mirror of
https://github.com/gnuton/asuswrt-merlin.ng.git
synced 2025-05-18 15:31:54 +02:00
200 lines
13 KiB
Text
200 lines
13 KiB
Text
|
|
####
|
|
#### This is makefile contains test rules (for now) that can be run AFTER a normal build to exercise
|
|
#### image assembly component commands. Later, it will take on the standard image assembly as well
|
|
####
|
|
#### This currently assembles images for GEN3 devices with puresqubi ONLY
|
|
####
|
|
makefile_name:=$(lastword $(MAKEFILE_LIST))
|
|
|
|
image: nand_pureubi
|
|
full: nand_pureubi_full
|
|
|
|
BUILD_DIR = $(shell pwd)
|
|
include $(BUILD_DIR)/make.common
|
|
|
|
# move to make.common?
|
|
BUILD_NAND_IMG_BLKSIZE_ALL := $(filter BUILD_NAND_IMG_BLKSIZE_%,$(.VARIABLES))
|
|
BUILD_NAND_IMG_BLKSIZE=$(foreach var,$(BUILD_NAND_IMG_BLKSIZE_ALL),$(if $(findstring $($(var)),y),$(subst KB,,$(subst BUILD_NAND_IMG_BLKSIZE_,,$(var)))))
|
|
|
|
|
|
ifeq ($(strip $(SECURE_BOOT_TURNKEY)),y)
|
|
#Suffix to point to CFEROM generated with TK
|
|
SFX=_TK
|
|
endif
|
|
#
|
|
#
|
|
#
|
|
#
|
|
|
|
nand_prepare:
|
|
ifneq ($(strip $(BUILD_NAND_IMG_BLKSIZE)),)
|
|
mkdir -p $(PROFILE_DIR)/imagebuild/NAND/head
|
|
mkdir -p $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
cp $(CFE_ROM_FILE) $(PROFILE_DIR)/imagebuild/NAND/head/
|
|
cp -r $(TARGET_BOOTFS)/* $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
cp $(CFE_RAM_FILE) $(PROFILE_DIR)/imagebuild/NAND/bootfs/cferam.000
|
|
ifneq ($(wildcard $(BUILD_DIR)/secureos/optee/optee.lz),)
|
|
cp -f $(BUILD_DIR)/secureos/optee/*.lz $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
cp -f $(BUILD_DIR)/secureos/optee/*.dtb $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
endif
|
|
endif
|
|
|
|
nand_pureubi: nand_prepare
|
|
# This demonstrates how to finalize an image. Here, one would insert any additional components to be included
|
|
# in the signature block for the boot filesystem
|
|
# Create the block of hashes
|
|
hostTools/imagetools/mkhashes --exclude='bootfs\/hashes.bin$$' --exclude='bootfs\/hashes.fld$$' --out=$(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.bin --item rootfs=$(PROFILE_DIR)/squashfs.img --file cferam.000 --boot $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
#
|
|
#
|
|
ifeq ($(strip $(SECURE_BOOT_ARCH)),GEN3)
|
|
#
|
|
# build UBI cferom
|
|
# start with a 1meg empty region
|
|
hostTools/imagetools/gen1meg $(PROFILE_DIR)/imagebuild/NAND/region
|
|
#
|
|
# and put a few copies of cferom in flash with nonsecure headers
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE) --nonsec --chip=$(BRCM_CHIP) --offset 71680 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE) --nonsec --chip=$(BRCM_CHIP) --offset 196608 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
#
|
|
# insert a few copies of an essentially empty nvram
|
|
hostTools/createimg.pl --replace --offsets=32768,192512 --input=$(PROFILE_DIR)/imagebuild/NAND/region --outputfile=$(PROFILE_DIR)/imagebuild/NAND/region --nvram_magic --conf ${HOSTTOOLS_DIR}/local_install/conf/${TOOLCHAIN_PREFIX}.conf
|
|
#
|
|
ifneq ($(strip $(BUILD_SECURE_BOOT)),)
|
|
#
|
|
# now let's make signed images
|
|
#
|
|
# First, generate the auth header for CFEROM
|
|
#
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE) --field --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --out=$(PROFILE_DIR)/imagebuild/NAND/auth_header
|
|
#
|
|
# Get rid of the non-hash signature
|
|
rm -f $(PROFILE_DIR)/imagebuild/NAND/bootfs/vmlinux.sig
|
|
#
|
|
# now concatenate auth_header and CFEROM and sign the resulting digest > auth_sig
|
|
# this is done with local openssl commands here, but could be done elsewhere
|
|
#
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/auth_header $(CFE_ROM_FILE) \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krot-fld.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out auth_sig
|
|
# prepend the signature to the hashes
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.bin \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krot-fld.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out $(PROFILE_DIR)/imagebuild/NAND/hashes.sig
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/hashes.sig $(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.bin > $(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.fld
|
|
#
|
|
#
|
|
# insert 2 copies of the signed cferom into flash images
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE) --field=auth_sig --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --offset 262144 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE) --field=auth_sig --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --offset 524288 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
endif
|
|
endif
|
|
make -f $(makefile_name) ubinize
|
|
|
|
ubinize:
