40 lines
1.6 KiB
Plaintext
40 lines
1.6 KiB
Plaintext
|
1 To generate a key-pair:
|
|||
|
|
Execute the command:
|
|||
|
|
openssl genrsa -out rsa_priv.pem 2048
|
|||
|
|
|
|||
|
|
Upon the successful execution, openssl generates the key file named
|
|||
|
|
rsa_priv.pem file.
|
|||
|
|
2 Use rsa_sign.sh signing the image file
|
|||
|
|
./rsa_sign.sh u-boot-spl-header.bin rsa_priv.pem 0x100 0x4610
|
|||
|
|
0x100 is the image header length
|
|||
|
|
0x4610 is the offset of the signatrue and rsa public key
|
|||
|
|
3 Write the aes key and iv to the config file
|
|||
|
|
|
|||
|
|
4 Use aes_encode.sh encoding the image file
|
|||
|
|
./aes_encode.sh u-boot-spl-header.bin aes.cfg 0x100 0x4720
|
|||
|
|
0x100 is the image header length
|
|||
|
|
0x4720 is the length of the image data to be encoded
|
|||
|
|
|
|||
|
|
|
|||
|
|
例子:
|
|||
|
|
1 进行RSA加签(rsa_priv.perm已生成)
|
|||
|
|
./rsa_sign.sh u-boot-spl-header.img rsa_priv.pem 0x100
|
|||
|
|
2 配置aes.cfg文件中的KEY和IV
|
|||
|
|
KEY=13246BE7E1008B951110009325241312
|
|||
|
|
IV=262738393a3b4c4d4e4f000000000000
|
|||
|
|
3 进行AES CBC对称加密
|
|||
|
|
./aes_encode.sh u-boot-spl-header.img aes.cfg 0x100
|
|||
|
|
4 往EFUSE中写公钥的哈希值
|
|||
|
|
./nvmem-test write efuse0 0 16 hex:0514c6c1e96f57621685529aebc7808d
|
|||
|
|
./nvmem-test write efuse0 48 4 hex:dfe75c2b
|
|||
|
|
./nvmem-test write efuse1 48 12 hex:7a0d27c51991404701654a78
|
|||
|
|
5 向EFUSE ENTRY16开始写入128bit的AES的私钥,并LOCK AES私钥,AES私钥写入时,需要四字节大端模式
|
|||
|
|
./nvmem-test write efuse0 16 16 hex:E76B2413958B00E19300101112132425
|
|||
|
|
./nvmem-test write efuse0 60 4 hex:00000032
|
|||
|
|
6 使能安全启动
|
|||
|
|
./nvmem-test write efuse0 52 4 hex:04000000
|
|||
|
|
|
|||
|
|
其中nvmem-teset为写efuse的应用程序;
|
|||
|
|
使用签过名的u-boot-pdl-header.img u-boot-sdl.bin和u-boot-sdl-header.img u-boot.bin下载到flash对应分区,启动;
|
|||
|
|
|