n "${CONFIG_DEVICE_ROOTRSA_INDEX}" ]; then
+ export DEVICE_ROOTRSA_INDEX=${CONFIG_DEVICE_ROOTRSA_INDEX}
+ fi
+ export DEVICE_VARIANT_SUFFIX=${CHIPSET_VARIANT_SUFFIX}
+
+ export DEVICE_STORAGE_SUFFIX=.sto
+ make -C ./${FIP_FOLDER}${CUR_SOC} dv-boot-blobs
+ export DEVICE_STORAGE_SUFFIX=.usb
+ make -C ./${FIP_FOLDER}${CUR_SOC} dv-boot-blobs
+
+ make -C ./${FIP_FOLDER}${CUR_SOC} dv-device-fip
+ # build final bootloader
+ postfix=.device.signed
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .sto ${CHIPSET_VARIANT_SUFFIX}
+ mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .usb ${CHIPSET_VARIANT_SUFFIX}
+ fi
+
+ return
+}
+
+function copy_other_soc() {
+ cp ${BL33_BUILD_FOLDER}${BOARD_DIR}/firmware/acs.bin ${BUILD_PATH}/device_acs.bin -f
+
+ if [ ! -f ${BUILD_PATH}/chip_acs.bin ]; then
+ cp ./${FIP_FOLDER}${CUR_SOC}/chip_acs.bin ${BUILD_PATH}/chip_acs.bin -f
+ fi
+
+ # device acs params parse for ddr timing
+ #./${FIP_FOLDER}parse ${BUILD_PATH}/device_acs.bin
+}
+
+function package() {
+ # BUILD_PATH without "/"
+ x=$((${#BUILD_PATH}-1))
+ if [ "\\" == "${BUILD_PATH:$x:1}" ] || [ "/" == "${BUILD_PATH:$x:1}" ]; then
+ BUILD_PATH=${BUILD_PATH:0:$x}
+ fi
+
+ init_vari $@
+ # Enable Clear Image Packing for PXP
+ if [ -n "${CONFIG_BUILD_UNSIGN}" ]; then
+ build_fip $@
+ else
+ # Bypass Sign Process for PXP
+ build_signed $@
+ fi
+ #copy_file
+ cleanup
+ echo "Bootloader build done!"
+}
diff --git a/s6/chip_acs.bin b/s6/chip_acs.bin
new file mode 100755
index 0000000..753af8f
--- /dev/null
+++ b/s6/chip_acs.bin
Binary files differ
diff --git a/s6/generate-binaries/bin/gen-boot-blobs.sh b/s6/generate-binaries/bin/gen-boot-blobs.sh
new file mode 100755
index 0000000..a580b8a
--- /dev/null
+++ b/s6/generate-binaries/bin/gen-boot-blobs.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
+
+#
+# Settings
+#
+
+#BASEDIR_DEVICE_TEMPLATE="${BASEDIR_ROOTRSA_X}/data/template/device"
+BASEDIR_CHIPSET_TEMPLATE=$1
+
+BASEDIR_ROOT=${BASEDIR_ROOT:-$BASEDIR_TEMPLATE}
+
+#BASEDIR_RSAKEY_LVLX="${BASEDIR_ROOTRSA_X}/data/key/lvlxrsa"
+
+BASEDIR_OUTPUT_BLOB=$2
+
+SOC_FAMILY=$3
+
+input_postfix=.signed
+output_postfix=.device.signed
+
+echo "============ ROOTRSA_INDEX ${DEVICE_ROOTRSA_INDEX}"
+echo "============ KEY_DIR ${BASEDIR_ROOT}"
+echo "============ PROJECT ${PROJECT}"
+
+if [ -z "$PROJECT" ]; then
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+else
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${PROJECT}/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${PROJECT}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${PROJECT}/protkey"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+fi
+
+BASEDIR_DEVICE_TEMPLATE="${BASEDIR_BOOTBLOBS_TEMPLATE_ROOT}"
+
+#
+# Arguments
+#
+
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_DEVICE_TEMPLATE}/bb1st.bin"
+
+### Input: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-dvinit-params=${BASEDIR_CHIPSET_TEMPLATE}/dvinit-params.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2e=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2e${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2x=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2x.bin${input_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bb1st-ref=${BASEDIR_CHIPSET_TEMPLATE}/bb1st${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
+
+### Input: Device Level-1/2 Private RSA keys
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl2=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem"
+
+### Input: Device Level-2 Public RSA key
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem"
+
+### Features, flags and switches ###
+BB1ST_ARGS="${BB1ST_ARGS} --switch-keep-device-lvl2-pubrsa=1"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=${SOC_FAMILY}"
+
+# arb info
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-scs-segid=${DEVICE_SCS_SEGID}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-vendor-segid=${DEVICE_VENDOR_SEGID}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-scs-vers=${DEVICE_SCS_VERS}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-tee-vers=${DEVICE_TEE_VERS}"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${output_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2e=${BASEDIR_OUTPUT_BLOB}/blob-bl2e${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${output_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2x=${BASEDIR_OUTPUT_BLOB}/blob-bl2x.bin${output_postfix}"
+
+echo ${TOOLS_ARGS}
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/generate-binaries/bin/gen-device-fip.sh b/s6/generate-binaries/bin/gen-device-fip.sh
new file mode 100755
index 0000000..6bac99a
--- /dev/null
+++ b/s6/generate-binaries/bin/gen-device-fip.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+set -e
+# set -x
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
+
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+#
+# Settings
+#
+
+#BASEDIR_DEVICE_TEMPLATE="${BASEDIR_ROOTRSA_X}/data/template/device"
+BASEDIR_CHIPSET_TEMPLATE=$1
+
+BASEDIR_ROOT=${BASEDIR_ROOT:-$BASEDIR_TEMPLATE}
+
+#BASEDIR_AESKEY_PROT="${BASEDIR_ROOTRSA_X}/data/key/aesroot"
+#BASEDIR_RSAKEY_LVLX="${BASEDIR_ROOTRSA_X}/data/key/lvlxrsa"
+
+BASEDIR_PAYLOAD=$2
+
+#BASEDIR_EPK="${BASEDIR_ROOTRSA_X}/data/epk"
+
+BASEDIR_OUTPUT=$3
+
+input_postfix=.signed
+output_postfix=.device.signed
+
+echo "============ ROOTRSA_INDEX ${DEVICE_ROOTRSA_INDEX}"
+echo "============ KEY_DIR ${BASEDIR_ROOT}"
+echo "============ PROJECT ${PROJECT}"
+
+if [ -z "$PROJECT" ]; then
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+else
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${PROJECT}/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${PROJECT}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${PROJECT}/protkey"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${PROJECT}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+fi
+
+BASEDIR_DEVICE_TEMPLATE="${BASEDIR_FIP_TEMPLATE_ROOT}"
+
+#
+# Arguments
+#
+
+BLOB_NAME=$1
+
+EXEC_ARGS="${EXEC_ARGS}"
+
+### Input: template ###
+EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin"
+
+### Input: payload ###
+EXEC_ARGS="${EXEC_ARGS} --infile-bl30-payload=${BASEDIR_PAYLOAD}/bl30-payload.bin"
+EXEC_ARGS="${EXEC_ARGS} --infile-bl33-payload=${BASEDIR_PAYLOAD}/bl33-payload.bin"
+
+### Input: Device Level-3 private RSA keys and EPKs ###
+
+# Device Vendor binaries
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl30-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-priv.pem"
+EXEC_ARGS="${EXEC_ARGS} --infile-aes256-bl30-payload=${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-bl30.bin"
+
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl33-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-rsa-priv.pem"
+EXEC_ARGS="${EXEC_ARGS} --infile-aes256-bl33-payload=${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-bl33.bin"
+
+# Chipset Manufacturer binaries
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl40-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-rsa-priv.pem"
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl31-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-rsa-priv.pem"
+EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl32-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-priv.pem"
+
+### Input: chipset blobs ###
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl40=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl40.bin${input_postfix}"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl31=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl31.bin${input_postfix}"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl32=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl32.bin${input_postfix}"
+
+### Features, flags and switches ###
+
+# arb info
+EXEC_ARGS="${EXEC_ARGS} --val-device-vendor-segid=${DEVICE_VENDOR_SEGID}"
+EXEC_ARGS="${EXEC_ARGS} --val-device-tee-vers=${DEVICE_TEE_VERS}"
+EXEC_ARGS="${EXEC_ARGS} --val-device-ree-vers=${DEVICE_REE_VERS}"
+
+### Output: Device FIP ###
+EXEC_ARGS="${EXEC_ARGS} --outfile-device-fip=${BASEDIR_OUTPUT}/device-fip.bin${output_postfix}"
+
+#echo ${EXEC_ARGS}
+
+#
+# Main
+#
+
+set -x
+
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${EXEC_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/generate-binaries/run/Makefile b/s6/generate-binaries/run/Makefile
new file mode 100644
index 0000000..644df02
--- /dev/null
+++ b/s6/generate-binaries/run/Makefile
@@ -0,0 +1,28 @@
+
+#
+# Rules
+#
+
+DEVICE_SCS_KEY_TOP ?= $(CURDIR)/../../sc2/device
+DEVICE_ROOTRSA_INDEX ?= 0
+PROJECT ?= s905x4
+
+ARGS += "DEVICE_SCS_KEY_TOP=$(DEVICE_SCS_KEY_TOP)"
+ARGS += "DEVICE_ROOTRSA_INDEX=$(DEVICE_ROOTRSA_INDEX)"
+ARGS += "PROJECT=$(PROJECT)"
+
+all: clean build
+
+build:
+ make -C rootrsa-0/boot-blobs $(ARGS)
+ make -C rootrsa-0/device-fip $(ARGS)
+
+build-boot-blobs:
+ make -C rootrsa-0/boot-blobs $(ARGS)
+
+build-device-fip:
+ make -C rootrsa-0/device-fip $(ARGS)
+
+clean:
+ make clean -C rootrsa-0/boot-blobs
+ make clean -C rootrsa-0/device-fip
diff --git a/s6/generate-binaries/run/common-rootrsa-x.mk b/s6/generate-binaries/run/common-rootrsa-x.mk
new file mode 100644
index 0000000..ebc03ba
--- /dev/null
+++ b/s6/generate-binaries/run/common-rootrsa-x.mk
@@ -0,0 +1,37 @@
+
+### Variables ###
+BASEDIR_TOP := $(BASEDIR_RUN)/..