|
|
# Create the pureubi "blob.bin" file with cferam, vmlinux, dtbs, etc...
|
|
hostTools/imagetools/mkfs.nada --out=$(PROFILE_DIR)/imagebuild/NAND/head/blob.bin $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
# Then create the metadata for the image
|
|
hostTools/imagetools/mkfs.nada --out=$(PROFILE_DIR)/imagebuild/NAND/head/meta.bin --extra cferam.000=998 --extra squash=1 --extra committed=0
|
|
# generate a ubi.ini file combining the rootfs, metadata, and boot volumes
|
|
hostTools/imagetools/mkubi_ini --meta=$(PROFILE_DIR)/imagebuild/NAND/head/meta.bin --boot=$(PROFILE_DIR)/imagebuild/NAND/head/blob.bin --root=$(PROFILE_DIR)/squashfs.img > ubi.ini
|
|
|
|
# Then ubinize it - 128K
|
|
hostTools/mtd-utils*/ubinize -v -o $(PROFILE_DIR)/imagebuild/NAND/my_rootfs128kb_puresqubi.img -m 2048 -p $(FLASH_NAND_BLOCK_128KB) ubi.ini
|
|
# Finally, add the image tag -- hardcoded to 128K block sie for the moment
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND128 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_rootfs128kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_puresqubi_128.w
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/region $(PROFILE_DIR)/imagebuild/NAND/my_rootfs128kb_puresqubi.img > $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs128kb_puresqubi.img
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND128 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs128kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_cferom_puresqubi_128.w
|
|
|
|
|
|
# Then ubinize it - 256K
|
|
hostTools/mtd-utils*/ubinize -v -o $(PROFILE_DIR)/imagebuild/NAND/my_rootfs256kb_puresqubi.img -m 4096 -p $(FLASH_NAND_BLOCK_256KB) ubi.ini
|
|
# Finally, add the image tag -- hardcoded to 256K block size for the moment
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND256 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_rootfs256kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_puresqubi_256.w
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/region $(PROFILE_DIR)/imagebuild/NAND/my_rootfs256kb_puresqubi.img > $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs256kb_puresqubi.img
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND256 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs256kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_cferom_puresqubi_256.w
|
|
|
|
# Then ubinize it - 512K
|
|
hostTools/mtd-utils*/ubinize -v -o $(PROFILE_DIR)/imagebuild/NAND/my_rootfs512kb_puresqubi.img -m 4096 -p $(FLASH_NAND_BLOCK_512KB) ubi.ini
|
|
# Finally, add the image tag -- hardcoded to 512K block size for the moment
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND512 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_rootfs512kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_puresqubi_512.w
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/region $(PROFILE_DIR)/imagebuild/NAND/my_rootfs512kb_puresqubi.img > $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs512kb_puresqubi.img
|
|
hostTools/addvtoken --endian $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --flashtype NAND512 --btrm 1 $(PROFILE_DIR)/imagebuild/NAND/my_cferom_rootfs512kb_puresqubi.img $(PROFILE_DIR)/imagebuild/NAND/custom_$(PROFILE)_cferom_puresqubi_512.w
|
|
|
|
|
|
# insert keystore if configured
|
|
ifeq ($(strip $(SECURE_BOOT_TURNKEY)),y)
|
|
sotp_tk_update:
|
|
cp $(CFE_ROM_FILE$(SFX)) $(PROFILE_DIR)/imagebuild/NAND/head/
|
|
hostTools/SecureBootUtils/build_tk.pl --tk_req $(SECURE_BOOT_TK_MODE_REQ) --sec_arch $(SECURE_BOOT_ARCH) --mid $(SECURE_BOOT_TK_MID) --abort_timeout $(SECURE_BOOT_TK_ABORT_TIMEOUT) --byteorder $(ARCH_ENDIAN) --chip $(BRCM_CHIP) --cred_dir $(SECURE_BOOT_KEY_DIR) --wdir $(PROFILE_DIR)/imagebuild/NAND/ --image $(PROFILE_DIR)/imagebuild/NAND/region --out $(PROFILE_DIR)/imagebuild/NAND/region --keystore_offs_kb $(SECURE_BOOT_TK_KS_OFFS) --boot_part_size_kb 1024
|
|
else
|
|
sotp_tk_update:
|
|
endif
|
|
|
|
nand_pureubi_full: nand_prepare
|
|
# This demonstrates how to finalize an image which contains unsecure, mfg secure and fld secure cferom/cferam binaries.
|
|
cd $(PROFILE_DIR)/imagebuild/NAND/bootfs && cp -f cferam.000 secram.000; cp -vf cferam.000 secmfg.000
|
|
cd $(PROFILE_DIR)/..
