From 90509a487d4ae20c3611d7ccddf9f937e551be68 Mon Sep 17 00:00:00 2001
From: Firefly
Date: Thu, 14 Jan 2016 10:09:45 +0800
Subject: [PATCH] [system/core] secure boot: add SHA256 support for boot,recovery image
Signed-off-by: Firefly
---
 system/core/mkbootimg/Android.mk | 1 -
 system/core/mkbootimg/bootimg.h | 4 ++++
 system/core/mkbootimg/mkbootimg.c | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/system/core/mkbootimg/Android.mk b/system/core/mkbootimg/Android.mk
index b27eb0d2e1..ca6fb66d44 100644
--- a/system/core/mkbootimg/Android.mk
+++ b/system/core/mkbootimg/Android.mk
@@ -13,7 +13,6 @@ LOCAL_CFLAGS := -DTARGET_ROCKCHIP_RECOVERY=true
 else
 LOCAL_CFLAGS := -DTARGET_ROCKCHIP_RECOVERY=false
 endif
-
 include $(BUILD_HOST_EXECUTABLE)
 $(call dist-for-goals,dist_files,$(LOCAL_BUILT_MODULE))
diff --git a/system/core/mkbootimg/bootimg.h b/system/core/mkbootimg/bootimg.h
index 9171d85a7b..0309a81a69 100644
--- a/system/core/mkbootimg/bootimg.h
+++ b/system/core/mkbootimg/bootimg.h
@@ -49,6 +49,10 @@ struct boot_img_hdr
 unsigned id[8]; /* timestamp / checksum / sha1 / etc */
+ unsigned unused2[3]; /* future expansion: should be 0 */
+ unsigned sha_ext_flag; /* sha 256 or sha 512*/
+ unsigned sha_ext[16]; /* sha 256 or sha 512*/
+
 /* Supplemental command line data; kept here to maintain
 * binary compatibility with older versions of mkbootimg */
 unsigned char extra_cmdline[BOOT_EXTRA_ARGS_SIZE];
diff --git a/system/core/mkbootimg/mkbootimg.c b/system/core/mkbootimg/mkbootimg.c
index 6491367f5a..079439645f 100644
--- a/system/core/mkbootimg/mkbootimg.c
+++ b/system/core/mkbootimg/mkbootimg.c
@@ -23,6 +23,7 @@
 #include
 #include "mincrypt/sha.h"
+#include "mincrypt/sha256.h"
 #include "bootimg.h"
 static void *load_file(const char *fn, unsigned *_sz)
@@ -112,6 +113,7 @@ int main(int argc, char **argv)
 #endif
 int fd;
 SHA_CTX ctx;
+ SHA256_CTX ctx256;
 const uint8_t* sha;
 unsigned base = 0x10000000;
 unsigned kernel_offset = 0x00008000;
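Review bot: In the bootimg.h hunk, `unused2`, `sha_ext_flag` and `sha_ext` are inserted between `id[8]` and `extra_cmdline`, so `extra_cmdline` moves 20 words further into the header, while the comment directly below says that field sits where it does to keep binary compatibility with older mkbootimg versions. Nothing visible in the hunk (no magic or version change) lets a consumer tell the old layout from the new one, so a loader or unpack tool built against the old struct would read digest bytes as command-line text. If the verifying loader does not already depend on this layout, appending the three fields after `extra_cmdline` keeps the existing offsets stable; either way the flag deserves a precise comment such as `unsigned sha_ext_flag; /* bit length of the digest in sha_ext; mkbootimg writes 256 */`. `struct boot_img_hdr` begins and ends outside the hunk.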
@@ -264,6 +266,25 @@ int main(int argc, char **argv)
 memcpy(hdr.id, sha,
 SHA_DIGEST_SIZE > sizeof(hdr.id) ? sizeof(hdr.id) : SHA_DIGEST_SIZE);
+ hdr.sha_ext_flag = 256;
+ SHA256_init(&ctx256);
+ SHA256_update(&ctx256, kernel_data, hdr.kernel_size);
+ SHA256_update(&ctx256, &hdr.kernel_size, sizeof(hdr.kernel_size));
+ SHA256_update(&ctx256, ramdisk_data, hdr.ramdisk_size);
+ SHA256_update(&ctx256, &hdr.ramdisk_size, sizeof(hdr.ramdisk_size));
+ SHA256_update(&ctx256, second_data, hdr.second_size);
+ SHA256_update(&ctx256, &hdr.second_size, sizeof(hdr.second_size));
+#if TARGET_ROCKCHIP_RECOVERY == true
+ SHA256_update(&ctx256, &hdr.tags_addr, sizeof(hdr.tags_addr));
+ SHA256_update(&ctx256, &hdr.page_size, sizeof(hdr.page_size));
+ SHA256_update(&ctx256, &hdr.unused, sizeof(hdr.unused));
+ SHA256_update(&ctx256, &hdr.name, sizeof(hdr.name));
+ SHA256_update(&ctx256, &hdr.cmdline, sizeof(hdr.cmdline));
+#endif
+ sha = SHA256_final(&ctx256);
+ memcpy(hdr.sha_ext, sha,
+ SHA256_DIGEST_SIZE > sizeof(hdr.sha_ext) ? sizeof(hdr.sha_ext) : SHA256_DIGEST_SIZE);
+
 fd = open(bootimg, O_CREAT | O_TRUNC | O_WRONLY, 0644);
 if(fd < 0) {
 fprintf(stderr,"error: could not create '%s'\n", bootimg);
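Review bot: In a build where `TARGET_ROCKCHIP_RECOVERY` is false, the new SHA-256 digest covers only the kernel, ramdisk and second-stage payloads and their sizes, so `hdr.cmdline`, `hdr.name`, `hdr.page_size` and `hdr.tags_addr` can change without changing `sha_ext`; `hdr.extra_cmdline` is not hashed in either build. For a digest meant to back secure boot, the kernel command line is worth binding because it is consumed before any later policy is applied. If the on-device verifier can be updated in step, hash these fields unconditionally, e.g. `SHA256_update(&ctx256, &hdr.cmdline, sizeof(hdr.cmdline));` and `SHA256_update(&ctx256, &hdr.extra_cmdline, sizeof(hdr.extra_cmdline));` outside the `#if`; otherwise add a comment above `SHA256_init` stating exactly which fields the digest covers in each build. Separately, `#if TARGET_ROCKCHIP_RECOVERY == true` only distinguishes the two -D values if `true` and `false` are macros at that point (for example via stdbool.h, which this page does not show); if they are not, both sides evaluate to 0 and the block is always compiled. `main` starts and ends outside the hunk.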