+
+GEN_BOOT_BLOBS := $(BASEDIR_TOP)/bin/gen-boot-blobs.sh
+GEN_DEVICE_FIP := $(BASEDIR_TOP)/bin/gen-device-fip.sh
+
+#
+# Rules
+#
+
+.PHONY:
+
+boot_blobs:
+ #@-mkdir -p output
+ env BASEDIR_TOP=$(BASEDIR_TOP) \
+ BASEDIR_RUN=$(BASEDIR_RUN) \
+ BASEDIR_ROOTRSA_X=$(BASEDIR_ROOTRSA_X) \
+ DEVICE_ROOTRSA_INDEX=$(DEVICE_ROOTRSA_INDEX) \
+ BASEDIR_ROOT=$(DEVICE_SCS_KEY_TOP) \
+ PROJECT=$(PROJECT) \
+ DEVICE_VARIANT_SUFFIX=${DEVICE_VARIANT_SUFFIX} \
+ DEVICE_STORAGE_SUFFIX=${DEVICE_STORAGE_SUFFIX} \
+ $(GEN_BOOT_BLOBS) $(DEVICE_INPUT_PATH) $(DEVICE_OUTPUT_PATH) $(SOC_FAMILY)
+
+device_fip:
+ #@-mkdir -p output
+ env BASEDIR_TOP=$(BASEDIR_TOP) \
+ BASEDIR_RUN=$(BASEDIR_RUN) \
+ BASEDIR_ROOTRSA_X=$(BASEDIR_ROOTRSA_X) \
+ DEVICE_ROOTRSA_INDEX=$(DEVICE_ROOTRSA_INDEX) \
+ BASEDIR_ROOT=$(DEVICE_SCS_KEY_TOP) \
+ PROJECT=$(PROJECT) \
+ $(GEN_DEVICE_FIP) $(DEVICE_INPUT_PATH) $(DEVICE_INPUT_PATH) $(DEVICE_OUTPUT_PATH)
+
+clean:
+ @-rm -fr output
diff --git a/s6/generate-binaries/run/rootrsa-0/boot-blobs/Makefile b/s6/generate-binaries/run/rootrsa-0/boot-blobs/Makefile
new file mode 100644
index 0000000..28917ea
--- /dev/null
+++ b/s6/generate-binaries/run/rootrsa-0/boot-blobs/Makefile
@@ -0,0 +1,12 @@
+
+### Variables ###
+BASEDIR_ROOTRSA_X := $(CURDIR)/..
+
+#
+# Rules
+#
+
+all: boot_blobs
+
+### Common makefile ###
+include $(BASEDIR_ROOTRSA_X)/common.mk
diff --git a/s6/generate-binaries/run/rootrsa-0/common.mk b/s6/generate-binaries/run/rootrsa-0/common.mk
new file mode 100644
index 0000000..6a5bfff
--- /dev/null
+++ b/s6/generate-binaries/run/rootrsa-0/common.mk
@@ -0,0 +1,6 @@
+
+### Variables ###
+BASEDIR_RUN := $(BASEDIR_ROOTRSA_X)/..
+
+### Common makefile ###
+include $(BASEDIR_RUN)/common-rootrsa-x.mk
diff --git a/s6/generate-binaries/run/rootrsa-0/device-fip/Makefile b/s6/generate-binaries/run/rootrsa-0/device-fip/Makefile
new file mode 100644
index 0000000..f797506
--- /dev/null
+++ b/s6/generate-binaries/run/rootrsa-0/device-fip/Makefile
@@ -0,0 +1,12 @@
+
+### Variables ###
+BASEDIR_ROOTRSA_X := $(CURDIR)/..
+
+#
+# Rules
+#
+
+all: device_fip
+
+### Common makefile ###
+include $(BASEDIR_ROOTRSA_X)/common.mk
diff --git a/s6/generate-device-keys/bin/derive_device_aes_rootkey.sh b/s6/generate-device-keys/bin/derive_device_aes_rootkey.sh
new file mode 100755
index 0000000..947b7c3
--- /dev/null
+++ b/s6/generate-device-keys/bin/derive_device_aes_rootkey.sh
@@ -0,0 +1,150 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+set -e
+set -o pipefail
+
+version=1.2
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+VENDOR_KEYTOOL=${EXEC_BASEDIR}/../../binary-tool/vendor-keytool
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+gen_rootkey()
+{
+ outfile=$1
+ mrkname=$2
+ boot_stage=$3
+
+ trace " mrk_file $mrk_file"
+ trace " outfile $outfile_suffix"
+ trace " mrk_name $mrkname"
+ trace " boot_stage $boot_stage"
+
+ $VENDOR_KEYTOOL gen-root-aes256 --chipset=SC2 --mrk-file=${mrk_file} --mrk-name=${mrkname} --boot-stage=$3 | xxd -r -p > $outfile
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) AES root key
+
+ $(basename $0)
+ --key-dir <root-key-dir> \\
+ --mrk-bin <master-root-key-bin-file> \\
+ {--mrk-name [DVGK | ACGK]} \\
+ {--project <project-name>}
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+mrk_file=""
+stage="root"
+mrk_name=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --mrk-bin)
+ mrk_file="${argv[$i]}"
+ ;;
+ --mrk-name)
+ mrk_name="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $part"
+trace " mrk-bin $mrk_file"
+trace " mrk-name $mrk_name"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$stage" ]; then
+ usage
+fi
+
+if [ -z "$mrk_name" ]; then
+ mrk_name="DVGK"
+fi
+
+if [ ${stage,,} != "root" ] && [ ${stage,,} != "boot-blobs" ] && [ ${stage,,} != "fip" ]; then
+ echo "Error: Invalid stage $stage"
+ usage
+fi
+
+if [ ${mrk_name^^} != "ACGK" ] && [ ${mrk_name^^} != "DVGK" ]; then
+ echo "Error: Invalid MRK name $mrk_name"
+ usage
+fi
+
+if [ $stage == "root" ]; then
+ if [ -z "$part" ]; then
+ root_aes_path=${key_dir}/root/aes
+ else
+ root_aes_path=${key_dir}/root/aes/$part
+ fi
+
+ trace " root_aes_path $root_aes_path"
+ mkdir -p $root_aes_path/rootkey
+
+ echo "Generate 256-bit AES root key(s)"
+
+ for i in 0 1 2 3
+ do
+ gen_rootkey $root_aes_path/rootkey/aes256-device-rootkey-bootstage-${i}.bin $mrk_name $i
+ done
+fi
diff --git a/s6/generate-device-keys/bin/dvgk_gen.sh b/s6/generate-device-keys/bin/dvgk_gen.sh
new file mode 100755
index 0000000..b8f0dca
--- /dev/null
+++ b/s6/generate-device-keys/bin/dvgk_gen.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+#set -x
+version=1.0
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+mrk_gen() {
+ mrk_file=$1
+
+ echo "Generating MRK $mrk_file ..."
+ dd if=/dev/random of=$mrk_file.bin iflag=fullblock bs=16 count=1
+ xxd -ps $mrk_file.bin $mrk_file.txt
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) <mrk-file-name>
+EOF
+ exit 1
+}
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+echo "mrk-file : $1"
+echo ""
+
+mrk_gen $1
diff --git a/s6/generate-device-keys/bin/dvuk_gen.sh b/s6/generate-device-keys/bin/dvuk_gen.sh
new file mode 100755
index 0000000..b8f0dca
--- /dev/null
+++ b/s6/generate-device-keys/bin/dvuk_gen.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+#set -x
+version=1.0
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+mrk_gen() {
+ mrk_file=$1
+
+ echo "Generating MRK $mrk_file ..."
