FIP: C3: support fastboot device scs signing [1/1]
PD#SWPL-176310
Problem:
FIP: C3: support fastboot device scs signing
Solution:
FIP: C3: support fastboot device scs signing
Verify:
C3 AW409
Change-Id: I4a96805e7e82a4f9b2d2f25714b44bff5ac82d30
Signed-off-by: Zhongfu Luo <zhongfu.luo@amlogic.com>
diff --git a/c3/build.sh b/c3/build.sh
index 7d12e34..6dc28c3 100755
--- a/c3/build.sh
+++ b/c3/build.sh
@@ -770,10 +770,14 @@
mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .sto ${CHIPSET_VARIANT_SUFFIX}
mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .usb ${CHIPSET_VARIANT_SUFFIX}
+
+ for loop in ${!BLX_NAME[@]}; do
+ cp ${BUILD_PATH}/${BLX_BIN_NAME[$loop]} ${BUILD_PATH}/${BLX_BIN_CLEAR_NAME[$loop]}
+ done
# process loop
list_pack=
for loop in ${!BLX_NAME[@]}; do
- list_pack="$list_pack ${BUILD_PATH}/${BLX_BIN_NAME[$loop]}"
+ list_pack="$list_pack ${BUILD_PATH}/${BLX_BIN_CLEAR_NAME[$loop]}"
done
list_pack="$list_pack ${BUILD_PATH}/bl30-payload.bin ${BUILD_PATH}/bl33-payload.bin ${BUILD_PATH}/dvinit-params.bin"
if [ -f ${BUILD_PATH}/ddr-fip.bin ]; then
@@ -787,37 +791,16 @@
./${FIP_FOLDER}${CUR_SOC}/bin/download-keys.sh ${AMLOGIC_KEY_TYPE} ${CUR_SOC} device ${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys/
fi
- fw_arb_cfg=${UBOOT_SRC_FOLDER}/${BOARD_DIR}/fw_arb.cfg
- if [ -s "${fw_arb_cfg}" ]; then
- source ${fw_arb_cfg}
- export DEVICE_SCS_SEGID=${DEVICE_SCS_SEGID}
- export DEVICE_VENDOR_SEGID=${DEVICE_VENDOR_SEGID}
- export DEVICE_SCS_VERS=${DEVICE_SCS_VERS}
- export DEVICE_TEE_VERS=${DEVICE_TEE_VERS}
- export DEVICE_REE_VERS=${DEVICE_REE_VERS}
- fi
- export DEVICE_SCS_KEY_TOP=$(pwd)/${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys
- export DEVICE_INPUT_PATH=$(pwd)/${BUILD_PATH}
- export DEVICE_OUTPUT_PATH=$(pwd)/${BUILD_PATH}
- export PROJECT=${CHIPSET_NAME}
if [ "y" == "${CONFIG_DEVICE_ROOTRSA_INDEX}" ]; then
- export DEVICE_ROOTRSA_INDEX=1
+ DEVICE_ROOTRSA_INDEX=1
elif [ -n "${CONFIG_DEVICE_ROOTRSA_INDEX}" ]; then
- export DEVICE_ROOTRSA_INDEX=${CONFIG_DEVICE_ROOTRSA_INDEX}
+ DEVICE_ROOTRSA_INDEX=${CONFIG_DEVICE_ROOTRSA_INDEX}
+ else
+ DEVICE_ROOTRSA_INDEX=0
fi
- export DEVICE_VARIANT_SUFFIX=${CHIPSET_VARIANT_SUFFIX}
- export DEVICE_VARIANT_MIN_SUFFIX=${CHIPSET_VARIANT_MIN_SUFFIX}
- export DEVICE_STORAGE_SUFFIX=.sto
- make -C ./${FIP_FOLDER}${CUR_SOC} dv-boot-blobs
- export DEVICE_STORAGE_SUFFIX=.usb
- make -C ./${FIP_FOLDER}${CUR_SOC} dv-boot-blobs
-
- make -C ./${FIP_FOLDER}${CUR_SOC} dv-device-fip
- # build final bootloader
- postfix=.device.signed
- mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .sto ${CHIPSET_VARIANT_SUFFIX}
- mk_uboot ${BUILD_PATH} ${BUILD_PATH} ${postfix} .usb ${CHIPSET_VARIANT_SUFFIX}
+ ./${FIP_FOLDER}${CUR_SOC}/bin/device-vendor-scs-signing.sh --key-dir ${UBOOT_SRC_FOLDER}/${BOARD_DIR}/device-keys/ --project ${CHIPSET_NAME} \
+ --input-dir ${BUILD_PATH} --rootkey-index ${DEVICE_ROOTRSA_INDEX} --arb-config ${UBOOT_SRC_FOLDER}/${BOARD_DIR}/fw_arb.cfg --out-dir ${BUILD_PATH}
fi
return
