
Linux Firmware Encryption User Guide

27 Nov 2024

U-Boot Configuration

  1. From the top-level SDK directory, run the following command to open the U-Boot configuration menu:
    make uboot-menuconfig
    
  2. In the U-Boot configuration menu, enable the cipher-related U-Boot driver options:
    Boot options  --->
        Boot images  --->
            [*]   Enable ciphering data in a FIT uImages
            [*]   Enable ciphering data in a FIT uImages within SPL
    
    SPL / TPL  --->
        [*] Support crypto drivers
    
    Device Drivers  --->
        Hardware crypto devices  --->
            [*] ArtInChip's crypto engine driver
    

    With these options enabled, SPL decrypts U-Boot during boot before loading and running it, and U-Boot in turn decrypts the kernel before loading and running it.

DTS Configuration

  1. Configure the chip-level DTS:
    crypto: crypto-engine@10020000 {
        compatible = "artinchip,aic-crypto-v1.0";
        reg = <0x0 0x10020000 0x0 0x1000>;
        interrupts-extended = <&plic0 33 IRQ_TYPE_LEVEL_HIGH>;
        clocks = <&cmu CLK_CE>;
        resets = <&rst RESET_CE>;
        clock-rate = <200000000>;
        status = "disabled";
    };
    
  2. In the board-level board.dts configuration file, enable the crypto module. To use CRYPTO in SPL, the u-boot,dm-pre-reloc flag must also be set:
    &crypto {
        status = "okay";
        u-boot,dm-pre-reloc;
    };
    

ITS Configuration

  1. For firmware that needs to be encrypted, such as the uboot and dtb images, add a cipher node in the u-boot.its.dtsi file and configure the encryption "key" and "iv" values:
    uboot {
        description = "U-Boot";
        type = "standalone";
        os = "u-boot";
        arch = "riscv";
        compression = "none";
        load = <CONFIG_SYS_TEXT_BASE>;
        entry = <CONFIG_SYS_TEXT_BASE>;
        data = /incbin/("u-boot-nodtb.bin");
        cipher {
            algo = "aes128";
            key-name-hint = "key";
            iv-name-hint = "iv";
        };
    };
    fdt-1 {
        description = "DTB";
        type = "flat_dt";
        compression = "none";
        data = /incbin/("u-boot.dtb");
        cipher {
            algo = "aes128";
            key-name-hint = "key";
            iv-name-hint = "iv";
        };
    };
    
  2. For firmware that needs to be encrypted, such as the kernel and dtb images, add a cipher node in the kernel.its.dtsi file and configure the encryption "key" and "iv" values:
    kernel {
        description = "Artinchip Linux kernel";
        data = /incbin/("./Image");
        type = "kernel";
        arch = "riscv";
        compression = "none";
        os = "linux";
        load = <0x40000000>;
        entry = <0x40000000>;
        cipher {
            algo = "aes128";
            key-name-hint = "key";
            iv-name-hint = "iv";
        };
    };
    
    fdt-1 {
        description = "Flattened Device Tree blob";
        data = /incbin/("./u-boot.dtb");
        type = "flat_dt";
        arch = "riscv";
        load = <0x43F00000>;
        compression = "none";
        cipher {
            algo = "aes128";
            key-name-hint = "key";
            iv-name-hint = "iv";
        };
    };
    

Key Configuration

In the image_cfg.json file, specify the directory in which the encryption "key" and "iv" files are stored (the "keydir" entry of each .itb).

"itb": {
    "kernel.itb": {
        "its": "kernel.its",
        "dtb": "u-boot.dtb",
        "keydir": "keys/kernel"
    },
    "u-boot.itb": {
        "its": "u-boot.its",
        "dtb": "u-boot-spl.dtb",
        "keydir": "keys/u-boot",
        "bin": {
            "src": "u-boot-spl-nodtb.bin",
            "dst": "u-boot-spl-dtb.bin"
        }
    },
    "logo.itb": {
        "its": "logo.its"
    }
},
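
Added example, not part of the SDK documentation or its tooling: a POSIX shell helper that creates the raw key and IV files a keydir must contain and checks their sizes against the cipher node's "algo" value. It assumes the SDK's image tool follows upstream U-Boot mkimage naming, i.e. keydir/<key-name-hint>.bin and keydir/<iv-name-hint>.bin, with a 16-byte AES-CBC IV.

```shell
#!/bin/sh
# Added example, not from the ArtInChip SDK: create the raw key/IV files that
# a "keydir" in image_cfg.json must contain and check them against the cipher
# node's "algo". Assumption: like upstream U-Boot mkimage, the files are named
# <key-name-hint>.bin and <iv-name-hint>.bin ("key" -> key.bin, "iv" -> iv.bin).
set -eu

# Key length in bytes for a FIT cipher algo (the AES-CBC IV is always 16 bytes).
key_len_for_algo() {
    case "$1" in
        aes128) echo 16 ;;
        aes192) echo 24 ;;
        aes256) echo 32 ;;
        *) echo "unsupported algo: $1" >&2; return 1 ;;
    esac
}

# gen_keys <keydir> <algo> [<key-hint> <iv-hint>]: write fresh random key and
# IV files readable only by the owner; never silently overwrite an existing key.
gen_keys() {
    keydir=$1; algo=$2; khint=${3:-key}; ivhint=${4:-iv}
    klen=$(key_len_for_algo "$algo") || return 1
    if [ -e "$keydir/$khint.bin" ]; then
        echo "refusing to overwrite $keydir/$khint.bin" >&2
        return 1
    fi
    mkdir -p "$keydir"
    ( umask 077
      head -c "$klen" /dev/urandom > "$keydir/$khint.bin"
      head -c 16 /dev/urandom > "$keydir/$ivhint.bin" )
}

# check_keys <keydir> <algo> [<key-hint> <iv-hint>]: verify both files exist and
# have exactly the byte counts the algo requires; returns 0 only when they do.
check_keys() {
    keydir=$1; algo=$2; khint=${3:-key}; ivhint=${4:-iv}
    klen=$(key_len_for_algo "$algo") || return 1
    for f in "$keydir/$khint.bin" "$keydir/$ivhint.bin"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    [ "$(wc -c < "$keydir/$khint.bin" | tr -d ' ')" -eq "$klen" ] ||
        { echo "$khint.bin is not $klen bytes" >&2; return 1; }
    [ "$(wc -c < "$keydir/$ivhint.bin" | tr -d ' ')" -eq 16 ] ||
        { echo "$ivhint.bin is not 16 bytes" >&2; return 1; }
}
```

Run gen_keys once per keydir named in image_cfg.json (keys/u-boot, keys/kernel) and keep those directories out of version control; check_keys before the build catches a key file whose length does not match the algo in the its file.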

After the build completes, flash the firmware.