+ dd if=/dev/random of=$mrk_file.bin iflag=fullblock bs=16 count=1
+ xxd -ps $mrk_file.bin $mrk_file.txt
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) <mrk-file-name>
+EOF
+ exit 1
+}
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+echo "mrk-file : $1"
+echo ""
+
+mrk_gen $1
diff --git a/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
new file mode 100755
index 0000000..ca3e23f
--- /dev/null
+++ b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
@@ -0,0 +1,257 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.1
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ echo ">>> $@"
+}
+
+check_file() {
+ if [ ! -f "$1" ]; then echo "Error: file \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Export Amlogic SC2 Device Vendor Secure Chipset Startup (SCS) key release for image signing
+
+ $(basename $0)
+ --key-dir <key-dir> \\
+ --out-dir <key-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ {--project <project-name>}
+EOF
+ exit 1
+}
+
+key_dir=""
+project=""
+rootkey_index=0
+output_dir=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --out-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value $rootkey_index 0 3
+ ;;
+ --project)
+ project="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $project"
+trace " out-dir $output_dir"
+trace " rootkey-index $rootkey_index"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$output_dir" ]; then
+ usage
+fi
+
+BASEDIR_ROOT=$key_dir
+BASEDIR_OUT_ROOT=$output_dir
+DEVICE_ROOTRSA_INDEX=$rootkey_index
+
+if [ -z "$project" ]; then
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+ BASEDIR_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/rsa/"
+ BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/aes/protkey"
+
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+else
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${project}/protkey"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+ BASEDIR_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/aes/${project}/rootkey"
+ BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/rsa/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/aes/${project}/protkey"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+fi
+
+### Input: Root Cert ###
+### Required to generate Device Vendor SCS Cert ###
+### Required to generate Device Vendor root hash ###
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-0-pub.pem "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-1-pub.pem "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-2-pub.pem "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-3-pub.pem "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-3-pub.pem "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/epk/rootcert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/nonce/rootrsa-${DEVICE_ROOTRSA_INDEX}-nonce.bin "
+EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/roothash/hash-device-rootcert.bin "
+
+### Input: Selected Root RSA index (0 - 3)
+### Required to generate Device Vendor Lvl-1 Cert ###
+#EXPORT_FILES+="${BASEDIR_RSAKEY_ROOT}/key/rootrsa-${DEVICE_ROOTRSA_INDEX}-priv.pem "
+
+### Input: Device Level-1/2 Cert ###
+### Required to generate Device Vendor Lvl-1/2 Cert ###
+#EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl1cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl1rsa-nonce.bin "
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl2rsa-nonce.bin "
+
+### Input: Device Level-1/2 Private Key ###
+### Required to generate Device Vendor Lvl-2 and Lvl-3 Cert ###
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem "
+
+### Input: Device Level-3 Cert ###
+### Required to generate Device Vendor Lvl-3 Cert ###
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl30-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl30-dvlvl3cert-nonce.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl31-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl31-dvlvl3cert-nonce.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl32-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl32-dvlvl3cert-nonce.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl33-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl33-dvlvl3cert-nonce.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl40-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl40-dvlvl3cert-nonce.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-rsa-pub.pem "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/epk/krnl-lvl3cert-epks.bin "
+#EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/nonce/krnl-dvlvl3cert-nonce.bin "
+
+### Input: Device Level-3 Private Key ###
+### Required to sign Device Vendor bootloader ###
+### Required to sign BL30 and BL33
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-rsa-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-rsa-priv.pem "
+### Input: DVGK derived AES-256 root key ###
+### Required to generate Device Root cert and Lvl-1/2 cert ###
+#EXPORT_FILES+="${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-2.bin "
+#EXPORT_FILES+="${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-3.bin "
+
+### Input: DVGK derived AES-256 root key ###
+### Required to derive protkey for Device Root Lvl-3 cert and BL30/BL33/Kernel ###
+#EXPORT_FILES+="${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-1.bin "
+
+### Input (Required for Device Bootloader Encryption) ###
+### Required to protect BL30/BL33 and kernel protection ###
+EXPORT_FILES+="${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-bl30.bin "
+EXPORT_FILES+="${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-bl33.bin "
+EXPORT_FILES+="${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-krnl.bin "
+
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_TEMPLATE_ROOT}/bb1st.bin "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin "
+
+for f in $EXPORT_FILES
+do
+ check_file $f
+done
+
+#mkdir -p ${BASEDIR_RSAKEY_OUT_ROOT}/key
+#mkdir -p ${BASEDIR_RSAKEY_OUT_ROOT}/epk
+#mkdir -p ${BASEDIR_RSAKEY_OUT_ROOT}/nonce
+mkdir -p ${BASEDIR_RSAKEY_OUT_ROOT}/roothash
+#mkdir -p ${BASEDIR_AESKEY_OUT_ROOT}
+mkdir -p ${BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT}/key
+#mkdir -p ${BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT}/epk
+#mkdir -p ${BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT}/nonce
+mkdir -p ${BASEDIR_FIP_RSAKEY_OUT_ROOT}/key
+#mkdir -p ${BASEDIR_FIP_RSAKEY_OUT_ROOT}/epk
+#mkdir -p ${BASEDIR_FIP_RSAKEY_OUT_ROOT}/nonce
+mkdir -p ${BASEDIR_FIP_AESKEY_OUT_ROOT}
+mkdir -p ${BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT}
+mkdir -p ${BASEDIR_FIP_TEMPLATE_OUT_ROOT}
+
+for f in $EXPORT_FILES
+do
+ out=${f/#$key_dir/$output_dir}
+ echo cp $f $out
+ cp $f $out
+done
diff --git a/s6/generate-device-keys/bin/gen_device_aes_protkey.sh b/s6/generate-device-keys/bin/gen_device_aes_protkey.sh
new file mode 100755
index 0000000..929bde5
--- /dev/null
+++ b/s6/generate-device-keys/bin/gen_device_aes_protkey.sh
@@ -0,0 +1,282 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+version=1.2
+
+#
+# Utilities
+#
+
+check_file() {
+ if [ ! -f "$1" ]; then echo "Error: file \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) root hash and template
+
+ $(basename $0)
+ --key-dir <root-key-dir> \\
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ {--output-dir <output-dir>} \\
+ {--project <project-name>}
+EOF
+ exit 1
+}
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --project)
+ project="${argv[$i]}"
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value $rootkey_index 0 3
+ ;;
+ --device-vendor-segid)
+ device_vendor_segid="${argv[$i]}"
+ ;;
+ --device-tee-vers)
+ device_tee_vers="${argv[$i]}"
+ ;;
+ --device-ree-vers)
+ device_ree_vers="${argv[$i]}"
+ ;;
+ --output-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
+key_dir=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+project=""
+device_vendor_segid=0x0
+device_tee_vers=0x0
+device_ree_vers=0x0
+
+parse_main "$@"
+
+if [ -z "$key_dir" ]; then
+ key_dir="."
+fi
+
+#
+# Settings
+#
+
+BASEDIR_ROOT=${key_dir}
+BASEDIR_TEMPLATE="${template_dir}"
+BASEDIR_OUTPUT="${output_dir}"
+
+DEVICE_ROOTRSA_INDEX=${rootkey_index}
+
+DEVICE_VENDOR_SEGID=${device_vendor_segid}
+DEVICE_TEE_VERS=${device_tee_vers}
+DEVICE_REE_VERS=${device_ree_vers}
+
+echo DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
+echo DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
+echo DEVICE_REE_VERS=${DEVICE_REE_VERS}
+if [ -z "$project" ]; then
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
+
+ BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+else
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${project}/protkey"
+
+ BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+fi
+
+if [ -z "$output_dir" ]; then
+ BASEDIR_OUTPUT_HASH="${BASEDIR_ROOTHASH_OUTPUT}"
+ BASEDIR_OUTPUT_BLOB="${BASEDIR_FIP_TEMPLATE_OUTPUT}"
+ BASEDIR_OUTPUT_PROTKEY="${BASEDIR_FIP_AESKEY_ROOT}"
+ mkdir -p ${BASEDIR_OUTPUT_HASH}
+ mkdir -p ${BASEDIR_OUTPUT_BLOB}
+ mkdir -p ${BASEDIR_OUTPUT_PROTKEY}
+else
+ check_dir "${output_dir}"
+ BASEDIR_OUTPUT_HASH="${output_dir}"
+ BASEDIR_OUTPUT_BLOB="${output_dir}"
+ BASEDIR_OUTPUT_PROTKEY="${output_dir}"
+fi
+
+#BASEDIR_OUTPUT_BLOB="./output/blob"
+#BASEDIR_OUTPUT_HASH="./output/hash"
+#BASEDIR_OUTPUT_PROTKEY="./output/protkey"
+
+#
+# Check inputs
+#
+
+check_dir "${BASEDIR_ROOT}"
+check_dir "${BASEDIR_AESKEY_ROOT}"
+check_dir "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}"
+check_dir "${BASEDIR_FIP_RSAKEY_ROOT}"
+check_dir "${BASEDIR_TEMPLATE}"
+
+check_file "${BASEDIR_TEMPLATE}/${project}/device-fip-header.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl30-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl30-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl40-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl40-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl31-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl31-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl32-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl32-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl33-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl33-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-rsa-pub.pem"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/epk/krnl-lvl3cert-epks.bin"
+check_file "${BASEDIR_FIP_RSAKEY_ROOT}/nonce/krnl-dvlvl3cert-nonce.bin"
+check_file "${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-1.bin"
+
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-chipset-fip-header=${BASEDIR_TEMPLATE}/${project}/device-fip-header.bin"
+
+### Input: Device Level-2 private RSA Key ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl2=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+
+### Input: Device Level-3 Certs ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl30-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl30-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl30-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl30-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl30-dvlvl3cert-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl40-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl40-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl40-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl40-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl40-dvlvl3cert-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl31-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl31-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl31-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl31-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl31-dvlvl3cert-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl32-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl32-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl32-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl32-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl32-dvlvl3cert-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl33-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl33-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl33-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl33-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl33-dvlvl3cert-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-krnl-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-krnl-device-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/krnl-lvl3cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-krnl-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/krnl-dvlvl3cert-nonce.bin"
+
+### Input: Device RootKey (generated from DVGK) ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-device-rootkey-1=${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-1.bin"
+
+### Features, flags and switches ###
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-lvlx-pubrsa-prot"
+
+# arb info
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-vendor-segid=${DEVICE_VENDOR_SEGID}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-tee-vers=${DEVICE_TEE_VERS}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-ree-vers=${DEVICE_REE_VERS}"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-device-fip-header=${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin"
+
+### Output: generated protection keys ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-protkey-bl30=${BASEDIR_OUTPUT_PROTKEY}/genkey-prot-bl30.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-protkey-bl33=${BASEDIR_OUTPUT_PROTKEY}/genkey-prot-bl33.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-protkey-krnl=${BASEDIR_OUTPUT_PROTKEY}/genkey-prot-krnl.bin"
+
+echo ${TOOLS_ARGS}
+
+#
+# Main
+#
+
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/generate-device-keys/bin/gen_device_root_cert.sh b/s6/generate-device-keys/bin/gen_device_root_cert.sh
new file mode 100755
index 0000000..1e1b5a8
--- /dev/null
+++ b/s6/generate-device-keys/bin/gen_device_root_cert.sh
@@ -0,0 +1,234 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.1
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+rsa_gen() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local size=$4
+
+ echo "Generating $chain_num RSA key ..."