diff --git a/c3/generate-binaries/bin/gen-boot-blobs.sh b/c3/generate-binaries/bin/gen-boot-blobs.sh
index 12e20da..ba3aeed 100755
--- a/c3/generate-binaries/bin/gen-boot-blobs.sh
+++ b/c3/generate-binaries/bin/gen-boot-blobs.sh
@@ -67,9 +67,9 @@
### Input: blobs ###
BB1ST_ARGS="${BB1ST_ARGS} --infile-dvinit-params=${BASEDIR_CHIPSET_TEMPLATE}/dvinit-params.bin"
-BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2e=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2e${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
-BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2x=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2x${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
-BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bb1st-ref=${BASEDIR_CHIPSET_TEMPLATE}/bb1st${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2e=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2e${DEVICE_STORAGE_SUFFIX}.bin${input_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bl2x=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl2x.bin${input_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --infile-blob-bb1st-ref=${BASEDIR_CHIPSET_TEMPLATE}/bb1st${DEVICE_STORAGE_SUFFIX}.bin${input_postfix}"
### Input: Device Level-1/2 Private RSA keys
BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-device-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/level-1-rsa-priv.pem"
@@ -90,9 +90,9 @@
BB1ST_ARGS="${BB1ST_ARGS} --val-device-tee-vers=${DEVICE_TEE_VERS}"
### Output: blobs ###
-BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${output_postfix}"
-BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2e=${BASEDIR_OUTPUT_BLOB}/blob-bl2e${DEVICE_STORAGE_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${output_postfix}"
-BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2x=${BASEDIR_OUTPUT_BLOB}/blob-bl2x${DEVICE_VARIANT_SUFFIX}.bin${output_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-bb1st=${BASEDIR_OUTPUT_BLOB}/bb1st${DEVICE_STORAGE_SUFFIX}.bin${output_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2e=${BASEDIR_OUTPUT_BLOB}/blob-bl2e${DEVICE_STORAGE_SUFFIX}.bin${output_postfix}"
+BB1ST_ARGS="${BB1ST_ARGS} --outfile-blob-bl2x=${BASEDIR_OUTPUT_BLOB}/blob-bl2x.bin${output_postfix}"
echo ${TOOLS_ARGS}
diff --git a/c3/generate-binaries/bin/gen-device-fip.sh b/c3/generate-binaries/bin/gen-device-fip.sh
index 4ff6daf..1062835 100755
--- a/c3/generate-binaries/bin/gen-device-fip.sh
+++ b/c3/generate-binaries/bin/gen-device-fip.sh
@@ -8,15 +8,6 @@
#
EXEC_BASEDIR=$(dirname $(readlink -f $0))
-
-if [ "" != "${CHIPSET_VARIANT_MIN_SUFFIX}" ] && [ ".fastboot" == "${DEVICE_VARIANT_SUFFIX}" ]; then
- ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-oversea
-elif [ "" == "${CHIPSET_VARIANT_MIN_SUFFIX}" ] && [ ".fastboot" == "${DEVICE_VARIANT_SUFFIX}" ]; then
- ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot
-else
- ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
-fi
-
BASEDIR_TOP=$(readlink -f ${EXEC_BASEDIR}/..)
