1*4882a593Smuzhiyun#!/bin/bash 2*4882a593Smuzhiyun 3*4882a593Smuzhiyunset -e 4*4882a593Smuzhiyun 5*4882a593SmuzhiyunKEYS=avb_keys 6*4882a593SmuzhiyunPRODUCT_ID=0123456789ABCDE 7*4882a593SmuzhiyunSCRIPTS=scripts 8*4882a593SmuzhiyunOUT=out 9*4882a593Smuzhiyun 10*4882a593Smuzhiyunusage() 11*4882a593Smuzhiyun{ 12*4882a593Smuzhiyun echo "$0 [ -n/f/s/d/l/u/h or --su_pswd]" 13*4882a593Smuzhiyun echo " n < Product id > #16 bytes" 14*4882a593Smuzhiyun echo " Generate new AVB keys" 15*4882a593Smuzhiyun echo " f < /path/to/secureboot/private/key >" 16*4882a593Smuzhiyun echo " Config efuse device" 17*4882a593Smuzhiyun echo " Must generated keys [-n] firstly" 18*4882a593Smuzhiyun echo " s Sign file" 19*4882a593Smuzhiyun echo " [ -b < /path/to/boot.img > ]: Sign boot.img" 20*4882a593Smuzhiyun echo " [ -r < /path/to/recovery.img > ]: Sign recovery.img" 21*4882a593Smuzhiyun echo " d Download permanent_attributes.bin to OTP or RPMB" 22*4882a593Smuzhiyun echo " l Lock device" 23*4882a593Smuzhiyun echo " u Unlock device" 24*4882a593Smuzhiyun echo " h Show this context" 25*4882a593Smuzhiyun echo " --su_pswd Set super user password for fastboot" 26*4882a593Smuzhiyun} 27*4882a593Smuzhiyun 28*4882a593SmuzhiyunGenerate_keys() 29*4882a593Smuzhiyun{ 30*4882a593Smuzhiyun # generate config file 31*4882a593Smuzhiyun touch $KEYS/temp.bin 32*4882a593Smuzhiyun echo -n $PRODUCT_ID > $KEYS/product_id.bin 33*4882a593Smuzhiyun # generate test keys 34*4882a593Smuzhiyun openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_prk.pem 35*4882a593Smuzhiyun openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_psk.pem 36*4882a593Smuzhiyun openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_pik.pem 37*4882a593Smuzhiyun openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_puk.pem 38*4882a593Smuzhiyun 39*4882a593Smuzhiyun # generate certificate.bin and metadata 40*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/pik_certificate.bin --subject=avb_keys/temp.bin --subject_key=avb_keys/testkey_pik.pem --subject_is_intermediate_authority --subject_key_version 42 --authority_key=avb_keys/testkey_prk.pem 41*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/psk_certificate.bin --subject=avb_keys/product_id.bin --subject_key=avb_keys/testkey_psk.pem --subject_key_version 42 --authority_key=avb_keys/testkey_pik.pem 42*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/puk_certificate.bin --subject=avb_keys/product_id.bin --subject_key=avb_keys/testkey_puk.pem --usage=com.google.android.things.vboot.unlock --subject_key_version 42 --authority_key=avb_keys/testkey_pik.pem 43*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_metadata --output=avb_keys/metadata.bin --intermediate_key_certificate=avb_keys/pik_certificate.bin --product_key_certificate=avb_keys/psk_certificate.bin 44*4882a593Smuzhiyun 45*4882a593Smuzhiyun # Generate permanent_attributes.bin 46*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_permanent_attributes --output=avb_keys/permanent_attributes.bin --product_id=avb_keys/product_id.bin --root_authority_key=avb_keys/testkey_prk.pem 47*4882a593Smuzhiyun echo "Generate