+
+ for f in $files
+ do
+ local kpriv="$path/$f-priv.pem"
+ local kpub="$path/$f-pub.pem"
+ openssl genrsa -out $kpriv $size
+ echo $kpriv
+ echo $kpub
+ openssl rsa -in $kpriv -outform PEM -pubout -out $kpub
+ #openssl rsa -noout -text -inform PEM -in $kpub -pubin
+ done
+}
+
+ek_gen() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+
+ echo "Generating $chain_num EKs ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ echo $file
+ dd if=/dev/random of=$file iflag=fullblock bs=64 count=1
+ #xxd -p -c16 $file
+ done
+}
+
+nonce_gen() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+
+ echo "Generating $chain_num NONCE ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ echo $file
+ dd if=/dev/random of=$file iflag=fullblock bs=16 count=1
+ #xxd -p -c16 $file
+ done
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) chain root keys
+
+ $(basename $0)
+ --key-dir <key-dir> \\
+ --stage [root | boot-blobs | fip] \\
+ {--rsa-size [2048 | 4096]} \\
+ {--project <project-name>}
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+size=""
+stage=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --rsa-size)
+ size="${argv[$i]}"
+ ;;
+ --stage)
+ stage="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $part"
+trace " rsa-size $size"
+trace " stage $stage"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$size" ]; then
+ size=4096
+fi
+
+if [ -z "$stage" ]; then
+ usage
+fi
+
+if [ $size -ne 2048 ] && [ $size -ne 4096 ]; then
+ echo "Error: Invalid RSA key size $size"
+ usage
+fi
+
+if [ $stage != "root" ] && [ $stage != "boot-blobs" ] && [ $stage != "fip" ]; then
+ echo "Error: Invalid stage $stage"
+ usage
+fi
+
+if [ $stage == "root" ]; then
+ if [ -z "$part" ]; then
+ root_rsa_path=${key_dir}/root/rsa
+ else
+ root_rsa_path=${key_dir}/root/rsa/$part
+ fi
+
+ trace " root_rsa_path $root_rsa_path"
+ mkdir -p $root_rsa_path/key
+ mkdir -p $root_rsa_path/epk
+ mkdir -p $root_rsa_path/nonce
+
+ echo "Generate root certificate(s)"
+
+ rsa_gen "Root" "$root_rsa_path/key" "rootrsa-0 rootrsa-1 rootrsa-2 rootrsa-3" $size
+ ek_gen "Root" "$root_rsa_path/epk" "rootcert-epks.bin"
+ nonce_gen "Root" "$root_rsa_path/nonce" "rootrsa-0-nonce.bin rootrsa-1-nonce.bin rootrsa-2-nonce.bin rootrsa-3-nonce.bin"
+fi
+
+if [ $stage == "boot-blobs" ]; then
+ if [ ! -z "$part" ]; then
+ boot_blobs_rsa_root=${key_dir}/boot-blobs/rsa/$part
+ else
+ boot_blobs_rsa_root=${key_dir}/boot-blobs/rsa
+ fi
+
+ trace " boot_blobs_rsa_root $boot_blobs_rsa_root"
+ mkdir -p $boot_blobs_rsa_root
+
+ for i in 0 1 2 3
+ do
+ boot_blobs_rsa_path=$boot_blobs_rsa_root/rootrsa-${i}
+ trace " boot_blobs_rsa_path $boot_blobs_rsa_path"
+
+ mkdir -p $boot_blobs_rsa_path/key
+ mkdir -p $boot_blobs_rsa_path/epk
+ mkdir -p $boot_blobs_rsa_path/nonce
+
+ echo "Generate $stage chain #$i certificate"
+ rsa_gen $i "$boot_blobs_rsa_path/key" "level-1-rsa level-2-rsa" $size
+ ek_gen $i "$boot_blobs_rsa_path/epk" "lvl1cert-epks.bin lvl2cert-epks.bin"
+ nonce_gen $i "$boot_blobs_rsa_path/nonce" "device-lvl1rsa-nonce.bin device-lvl2rsa-nonce.bin"
+ done
+fi
+
+if [ $stage == "fip" ]; then
+ if [ ! -z "$part" ]; then
+ fip_rsa_root=${key_dir}/fip/rsa/$part
+ else
+ fip_rsa_root=${key_dir}/fip/rsa
+ fi
+
+ trace " fip_rsa_root $fip_rsa_root"
+ mkdir -p $fip_rsa_root
+
+ for i in 0 1 2 3
+ do
+ fip_rsa_path=$fip_rsa_root/rootrsa-${i}
+ trace " fip_rsa_path $fip_rsa_path"
+
+ mkdir -p $fip_rsa_path/key
+ mkdir -p $fip_rsa_path/epk
+ mkdir -p $fip_rsa_path/nonce
+
+ echo "Generate ${stage^^} chain #$i certificate"
+ rsa_gen $i "$fip_rsa_path/key" "bl30-level-3-rsa bl31-level-3-rsa bl32-level-3-rsa bl33-level-3-rsa bl40-level-3-rsa krnl-level-3-rsa" $size
+ ek_gen $i "$fip_rsa_path/epk" "bl30-lvl3cert-epks.bin bl31-lvl3cert-epks.bin bl32-lvl3cert-epks.bin bl33-lvl3cert-epks.bin bl40-lvl3cert-epks.bin krnl-lvl3cert-epks.bin"
+ nonce_gen $i "$fip_rsa_path/nonce" "bl30-dvlvl3cert-nonce.bin bl31-dvlvl3cert-nonce.bin bl32-dvlvl3cert-nonce.bin bl33-dvlvl3cert-nonce.bin bl40-dvlvl3cert-nonce.bin krnl-dvlvl3cert-nonce.bin"
+ done
+fi
diff --git a/s6/generate-device-keys/bin/gen_device_root_hash.sh b/s6/generate-device-keys/bin/gen_device_root_hash.sh
new file mode 100755
index 0000000..ddf1255
--- /dev/null
+++ b/s6/generate-device-keys/bin/gen_device_root_hash.sh
@@ -0,0 +1,292 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+version=1.2
+
+#
+# Utilities
+#
+
+check_file() {
+ if [ ! -f "$1" ]; then echo "Error: file \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) root hash and template
+
+ $(basename $0)
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --key-dir <key-dir-prefix> \\
+ {--project <project-name>} \\
+ {--output-dir <output-dir>}
+EOF
+ exit 1
+}
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --project)
+ project="${argv[$i]}"
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value $rootkey_index 0 3
+ ;;
+ --device-scs-segid)
+ device_scs_segid="${argv[$i]}"
+ ;;
+ --device-vendor-segid)
+ device_vendor_segid="${argv[$i]}"
+ ;;
+ --device-scs-vers)
+ device_scs_vers="${argv[$i]}"
+ ;;
+ --device-tee-vers)
+ device_tee_vers="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --output-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
+key_dir=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+project=""
+device_scs_segid=0x0
+device_vendor_segid=0x0
+device_scs_vers=0x0
+device_tee_vers=0x0
+device_soc=""
+
+parse_main "$@"
+
+if [ -z "$key_dir" ]; then
+ key_dir="."
