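#!/bin/bash -e
#
# Rockchip SDK security build checks.
#
# Verifies that the U-Boot, kernel, Buildroot rootfs and ramdisk
# configurations carry the options a secure-boot / verified or encrypted
# rootfs build depends on, and that the signing/encryption key material
# exists under u-boot/keys. Every failed check exits non-zero so the
# surrounding build stops instead of producing an image that merely looks
# secured.
#
# Standalone:  <script> <keys|kernel|system|uboot|ramboot> <method> [args]
# From build.sh (RK_SESSION set): <script> <item> [config|dts]; the method
# and config paths are then derived from the RK_* build variables.

# The "-e" in the shebang is lost when this file is run as "bash <script>",
# so request it again: an unexpected failing command (dtc, grep, ...) must
# abort the check rather than let it pass by accident.
set -e

###################################################
# Location of this script and of the SDK tree (four directories above the
# scripts directory by default); both may be overridden from the environment.
RK_SCRIPTS_DIR="${RK_SCRIPTS_DIR:-$(dirname "$(realpath "$0")")}"
RK_SDK_DIR="${RK_SDK_DIR:-$RK_SCRIPTS_DIR/../../../..}"
UBOOT="$RK_SDK_DIR/u-boot"
KERNEL="$RK_SDK_DIR/kernel"
BUILDROOT="$RK_SDK_DIR/buildroot"
# Rockchip signing tool from the rkbin tree. Not referenced by any check in
# this file; kept because the variable is part of the script's environment.
RK_SIGN_TOOL="$RK_SDK_DIR/rkbin/tools/rk_sign_tool"
###################################################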
# Buildroot options every secured rootfs / ramdisk must enable: the
# recovery package and its update-engine binary. Each list below is
# whitespace-separated and consumed by config_check, which requires
# "<OPTION>=y" (built in, not =m, not "is not set").
ROOTFS_UPDATE_ENGINEBIN_CONFIGS=" \
BR2_PACKAGE_RECOVERY \
BR2_PACKAGE_RECOVERY_UPDATEENGINEBIN"

# A/B rootfs additionally needs the bootcontrol helper. Not referenced by
# any check in this file.
ROOTFS_AB_FIXED_CONFIGS=" \
$ROOTFS_UPDATE_ENGINEBIN_CONFIGS \
BR2_PACKAGE_RECOVERY_BOOTCONTROL"

# A UBI rootfs must be squashfs-on-UBI; enforced by rk_security_check_system
# when RK_ROOTFS_TYPE is "ubi".
ROOTFS_UBI_FIXED_CONFIGS=" \
BR2_TARGET_ROOTFS_UBI_SQUASHFS"

# U-Boot options for the "fit" secure-boot method: FIT image signature
# verification in both SPL and U-Boot proper.
UBOOT_FIT_FIXED_CONFIGS=" \
CONFIG_FIT_SIGNATURE \
CONFIG_SPL_FIT_SIGNATURE"

# U-Boot options for the AVB (Android Verified Boot) secure-boot method,
# used for any RK_SECUREBOOT_METHOD other than "fit". Entries are grep
# regular expressions (see config_check), so the trailing "." in
# CONFIG_OPTEE_V. accepts any single-character OP-TEE version suffix
# (CONFIG_OPTEE_V1=y or CONFIG_OPTEE_V2=y).
UBOOT_AVB_FIXED_CONFIGS=" \
CONFIG_ANDROID_AVB \
CONFIG_AVB_LIBAVB \
CONFIG_AVB_LIBAVB_AB \
CONFIG_AVB_LIBAVB_ATX \
CONFIG_AVB_LIBAVB_USER \
CONFIG_RK_AVB_LIBAVB_USER \
CONFIG_OPTEE_CLIENT \
CONFIG_AVB_VBMETA_PUBLIC_KEY_VALIDATE \
CONFIG_RK_AVB_LIBAVB_ENABLE_ATH_UNLOCK \
CONFIG_OPTEE_V."

# TODO: CONFIG_ROCKCHIP_PRELOADER_PUB_KEY

# Extra Buildroot options for the system-encryption ramdisk, checked on top
# of ROOTFS_UPDATE_ENGINEBIN_CONFIGS by rk_security_check_ramboot. The TEE
# user app and luksmeta are presumably what the initrd needs to unlock the
# encrypted rootfs -- confirm against board/rockchip/common/security-ramdisk-overlay.
RAMBOOT_FIXED_CONFIG=" \
BR2_PACKAGE_TEE_USER_APP \
BR2_PACKAGE_LUKSMETA"
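#######################################
# Check that the key material a secured build needs is present.
# Globals:   UBOOT (read) - u-boot tree; keys are expected in $UBOOT/keys
# Arguments: $1 - check method: base, system-verity or system-encryption
# Outputs:   diagnostics on stderr
# Returns:   0 when everything is present; exits 1 otherwise
#
# $UBOOT/keys holds the private signing keys and, for the system-* methods,
# the build host's sudo password (root_passwd) and the rootfs encryption key
# (system_enc_key) as plain files. They must never be committed or readable
# by other users. A missing file is fatal; a permissive mode only warns,
# since this script cannot know the host's policy.
#######################################
rk_security_check_keys()
{
    local method=$1
    local keydir="$UBOOT/keys"
    local secret

    if [ ! -d "$keydir" ]; then
        echo "ERROR: No root keys(u-boot/keys) found in u-boot" >&2
        echo " Create it by ./build.sh security-createkeys or move your key to it" >&2
        exit 1
    fi

    # Only the system-* methods need the sudo password / encryption key.
    case "$method" in
    *system*) ;;
    *) return 0 ;;
    esac

    if [ ! -f "$keydir/root_passwd" ]; then
        echo "ERROR: No root passwd(u-boot/keys/root_passwd) found in u-boot" >&2
        echo " echo your root key for sudo to u-boot/keys/root_passwd" >&2
        echo " some operations need supper user permission when create encrypt image" >&2
        exit 1
    fi

    if [ "$method" = "system-encryption" ] && [ ! -f "$keydir/system_enc_key" ]; then
        echo "ERROR: No enc key(u-boot/keys/system_enc_key) found in u-boot" >&2
        echo " Create it by ./build.sh security-createkeys or move your key to it" >&2
        exit 1
    fi

    # Warn (do not fail) when a secret is readable by group or others:
    # these are plaintext credentials sitting in the source tree.
    for secret in "$keydir/root_passwd" "$keydir/system_enc_key"; do
        [ -f "$secret" ] || continue
        if [ -n "$(find "$secret" -perm /077 2>/dev/null)" ]; then
            echo "WARNING: $secret is readable by other users; run chmod 600 on it" >&2
        fi
    done
}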
# Kernel options required for both system-verity and system-encryption:
# device-mapper with dm-crypt and dm-verity targets, the loop block device,
# and the user-space crypto API (hash interface). rk_security_check_kernel_config
# appends to this list, so it must not be made readonly.
BOOT_FIXED_CONFIGS=" \
CONFIG_BLK_DEV_DM \
CONFIG_DM_CRYPT \
CONFIG_DM_VERITY \
CONFIG_BLK_DEV_LOOP \
CONFIG_CRYPTO_USER \
CONFIG_CRYPTO_USER_API_HASH"

# Additionally required when RK_KERNEL_VERSION_RAW is below 6.1 (presumably
# because the cryptoloop driver is gone from newer kernels -- the threshold
# is what rk_security_check_kernel_config encodes).
BOOT_FIXED_UNDER_6_1_CONFIG="
CONFIG_BLK_DEV_CRYPTOLOOP"

# Additionally required for system-encryption: the TEE subsystem and the
# OP-TEE driver (the DTS check for the same method requires an enabled
# optee node).
BOOT_OPTEE_FIXED_CONFIGS=" \
CONFIG_TEE \
CONFIG_OPTEE"
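#######################################
# Require a set of Kconfig / Buildroot options to be enabled (=y).
# Arguments: $1 - path to a .config file
#            $2 - whitespace-separated option names; each one is a grep
#                 regular expression (CONFIG_OPTEE_V. matches any
#                 single-character suffix)
# Outputs:   progress on stdout; the missing option and the whole
#            required list on stderr
# Returns:   0 when every option is present; exits 1 on the first miss
#            or when the config file does not exist
#
# Only "<OPTION>=y" counts. "=m", "# <OPTION> is not set" and a missing
# line all fail, which is deliberate: dm-crypt/dm-verity and the
# secure-boot code must be built in, not loadable after the fact.
# "grep -w" keeps CONFIG_FOO from being satisfied by XCONFIG_FOO=y.
#######################################
config_check()
{
    local config=$1
    local wanted=$2
    local opt

    # A missing file used to surface as "No found config <first option>",
    # which points the user at the wrong problem.
    if [ ! -f "$config" ]; then
        echo -e "\e[41;1;37mSecurity: config file $config is not found\e[0m" >&2
        exit 1
    fi

    echo "debug-$config"
    # Word splitting of $wanted is intentional: it is the option list.
    for opt in $wanted; do
        echo "look for $opt"
        if ! grep -qw -- "${opt}=y" "$config"; then
            echo -e "\e[41;1;37mSecurity: No found config ${opt} in $config \e[0m" >&2
            echo "make sure your config include this list" >&2
            echo "---------------------------------------" >&2
            echo "$wanted" | xargs -n1 >&2
            echo "---------------------------------------" >&2
            exit 1
        fi
    done
    return 0
}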
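#######################################
# Require a rootfs overlay to be selected in a Buildroot config.
# Arguments: $1 - build name, used only in the message (e.g. ramboot)
#            $2 - path to the Buildroot .config
#            $3 - overlay directory name expected under board/rockchip/common/
# Returns:   0 when found; exits 1 otherwise (also when $2 is unreadable)
#
# The name must appear on a BR2_ROOTFS_OVERLAY line. The previous check
# accepted the name anywhere in the file, so a comment or an unrelated
# option mentioning the overlay would have passed it.
#######################################
rk_security_match_overlay()
{
    local name=$1
    local config=$2
    local overlay=$3

    if ! grep -q -- "BR2_ROOTFS_OVERLAY.*$overlay" "$config" 2>/dev/null; then
        echo -e "\e[41;1;37mSecurity: No found BR2_ROOTFS_OVERLAY+=\"board/rockchip/common/$overlay/\" in $name config\e[0m" >&2
        exit 1
    fi
}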
rk_security_check_system()
|
|
{
|
|
case $1 in
|
|
system-encryption|system-verity)
|
|
if [ "$RK_ROOTFS_TYPE" == "ubi" ]; then
|
|
config_check $2 "$ROOTFS_UBI_FIXED_CONFIGS"
|
|
fi
|
|
;;
|
|
base) return 0;;
|
|
*) exit -1;;
|
|
esac
|
|
}
|
|
|
|
rk_security_check_kernel_config()
|
|
{
|
|
[ ! -z "$RK_SECURITY" ] || return 0
|
|
|
|
if [ $(echo "$RK_KERNEL_VERSION_RAW < 6.1" | bc) -eq 1 ]; then
|
|
BOOT_FIXED_CONFIGS="$BOOT_FIXED_CONFIGS $BOOT_FIXED_UNDER_6_1_CONFIG"
|
|
fi
|
|
|
|
case $1 in
|
|
system-encryption) BOOT_FIXED_CONFIGS="$BOOT_FIXED_CONFIGS $BOOT_OPTEE_FIXED_CONFIGS" ;& # fallthrough
|
|
system-verity) config_check $2 "$BOOT_FIXED_CONFIGS" ;;
|
|
base) return 0;;
|
|
*) exit -1;;
|
|
esac
|
|
}
|
|
|
|
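#######################################
# Require an enabled OP-TEE node in the kernel device tree.
# Arguments: $1 - method; only system-encryption is checked
#            $2 - path to a compiled .dtb (decompiled with dtc) or a .dts
# Returns:   0 when an optee node exists and is not "disabled"; exits 1
#            when it is missing/disabled, when $2 does not exist or when
#            dtc cannot decompile it
#
# system-encryption requires CONFIG_TEE/CONFIG_OPTEE in the kernel config
# as well, so presumably the encrypted-rootfs unlock path goes through
# OP-TEE and a DT without the node would boot into an unusable rootfs.
# The node is located with a single PCRE over the whole file (-z), from
# "optee {" to its closing "};". An optional "optee:" label is accepted
# so a hand-written .dts passes as well as dtc output (which drops labels).
#######################################
rk_security_check_kernel_dts()
{
    local method=$1
    local dtpath=$2
    local dtsfile tmpdts="" node status

    [ "$method" = "system-encryption" ] || return 0

    if [ ! -f "$dtpath" ]; then
        echo -e "\e[41;1;37mKernel dtb/dts '$dtpath' is not found\e[0m" >&2
        exit 1
    fi

    # Work on source form: decompile a .dtb into a temp file, use a .dts as-is.
    if [ "${dtpath##*.}" = "dtb" ]; then
        tmpdts=$(mktemp)
        if ! dtc -q -I dtb -O dts -o "$tmpdts" "$dtpath"; then
            rm -f "$tmpdts"
            echo -e "\e[41;1;37mFailed to decompile $dtpath with dtc\e[0m" >&2
            exit 1
        fi
        dtsfile=$tmpdts
    else
        dtsfile=$dtpath
    fi

    # -o prints just the node; -z makes the match span lines and emits a
    # NUL terminator, which tr strips so the result is an ordinary string.
    node=$(grep -Pzo '\t(optee:\s*)?optee\s*\{(\n|\w|-|;|=|<|>|"|_|\s|,)*\};' "$dtsfile" 2>/dev/null | tr -d '\0')
    [ -z "$tmpdts" ] || rm -f "$tmpdts"

    if [ -z "$node" ]; then
        echo -e "\e[41;1;37mNo found optee node in dts\e[0m" >&2
        echo "Please add: " >&2
        echo " optee: optee {" >&2
        echo " compatible = \"linaro,optee-tz\";" >&2
        echo " method = \"smc\";" >&2
        echo " status = \"okay\";" >&2
        echo " };" >&2
        echo "To kernel dts" >&2
        exit 1
    fi

    # No status property means enabled; only an explicit "disabled" fails.
    status=$(printf '%s\n' "$node" | grep -a status || true)
    if printf '%s\n' "$status" | grep -q disabled; then
        echo -e "\e[41;1;37mOptee Found, but disabled!!!\e[0m" >&2
        exit 1
    fi
}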
rk_security_check_kernel()
|
|
{
|
|
append=$1
|
|
shift
|
|
case $append in
|
|
config|dts) rk_security_check_kernel_$append $@;;
|
|
*) exit -1;;
|
|
esac
|
|
}
|
|
|
|
rk_security_check_ramboot()
|
|
{
|
|
if [ "$1" != "system-encryption" ]; then
|
|
return 0
|
|
fi
|
|
shift
|
|
|
|
if [ ! -f "$1" ]; then
|
|
echo -e "\e[41;1;37m$1 is not found\e[0m"
|
|
exit -1
|
|
fi
|
|
|
|
echo "check ramdisk config"
|
|
config_check $1 "$(echo $ROOTFS_UPDATE_ENGINEBIN_CONFIGS $RAMBOOT_FIXED_CONFIG)"
|
|
rk_security_match_overlay ramboot $1 security-ramdisk-overlay
|
|
}
|
|
|
|
rk_security_check_uboot()
|
|
{
|
|
METHOD=$1
|
|
shift
|
|
|
|
if [ "$METHOD" = "fit" ]; then
|
|
config_check $1 "$UBOOT_FIT_FIXED_CONFIGS"
|
|
else
|
|
config_check $1 "$UBOOT_AVB_FIXED_CONFIGS"
|
|
fi
|
|
}
|
|
|
|
rk_security_check_main()
|
|
{
|
|
CHECK_LIST="keys kernel system uboot ramboot"
|
|
|
|
for item in $CHECK_LIST
|
|
do
|
|
if [ "$item" = "$1" ]; then
|
|
append=$1
|
|
shift
|
|
"rk_security_check_$append" $@
|
|
fi
|
|
done
|
|
}
|
|
|
|
# -----------------------------------
|
|
# For SDK
|
|
# -----------------------------------
|
|
|
|
rk_security_check_sdk()
|
|
{
|
|
[ ! -z "$RK_SECURITY" ] || return 0
|
|
|
|
case $1 in
|
|
keys) rk_security_check_main keys $RK_SECURITY_CHECK_METHOD ;;
|
|
kernel)
|
|
case $2 in
|
|
config) rk_security_check_main $@ $RK_SECURITY_CHECK_METHOD $RK_SDK_DIR/kernel/.config ;;
|
|
dts) rk_security_check_main $@ $RK_SECURITY_CHECK_METHOD $RK_KERNEL_DTB ;;
|
|
esac
|
|
;;
|
|
system) rk_security_check_main system $RK_SECURITY_CHECK_METHOD $RK_SDK_DIR/buildroot/output/$RK_BUILDROOT_CFG/.config ;;
|
|
ramboot) rk_security_check_main ramboot $RK_SECURITY_CHECK_METHOD $RK_SDK_DIR/buildroot/output/$RK_SECURITY_INITRD_CFG/.config ;;
|
|
uboot) rk_security_check_main uboot $RK_SECUREBOOT_METHOD $RK_SDK_DIR/u-boot/.config ;;
|
|
esac
|
|
}
|
|
|
|
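# Dispatch: inside a build.sh session (RK_SESSION set) the SDK wrapper
# derives methods and config paths from the build variables; run
# standalone, the caller passes them explicitly. Arguments are forwarded
# quoted so paths with spaces survive.
if [ -n "$RK_SESSION" ]; then
    rk_security_check_sdk "$@"
else
    rk_security_check_main "$@"
fi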