AVB Keys Done!!!" 48*4882a593Smuzhiyun} 49*4882a593Smuzhiyun 50*4882a593Smuzhiyunsigned_image() 51*4882a593Smuzhiyun{ 52*4882a593Smuzhiyun IMAGE=$1 53*4882a593Smuzhiyun echo "Sign ${IMAGE}" 54*4882a593Smuzhiyun SIZE=`ls $OUT/${IMAGE}.img -l | awk '{printf $5}'` 55*4882a593Smuzhiyun echo "image size is ${SIZE}" 56*4882a593Smuzhiyun # At least 68K greater than origin file 57*4882a593Smuzhiyun # Source code (scripts/avbtool) 58*4882a593Smuzhiyun # reserve some memory for (footer + vbmeta struct) 59*4882a593Smuzhiyun # - MAX_VBMETA_SIZE = 64 * 1024 60*4882a593Smuzhiyun # - MAX_FOOTER_SIZE = 4096 61*4882a593Smuzhiyun SIZE=$[(SIZE / 4096 + 18) * 4096] 62*4882a593Smuzhiyun echo "set size to ${SIZE}" 63*4882a593Smuzhiyun python $SCRIPTS/avbtool add_hash_footer --image $OUT/${IMAGE}.img --partition_size ${SIZE} --partition_name ${IMAGE} --key avb_keys/testkey_psk.pem --algorithm SHA512_RSA4096 64*4882a593Smuzhiyun echo "Sign $IMAGE Done" 65*4882a593Smuzhiyun} 66*4882a593Smuzhiyun 67*4882a593SmuzhiyunSign_file() 68*4882a593Smuzhiyun{ 69*4882a593Smuzhiyun while [ $# -gt 1 ] 70*4882a593Smuzhiyun do 71*4882a593Smuzhiyun FILE=$2 72*4882a593Smuzhiyun case $1 in 73*4882a593Smuzhiyun -b) 74*4882a593Smuzhiyun cp $2 $OUT/boot.img 75*4882a593Smuzhiyun signed_image boot 76*4882a593Smuzhiyun VBMETA_CMD="${VBMETA_CMD} --include_descriptors_from_image $OUT/boot.img" 77*4882a593Smuzhiyun ;; 78*4882a593Smuzhiyun -r) 79*4882a593Smuzhiyun cp $2 $OUT/recovery.img 80*4882a593Smuzhiyun signed_image recovery 81*4882a593Smuzhiyun VBMETA_CMD="${VBMETA_CMD} --include_descriptors_from_image $OUT/recovery.img" 82*4882a593Smuzhiyun ;; 83*4882a593Smuzhiyun *) 84*4882a593Smuzhiyun echo "unknown file type" 85*4882a593Smuzhiyun exit -1 86*4882a593Smuzhiyun ;; 87*4882a593Smuzhiyun esac 88*4882a593Smuzhiyun shift 2 89*4882a593Smuzhiyun done 90*4882a593Smuzhiyun 91*4882a593Smuzhiyun echo "Generate vbmeta.img" 92*4882a593Smuzhiyun python $SCRIPTS/avbtool make_vbmeta_image --public_key_metadata $KEYS/metadata.bin ${VBMETA_CMD} --algorithm SHA256_RSA4096 --rollback_index 0 --key $KEYS/testkey_psk.pem --output $OUT/vbmeta.img 93*4882a593Smuzhiyun echo "Genrate vbmeta.img Done" 94*4882a593Smuzhiyun} 95*4882a593Smuzhiyun 96*4882a593SmuzhiyunExpect_cmd_fastboot() 97*4882a593Smuzhiyun{ 98*4882a593Smuzhiyun test -z ${SU_PSWD} && exit -1 99*4882a593Smuzhiyun 100*4882a593Smuzhiyun/usr/bin/expect << EOF 101*4882a593Smuzhiyun set timeout 2 102*4882a593Smuzhiyun spawn sudo ./${SCRIPTS}/fastboot $1 103*4882a593Smuzhiyun expect { 104*4882a593Smuzhiyun "* password for *" {send "${SU_PSWD}\r"; exp_continue;} 105*4882a593Smuzhiyun "OKAY *" {send "fastboot succeed\r"} 106*4882a593Smuzhiyun "rebooting...