|
|
ifeq ($(strip $(SECURE_BOOT_ARCH)),GEN3)
|
|
# Get rid of the non-hash signature
|
|
rm -f $(PROFILE_DIR)/imagebuild/NAND/bootfs/vmlinux.sig
|
|
# Create 3 blocks of hashes : non-secure, mfg secure and fld secure
|
|
hostTools/imagetools/mkhashes --exclude='bootfs\/hashes.bin$$' --exclude='bootfs\/hashes.fld$$' --exclude='bootfs\/hashes.mfg$$' --out=$(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.bin --item rootfs=$(PROFILE_DIR)/squashfs.img --file cferam.000 --boot $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
hostTools/imagetools/mkhashes --exclude='bootfs\/hashes.bin$$' --exclude='bootfs\/hashes.fld$$' --exclude='bootfs\/hashes.mfg$$' --out=$(PROFILE_DIR)/imagebuild/NAND/hashes.fld.bin --item rootfs=$(PROFILE_DIR)/squashfs.img --file secram.000 --boot $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
hostTools/imagetools/mkhashes --exclude='bootfs\/hashes.bin$$' --exclude='bootfs\/hashes.fld$$' --exclude='bootfs\/hashes.mfg$$' --out=$(PROFILE_DIR)/imagebuild/NAND/hashes.mfg.bin --item rootfs=$(PROFILE_DIR)/squashfs.img --file secmfg.000 --boot $(PROFILE_DIR)/imagebuild/NAND/bootfs
|
|
#
|
|
# build UBI cferom
|
|
# start with a 1meg empty region
|
|
hostTools/imagetools/gen1meg $(PROFILE_DIR)/imagebuild/NAND/region
|
|
#
|
|
# insert a copy of cferom in flash with nonsecure header
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE$(SFX)) --nonsec --chip=$(BRCM_CHIP) --offset 71680 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
#
|
|
# insert a few copies of an essentially empty nvram
|
|
hostTools/createimg.pl --replace --offsets=32768,192512 --input=$(PROFILE_DIR)/imagebuild/NAND/region --outputfile=$(PROFILE_DIR)/imagebuild/NAND/region --nvram_magic --nvramdefsfile ${HOSTTOOLS_DIR}/nvram_defaults.h --conf ${HOSTTOOLS_DIR}/local_install/conf/${TOOLCHAIN_PREFIX}.conf
|
|
#
|
|
ifneq ($(strip $(BUILD_SECURE_BOOT)),)
|
|
# Generate the auth header for CFEROM
|
|
#
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE$(SFX)) --field --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --out=$(PROFILE_DIR)/imagebuild/NAND/auth_header
|
|
#
|
|
#
|
|
# now concatenate auth_header and CFEROM and sign the resulting digest > auth_sig
|
|
# this is done with local openssl commands here, but could be done elsewhere
|
|
#
|
|
#FLD
|
|
#sign header
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/auth_header $(CFE_ROM_FILE$(SFX)) \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krot-fld.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out auth_sig
|
|
# sign hashes; prepend the signature to the hashes
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/hashes.fld.bin \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krot-fld.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out $(PROFILE_DIR)/imagebuild/NAND/hashes.sig
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/hashes.sig $(PROFILE_DIR)/imagebuild/NAND/hashes.fld.bin > $(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.fld
|
|
|
|
# MFG
|
|
# sign header
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/auth_header $(CFE_ROM_FILE$(SFX)) \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krsa-mfg.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out auth_sig_mfg
|
|
# sign hash bin; prepend a signature to it
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/hashes.mfg.bin \
|
|
| openssl dgst -sign targets/keys/demo/$(SECURE_BOOT_ARCH)/Krsa-mfg.pem -keyform pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out $(PROFILE_DIR)/imagebuild/NAND/hashes.sig
|
|
cat $(PROFILE_DIR)/imagebuild/NAND/hashes.sig $(PROFILE_DIR)/imagebuild/NAND/hashes.mfg.bin > $(PROFILE_DIR)/imagebuild/NAND/bootfs/hashes.mfg
|
|
|
|
#
|
|
#
|
|
# insert 2 copies of the signed cferom into flash images, MFG and FLD respectively
|
|
# we allocate 192K max for each image
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE$(SFX)) --field=auth_sig_mfg --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --offset 196608 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
# insert copy of the FLD signed image cferom into flash images
|
|
hostTools/imagetools/insertboot --arch $(SECURE_BOOT_ARCH) --cfe $(CFE_ROM_FILE$(SFX)) --field=auth_sig --cred=targets/keys/demo/$(SECURE_BOOT_ARCH)/ --chip=$(BRCM_CHIP) --offset 393216 $(PROFILE_DIR)/imagebuild/NAND/region
|
|
endif
|
|
endif
|
|
make -f $(makefile_name) sotp_tk_update
|
|
make -f $(makefile_name) ubinize
|
|
|
|
clean:
|
|
rm -rf $(PROFILE_DIR)/imagebuild
|
|
|
|
shell:
|
|
@echo "You are in a shell that includes the Makefile environment. "exit" to return to normal"
|
|
bash
|
|
|
|
.PHONY: nand_pureubi nand_pureubi_full nand_prepare full ubinize clean sotp_tk_update
|