+fi
+
+#
+# Settings
+#
+BASEDIR_ROOT=${key_dir}
+BASEDIR_TEMPLATE="${template_dir}"
+
+DEVICE_ROOTRSA_INDEX=${rootkey_index}
+
+DEVICE_SCS_SEGID=${device_scs_segid}
+DEVICE_VENDOR_SEGID=${device_vendor_segid}
+DEVICE_SCS_VERS=${device_scs_vers}
+DEVICE_TEE_VERS=${device_tee_vers}
+
+echo DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}
+echo DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
+echo DEVICE_SCS_VERS=${DEVICE_SCS_VERS}
+echo DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
+
+if [ -z "$project" ]; then
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+ BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ #BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+else
+ BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+ BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+ #BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+fi
+
+if [ -z "$output_dir" ]; then
+ BASEDIR_OUTPUT_HASH="${BASEDIR_ROOTHASH_OUTPUT}"
+ BASEDIR_OUTPUT_BLOB="${BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT}"
+ mkdir -p ${BASEDIR_OUTPUT_HASH}
+ mkdir -p ${BASEDIR_OUTPUT_BLOB}
+else
+ check_dir "${output_dir}"
+ BASEDIR_OUTPUT_HASH="${output_dir}"
+ BASEDIR_OUTPUT_BLOB="${output_dir}"
+fi
+
+#BASEDIR_OUTPUT_BLOB="./output/blob"
+#BASEDIR_OUTPUT_HASH="./output/hash"
+#BASEDIR_OUTPUT_PROTKEY="./output/protkey"
+
+#
+# Check inputs
+#
+
+check_dir "${BASEDIR_ROOT}"
+check_dir "${BASEDIR_AESKEY_ROOT}"
+check_dir "${BASEDIR_RSAKEY_ROOT}"
+check_dir "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}"
+check_dir "${BASEDIR_FIP_RSAKEY_ROOT}"
+check_dir "${BASEDIR_TEMPLATE}"
+
+check_file "${BASEDIR_TEMPLATE}/${project}/bb1st.bin"
+check_file "${BASEDIR_RSAKEY_ROOT}/key/rootrsa-0-pub.pem"
+check_file "${BASEDIR_RSAKEY_ROOT}/key/rootrsa-1-pub.pem"
+check_file "${BASEDIR_RSAKEY_ROOT}/key/rootrsa-2-pub.pem"
+check_file "${BASEDIR_RSAKEY_ROOT}/key/rootrsa-3-pub.pem"
+check_file "${BASEDIR_RSAKEY_ROOT}/epk/rootcert-epks.bin"
+check_file "${BASEDIR_RSAKEY_ROOT}/nonce/rootrsa-${DEVICE_ROOTRSA_INDEX}-nonce.bin"
+check_file "${BASEDIR_RSAKEY_ROOT}/key/rootrsa-${DEVICE_ROOTRSA_INDEX}-priv.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-pub.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl1cert-epks.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl1rsa-nonce.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl2rsa-nonce.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem"
+check_file "${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-2.bin"
+check_file "${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-3.bin"
+
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_TEMPLATE}/${project}/bb1st.bin"
+
+### Input: Device RootCert ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-rootrsa-0=${BASEDIR_RSAKEY_ROOT}/key/rootrsa-0-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-rootrsa-1=${BASEDIR_RSAKEY_ROOT}/key/rootrsa-1-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-rootrsa-2=${BASEDIR_RSAKEY_ROOT}/key/rootrsa-2-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-rootrsa-3=${BASEDIR_RSAKEY_ROOT}/key/rootrsa-3-pub.pem"
+
+### RootCert EK and NONCE
+# EK is common for all root RSA
+# NONCE is per root RSA
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-device-rootcert=${BASEDIR_RSAKEY_ROOT}/epk/rootcert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/rootrsa-${DEVICE_ROOTRSA_INDEX}-nonce.bin"
+
+# Select root RSA to use
+BB1ST_ARGS="${BB1ST_ARGS} --device-rootrsa-index=${DEVICE_ROOTRSA_INDEX}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-root=${BASEDIR_RSAKEY_ROOT}/key/rootrsa-${DEVICE_ROOTRSA_INDEX}-priv.pem"
+
+### Input: Device Level-1 Cert ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-lvl1cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-device-lvl1cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl1cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl1rsa-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem"
+
+### Input: Device Level-2 Cert ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl2rsa-nonce.bin"
+
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl2=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-priv.pem"
+
+### Input: Device RootKey (generated from DVGK) ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-device-rootkey-2=${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-2.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-device-rootkey-3=${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-3.bin"
+
+### Features, flags and switches ###
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-root-pubrsa-prot"
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-lvl1-pubrsa-prot"
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-lvlx-pubrsa-prot"
+
+BB1ST_ARGS="${BB1ST_ARGS} --feature-device-root-pubrsa-prot-mrk"
+
+BB1ST_ARGS="${BB1ST_ARGS} --switch-device-sign-blob=0"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=${device_soc}"
+
+# arb info
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-scs-segid=${DEVICE_SCS_SEGID}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-vendor-segid=${DEVICE_VENDOR_SEGID}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-scs-vers=${DEVICE_SCS_VERS}"
+BB1ST_ARGS="${BB1ST_ARGS} --val-device-tee-vers=${DEVICE_TEE_VERS}"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st.bin"
+
+### Output: hash of root cert ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-hash-device-rootcert=${BASEDIR_OUTPUT_HASH}/hash-device-rootcert.bin"
+
+echo ${TOOLS_ARGS}
+
+#
+# Main
+#
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/generate-device-keys/export_signing_keys_and_sign_template.sh b/s6/generate-device-keys/export_signing_keys_and_sign_template.sh
new file mode 100755
index 0000000..2b17c0d
--- /dev/null
+++ b/s6/generate-device-keys/export_signing_keys_and_sign_template.sh
@@ -0,0 +1,151 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.2
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Export signing keys and sign template
+
+ $(basename $0)
+ --key-dir <key-dir> \\
+ {--project <project-name>} \\
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --arb-config <arb-config-file> \\
+ --out-dir <output-dir>
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+size=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+boot_blobs_arb_args=
+device_fip_arb_args=
+device_soc="s5"
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "$rootkey_index" 0 3
+ ;;
+ --arb-config)
+ arb_config="${argv[$i]}"
+ ;;
+ --out-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $part"
+trace " template_dir $template_dir"
+trace " rootkey-index $rootkey_index"
+trace " out-dir $output_dir"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$template_dir" ]; then
+ usage
+fi
+
+if [ -z "$rootkey_index" ]; then
+ usage
+fi
+
+if [ -z "$output_dir" ]; then
+ usage
+fi
+
+if [ -s "${arb_config}" ]; then
+ source ${arb_config}
+ boot_blobs_arb_args="--device-scs-segid ${DEVICE_SCS_SEGID} --device-vendor-segid ${DEVICE_VENDOR_SEGID} --device-scs-vers ${DEVICE_SCS_VERS} --device-tee-vers ${DEVICE_TEE_VERS}"
+ device_fip_arb_args="--device-vendor-segid ${DEVICE_VENDOR_SEGID} --device-tee-vers ${DEVICE_TEE_VERS} --device-ree-vers ${DEVICE_REE_VERS}"
+fi
+
+${EXEC_BASEDIR}/bin/gen_device_aes_protkey.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --template-dir "${template_dir}" ${device_fip_arb_args}
+
+${EXEC_BASEDIR}/bin/gen_device_root_hash.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --device-soc "$device_soc" --template-dir "${template_dir}" ${boot_blobs_arb_args}
+
+${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part"
+
diff --git a/s6/generate-device-keys/gen_all_device_key.sh b/s6/generate-device-keys/gen_all_device_key.sh
new file mode 100755
index 0000000..531360c
--- /dev/null
+++ b/s6/generate-device-keys/gen_all_device_key.sh
@@ -0,0 +1,165 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.0
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate all Amlogic Device Vendor Secure Chipset Startup (SCS) keys
+
+ $(basename $0)
+ --key-dir <key-dir> \\
+ {--rsa-size [2048 | 4096]} \\
+ {--project <project-name>} \\
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --out-dir <output-dir>
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+size=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+device_soc="s5"
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --rsa-size)
+ size="${argv[$i]}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "$rootkey_index" 0 3
+ ;;
+ --out-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $part"
+trace " rsa-size $size"
+trace " template_dir $template_dir"
+trace " rootkey-index $rootkey_index"
+trace " out-dir $output_dir"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$size" ]; then
+ size=4096
+fi
+
+if [ -z "$template_dir" ]; then
+ usage
+fi
+
+if [ -z "$rootkey_index" ]; then
+ usage
+fi
+
+if [ -z "$output_dir" ]; then
+ usage
+fi
+
+if [ "$size" -ne 2048 ] && [ "$size" -ne 4096 ]; then
+ echo "Error: Invalid RSA key size $size"
+ usage
+fi
+
+mkdir -p "$key_dir"
+${EXEC_BASEDIR}/bin/gen_device_root_cert.sh --key-dir "$key_dir" --stage root --rsa-size "$size" --project "$part"
+${EXEC_BASEDIR}/bin/gen_device_root_cert.sh --key-dir "$key_dir" --stage boot-blobs --rsa-size "$size" --project "$part"
+${EXEC_BASEDIR}/bin/gen_device_root_cert.sh --key-dir "$key_dir" --stage fip --rsa-size "$size" --project "$part"
+
+mkdir -p "$key_dir"/root/dvgk/"$part"
+${EXEC_BASEDIR}/bin/dvgk_gen.sh "$key_dir"/root/dvgk/"$part"/dvgk
+
+mkdir -p "$key_dir"/root/dvuk/"$part"
+${EXEC_BASEDIR}/bin/dvuk_gen.sh "$key_dir"/root/dvuk/"$part"/dvuk
+
+${EXEC_BASEDIR}/bin/derive_device_aes_rootkey.sh --key-dir "$key_dir" --mrk-bin "$key_dir"/root/dvgk/"$part"/dvgk.bin --mrk-name DVGK --project "$part"
+
+${EXEC_BASEDIR}/bin/gen_device_aes_protkey.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --template-dir "${template_dir}"
+
+${EXEC_BASEDIR}/bin/gen_device_root_hash.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --device-soc "$device_soc" --template-dir "${template_dir}"
+
+${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part"
+
diff --git a/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/stbm-prepare-sign-request.sh b/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/stbm-prepare-sign-request.sh
new file mode 100755
index 0000000..b5134be
--- /dev/null
+++ b/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/stbm-prepare-sign-request.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+#
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+set -e
+
+CURRENT_DIR=${PWD}
+
+# Uncomment follow line for debugging
+#set -x
+
+copy_files() {
+ src_dir=$1
+ dst_dir=$2
+ list=$3
+
+ for f in $list; do
+ d="$(dirname $f)"
+ mkdir -p ${dst_dir}/${d}
+ cp ${src_dir}/$f ${dst_dir}/${d}/.
