Merge "common: build linux security dm-v ramboot"
@ -111,10 +111,15 @@ function prebuild_uboot()
|
||||
UBOOT_COMPILE_COMMANDS="$(echo $UBOOT_COMPILE_COMMANDS)"
|
||||
fi
|
||||
|
||||
if [ "$RK_SECURITY_OTP_DEBUG" != "true" ]; then
|
||||
UBOOT_COMPILE_COMMANDS="$UBOOT_COMPILE_COMMANDS --burn-key-hash"
|
||||
fi
|
||||
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
|
||||
UBOOT_COMPILE_COMMANDS=" \
|
||||
--boot_img $TOP_DIR/u-boot/boot.img \
|
||||
--burn-key-hash $UBOOT_COMPILE_COMMANDS \
|
||||
--recovery_img $TOP_DIR/u-boot/recovery.img \
|
||||
$UBOOT_COMPILE_COMMANDS \
|
||||
${RK_ROLLBACK_INDEX_BOOT:+--rollback-index-boot $RK_ROLLBACK_INDEX_BOOT} \
|
||||
${RK_ROLLBACK_INDEX_UBOOT:+--rollback-index-uboot $RK_ROLLBACK_INDEX_UBOOT} "
|
||||
UBOOT_COMPILE_COMMANDS="$(echo $UBOOT_COMPILE_COMMANDS)"
|
||||
@ -241,6 +246,9 @@ function usage()
|
||||
echo "app/<pkg> -build packages in the dir of app/*"
|
||||
echo "external/<pkg> -build packages in the dir of external/*"
|
||||
echo ""
|
||||
echo "security-rootfs -build rootfs and some relevant images with security paramter"
|
||||
echo "security-boot -build boot with security paramter"
|
||||
echo ""
|
||||
echo "Default option is 'allsave'."
|
||||
}
|
||||
|
||||
@ -461,7 +469,12 @@ function build_uboot(){
|
||||
else
|
||||
build_kernel
|
||||
fi
|
||||
|
||||
if [ -n "$RK_CFG_RECOVERY" ]; then
|
||||
build_recovery
|
||||
fi
|
||||
cp -f $TOP_DIR/rockdev/boot.img $TOP_DIR/u-boot/boot.img
|
||||
cp -f $TOP_DIR/rockdev/recovery.img $TOP_DIR/u-boot/recovery.img || true
|
||||
fi
|
||||
|
||||
cd u-boot
|
||||
@ -494,6 +507,7 @@ function build_uboot(){
|
||||
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
|
||||
ln -rsf $TOP_DIR/u-boot/boot.img $TOP_DIR/rockdev/
|
||||
ln -rsf $TOP_DIR/u-boot/recovery.img $TOP_DIR/rockdev/ || true
|
||||
fi
|
||||
|
||||
finish_build
|
||||
@ -756,6 +770,9 @@ function build_recovery(){
|
||||
/usr/bin/time -f "you take %E to build recovery" \
|
||||
$COMMON_DIR/mk-ramdisk.sh recovery.img $RK_CFG_RECOVERY
|
||||
|
||||
ln -rsf buildroot/output/$RK_CFG_RECOVERY/images/recovery.img \
|
||||
rockdev/recovery.img
|
||||
|
||||
finish_build
|
||||
}
|
||||
|
||||
@ -1046,6 +1063,27 @@ for option in ${OPTIONS}; do
|
||||
multi-npu_boot) build_multi-npu_boot ;;
|
||||
info) build_info ;;
|
||||
app/*|external/*) build_pkg $option ;;
|
||||
security-rootfs)
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" != "true" ]; then
|
||||
echo "No security paramter found in .BoardConfig.mk"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
build_rootfs
|
||||
build_ramboot
|
||||
build_uboot
|
||||
echo "please update rootfs.img / boot.img / uboot.img"
|
||||
;;
|
||||
security-boot)
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" != "true" ]; then
|
||||
echo "No security paramter found in .BoardConfig.mk"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
build_kernel
|
||||
build_ramboot
|
||||
build_uboot
|
||||
;;
|
||||
*) usage ;;
|
||||
esac
|
||||
done
|
||||
|
||||
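Review bot: Both new dispatch arms, `security-rootfs)` and `security-boot)`, end with `exit 0` when `RK_RAMDISK_SECURITY_BOOTUP` is not `true`, so a caller that asked for a secured image gets a success status although nothing was built or signed. A non-zero status with the message on stderr, `echo "No security parameter found in .BoardConfig.mk" >&2; exit 1`, lets automation stop instead of packaging whatever images are already in rockdev. In the `build_uboot` hunk, `cp -f $TOP_DIR/rockdev/recovery.img $TOP_DIR/u-boot/recovery.img || true` hides a missing recovery image, while `prebuild_uboot` passes `--recovery_img $TOP_DIR/u-boot/recovery.img` whenever security bootup is on. A recovery.img left over from an earlier build could therefore presumably be the one that gets signed; copying only inside the `if [ -n "$RK_CFG_RECOVERY" ]` block and removing the old copy otherwise would avoid that. Both functions continue outside the hunks shown.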
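--- a/common/mk-dm.sh
+++ b/common/mk-dm.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+set -ex
+
+MODE=$1
+INPUT=`readlink -f $2`
+
+OUTPUT=`dirname $INPUT`
+COMMON_DIR=$(cd `dirname $0`; pwd)
+if [ -h $0 ]
+then
+CMD=$(readlink $0)
+COMMON_DIR=$(dirname $CMD)
+fi
+cd $COMMON_DIR
+cd ../../..
+TOP_DIR=$(pwd)
+
+BOARD_CONFIG=$TOP_DIR/device/rockchip/.BoardConfig.mk
+source $BOARD_CONFIG
+
+TEMPDIR=${OUTPUT}/tempfile
+ROOTFS=${OUTPUT}/dmv.img
+ROOT_HASH=${TEMPDIR}/root.hash
+ROOT_HASH_OFFSET=${TEMPDIR}/root.offset
+INIT_FILE=${TOP_DIR}/buildroot/board/rockchip/common/security-ramdisk-overlay/init
+PARTITION_CMD=`cat $TOP_DIR/device/rockchip/${RK_TARGET_PRODUCT}/${RK_PARAMETER} | grep CMDLINE`
+
+if [ -z "`echo ${PARTITION_CMD} | grep \(rootfs\)`" ]; then
+echo -e "\033[41;1m ERROR: no rootfs in parameter \033[0m"
+exit -1
+fi
+
+PARTITION_NUM=`echo ${PARTITION_CMD} | sed "s/\(rootfs\).*/,/g" | grep -o , | wc -l`
+ROOTFS_INFO=`ls -l ${INPUT}`
+
+PACK=TRUE
+if [ -e ${OUTPUT}/rootfs.info ]; then
+if [ "`cat ${OUTPUT}/rootfs.info`" = "`ls -l ${INPUT}`" ]; then
+PACK=FALSE
+else
+echo "`ls -l $INPUT`" > ${OUTPUT}/rootfs.info
+fi
+else
+echo "`ls -l $INPUT`" > ${OUTPUT}/rootfs.info
+fi
+
+if [ "$PACK" = "TRUE" ]; then
+test -d ${TEMPDIR} || mkdir -p ${TEMPDIR}
+cp ${INPUT} ${ROOTFS}
+ROOTFS_SIZE=`ls ${ROOTFS} -l | awk '{printf $5}'`
+HASH_OFFSET=$[(ROOTFS_SIZE / 1024 / 1024 + 2) * 1024 * 1024]
+tempfile=`mktemp /tmp/temp.XXXXXX`
+veritysetup --hash-offset=${HASH_OFFSET} format ${ROOTFS} ${ROOTFS} > ${tempfile}
+cat ${tempfile} | grep "Root hash" | awk '{printf $3}' > ${ROOT_HASH}
+
+cp ${tempfile} ${TEMPDIR}/tempfile
+rm ${tempfile}
+echo ${HASH_OFFSET} > ${ROOT_HASH_OFFSET}
+fi
+
+cp ${TOP_DIR}/buildroot/board/rockchip/common/security-ramdisk-overlay/init.in ${INIT_FILE}
+TMP_HASH=`cat ${ROOT_HASH}`
+TMP_OFFSET=`cat ${ROOT_HASH_OFFSET}`
+sed -i "s/OFFSET=/OFFSET=${TMP_OFFSET}/" ${INIT_FILE}
+sed -i "s/HASH=/HASH=${TMP_HASH}/" ${INIT_FILE}
+sed -i "s/BLOCK=/BLOCK=${PARTITION_NUM}/" ${INIT_FILE}
+
+# sed -i "/exec \/sbin/i\#/usr/sbin/veritysetup --hash-offset=${TMP_OFFSET} create vroot /dev/mmcblk0p3 ${TMP_HASH}" ${INIT_FILE}
+sed -i "s/# exec busybox switch_root/exec busybox switch_root/" ${INIT_FILE}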
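Review bot: `rootfs.info` is written before `veritysetup` runs, and the `PACK=FALSE` path never checks that `root.hash`, `root.offset` and `dmv.img` exist or belong to the current input. If the format step fails once (the script exits under `set -e`), the next run sees a matching `rootfs.info`, skips packing and substitutes whatever hash is left in `tempfile/` into the ramdisk `init`, or an empty one, since without `pipefail` a `grep "Root hash"` miss does not stop the script. The stamp should be written only after a successful format and the hash checked for being non-empty before the `sed` calls; quoting `$INPUT`, `$0` and the other path expansions would also keep paths with spaces from breaking the script. `ls -l` compares size and mtime only, so a content digest would be a sturdier key. A sketch of the cache logic follows.

```shell
PACK=TRUE
# Reuse the previous result only if every artifact it produced is still present.
if [ -s "${ROOT_HASH}" ] && [ -s "${ROOT_HASH_OFFSET}" ] && [ -e "${ROOTFS}" ] &&
   [ -e "${OUTPUT}/rootfs.info" ] &&
   [ "$(cat "${OUTPUT}/rootfs.info")" = "$(ls -l "${INPUT}")" ]; then
	PACK=FALSE
fi

if [ "$PACK" = "TRUE" ]; then
	rm -f "${OUTPUT}/rootfs.info"
	# … unchanged: copy rootfs, compute HASH_OFFSET, run veritysetup, write root.hash and root.offset …
	[ -s "${ROOT_HASH}" ] || { echo "ERROR: veritysetup printed no root hash" >&2; exit 1; }
	# Stamp the input only after a successful format.
	ls -l "${INPUT}" > "${OUTPUT}/rootfs.info"
fi
```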
@ -1,6 +1,48 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
rk_ramdisk_security_bootup_normal()
|
||||
{
|
||||
echo "[$0] Build ramdisk with sha256 digest"
|
||||
ROOTFS_IMAGE_DIGEST=$(dirname $ROOTFS_IMAGE)/ramdisk.gz.digest
|
||||
|
||||
openssl dgst -sha256 -binary -out $ROOTFS_IMAGE_DIGEST $ROOTFS_IMAGE || exit 1
|
||||
rootfs_image_digest_size=$(du -b $ROOTFS_IMAGE |sed -r -e 's/[[:space:]]+.*$//')
|
||||
|
||||
if [ "$RK_ARCH" == "arm" ]; then
|
||||
kernel_dts_file="kernel/arch/arm/boot/dts/$RK_KERNEL_DTS.dts"
|
||||
else
|
||||
kernel_dts_file="kernel/arch/arm64/boot/dts/rockchip/$RK_KERNEL_DTS.dts"
|
||||
fi
|
||||
|
||||
cp $kernel_dts_file ${kernel_dts_file}.backup
|
||||
cat << EOF >> ${kernel_dts_file}
|
||||
&ramdisk_c {
|
||||
size = <$rootfs_image_digest_size>;
|
||||
hash {
|
||||
algo = "sha256";
|
||||
value = /incbin/("$ROOTFS_IMAGE_DIGEST");
|
||||
};
|
||||
};
|
||||
EOF
|
||||
./build.sh kernel
|
||||
mv ${kernel_dts_file}.backup $kernel_dts_file
|
||||
}
|
||||
|
||||
rk_ramdisk_build_init()
|
||||
{
|
||||
echo "Try to build init for $1"
|
||||
|
||||
SYSTEM_IMAGE=$TOP_DIR/buildroot/output/$RK_CFG_BUILDROOT/images/rootfs.squashfs
|
||||
if [ ! -e "$SYSTEM_IMAGE" ]; then
|
||||
echo "ERROR: Please build system first"
|
||||
exit -1
|
||||
fi
|
||||
|
||||
$COMMON_DIR/mk-dm.sh dm-v $SYSTEM_IMAGE
|
||||
}
|
||||
|
||||
COMMON_DIR=$(cd `dirname $0`; pwd)
|
||||
if [ -h $0 ]
|
||||
then
|
||||
@ -56,6 +98,17 @@ fi
|
||||
|
||||
eval ROOTFS_IMAGE=\$${RAMDISK_TYPE}_IMG
|
||||
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
|
||||
case "$RK_SYSTEM_CHECK_METHOD" in
|
||||
"DM-V")
|
||||
rk_ramdisk_build_init "DM-V"
|
||||
;;
|
||||
# TODO: add DM-S for system encrypt
|
||||
*)
|
||||
echo "do nothing ($RK_SYSTEM_CHECK_METHOD)"
|
||||
esac
|
||||
fi
|
||||
|
||||
# build ramdisk
|
||||
echo "====Start build $RAMDISK_CFG===="
|
||||
$TOP_DIR/buildroot/utils/brmake
|
||||
@ -81,30 +134,9 @@ fi
|
||||
echo -n "pack $RAMDISK_IMG..."
|
||||
if [ -f "$TOP_DIR/device/rockchip/$RK_TARGET_PRODUCT/$RK_RECOVERY_FIT_ITS" ];then
|
||||
if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
|
||||
echo "[$0] Build ramdisk with sha256 digest"
|
||||
ROOTFS_IMAGE_DIGEST=$(dirname $ROOTFS_IMAGE)/ramdisk.gz.digest
|
||||
|
||||
openssl dgst -sha256 -binary -out $ROOTFS_IMAGE_DIGEST $ROOTFS_IMAGE || exit 1
|
||||
rootfs_image_digest_size=$(du -b $ROOTFS_IMAGE |sed -r -e 's/[[:space:]]+.*$//')
|
||||
|
||||
if [ "$RK_ARCH" == "arm" ]; then
|
||||
kernel_dts_file="kernel/arch/arm/boot/dts/$RK_KERNEL_DTS.dts"
|
||||
else
|
||||
kernel_dts_file="kernel/arch/arm64/boot/dts/rockchip/$RK_KERNEL_DTS.dts"
|
||||
if [ -z "$RK_SYSTEM_CHECK_METHOD" ]; then
|
||||
rk_ramdisk_security_bootup_normal $0
|
||||
fi
|
||||
|
||||
cp $kernel_dts_file ${kernel_dts_file}.backup
|
||||
cat << EOF >> ${kernel_dts_file}
|
||||
&ramdisk_c {
|
||||
size = <$rootfs_image_digest_size>;
|
||||
hash {
|
||||
algo = "sha256";
|
||||
value = /incbin/("$ROOTFS_IMAGE_DIGEST");
|
||||
};
|
||||
};
|
||||
EOF
|
||||
./build.sh kernel
|
||||
mv ${kernel_dts_file}.backup $kernel_dts_file
|
||||
fi
|
||||
|
||||
$COMMON_DIR/mk-fitimage.sh $TARGET_IMAGE $TOP_DIR/device/rockchip/$RK_TARGET_PRODUCT/$RK_RECOVERY_FIT_ITS $ROOTFS_IMAGE $KERNEL_IMAGE
|
||||
|
||||
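Review bot: The `*)` arm of the new `case "$RK_SYSTEM_CHECK_METHOD"` only prints `do nothing (...)`, so with `RK_RAMDISK_SECURITY_BOOTUP=true` a misspelled or unsupported method (for example a lower-case `dm-v`) builds without the dm-verity init. The later `if [ -z "$RK_SYSTEM_CHECK_METHOD" ]` guard then also skips `rk_ramdisk_security_bootup_normal`, because the value is non-empty. The image would be packed with neither check while the build reports success. I would let the empty value pass explicitly and reject everything else: `"") ;;` followed by `*) echo "ERROR: unsupported RK_SYSTEM_CHECK_METHOD ($RK_SYSTEM_CHECK_METHOD)" >&2; exit 1 ;;`. Which lines of the last hunk are old and which are new is inferred from the rendered page, so confirm the guard against the file.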
@ -340,6 +340,16 @@ if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
|
||||
then
|
||||
echo -n "Enable ramdisk security bootup, create boot.img..."
|
||||
ln -rsf $TOP_DIR/u-boot/boot.img $ROCKDEV/boot.img
|
||||
if [ -e ${ROCKDEV}/recovery.img ]; then
|
||||
echo "Enable ramdisk security bootup, create recovery.img..."
|
||||
ln -rsf $TOP_DIR/u-boot/recovery.img $ROCKDEV/recovery.img
|
||||
fi
|
||||
|
||||
if [ -e $TOP_DIR/buildroot/output/$RK_CFG_BUILDROOT/images/dmv.img ]; then
|
||||
echo "Enable ramdisk security bootup, create rootfs.img..."
|
||||
ln -rsf $TOP_DIR/buildroot/output/$RK_CFG_BUILDROOT/images/dmv.img $ROCKDEV/rootfs.img
|
||||
fi
|
||||
|
||||
echo "done."
|
||||
else
|
||||
echo "warning: $TOP_DIR/u-boot/boot.img not found!"
|
||||
|
||||
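Review bot: The new `rootfs.img` link is gated on `[ -e .../dmv.img ]` rather than on the configured check method, so the result depends on what happens to be in the buildroot images directory. If DM-V is configured and `dmv.img` is missing, `rootfs.img` silently stays whatever it pointed to before (presumably the unprotected rootfs), and if DM-V was used in an earlier build a stale `dmv.img` is linked even though it may not match the hash in the current ramdisk. Suggest `if [ "$RK_SYSTEM_CHECK_METHOD" = "DM-V" ]; then` with a hard error when the file is absent, assuming that variable is available here as it is in the ramdisk script. Likewise the recovery branch tests `${ROCKDEV}/recovery.img` but links `$TOP_DIR/u-boot/recovery.img` without checking that it exists. The enclosing if/else starts and ends outside the hunk.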