#
@@ -73,7 +64,7 @@
EXEC_ARGS="${EXEC_ARGS}"
### Input: template ###
-EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin"
+#EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin"
### Input: payload ###
EXEC_ARGS="${EXEC_ARGS} --infile-bl30-payload=${BASEDIR_PAYLOAD}/bl30-payload.bin"
@@ -81,6 +72,7 @@
### Input: Device Level-3 private RSA keys and EPKs ###
+
# Device Vendor binaries
EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl30-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-rsa-priv.pem"
EXEC_ARGS="${EXEC_ARGS} --infile-aes256-bl30-payload=${BASEDIR_FIP_AESKEY_ROOT}/genkey-prot-bl30.bin"
@@ -94,9 +86,9 @@
EXEC_ARGS="${EXEC_ARGS} --infile-signkey-bl32-device-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl32-level-3-rsa-priv.pem"
### Input: chipset blobs ###
-EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl40=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl40${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
-EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl31=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl31${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
-EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl32=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl32${DEVICE_VARIANT_MIN_SUFFIX}${DEVICE_VARIANT_SUFFIX}.bin${input_postfix}"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl40=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl40.bin${input_postfix}"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl31=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl31.bin${input_postfix}"
+EXEC_ARGS="${EXEC_ARGS} --infile-blob-bl32=${BASEDIR_CHIPSET_TEMPLATE}/blob-bl32.bin${input_postfix}"
### Features, flags and switches ###
@@ -108,8 +100,45 @@
### Output: Device FIP ###
EXEC_ARGS="${EXEC_ARGS} --outfile-device-fip=${BASEDIR_OUTPUT}/device-fip.bin${output_postfix}"
+### compact Device FIP Header
+EXEC_ARGS="${EXEC_ARGS} --header-layout=compact"
+
#echo ${EXEC_ARGS}
+BL32_SIZE=`stat -c %s ${BASEDIR_CHIPSET_TEMPLATE}/blob-bl32.bin${input_postfix}`
+BL33_SIZE=`stat -c %s ${BASEDIR_PAYLOAD}/bl33-payload.bin`
+
+if [ "${BL32_SIZE}" == "528384" ]; then
+ if [ "${BL33_SIZE}" = "389120" ]; then
+ ## +64k
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext-1
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot-ext-1"
+ elif [ "${BL33_SIZE}" = "454656" ]; then
+ ## +128k
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext-2
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot-ext-2"
+ elif [ "${BL33_SIZE}" = "323584" ]; then
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot-ext"
+ else
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin"
+ fi
+else
+ if [ "${BL33_SIZE}" = "389120" ]; then
+ ## +64k
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-1
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot-1"
+ elif [ "${BL33_SIZE}" = "454656" ]; then
+ ## +128k
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-2
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot-2"
+ else
+ ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot
+ EXEC_ARGS="${EXEC_ARGS} --infile-template-device-fip-header=${BASEDIR_DEVICE_TEMPLATE}/device-fip-header.bin.fastboot"
+ fi
+fi
+
#
# Main
#
diff --git a/c3/generate-device-keys/bin/export_dv_scs_signing_keys.sh b/c3/generate-device-keys/bin/export_dv_scs_signing_keys.sh
index ca3e23f..087295c 100755
--- a/c3/generate-device-keys/bin/export_dv_scs_signing_keys.sh
+++ b/c3/generate-device-keys/bin/export_dv_scs_signing_keys.sh
@@ -228,6 +228,12 @@
EXPORT_FILES+="${BASEDIR_BOOTBLOBS_TEMPLATE_ROOT}/bb1st.bin "
EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot-1 "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot-2 "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot-ext "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot-ext-1 "
+EXPORT_FILES+="${BASEDIR_FIP_TEMPLATE_ROOT}/device-fip-header.bin.fastboot-ext-2 "
for f in $EXPORT_FILES
do
diff --git a/c3/generate-device-keys/bin/gen_device_aes_protkey.sh b/c3/generate-device-keys/bin/gen_device_aes_protkey.sh
index 929bde5..c008c1f 100755
--- a/c3/generate-device-keys/bin/gen_device_aes_protkey.sh
+++ b/c3/generate-device-keys/bin/gen_device_aes_protkey.sh
@@ -269,12 +269,54 @@
BB1ST_ARGS="${BB1ST_ARGS} --outfile-protkey-bl33=${BASEDIR_OUTPUT_PROTKEY}/genkey-prot-bl33.bin"
BB1ST_ARGS="${BB1ST_ARGS} --outfile-protkey-krnl=${BASEDIR_OUTPUT_PROTKEY}/genkey-prot-krnl.bin"
+### compact Device FIP Header
+BB1ST_ARGS="${BB1ST_ARGS} --header-layout=compact"
+
echo ${TOOLS_ARGS}
#
# Main
#
+
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-1
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot-1
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-2
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot-2
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot-ext
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext-1
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot-ext-1
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool-fastboot-ext-2
+${ACPU_IMAGETOOL} \
+ create-device-fip \
+ ${BB1ST_ARGS}
+mv ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin ${BASEDIR_OUTPUT_BLOB}/device-fip-header.bin.fastboot-ext-2
+
+ACPU_IMAGETOOL=${EXEC_BASEDIR}/../../binary-tool/acpu-imagetool
${ACPU_IMAGETOOL} \
create-device-fip \
${BB1ST_ARGS}
diff --git a/c3/generate-device-keys/bin/gen_device_root_cert.sh b/c3/generate-device-keys/bin/gen_device_root_cert.sh
index 1e1b5a8..b8b3dcd 100755
--- a/c3/generate-device-keys/bin/gen_device_root_cert.sh
+++ b/c3/generate-device-keys/bin/gen_device_root_cert.sh
@@ -38,6 +38,27 @@
done
}
+rsa_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_key=$4
+
+ echo "Copy $chain_num RSA key ..."