+ done
+}
+
+#
+# Variables
+#
+
+STBM_DATA_BASEDIR=$1
+TO_VMX_BASEDIR=$2
+soc_device=$3
+
+LIST_KEYS=""
+LIST_KEYS="${LIST_KEYS} boot-blobs/rsa/${soc_device}/rootrsa-0/key/level-1-rsa-pub.pem"
+LIST_KEYS="${LIST_KEYS} boot-blobs/rsa/${soc_device}/rootrsa-0/key/level-2-rsa-pub.pem"
+LIST_KEYS="${LIST_KEYS} boot-blobs/rsa/${soc_device}/rootrsa-0/epk/lvl1cert-epks.bin"
+LIST_KEYS="${LIST_KEYS} boot-blobs/rsa/${soc_device}/rootrsa-0/epk/lvl2cert-epks.bin"
+
+LIST_TEMPLATES=""
+LIST_TEMPLATES="${LIST_TEMPLATES} boot-blobs/template/${soc_device}/rootrsa-0/bb1st.bin"
+LIST_TEMPLATES="${LIST_TEMPLATES} fip/template/${soc_device}/rootrsa-0/device-fip-header.bin"
+
+#
+# Main
+#
+
+### Copy files ###
+
+copy_files \
+ "${STBM_DATA_BASEDIR}/keydir" \
+ "${TO_VMX_BASEDIR}" \
+ "${LIST_KEYS}"
+
+copy_files \
+ "${STBM_DATA_BASEDIR}/outdir" \
+ "${TO_VMX_BASEDIR}" \
+ "${LIST_TEMPLATES}"
+
+
+cp ${TO_VMX_BASEDIR}/boot-blobs/template/${soc_device}/rootrsa-0/bb1st.bin \
+ ${TO_VMX_BASEDIR}/boot-blobs/template/${soc_device}/rootrsa-0/bb1st.usb.bin.signed
+mv ${TO_VMX_BASEDIR}/boot-blobs/template/${soc_device}/rootrsa-0/bb1st.bin \
+ ${TO_VMX_BASEDIR}/boot-blobs/template/${soc_device}/rootrsa-0/bb1st.sto.bin.signed
+
+#ln -fs ${TO_VMX_BASEDIR}/fip/template/${soc_device}/rootrsa-0/device-fip-header.bin \
+# ${TO_VMX_BASEDIR}/fip/template/${soc_device}/rootrsa-0/device-fip-header.ree-vers.0.tee-vers.0.bin
+cd ${TO_VMX_BASEDIR}/fip/template/${soc_device}/rootrsa-0/
+ln -fs device-fip-header.bin \
+ device-fip-header.ree-vers.0.tee-vers.0.bin
+cd ${CURRENT_DIR}
+
+### Show prepared files ###
+find ${TO_VMX_BASEDIR} -type f
+
+# vim: set filetype=sh tabstop=2 expandtab shiftwidth=2:
diff --git a/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/update-vmx-device-template-bb1st.sh b/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/update-vmx-device-template-bb1st.sh
new file mode 100755
index 0000000..68e457d
--- /dev/null
+++ b/s6/generate-device-keys/stbm-vmx-gen-device-keys/bin/update-vmx-device-template-bb1st.sh
@@ -0,0 +1,257 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+version=1.0
+
+#
+# Utilities
+#
+
+check_file() {
+ if [ ! -f "$1" ]; then echo "Error: file \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Update VMX Device template bb1st
+
+ $(basename $0)
+ --vmx-cert-path <VMX cert path> \\
+ {--rootkey-index [0 | 1 | 2 | 3]} \\
+ --key-dir <key-dir-prefix> \\
+ --project <project-name> \\
+ --device-soc <device-name> \\
+ --output-dir <output-dir>
+EOF
+ exit 1
+}
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --project)
+ project="${argv[$i]}"
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --vmx-cert-path)
+ vmx_cert_path="${argv[$i]}"
+ check_dir "${vmx_cert_path}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value $rootkey_index 0 3
+ ;;
+ --device-scs-segid)
+ device_scs_segid="${argv[$i]}"
+ ;;
+ --device-vendor-segid)
+ device_vendor_segid="${argv[$i]}"
+ ;;
+ --device-scs-vers)
+ device_scs_vers="${argv[$i]}"
+ ;;
+ --device-tee-vers)
+ device_tee_vers="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --storage-type)
+ storage_type="${argv[$i]}"
+ ;;
+ --output-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+#
+# Variables
+#
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../../binary-tool/acpu-imagetool
+key_dir=""
+vmx_cert_path=""
+rootkey_index=0
+output_dir=""
+project=""
+device_scs_segid=0x0
+device_vendor_segid=0x0
+device_scs_vers=0x0
+device_tee_vers=0x0
+device_soc=s4
+storage_type=""
+
+parse_main "$@"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$project" ]; then
+ usage
+fi
+
+if [ -z "$vmx_cert_path" ]; then
+ usage
+fi
+
+if [ -z "$output_dir" ]; then
+ usage
+fi
+
+#
+# Settings
+#
+BASEDIR_ROOT=${key_dir}
+BASEDIR_TEMPLATE="${vmx_cert_path}"
+
+DEVICE_ROOTRSA_INDEX=${rootkey_index}
+
+DEVICE_SCS_SEGID=${device_scs_segid}
+DEVICE_VENDOR_SEGID=${device_vendor_segid}
+DEVICE_SCS_VERS=${device_scs_vers}
+DEVICE_TEE_VERS=${device_tee_vers}
+
+echo DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}
+echo DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
+echo DEVICE_SCS_VERS=${DEVICE_SCS_VERS}
+echo DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
+
+BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
+BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/rsa/${project}"
+BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
+BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+#BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${project}/rootrsa-${DEVICE_ROOTRSA_INDEX}"
+
+check_dir "${output_dir}"
+BASEDIR_OUTPUT_HASH="${output_dir}"
+BASEDIR_OUTPUT_BLOB="${output_dir}"
+
+#BASEDIR_OUTPUT_BLOB="./output/blob"
+#BASEDIR_OUTPUT_HASH="./output/hash"
+#BASEDIR_OUTPUT_PROTKEY="./output/protkey"
+
+#
+# Check inputs
+#
+
+check_dir "${BASEDIR_ROOT}"
+check_dir "${BASEDIR_AESKEY_ROOT}"
+check_dir "${BASEDIR_RSAKEY_ROOT}"
+check_dir "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}"
+check_dir "${BASEDIR_FIP_RSAKEY_ROOT}"
+check_dir "${BASEDIR_TEMPLATE}"
+
+check_file "${BASEDIR_TEMPLATE}/${project}/bb1st${storage_type}.bin.device.cert.segid.${DEVICE_SCS_SEGID}"
+check_file "${BASEDIR_RSAKEY_ROOT}/nonce/rootrsa-${DEVICE_ROOTRSA_INDEX}-nonce.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl1rsa-nonce.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl2rsa-nonce.bin"
+check_file "${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-2.bin"
+check_file "${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-3.bin"
+
+#
+# Arguments
+#
+
+BB1ST_ARGS="${BB1ST_ARGS}"
+
+### Input: template ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-template-bb1st=${BASEDIR_TEMPLATE}/${project}/bb1st${storage_type}.bin.device.cert.segid.${DEVICE_SCS_SEGID}"
+
+### RootCert EK and NONCE
+# EK is common for all root RSA
+# NONCE is per root RSA
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/rootrsa-${DEVICE_ROOTRSA_INDEX}-nonce.bin"
+
+### Input: Device Level-1 Cert ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl1rsa-nonce.bin"
+
+BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem"
+
+### Input: Device Level-2 Cert ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-rsa-pub.pem"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-device-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/lvl2cert-epks.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-device-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/device-lvl2rsa-nonce.bin"
+
+### Input: Device RootKey (generated from DVGK) ###
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-device-rootkey-2=${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-2.bin"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-aes256-device-rootkey-3=${BASEDIR_AESKEY_ROOT}/aes256-device-rootkey-bootstage-3.bin"
+
+### Features, flags and switches ###
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-root-pubrsa-prot"
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-lvl1-pubrsa-prot"
+BB1ST_ARGS="${BB1ST_ARGS} --feature-enable-device-lvlx-pubrsa-prot"
+
+BB1ST_ARGS="${BB1ST_ARGS} --feature-device-root-pubrsa-prot-mrk"
+
+BB1ST_ARGS="${BB1ST_ARGS} --switch-device-sign-blob=0"
+
+BB1ST_ARGS="${BB1ST_ARGS} --scs-family=s4"
+
+### Output: blobs ###
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${storage_type}.bin.device"
+
+echo ${TOOLS_ARGS}
+
+#
+# Main
+#
+
+${ACPU_IMAGETOOL} \
+ create-boot-blobs \
+ ${BB1ST_ARGS}
+
+# vim: set tabstop=4 expandtab shiftwidth=4:
diff --git a/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-compose-vmx-device-template.sh b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-compose-vmx-device-template.sh
new file mode 100755
index 0000000..5468410
--- /dev/null
+++ b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-compose-vmx-device-template.sh
@@ -0,0 +1,201 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.0
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+copy_files() {
+ src_dir=$1
+ dst_dir=$2
+ list=$3
+
+ for f in $list; do
+ d="$(dirname $f)"
+ mkdir -p ${dst_dir}/${d}
+ cp ${src_dir}/$f ${dst_dir}/${d}/.
