FIP: S6: support device scs signing [1/1]
PD#SWPL-172854
Problem:
S6: support device scs signing
Solution:
update device scs signing tool
Verify:
S6 BL208
Change-Id: I99b92b9acf6d7791591338fcf35124a4edd2b904
Signed-off-by: Zhongfu Luo <zhongfu.luo@amlogic.com>
diff --git a/audio_id_gen.sh b/audio_id_gen.sh
index 3858d2e..38b35cf 100755
--- a/audio_id_gen.sh
+++ b/audio_id_gen.sh
@@ -13,7 +13,7 @@
$(basename $0) --version
$(basename $0) --audio-id audio_id_value \\
--soc [axg | txhd | g12a | g12b | sm1 | tl1 | tm2 | a1 | c1 |c2 | t5 | t5d | t5w |
- sc2 | t7 | s4 | t3 | s4d | p1 | a5 | c3| s5 | t5m | a4 | t3x | txhd2 | s1a | s7 s7d] \\
+ sc2 | t7 | s4 | t3 | s4d | p1 | a5 | c3| s5 | t5m | a4 | t3x | txhd2 | s1a | s7 | s7d | s6] \\
-o audio_id.efuse
EOF
exit 1
@@ -59,7 +59,7 @@
if [ ${soc} == "sc2" ] || [ ${soc} == "t7" ] || [ ${soc} == "s4" ] || [ ${soc} == "t3" ] \
|| [ ${soc} == "p1" ] || [ ${soc} == "a5" ] || [ ${soc} == "c3" ] || [ ${soc} == "s5" ] \
|| [ ${soc} == "t5m" ] || [ ${soc} == "a4" ] || [ ${soc} == "t3x" ] || [ ${soc} == "s1a" ] \
- || [ ${soc} == "s7" ] || [ ${soc} == "s7d" ]; then
+ || [ ${soc} == "s7" ] || [ ${soc} == "s7d" ] || [ ${soc} == "s6" ]; then
${EXEC_BASEDIR}/${soc}/bin/efuse-gen.sh --audio-id ${audio_id_value} -o ${output}
elif [ "$soc" == "axg" ] || [ "$soc" == "txhd" ] || [ "$soc" == "g12a" ] \
|| [ "$soc" == "sm1" ] || [ "$soc" == "g12b" ] || [ "$soc" == "tl1" ] || [ "$soc" == "tm2" ] \
diff --git a/s6/Makefile b/s6/Makefile
index df36f72..ec13321 100644
--- a/s6/Makefile
+++ b/s6/Makefile
@@ -5,7 +5,7 @@
DEVICE_SCS_KEY_TOP ?= $(CURDIR)/keys/dev-keys/s6/device/
DEVICE_ROOTRSA_INDEX ?= 0
-PROJECT ?= s905x5meng
+PROJECT ?= s905x5
SOC_FAMILY ?= s7d
CS_SIGNING_SCHEME ?= rsa-mldsa
DV_SIGNING_SCHEME ?= rsa-mldsa
diff --git a/s6/attach_sbh.sh b/s6/attach_sbh.sh
index 64a2018..f63e930 100755
--- a/s6/attach_sbh.sh
+++ b/s6/attach_sbh.sh
@@ -1,5 +1,7 @@
#!/bin/bash
+EXEC_BASEDIR=$(dirname $(readlink -f $0))
+
Usage() {
echo "Usage: $0 img_file img_file_with_header"
}
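Review bot: The new `EXEC_BASEDIR` assignment leaves `$0` and both command substitutions unquoted, so the script resolves the wrong directory (or fails) when it is invoked from a path containing spaces or glob characters; `EXEC_BASEDIR="$(dirname "$(readlink -f "$0")")"` is safe. The same unquoted use carries into the second hunk of this file (`$1`, `$2`, `${EXEC_BASEDIR}/...`). It also appears in `[ ${trust_chain^^} == "CHIPSET" ]` in gen_scs_root_hash.sh, where an empty `trust_chain` turns the test into a syntax error rather than a false result.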
@@ -15,7 +17,7 @@
return
fi
- ./${FIP_FOLDER}${CUR_SOC}/bb1_extract_meta.sh $1 | ./${FIP_FOLDER}${CUR_SOC}/sbh_gen.sh > $2
+ ${EXEC_BASEDIR}/bb1_extract_meta.sh $1 | ${EXEC_BASEDIR}/sbh_gen.sh > $2
cat $1 >> $2
}
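Review bot: The pipeline `bb1_extract_meta.sh $1 | sbh_gen.sh > $2` reports only the status of `sbh_gen.sh`, and the following `cat $1 >> $2` runs regardless. A failed metadata extraction can therefore still leave a header-plus-payload file that looks complete to the signing step that consumes it. Unless `pipefail` is already set in a part of the script not shown here, I would add `set -o pipefail` near the top, or check `${PIPESTATUS[0]}` after the pipeline and remove `$2` on failure. The function body starts outside the hunk.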
diff --git a/s6/bin/device-vendor-scs-signing.sh b/s6/bin/device-vendor-scs-signing.sh
index 468012c..7f9a89b 100755
--- a/s6/bin/device-vendor-scs-signing.sh
+++ b/s6/bin/device-vendor-scs-signing.sh
@@ -69,6 +69,12 @@
#dd if=/dev/zero of=${ddr_fip} bs=1024 count=256 status=none
#fi
+ #align bb1st 266k and append header
+ dd if=/dev/zero of=${bb1st}.payload bs=1024 count=266 &> /dev/null
+ dd if=${bb1st} of=${bb1st}.payload conv=notrunc &> /dev/null
+ ${BASEDIR_TOP}/attach_sbh.sh ${bb1st}.payload ${bb1st}.hdr
+ bb1st=${bb1st}.hdr
+
#cat those together with 4K upper aligned for sdcard
align_base=4096
total_size=0
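Review bot: The padding step on the added `dd` lines never checks that `${bb1st}` fits in 266 KiB: with `conv=notrunc` a larger input simply extends `${bb1st}.payload` past the intended size. All `dd` output goes to `/dev/null` and no status is checked, so `bb1st=${bb1st}.hdr` is assigned even if padding or `attach_sbh.sh` failed. A guard such as `[ "$(stat -c %s "${bb1st}")" -le $((266 * 1024)) ] || { echo "bb1st larger than 266K" >&2; exit 1; }` before the first `dd`, plus `|| exit 1` on the `attach_sbh.sh` call, would stop a malformed first-stage blob from flowing into the packaged image. The surrounding function starts and ends outside the hunk, so the failure path (exit or return) should follow what the rest of it does.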
@@ -86,7 +92,7 @@
sector=512
seek=0
seek_sector=0
- dateStamp=A4-${part}-`date +%y%m%d%H%M%S`
+ dateStamp=S6-${part}-`date +%y%m%d%H%M%S`
echo @AMLBOOT > ${file_info_cfg_temp}
dd if=${file_info_cfg_temp} of=${file_info_cfg} bs=1 count=8 conv=notrunc &> /dev/null
diff --git a/s6/bin/device.license.bin b/s6/bin/device.license.bin
deleted file mode 100755
index bbc3717..0000000
--- a/s6/bin/device.license.bin
+++ /dev/null
Binary files differ
diff --git a/s6/bin/efuse-gen.sh b/s6/bin/efuse-gen.sh
index baa104b..158e3f0 100755
--- a/s6/bin/efuse-gen.sh
+++ b/s6/bin/efuse-gen.sh
@@ -105,7 +105,6 @@
# Verify args
if [ -z "$output" ]; then echo Error: Missing output file option -o; exit 1; fi
- check_opt_file input 1024 "$input"
check_opt_file dvgk 16 "$dvgk"
check_opt_file dvuk 16 "$dvuk"
check_opt_file device_roothash 32 "$device_roothash"
@@ -131,6 +130,8 @@
keyinfo="$(xxd -p -c 32 $device_roothash)"
echo "efuse_obj set HASH_NORMAL_DEVICE_ROOTCERT $keyinfo" >> $patt_text
echo "efuse_obj lock HASH_NORMAL_DEVICE_ROOTCERT" >> $patt_text
+ echo "efuse_obj set HASH_DFU_DEVICE_ROOTCERT $keyinfo" >> $patt_text
+ echo "efuse_obj lock HASH_DFU_DEVICE_ROOTCERT" >> $patt_text
fi
if [ "$enable_device_vendor_scs" == "true" ]; then
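Review bot: The two added `efuse_obj` lines program and lock `HASH_DFU_DEVICE_ROOTCERT` with the same `$keyinfo` as the normal device root cert whenever a device root hash is supplied, and nothing in the hunk records that this coupling is intended. Since a locked eFuse field is presumably not changeable afterwards, I would add a comment above them, e.g. `# DFU boot is anchored to the same device root cert hash as normal boot; both fields are locked together`, and mention the DFU field in the option's usage text. The enclosing `if` starts outside the hunk, so I cannot see whether an existing flag already gates this.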
diff --git a/s6/chip_acs.bin b/s6/chip_acs.bin
deleted file mode 100755
index 753af8f..0000000
--- a/s6/chip_acs.bin
+++ /dev/null
Binary files differ
diff --git a/s6/generate-binaries/bin/gen-device-fip.sh b/s6/generate-binaries/bin/gen-device-fip.sh
index 68e6c04..c37ed05 100755
--- a/s6/generate-binaries/bin/gen-device-fip.sh
+++ b/s6/generate-binaries/bin/gen-device-fip.sh
@@ -109,6 +109,7 @@
### Features, flags and switches ###
EXEC_ARGS="${EXEC_ARGS} --header-layout=mini"
+EXEC_ARGS="${EXEC_ARGS} --size-payload-bl30=90112"
# arb info
EXEC_ARGS="${EXEC_ARGS} --val-device-vendor-segid=${DEVICE_VENDOR_SEGID}"
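Review bot: `--size-payload-bl30=90112` is a bare magic number here and is repeated verbatim in `COMMON_CREATE_DEVICE_FIP_ARGS` in generate-device-keys/bin/gen_scs_root_hash.sh. If the two ever diverge, the template produced at key-generation time and the FIP produced at signing time would presumably disagree on the BL30 slot size. I would name it once with an override, e.g. `SIZE_PAYLOAD_BL30="${SIZE_PAYLOAD_BL30:-90112}"` and `--size-payload-bl30=${SIZE_PAYLOAD_BL30}`, with a comment giving the unit (90112 bytes = 88 KiB) and where the limit comes from.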
diff --git a/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
index 6690ed9..325c48c 100755
--- a/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
+++ b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
@@ -52,6 +52,8 @@
project=""
rootkey_index=0
output_dir=""
+ml_dsa_algo_name="mldsa"
+ml_dsa_version=""
parse_main() {
local i=0
@@ -91,6 +93,9 @@
--sig-scheme)
sig_scheme="${argv[$i]}"
;;
+ --ml-dsa-version)
+ ml_dsa_version="${argv[$i]}"
+ ;;
--template-layout)
template_layout="${argv[$i]}"
;;
@@ -237,6 +242,23 @@
EXPORT_FILES+="${BASEDIR_BOOTBLOBS_TEMPLATE_ROOT}/bb1st.bin "
EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin "
+if [[ "${sig_scheme}" =~ "mldsa" ]]; then
+
+ if [ "${ml_dsa_version}" != "final" ]; then
+ ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
+ fi
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-${ml_dsa_algo_name}-pub.pem "
+
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-2-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl31-level-3-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/bl40-level-3-${ml_dsa_algo_name}-priv.pem "
+EXPORT_FILES+="${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-${ml_dsa_algo_name}-priv.pem "
+fi
+
for f in $EXPORT_FILES
do
check_file $f
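Review bot: With the default `ml_dsa_version=""` from the first hunk of this file, a caller that passes an ML-DSA `--sig-scheme` but omits `--ml-dsa-version` takes the `!= "final"` branch and builds the name `mldsa-`. Every path in the added block then becomes `...-mldsa--priv.pem`, and `check_file` fails with a misleading missing-file error. Reject the empty value explicitly at the top of the `if`, e.g. `[ -n "${ml_dsa_version}" ] || { echo "Error: --ml-dsa-version is required for ${sig_scheme}" >&2; exit 1; }`. Since this block adds level-1/2/3 private keys to the exported set, a comment naming who the export directory is intended for would also help. The `for` loop continues outside the hunk.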
diff --git a/s6/generate-device-keys/bin/gen_scs_root_hash.sh b/s6/generate-device-keys/bin/gen_scs_root_hash.sh
index 2f15541..486dc3a 100755
--- a/s6/generate-device-keys/bin/gen_scs_root_hash.sh
+++ b/s6/generate-device-keys/bin/gen_scs_root_hash.sh
@@ -539,7 +539,9 @@
fi
# Protkey output
- mkdir -p ${BASEDIR_OUTPUT_PROTKEY}
+ if [ ${trust_chain^^} == "CHIPSET" ]; then
+ mkdir -p ${BASEDIR_OUTPUT_PROTKEY}
+ fi
# FIP output
mkdir -p ${BASEDIR_FIP_OUTPUT_BLOB}
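Review bot: After this change the protkey output directory is created only for the CHIPSET trust chain, while both callers touched by this commit run with `--trust-chain device-vendor` and then copy `.../trustchain-${rootkey_index}/protkey`. I cannot see how `BASEDIR_OUTPUT_PROTKEY` is defined; if it is that directory, something else must now create it or the later `cp` fails. A comment stating why device-vendor runs no longer need the directory, e.g. `# device-vendor chains take the protkey from <step>; only chipset runs generate it here`, would settle it.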
@@ -650,6 +652,7 @@
fi
COMMON_CREATE_DEVICE_FIP_ARGS+=" --header-layout=${FIP_HEADER_LAYOUT}"
+COMMON_CREATE_DEVICE_FIP_ARGS+=" --size-payload-bl30=90112"
### Input: payloads ###
#BB1ST_ARGS="${BB1ST_ARGS} --infile-bl2-payload=${BASEDIR_PAYLOAD}/bl2-payload.bin"
diff --git a/s6/generate-device-keys/export_signing_keys_and_sign_template.sh b/s6/generate-device-keys/export_signing_keys_and_sign_template.sh
index 0a7fb23..9a74f69 100755
--- a/s6/generate-device-keys/export_signing_keys_and_sign_template.sh
+++ b/s6/generate-device-keys/export_signing_keys_and_sign_template.sh
@@ -155,10 +155,14 @@
#${EXEC_BASEDIR}/bin/gen_device_aes_protkey.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --template-dir "${template_dir}" ${device_fip_arb_args}
#${EXEC_BASEDIR}/bin/gen_device_root_hash.sh --rootkey-index "$rootkey_index" --key-dir "$key_dir" --project "$part" --device-soc "$device_soc" --template-dir "${template_dir}" ${boot_blobs_arb_args}
-for i in {0..3}; do
- ${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini ${boot_blobs_arb_args} --ops create-boot-blobs
- ${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini ${device_fip_arb_args} --ops create-device-fip
-done
-${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part" --sig-scheme $sig_scheme --template-layout $template_layout
+${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini ${boot_blobs_arb_args} --ops create-boot-blobs
+${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini ${device_fip_arb_args} --ops create-device-fip
+
+# Link to be compatible with old script
+rm -rf $key_dir/fip/aes/${part}/protkey
+cp "$key_dir/fip/aes/${part}/trustchain-${rootkey_index}/protkey" \
+ "$key_dir/fip/aes/${part}/protkey" -r
+
+${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part" --sig-scheme $sig_scheme --ml-dsa-version draft1 --template-layout $template_layout
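Review bot: The added `rm -rf $key_dir/fip/aes/${part}/protkey` is unquoted and unguarded, so an empty `key_dir` resolves to an absolute `/fip/aes/...` path and a value with spaces splits into several delete targets; `rm -rf -- "${key_dir:?}/fip/aes/${part:?}/protkey"` aborts instead. It also runs without checking that the two `gen_scs_root_hash.sh` calls above succeeded, so a failed generation deletes the old protkey and then fails or copies stale data; `|| exit 1` on those calls would avoid that. The comment still says "Link" although the code now makes a second on-disk copy of the protkey material. Finally, `cp` with `-r` after the operands relies on GNU option permutation; `cp -r -- SRC DST` is portable.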
diff --git a/s6/generate-device-keys/gen_all_device_key.sh b/s6/generate-device-keys/gen_all_device_key.sh
index 1b4b628..4b9e615 100755
--- a/s6/generate-device-keys/gen_all_device_key.sh
+++ b/s6/generate-device-keys/gen_all_device_key.sh
@@ -204,13 +204,11 @@
${EXEC_BASEDIR}/bin/derive_device_aes_rootkey.sh --key-dir "$key_dir" --mrk-bin "$key_dir"/root/dvgk/"$part"/dvgk.bin --mrk-name DVGK --project "$part"
-for i in {0..3}; do
- ${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $i --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini --ops create-boot-blobs
- ${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $i --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini --ops create-device-fip
-done
+${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini --ops create-boot-blobs
+${EXEC_BASEDIR}/bin/gen_scs_root_hash.sh --rootkey-index $rootkey_index --key-dir "$key_dir" --trust-chain device-vendor --project "$part" --device-soc "$device_soc" --template-dir "$template_dir" --sig-scheme $sig_scheme --ml-dsa-version draft1 --scs-family $scs_family --template-layout $template_layout --fip-header-layout mini --ops create-device-fip
# Link to be compatible with old script
-ln -r -s -v "$key_dir/fip/aes/${part}/trustchain-${rootkey_index}/protkey" \
- "$key_dir/fip/aes/${part}/protkey"
+cp "$key_dir/fip/aes/${part}/trustchain-${rootkey_index}/protkey" \
+ "$key_dir/fip/aes/${part}/protkey" -r
-${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part" --sig-scheme $sig_scheme --template-layout $template_layout
+${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part" --sig-scheme $sig_scheme --ml-dsa-version draft1 --template-layout $template_layout
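Review bot: Unlike export_signing_keys_and_sign_template.sh, this script does not remove the destination before the new `cp ... -r`. On a re-run where `.../protkey` already exists (as a directory, or as the symlink the old `ln -r -s` created), `cp` nests the copy as `protkey/protkey` or tries to copy the directory into itself. Add `rm -rf -- "${key_dir:?}/fip/aes/${part:?}/protkey"` before the copy, as the sibling script does. Separately, the loop over root key indexes 0..3 is replaced by a single run for `$rootkey_index`, so the script no longer produces boot blobs for the other three indexes; if that is intended, a comment or usage note should say so.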