+
+ for f in $files
+ do
+ local kpriv="$path/$f-priv.pem"
+ local kpub="$path/$f-pub.pem"
+ local src_kpriv="$path/$src_key-priv.pem"
+ local src_kpub="$path/$src_key-pub.pem"
+ cp $src_kpriv $kpriv
+ cp $src_kpub $kpub
+ echo $kpriv
+ echo $kpub
+ done
+}
+
ek_gen() {
local chain_num=$1
local path=$2
@@ -54,6 +75,22 @@
done
}
+ek_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_file=$4
+
+ echo "Copy $chain_num EKs ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ cp "$path/$src_file" $file
+ echo $file
+ done
+}
+
nonce_gen() {
local chain_num=$1
local path=$2
@@ -70,6 +107,22 @@
done
}
+nonce_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_file=$4
+
+ echo "Copy $chain_num NONCE ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ cp "$path/$src_file" $file
+ echo $file
+ done
+}
+
usage() {
cat << EOF
Usage: $(basename $0) --help | --version
@@ -227,8 +280,12 @@
mkdir -p $fip_rsa_path/nonce
echo "Generate ${stage^^} chain #$i certificate"
- rsa_gen $i "$fip_rsa_path/key" "bl30-level-3-rsa bl31-level-3-rsa bl32-level-3-rsa bl33-level-3-rsa bl40-level-3-rsa krnl-level-3-rsa" $size
- ek_gen $i "$fip_rsa_path/epk" "bl30-lvl3cert-epks.bin bl31-lvl3cert-epks.bin bl32-lvl3cert-epks.bin bl33-lvl3cert-epks.bin bl40-lvl3cert-epks.bin krnl-lvl3cert-epks.bin"
- nonce_gen $i "$fip_rsa_path/nonce" "bl30-dvlvl3cert-nonce.bin bl31-dvlvl3cert-nonce.bin bl32-dvlvl3cert-nonce.bin bl33-dvlvl3cert-nonce.bin bl40-dvlvl3cert-nonce.bin krnl-dvlvl3cert-nonce.bin"
+ rsa_gen $i "$fip_rsa_path/key" "bl30-level-3-rsa krnl-level-3-rsa" $size
+ ek_gen $i "$fip_rsa_path/epk" "bl30-lvl3cert-epks.bin krnl-lvl3cert-epks.bin"
+ nonce_gen $i "$fip_rsa_path/nonce" "bl30-dvlvl3cert-nonce.bin krnl-dvlvl3cert-nonce.bin"
+
+ rsa_copy $i "$fip_rsa_path/key" "bl31-level-3-rsa bl32-level-3-rsa bl33-level-3-rsa bl40-level-3-rsa" "bl30-level-3-rsa"
+ ek_copy $i "$fip_rsa_path/epk" "bl31-lvl3cert-epks.bin bl32-lvl3cert-epks.bin bl33-lvl3cert-epks.bin bl40-lvl3cert-epks.bin" "bl30-lvl3cert-epks.bin"
+ nonce_copy $i "$fip_rsa_path/nonce" "bl31-dvlvl3cert-nonce.bin bl32-dvlvl3cert-nonce.bin bl33-dvlvl3cert-nonce.bin bl40-dvlvl3cert-nonce.bin" "bl30-dvlvl3cert-nonce.bin"
done
fi
diff --git a/c3/generate-device-keys/convert-dv-keys-compact.sh b/c3/generate-device-keys/convert-dv-keys-compact.sh
new file mode 100755
index 0000000..dec2d5a
--- /dev/null
+++ b/c3/generate-device-keys/convert-dv-keys-compact.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+#set -x
+set -o pipefail
+set -o errexit
+set -o errtrace
+trap "{ echo Error: Line $LINENO \"$BASH_COMMAND\" returned $? ; exit 1; }" ERR
+
+rsa_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_key=$4
+
+ echo "Copy $chain_num RSA key ..."