+ done
+}
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ STBM compose VMX device template
+
+ $(basename $0)
+ --stbm-key-dir <key-dir> \\
+ --project <project-name> \\
+ --vmx-cert-path <VMX cert path> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --arb-config <arb-config-file> \\
+ --out-dir <output-dir>
+EOF
+ exit 1
+}
+
+key_dir=""
+part=""
+size=""
+vmx_cert_path=""
+rootkey_index=0
+output_dir=""
+arb_config=""
+boot_blobs_arb_args=""
+device_fip_arb_args=""
+device_soc=""
+storage_type=".sto"
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --stbm-key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --storage-type)
+ storage_type="${argv[$i]}"
+ ;;
+ --vmx-cert-path)
+ vmx_cert_path="${argv[$i]}"
+ check_dir "${vmx_cert_path}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "$rootkey_index" 0 3
+ ;;
+ --arb-config)
+ arb_config="${argv[$i]}"
+ ;;
+ --out-dir)
+ output_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $key_dir"
+trace " project $part"
+trace " vmx_cert_path $vmx_cert_path"
+trace " rootkey-index $rootkey_index"
+trace " arb-config $arb_config"
+trace " out-dir $output_dir"
+
+if [ -z "$key_dir" ]; then
+ usage
+fi
+
+if [ -z "$part" ]; then
+ usage
+fi
+
+if [ -z "$vmx_cert_path" ]; then
+ usage
+fi
+
+if [ -z "$rootkey_index" ]; then
+ usage
+fi
+
+if [ -z "$output_dir" ]; then
+ usage
+fi
+
+if [ -s "${arb_config}" ]; then
+ source ${arb_config}
+ boot_blobs_arb_args="--device-scs-segid ${DEVICE_SCS_SEGID} --device-vendor-segid ${DEVICE_VENDOR_SEGID} --device-scs-vers ${DEVICE_SCS_VERS} --device-tee-vers ${DEVICE_TEE_VERS}"
+ device_fip_arb_args="--device-vendor-segid ${DEVICE_VENDOR_SEGID} --device-tee-vers ${DEVICE_TEE_VERS} --device-ree-vers ${DEVICE_REE_VERS}"
+fi
+
+# Create output directories
+OUTPUT_BASEDIR="${output_dir}"
+
+OUTDIR_TEMPLATE_BB1ST="${OUTPUT_BASEDIR}/boot-blobs/template/${part}/rootrsa-${rootkey_index}"
+mkdir -p "${OUTDIR_TEMPLATE_BB1ST}"
+
+# Generate templates
+${EXEC_BASEDIR}/bin/update-vmx-device-template-bb1st.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --device-soc "$device_soc" --storage-type "$storage_type" --vmx-cert-path "${vmx_cert_path}" --output-dir "${OUTDIR_TEMPLATE_BB1ST}" ${boot_blobs_arb_args}
+
+mv "${OUTDIR_TEMPLATE_BB1ST}/bb1st${storage_type}.bin.device" \
+ "${OUTDIR_TEMPLATE_BB1ST}/bb1st.bin" \
+
+OUTDIR_TEMPLATE_DEVICE_FIP_HEADER="${OUTPUT_BASEDIR}/fip/template/${part}/rootrsa-${rootkey_index}"
+mkdir -p "${OUTDIR_TEMPLATE_DEVICE_FIP_HEADER}"
+cp ${vmx_cert_path}/${part}/device-fip-header*.bin ${OUTDIR_TEMPLATE_DEVICE_FIP_HEADER}/device-fip-header.bin
+
+# Copy other files
+#LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/template/${part}/rootrsa-${rootkey_index}/device-fip-header.bin"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} boot-blobs/rsa/${part}/rootrsa-${rootkey_index}/key/level-2-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} boot-blobs/rsa/${part}/rootrsa-${rootkey_index}/key/level-1-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} boot-blobs/rsa/${part}/rootrsa-${rootkey_index}/key/level-2-rsa-pub.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/rsa/${part}/rootrsa-${rootkey_index}/key/bl30-level-3-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/rsa/${part}/rootrsa-${rootkey_index}/key/bl40-level-3-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/rsa/${part}/rootrsa-${rootkey_index}/key/bl31-level-3-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/rsa/${part}/rootrsa-${rootkey_index}/key/bl32-level-3-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/rsa/${part}/rootrsa-${rootkey_index}/key/bl33-level-3-rsa-priv.pem"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/aes/${part}/protkey/genkey-prot-bl30.bin"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/aes/${part}/protkey/genkey-prot-krnl.bin"
+LIST_OTHER_FILES="${LIST_OTHER_FILES} fip/aes/${part}/protkey/genkey-prot-bl33.bin"
+
+copy_files ${key_dir} ${OUTPUT_BASEDIR} \
+ "${LIST_OTHER_FILES}"
+
+# vim: set filetype=sh tabstop=4 expandtab shiftwidth=4:
diff --git a/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-export-templates.sh b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-export-templates.sh
new file mode 100755
index 0000000..8c86ea0
--- /dev/null
+++ b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-export-templates.sh
@@ -0,0 +1,150 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.0
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate all Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) keys
+
+ $(basename $0)
+ --stbm-key-dir stbm-key-dir> \\
+ --project <project-name> \\
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --arb-config <arb-config-file> \\
+ --out-vmx-dir <output-vmx-dir>
+EOF
+ exit 1
+}
+
+stbm_key_dir=""
+part=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+arb_config=""
+device_soc=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --stbm-key-dir)
+ stbm_key_dir="${argv[$i]}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "$rootkey_index" 0 3
+ ;;
+ --arb-config)
+ arb_config="${argv[$i]}"
+ ;;
+ --out-vmx-dir)
+ out_vmx_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $stbm_key_dir"
+trace " project $part"
+trace " template_dir $template_dir"
+trace " rootkey-index $rootkey_index"
+trace " arb-config $arb_config"
+trace " out-dir $out_vmx_dir"
+
+if [ -z "$stbm_key_dir" ]; then
+ usage
+fi
+
+if [ -z "$template_dir" ]; then
+ usage
+fi
+
+if [ -z "$rootkey_index" ]; then
+ usage
+fi
+
+if [ ! -f "$arb_config" ]; then
+ usage
+fi
+
+if [ -z "$out_vmx_dir" ]; then
+ usage
+fi
+
+${BASEDIR_TOP}/export_signing_keys_and_sign_template.sh \
+ --template-dir "$template_dir" \
+ --project "$part" \
+ --device-soc "$device_soc" \
+ --arb-config "$arb_config" \
+ --out-dir "${stbm_key_dir}/outdir" \
+ --key-dir "${stbm_key_dir}/keydir"
+
+${EXEC_BASEDIR}/bin/stbm-prepare-sign-request.sh "${stbm_key_dir}" "${out_vmx_dir}" "$part"
diff --git a/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-gen-device-key.sh b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-gen-device-key.sh
new file mode 100755
index 0000000..62c0c05
--- /dev/null
+++ b/s6/generate-device-keys/stbm-vmx-gen-device-keys/stbm-gen-device-key.sh
@@ -0,0 +1,175 @@
+#!/bin/bash -e
+
+# Copyright (c) 2020 Amlogic, Inc. All rights reserved.
+#
+# This source code is subject to the terms and conditions defined in the
+# file 'LICENSE' which is part of this source code package.
