From aaafb2b0a0c2482730db3a367f24d24353f093f4 Mon Sep 17 00:00:00 2001
From: Weiwen Chen
Date: Thu, 25 Mar 2021 14:46:16 +0800
Subject: [PATCH] common: support build ramdisk security firmware
Signed-off-by: Weiwen Chen
Change-Id: I641a364263a61ded19b6c9603a4048cdba8205c5
---
 common/mk-fitimage.sh | 7 +++++++
 common/mk-ramdisk.sh | 28 ++++++++++++++++++++++++++++
 common/mkfirmware.sh | 11 +++++++++++
 3 files changed, 46 insertions(+)
diff --git a/common/mk-fitimage.sh b/common/mk-fitimage.sh
index 0478973..1bea464 100755
--- a/common/mk-fitimage.sh
+++ b/common/mk-fitimage.sh
@@ -93,6 +93,13 @@ do
 continue
 fi
+ if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
+ if echo $line | grep -wq "uboot-ignore"; then
+ echo "Enable Security boot, Skip uboot-ignore ..."
+ continue
+ fi
+ fi
+
 echo "$line" >> $target_its_file
 done < $src_its_file
diff --git a/common/mk-ramdisk.sh b/common/mk-ramdisk.sh
index 59c6b29..4ac7e6e 100755
--- a/common/mk-ramdisk.sh
+++ b/common/mk-ramdisk.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
+set -e
 COMMON_DIR=$(cd `dirname $0`; pwd)
 if [ -h $0 ]
 then
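Review bot: In the added test `if echo $line | grep -wq "uboot-ignore"` in mk-fitimage.sh, the unquoted `$line` is word-split and glob-expanded before grep sees it, and `echo` treats a line that starts with `-n` or `-e` as an option. The filter therefore does not necessarily match the same text that `echo "$line"` writes to the target ITS a few lines later. Since this test decides which ITS lines are dropped in a secure-boot build, it should run on the exact line: `if printf '%s\n' "$line" | grep -wq "uboot-ignore"; then`. A one-line comment saying why `uboot-ignore` lines are removed when RK_RAMDISK_SECURITY_BOOTUP is true would also help. The enclosing read loop starts outside the hunk.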
@@ -79,6 +80,33 @@ fi
 echo -n "pack $RAMDISK_IMG..."
 if [ -f "$TOP_DIR/device/rockchip/$RK_TARGET_PRODUCT/$RK_RECOVERY_FIT_ITS" ];then
+ if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
+ echo "[$0] Build ramdisk with sha256 digest"
+ ROOTFS_IMAGE_DIGEST=$(dirname $ROOTFS_IMAGE)/ramdisk.gz.digest
+
+ openssl dgst -sha256 -binary -out $ROOTFS_IMAGE_DIGEST $ROOTFS_IMAGE || exit 1
+ rootfs_image_digest_size=$(du -b $ROOTFS_IMAGE |sed -r -e 's/[[:space:]]+.*$//')
+
+ if [ "$RK_ARCH" == "arm" ]; then
+ kernel_dts_file="kernel/arch/arm/boot/dts/$RK_KERNEL_DTS.dts"
+ else
+ kernel_dts_file="kernel/arch/arm64/boot/dts/rockchip/$RK_KERNEL_DTS.dts"
+ fi
+
+ cp $kernel_dts_file ${kernel_dts_file}.backup
+cat << EOF >> ${kernel_dts_file}
+&ramdisk_c {
+ size = <$rootfs_image_digest_size>;
+ hash {
+ algo = "sha256";
+ value = /incbin/("$ROOTFS_IMAGE_DIGEST");
+ };
+};
+EOF
+ ./build.sh kernel
+ mv ${kernel_dts_file}.backup $kernel_dts_file
+ fi
+
 $COMMON_DIR/mk-fitimage.sh $TARGET_IMAGE $TOP_DIR/device/rockchip/$RK_TARGET_PRODUCT/$RK_RECOVERY_FIT_ITS $ROOTFS_IMAGE $KERNEL_IMAGE
 else
 $TOP_DIR/kernel/scripts/mkbootimg --kernel $KERNEL_IMAGE --ramdisk $ROOTFS_IMAGE --second $KERNEL_DTB -o $TARGET_IMAGE
diff --git a/common/mkfirmware.sh b/common/mkfirmware.sh
index 5a56d6f..f41bdfe 100755
--- a/common/mkfirmware.sh
+++ b/common/mkfirmware.sh
@@ -332,6 +332,17 @@ then
 fi
 fi
+if [ "$RK_RAMDISK_SECURITY_BOOTUP" = "true" ];then
+ if [ -f $TOP_DIR/u-boot/boot.img ]
+ then
+ echo -n "Enable ramdisk security bootup, create boot.img..."
+ ln -rsf $TOP_DIR/u-boot/boot.img $ROCKDEV/boot.img
+ echo "done."
+ else
+ echo "warning: $TOP_DIR/u-boot/boot.img not found!"
+ fi
+fi
+
 check_partition_size
 echo -e "\e[36m Image: image in rockdev is ready \e[0m"
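Review bot: The kernel DTS is edited in place in mk-ramdisk.sh and restored only by the trailing `mv`. With the `set -e` this commit adds at the top of the file, a failed `./build.sh kernel` exits with the `&ramdisk_c` hash node still appended. The next run would then copy that modified file over `.backup` and append a second node. Restoring from an EXIT trap, as sketched below, covers every exit path; if the script already installs an EXIT trap outside the hunk, the restore should be folded into it. Separately, `rootfs_image_digest_size` holds the byte size of `$ROOTFS_IMAGE` rather than of the digest, and the relative `kernel/arch/...` and `./build.sh` paths assume the script runs from the SDK top directory.

```shell
    cp "$kernel_dts_file" "${kernel_dts_file}.backup"
    # Put the pristine DTS back on every exit path, including a set -e abort.
    trap 'mv -f "${kernel_dts_file}.backup" "$kernel_dts_file"' EXIT
    # … unchanged: heredoc appending the &ramdisk_c node …
    ./build.sh kernel
    mv -f "${kernel_dts_file}.backup" "$kernel_dts_file"
    trap - EXIT
```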
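Review bot: When RK_RAMDISK_SECURITY_BOOTUP is true and `$TOP_DIR/u-boot/boot.img` is missing, the `else` branch in mkfirmware.sh only prints a warning and the script continues to `check_partition_size` and the "image in rockdev is ready" message. `$ROCKDEV/boot.img` then keeps whatever an earlier step outside this hunk put there, presumably a boot image built without the ramdisk digest. A secure-boot build should stop here instead: `echo "error: $TOP_DIR/u-boot/boot.img not found!" >&2` followed by `exit 1`. The paths in the `[ -f ... ]` test and the `ln` call should also be quoted, e.g. `ln -rsf "$TOP_DIR/u-boot/boot.img" "$ROCKDEV/boot.img"`.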