+
+ for f in $files
+ do
+ local kpriv="$path/$f-priv.pem"
+ local kpub="$path/$f-pub.pem"
+ local src_kpriv="$path/$src_key-priv.pem"
+ local src_kpub="$path/$src_key-pub.pem"
+ cp $src_kpriv $kpriv
+ cp $src_kpub $kpub
+ echo $kpriv
+ echo $kpub
+ done
+}
+
+ek_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_file=$4
+
+ echo "Copy $chain_num EKs ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ cp "$path/$src_file" $file
+ echo $file
+ done
+}
+
+nonce_copy() {
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local src_file=$4
+
+ echo "Copy $chain_num NONCE ..."
+
+ for f in $files
+ do
+ local file="$path/$f"
+ cp "$path/$src_file" $file
+ echo $file
+ done
+}
+
+kd="${1:-}"
+if [ -z "$kd" ] || [ ! -d "$kd" ]; then
+ echo "Usage: $0 dv_scs_keys"
+ echo "Convert dv_scs_keys key directory to compact version."
+ exit 1
+fi
+
+if [ ! -d "$kd/boot-blobs" ] &&
+ [ ! -d "$kd/fip" ] &&
+ [ ! -d "$kd/root" ]; then
+ echo "Error: Unable to find boot-blobs, fip or root directories"
+ exit 1
+fi
+
+if [ -d "$kd/fip/rsa" ]; then
+ for part in "$kd"/fip/rsa/*; do
+ part="${part%/}"
+ for i in 0 1 2 3
+ do
+ fip_rsa_path=$part/rootrsa-${i}
+
+ rsa_copy $i "$fip_rsa_path/key" "bl31-level-3-rsa bl32-level-3-rsa bl33-level-3-rsa bl40-level-3-rsa" "bl30-level-3-rsa"
+ ek_copy $i "$fip_rsa_path/epk" "bl31-lvl3cert-epks.bin bl32-lvl3cert-epks.bin bl33-lvl3cert-epks.bin bl40-lvl3cert-epks.bin" "bl30-lvl3cert-epks.bin"
+ nonce_copy $i "$fip_rsa_path/nonce" "bl31-dvlvl3cert-nonce.bin bl32-dvlvl3cert-nonce.bin bl33-dvlvl3cert-nonce.bin bl40-dvlvl3cert-nonce.bin" "bl30-dvlvl3cert-nonce.bin"
+ done
+ done
+fi
+
+
+
+
diff --git a/c3/variable_soc.sh b/c3/variable_soc.sh
index 3cb9f87..463f537 100755
--- a/c3/variable_soc.sh
+++ b/c3/variable_soc.sh
@@ -88,6 +88,15 @@
"blob-bl40${CHIPSET_VARIANT_SUFFIX}.bin.signed")
fi
+declare -a BLX_BIN_CLEAR_NAME=("bb1st.sto.bin.signed" \
+ "bb1st.usb.bin.signed" \
+ "blob-bl2e.sto.bin.signed" \
+ "blob-bl2e.usb.bin.signed" \
+ "blob-bl2x.bin.signed" \
+ "blob-bl31.bin.signed" \
+ "blob-bl32.bin.signed" \
+ "blob-bl40.bin.signed")
+
## c3 old aw402s
if [ "" != "${CHIPSET_VARIANT_MIN_SUFFIX}" ] && [ "${CONFIG_TEE_TYPE}" == "" ] && [ "fastboot" == "${CONFIG_CHIPSET_VARIANT}" ]; then
declare -a BLX_BIN_SIZE=("169984" \