+
+#set -x
+version=1.0
+
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
+
+trace ()
+{
+ echo ">>> $@" > /dev/null
+ #echo ">>> $@"
+}
+
+check_dir() {
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+}
+
+check_value() {
+ local val=$1
+ local begin=$2
+ local end=$3
+
+ if [ $val -lt $begin ] || [ $val -gt $end ]; then
+ echo "Error: Value $val is not in range [$begin, $end]"
+ exit 1
+ fi
+}
+
+usage() {
+ cat << EOF
+Usage: $(basename $0) --help | --version
+
+ Generate all Amlogic SC2 chipset Device Vendor Secure Chipset Startup (SCS) keys
+
+ $(basename $0)
+ --stbm-key-dir stbm-key-dir> \\
+ {--rsa-size [2048 | 4096]} \\
+ --project <project-name> \\
+ --template-dir <template-dir> \\
+ --rootkey-index [0 | 1 | 2 | 3] \\
+ --arb-config <arb-config-file> \\
+ --out-vmx-dir <output-vmx-dir>
+EOF
+ exit 1
+}
+
+stbm_key_dir=""
+part=""
+size=""
+template_dir=""
+rootkey_index=0
+output_dir=""
+arb_config=""
+device_soc=""
+
+parse_main() {
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
+
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --stbm-key-dir)
+ stbm_key_dir="${argv[$i]}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ --device-soc)
+ device_soc="${argv[$i]}"
+ ;;
+ --rsa-size)
+ size="${argv[$i]}"
+ ;;
+ --template-dir)
+ template_dir="${argv[$i]}"
+ check_dir "${template_dir}"
+ ;;
+ --rootkey-index)
+ rootkey_index="${argv[$i]}"
+ check_value "$rootkey_index" 0 3
+ ;;
+ --arb-config)
+ arb_config="${argv[$i]}"
+ ;;
+ --out-vmx-dir)
+ out_vmx_dir="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
+}
+
+parse_main "$@"
+
+trace " key-dir $stbm_key_dir"
+trace " project $part"
+trace " rsa-size $size"
+trace " template_dir $template_dir"
+trace " rootkey-index $rootkey_index"
+trace " arb-config $arb_config"
+trace " out-dir $out_vmx_dir"
+
+if [ -z "$stbm_key_dir" ]; then
+ usage
+fi
+
+if [ -z "$size" ]; then
+ size=4096
+ echo "default rsa size 4096"
+fi
+
+if [ -z "$template_dir" ]; then
+ usage
+fi
+
+if [ -z "$rootkey_index" ]; then
+ usage
+fi
+
+if [ ! -f "$arb_config" ]; then
+ usage
+fi
+
+if [ -z "$out_vmx_dir" ]; then
+ usage
+fi
+
+if [ "$size" -ne 2048 ] && [ "$size" -ne 4096 ]; then
+ echo "Error: Invalid RSA key size $size"
+ usage
+fi
+
+
+${BASEDIR_TOP}/gen_all_device_key.sh \
+ --template-dir "$template_dir" \
+ --project "$part" \
+ --device-soc "$device_soc" \
+ --rsa-size "$size" \
+ --out-dir "${stbm_key_dir}/outdir" \
+ --key-dir "${stbm_key_dir}/keydir"
+
+${BASEDIR_TOP}/export_signing_keys_and_sign_template.sh \
+ --template-dir "$template_dir" \
+ --project "$part" \
+ --device-soc "$device_soc" \
+ --arb-config "$arb_config" \
+ --out-dir "${stbm_key_dir}/outdir" \
+ --key-dir "${stbm_key_dir}/keydir"
+
+${EXEC_BASEDIR}/bin/stbm-prepare-sign-request.sh "${stbm_key_dir}" "${out_vmx_dir}" "$part"
\ No newline at end of file
diff --git a/s6/variable_soc.sh b/s6/variable_soc.sh
new file mode 100755
index 0000000..6e5cb32
--- /dev/null
+++ b/s6/variable_soc.sh
@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# static
+declare BLX_BIN_SUB_CHIP="${CONFIG_CHIPSET_NAME}"
+
+if [ -n "${SCRIPT_ARG_CHIPSET_VARIANT}" ]; then
+ declare CHIPSET_VARIANT_SUFFIX=".${SCRIPT_ARG_CHIPSET_VARIANT}"
+elif [ -n "${CONFIG_CHIPSET_VARIANT}" ]; then
+ declare CHIPSET_VARIANT_SUFFIX=".${CONFIG_CHIPSET_VARIANT}"
+else
+ declare CHIPSET_VARIANT_SUFFIX=""
+fi
+declare -a BLX_NAME=("bl2" \
+ "bl2" \
+ "bl2e" \
+ "bl2e" \
+ "bl2x" \
+ "bl31" \
+ "bl32" \
+ "bl40" \
+ "bl30")
+
+declare -a BLX_SRC_FOLDER=("bl2/core" \
+ "bl2/core" \
+ "bl2/ree" \
+ "bl2/ree" \
+ "bl2/tee" \
+ "bl31/bl31_2.7/src" \
+ "bl32/bl32_3.18/src" \
+ "NULL" \
+ "bl30/src_ao" \
+ "bl33")
+
+declare -a BLX_BIN_FOLDER=("bl2/bin" \
+ "bl2/bin" \
+ "bl2/bin" \
+ "bl2/bin" \
+ "bl2/bin" \
+ "bl31/bl31_2.7/bin" \
+ "bl32/bl32_3.18/bin"\
+ "bl40/bin" \
+ "bl30/bin_ao")
+
+if [ "y" == "${CONFIG_BUILD_UNSIGN}" ]; then
+declare -a BLX_BIN_NAME=("bl2.bin.sto" \
+ "bl2.bin.usb" \
+ "bl2e.bin.sto" \
+ "bl2e.bin.usb" \
+ "bl2x.bin" \
+ "bl31.bin" \
+ "bl32.bin" \
+ "bl40.bin" \
+ "NULL")
+
+else
+declare -a BLX_BIN_NAME=("bb1st.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed" \
+ "bb1st.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed" \
+ "blob-bl2e.sto${CHIPSET_VARIANT_SUFFIX}.bin.signed" \
+ "blob-bl2e.usb${CHIPSET_VARIANT_SUFFIX}.bin.signed" \
+ "blob-bl2x.bin.signed" \
+ "blob-bl31.bin.signed" \
+ "blob-bl32.bin.signed" \
+ "blob-bl40.bin.signed" \
+ "bl30.bin")
+fi
+
+
+declare -a BLX_BIN_SIZE=("206848" \
+ "206848" \
+ "74864" \
+ "74864" \
+ "66672" \
+ "266240" \
+ "528384" \
+ "102400" \
+ "NULL")
+
+declare BL30_BIN_SIZE="65536"
+declare BL33_BIN_SIZE="1572864"
+declare DEV_ACS_BIN_SIZE="8192"
+declare -a BLX_RAWBIN_NAME=("bl2.bin.sto" \
+ "bl2.bin.usb" \
+ "bl2e.bin.sto" \
+ "bl2e.bin.usb" \
+ "bl2x.bin" \
+ "bl31.bin" \
+ "bl32.bin" \
+ "bl40.bin" \
+ "NULL")
+
+declare -a BLX_IMG_NAME=("NULL" \
+ "NULL" \
+ "NULL" \
+ "NULL" \
+ "NULL" \
+ "NULL" \
+ "NULL" \
+ "NULL")
+
+declare -a BLX_NEEDFUL=("true" \
+ "true" \
+ "true" \
+ "true" \
+ "true" \
+ "ture" \
+ "true" \
+ "true")
+
+declare -a BLX_SRC_GIT=("bootloader/amlogic-advanced-bootloader/core" \
+ "bootloader/amlogic-advanced-bootloader/core" \
+ "bootloader/amlogic-advanced-bootloader/ree" \
+ "bootloader/amlogic-advanced-bootloader/ree" \
+ "bootloader/amlogic-advanced-bootloader/tee" \
+ "ARM-software/arm-trusted-firmware" \
+ "OP-TEE/optee_os" \
+ "firmware/aocpu" \
+ "uboot")
+
+declare -a BLX_BIN_GIT=("firmware/bin/bl2" \
+ "firmware/bin/bl2" \
+ "firmware/bin/bl2" \
+ "firmware/bin/bl2" \
+ "firmware/bin/bl2" \
+ "firmware/bin/bl31"\
+ "firmware/bin/bl32"\
+ "firmware/bin/b40")
+
+# blx priority. null: default, source: src code, others: bin path
+declare -a BIN_PATH=("null" \
+ "null" \
+ "null" \
+ "null" \
+ "null" \
+ "null" \
+ "null" \
+ "null" \
+ "source")
+
+# variables
+declare -a CUR_REV # current version of each blx
+declare -a BLX_READY=("false", \
+ "false", \
+ "false", \
+ "false", \
+ "false", \
+ "false", \
+ "false", \
+ "false", \
+ "false") # blx build/get flag
+
+# package variables
+declare BL33_COMPRESS_FLAG=""
+declare BL3X_SUFFIX="bin"
+declare V3_PROCESS_FLAG=""
+declare FIP_ARGS=""
+declare AML_BL2_NAME=""
+declare AML_KEY_BLOB_NAME=""
+declare FIP_BL32_PROCESS=""
+declare BOOT_SIG_FLAG=""
+declare EFUSE_GEN_FLAG=""
+declare DDRFW_TYPE=""
+
+BUILD_PATH=${FIP_BUILD_FOLDER}
+BUILD_PAYLOAD=${FIP_BUILD_FOLDER}/payload
+CHIPSET_TEMPLATES_PATH="soc/templates"
+CONFIG_DDR_FW=0
+DDR_FW_NAME="aml_ddr.fw"
+
+CONFIG_NEED_BL32=y
+ADVANCED_BOOTLOADER=1
+
+declare CONFIG_RTOS_SDK_ENABLE=1
+declare CONFIG_SOC_NAME="s7d"
+
+if [ "${BL30_SELECT}" == "s7d_pxp" ]; then
+ declare CONFIG_BOARD_PACKAGE_NAME="s7d_skt"
+#elif [ "${BL30_SELECT}" == "a4_ba409" ]; then
+# declare CONFIG_BOARD_PACKAGE_NAME="ba409_a113l2"
+else
+ declare CONFIG_BOARD_PACKAGE_NAME="s7d_skt"
+fi