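#!/bin/bash -e
#
# Security-boot helper for the SDK build system.
#
# Provides the build hooks "security_check", "createkeys",
# "security_ramboot", "security_uboot", "security_boot",
# "security_recovery" and "security_rootfs" (see usage_hook).
#
# Reads from the environment / build-helper (not defined here):
#   RK_SECURITY, RK_SECURITY_CHECK_METHOD, RK_SECURITY_INITRD_CFG,
#   RK_SECURITY_INITRD_TYPE, RK_SECURITY_FIT_ITS, RK_AB_UPDATE,
#   RK_KERNEL_ARCH, RK_KERNEL_CFG, RK_UBOOT_CFG, RK_BUILDROOT_CFG,
#   RK_RECOVERY_CFG, RK_OUTDIR, RK_FIRMWARE_DIR, SDK_DIR, SCRIPTS_DIR.
# Relies on check_config, finish_build and usage from the sourced
# build-helper.
#
# The shebang's "-e" is lost when the file is run as "bash script.sh",
# so the option is set explicitly here as well.
set -e

# Kernel options every security build must enable (dm-crypt / dm-verity
# based rootfs protection).
BOOT_FIXED_CONFIGS=" \
	CONFIG_BLK_DEV_DM \
	CONFIG_DM_CRYPT \
	CONFIG_BLK_DEV_CRYPTOLOOP \
	CONFIG_DM_VERITY"

# Additional kernel options required for the "DM-E" (encrypted) method,
# which needs the OP-TEE driver.
BOOT_OPTEE_FIXED_CONFIGS=" \
	CONFIG_TEE \
	CONFIG_OPTEE"

# U-Boot options required for verified (signed FIT) boot.
UBOOT_FIXED_CONFIGS=" \
	CONFIG_FIT_SIGNATURE \
	CONFIG_SPL_FIT_SIGNATURE"

# U-Boot options required additionally when A/B update is enabled.
UBOOT_AB_FIXED_CONFIGS=" \
	CONFIG_ANDROID_AB"

# Buildroot options required by the recovery / update engine.
ROOTFS_UPDATE_ENGINEBIN_CONFIGS=" \
	BR2_PACKAGE_RECOVERY \
	BR2_PACKAGE_RECOVERY_UPDATEENGINEBIN"

# Buildroot options required for the rootfs when A/B update is enabled.
ROOTFS_AB_FIXED_CONFIGS=" \
	$ROOTFS_UPDATE_ENGINEBIN_CONFIGS \
	BR2_PACKAGE_RECOVERY_BOOTCONTROL"

#######################################
# Verify that every symbol of a config list is enabled ("=y") in a
# defconfig file.
# Arguments:
#   $1 - path of the defconfig to inspect
#   $2 - whitespace-separated list of CONFIG_*/BR2_* symbols
# Outputs: progress lines and, on failure, the missing symbol and the
#          full expected list on stdout
# Returns: 0 if every symbol is enabled, 1 at the first missing one
# Note: only the defconfig is inspected; an option that a later
#       olddefconfig/Kconfig dependency resolution drops from the
#       effective .config is not detected here.
#######################################
defconfig_check()
{
	local cfg="$1" list="$2" i

	echo "debug-$cfg"
	# Word-splitting of $list is intentional: it is a space separated
	# list of symbols.
	# shellcheck disable=SC2086
	for i in $list; do
		echo "look for $i"
		# Match the whole "SYMBOL=y" token; a missing or unreadable file
		# also counts as "not found".
		if ! grep -qwF -- "${i}=y" "$cfg"; then
			echo -e "\e[41;1;37mSecurity: No found config ${i} in $cfg \e[0m"
			echo "make sure your config include this list"
			echo "---------------------------------------"
			echo "$list"
			echo "---------------------------------------"
			return 1
		fi
	done
	return 0
}

#######################################
# Check that a literal string occurs somewhere in a config file.
# Arguments:
#   $1 - string to look for (matched literally, not as a regex)
#   $2 - path of the file to search
# Outputs: an error line on stdout when the string is absent
# Returns: 0 if found, 1 otherwise (also when the file is unreadable)
#######################################
find_string_in_config()
{
	local needle="$1" file="$2"

	if ! grep -qF -- "$needle" "$file"; then
		echo "Security: No found string $needle in $file"
		return 1
	fi
	return 0
}

#######################################
# Validate the preconditions of a security build: key material present
# and every required option enabled in the kernel, U-Boot, ramdisk and
# rootfs defconfigs.
# Globals: RK_SECURITY, RK_SECURITY_CHECK_METHOD, RK_AB_UPDATE,
#          RK_KERNEL_ARCH, RK_KERNEL_CFG, RK_UBOOT_CFG, RK_BUILDROOT_CFG,
#          RK_SECURITY_INITRD_CFG (read); BOOT_FIXED_CONFIGS,
#          UBOOT_FIXED_CONFIGS (extended in place)
# Returns: 0 when security is disabled or every check passes, 1 on the
#          first failing check
#######################################
security_check()
{
	[ "$RK_SECURITY" ] || return 0

	if [ ! -d u-boot/keys ]; then
		echo "ERROR: No root keys(u-boot/keys) found in u-boot"
		echo "       Create it by ./build.sh createkeys or move your key to it"
		return 1
	fi

	# The encrypted-rootfs method additionally needs the sudo password
	# file, the rootfs encryption key and the OP-TEE kernel options.
	if [ "$RK_SECURITY_CHECK_METHOD" = "DM-E" ]; then
		if [ ! -f u-boot/keys/root_passwd ]; then
			echo "ERROR: No root passwd(u-boot/keys/root_passwd) found in u-boot"
			echo "       echo your root key for sudo to u-boot/keys/root_passwd"
			echo "       some operations need supper user permission when create encrypt image"
			return 1
		fi

		if [ ! -f u-boot/keys/system_enc_key ]; then
			echo "ERROR: No enc key(u-boot/keys/system_enc_key) found in u-boot"
			echo "       Create it by ./build.sh createkeys or move your key to it"
			return 1
		fi

		BOOT_FIXED_CONFIGS="$BOOT_FIXED_CONFIGS $BOOT_OPTEE_FIXED_CONFIGS"
	fi

	# Each check is guarded explicitly so the function also fails
	# correctly when "set -e" is not in effect (e.g. called from a
	# condition).
	echo "check kernel defconfig"
	defconfig_check \
		"kernel/arch/$RK_KERNEL_ARCH/configs/$RK_KERNEL_CFG" \
		"$BOOT_FIXED_CONFIGS" || return 1

	if [ -n "$RK_AB_UPDATE" ]; then
		UBOOT_FIXED_CONFIGS="$UBOOT_FIXED_CONFIGS \
			$UBOOT_AB_FIXED_CONFIGS"

		defconfig_check \
			"buildroot/configs/${RK_BUILDROOT_CFG}_defconfig" \
			"$ROOTFS_AB_FIXED_CONFIGS" || return 1
	fi

	echo "check uboot defconfig"
	defconfig_check "u-boot/configs/${RK_UBOOT_CFG}_defconfig" \
		"$UBOOT_FIXED_CONFIGS" || return 1

	if [ "$RK_SECURITY_CHECK_METHOD" = "DM-E" ]; then
		echo "check ramdisk defconfig"
		defconfig_check \
			"buildroot/configs/${RK_SECURITY_INITRD_CFG}_defconfig" \
			"$ROOTFS_UPDATE_ENGINEBIN_CONFIGS" || return 1
	fi

	echo "check rootfs defconfig"
	find_string_in_config "security-system-overlay" \
		"buildroot/configs/${RK_BUILDROOT_CFG}_defconfig" || return 1

	echo "Security: finish check"
}

#######################################
# Generate the signing key pair, a self-signed certificate and the
# rootfs encryption key under u-boot/keys.
# Globals: SDK_DIR (read)
# Returns: 1 if u-boot/keys already exists (never overwrites keys);
#          otherwise 0, with "set -e" aborting on any tool failure
#######################################
build_security_keys()
{
	if [ -d u-boot/keys ]; then
		echo "ERROR: u-boot/keys already exists"
		return 1
	fi

	mkdir -p u-boot/keys
	cd u-boot/keys
	"$SDK_DIR/rkbin/tools/rk_sign_tool" kk --bits 2048 --out ./

	# The generator writes under the caller's umask; restrict the private
	# key to its owner (chmod follows the dev.key symlink's target).
	chmod 600 private_key.pem

	ln -rsf private_key.pem dev.key
	ln -rsf public_key.pem dev.pubkey

	cd "$SDK_DIR"

	openssl req -batch -new -x509 -key u-boot/keys/dev.key \
		-out u-boot/keys/dev.crt

	# Create the encryption key owner-readable only, without leaving the
	# changed umask behind for the rest of the build.
	(umask 077 && openssl rand -out u-boot/keys/system_enc_key -hex 32)
}

#######################################
# Build the security ramboot image (buildroot initrd + ramdisk) and link
# it as the firmware boot.img.
# Globals: RK_SECURITY_INITRD_CFG, RK_SECURITY_INITRD_TYPE,
#          RK_SECURITY_FIT_ITS, RK_SECURITY_CHECK_METHOD, RK_OUTDIR,
#          RK_FIRMWARE_DIR, SCRIPTS_DIR (read); DST_DIR (written)
# Arguments: forwarded unchanged to finish_build
# Returns: 0 (skips silently when RK_SECURITY_INITRD_CFG is not set)
#######################################
build_security_ramboot()
{
	check_config RK_SECURITY_INITRD_CFG || return 0

	echo "=========================================="
	echo "          Start building security ramboot(buildroot)"
	echo "=========================================="

	# Kept global: helpers from build-helper may read it.
	DST_DIR="$RK_OUTDIR/security-ramboot"

	if [ ! -r "$RK_FIRMWARE_DIR/rootfs.img" ]; then
		echo "Rootfs is not ready, building it for security..."
		"$SCRIPTS_DIR/mk-rootfs.sh"
	fi

	# Prepare misc and initrd overlay with rootfs.img.
	# RK_SECURITY_CHECK_METHOD stays unquoted on purpose: when it is
	# empty, mk-dm.sh must receive rootfs.img as its first argument.
	# shellcheck disable=SC2086
	"$SCRIPTS_DIR/mk-dm.sh" $RK_SECURITY_CHECK_METHOD \
		"$RK_FIRMWARE_DIR/rootfs.img"

	/usr/bin/time -f "you take %E to build security initrd(buildroot)" \
		"$SCRIPTS_DIR/mk-buildroot.sh" "$RK_SECURITY_INITRD_CFG" \
		"$DST_DIR"

	/usr/bin/time -f "you take %E to pack security ramboot image" \
		"$SCRIPTS_DIR/mk-ramdisk.sh" \
		"$DST_DIR/rootfs.$RK_SECURITY_INITRD_TYPE" \
		"$DST_DIR/ramboot.img" "$RK_SECURITY_FIT_ITS"

	ln -rsf "$DST_DIR/ramboot.img" "$RK_FIRMWARE_DIR/boot.img"

	finish_build "$@"
}

# Hooks

#######################################
# Print the commands this hook file provides, one per line.
#######################################
usage_hook()
{
	echo -e "security_check                   \tcheck contidions for security boot"
	echo -e "createkeys                       \tbuild security boot keys"
	echo -e "security_ramboot                 \tbuild security ramboot"
	echo -e "security_uboot                   \tbuild uboot with security"
	echo -e "security_boot                    \tbuild boot with security"
	echo -e "security_recovery                \tbuild recovery with security"
	echo -e "security_rootfs                  \tbuild rootfs with security"
}

BUILD_CMDS="security_check createkeys security_ramboot security_uboot \
	security_boot security_recovery security_rootfs"

#######################################
# Dispatch a build command.
# Arguments: $1 - command name (defaults to security_ramboot)
# Returns: 0 when RK_SECURITY is not configured; otherwise the status of
#          the dispatched command
#######################################
build_hook()
{
	check_config RK_SECURITY || return 0

	case "${1:-security_ramboot}" in
		security_check) security_check ;;
		createkeys) build_security_keys ;;
		security_ramboot) build_security_ramboot ;;
		security_uboot) "$SCRIPTS_DIR"/mk-loader.sh uboot ;;
		security_boot)
			"$SCRIPTS_DIR"/mk-kernel.sh
			build_security_ramboot
			"$SCRIPTS_DIR"/mk-loader.sh uboot boot
			;;
		security_recovery)
			check_config RK_RECOVERY_CFG || return 0
			"$SCRIPTS_DIR"/mk-recovery.sh
			"$SCRIPTS_DIR"/mk-loader.sh uboot recovery
			;;
		security_rootfs)
			"$SCRIPTS_DIR"/mk-rootfs.sh
			build_security_ramboot
			"$SCRIPTS_DIR"/mk-loader.sh uboot boot
			;;
		*) usage ;;
	esac
}

source "${BUILD_HELPER:-$(dirname "$(realpath "$0")")/../build-hooks/build-helper}"

build_hook "$@"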