*" {send "fastboot succeed\r"} 107*4882a593Smuzhiyun default {send_error "expect_timeout 2\n"; exit 1} 108*4882a593Smuzhiyun } 109*4882a593Smuzhiyun expect eof 110*4882a593SmuzhiyunEOF 111*4882a593Smuzhiyun} 112*4882a593Smuzhiyun 113*4882a593SmuzhiyunMake_unlock() 114*4882a593Smuzhiyun{ 115*4882a593Smuzhiyun python $SCRIPTS/avb-challenge-verify.py raw_unlock_challenge.bin $KEYS/product_id.bin # Generate unlock_challenge.bin 116*4882a593Smuzhiyun python $SCRIPTS/avbtool make_atx_unlock_credential --output=unlock_credential.bin --intermediate_key_certificate=$KEYS/pik_certificate.bin --unlock_key_certificate=$KEYS/puk_certificate.bin --challenge=unlock_challenge.bin --unlock_key=$KEYS/testkey_puk.pem 117*4882a593Smuzhiyun} 118*4882a593Smuzhiyun 119*4882a593Smuzhiyunload_su_pswd() 120*4882a593Smuzhiyun{ 121*4882a593Smuzhiyun if [ ! -e $SCRIPTS/.su_pswd ]; then 122*4882a593Smuzhiyun echo "Please set super user password with --su_pswd first" 123*4882a593Smuzhiyun exit 124*4882a593Smuzhiyun fi 125*4882a593Smuzhiyun 126*4882a593Smuzhiyun SU_PSWD=$(cat $SCRIPTS/.su_pswd) 127*4882a593Smuzhiyun} 128*4882a593Smuzhiyun 129*4882a593Smuzhiyuncase $1 in 130*4882a593Smuzhiyun -n) 131*4882a593Smuzhiyun if [ ${#2} != 16 ]; then 132*4882a593Smuzhiyun echo "please input 16 bytes product_id behind -n !" 133*4882a593Smuzhiyun exit 134*4882a593Smuzhiyun fi 135*4882a593Smuzhiyun PRODUCT_ID=$2 136*4882a593Smuzhiyun test -d $KEYS && rm $KEYS -rf 137*4882a593Smuzhiyun mkdir $KEYS 138*4882a593Smuzhiyun Generate_keys 139*4882a593Smuzhiyun ;; 140*4882a593Smuzhiyun -f) 141*4882a593Smuzhiyun if [ $# -lt 2 ]; then 142*4882a593Smuzhiyun usage 143*4882a593Smuzhiyun exit -1 144*4882a593Smuzhiyun fi 145*4882a593Smuzhiyun 146*4882a593Smuzhiyun openssl dgst -sha256 -out $KEYS/permanent_attributes_cer.bin -sign $2 $KEYS/permanent_attributes.bin 147*4882a593Smuzhiyun 148*4882a593Smuzhiyun test -e .setting || touch .setting 149*4882a593Smuzhiyun sed -i "/type=/d" .setting 150*4882a593Smuzhiyun echo "type=efuse" >> .setting 151*4882a593Smuzhiyun ;; 152*4882a593Smuzhiyun -s) 153*4882a593Smuzhiyun if [ $# -lt 3 ]; then 154*4882a593Smuzhiyun usage 155*4882a593Smuzhiyun exit 156*4882a593Smuzhiyun fi 157*4882a593Smuzhiyun 158*4882a593Smuzhiyun shift 1 159*4882a593Smuzhiyun test -d $OUT || mkdir $OUT 160*4882a593Smuzhiyun Sign_file $@ 161*4882a593Smuzhiyun ;; 162*4882a593Smuzhiyun --su_pswd) 163*4882a593Smuzhiyun if [ $# -lt 2 ]; then 164*4882a593Smuzhiyun usage 165*4882a593Smuzhiyun fi 166*4882a593Smuzhiyun echo -n "$2" > $SCRIPTS/.su_pswd 167*4882a593Smuzhiyun ;; 168*4882a593Smuzhiyun -d) 169*4882a593Smuzhiyun load_su_pswd 170*4882a593Smuzhiyun test -e .setting && source .setting || echo "no .setting" 171*4882a593Smuzhiyun Expect_cmd_fastboot "stage ${KEYS}/permanent_attributes.bin" 172*4882a593Smuzhiyun Expect_cmd_fastboot "oem fuse at-perm-attr" 173*4882a593Smuzhiyun if [ "$type" = "efuse" ]; then 174*4882a593Smuzhiyun Expect_cmd_fastboot "stage ${KEYS}/permanent_attributes_cer.bin" 175*4882a593Smuzhiyun Expect_cmd_fastboot "oem fuse at-rsa-perm-attr" 176*4882a593Smuzhiyun fi 177*4882a593Smuzhiyun ;; 178*4882a593Smuzhiyun -l) 179*4882a593Smuzhiyun load_su_pswd 180*4882a593Smuzhiyun Expect_cmd_fastboot "oem at-lock-vboot" 181*4882a593Smuzhiyun Expect_cmd_fastboot "reboot" 182*4882a593Smuzhiyun ;; 183*4882a593Smuzhiyun -u) 184*4882a593Smuzhiyun load_su_pswd 185*4882a593Smuzhiyun Expect_cmd_fastboot "oem at-get-vboot-unlock-challenge" 186*4882a593Smuzhiyun Expect_cmd_fastboot "get_staged raw_unlock_challenge.bin" 187*4882a593Smuzhiyun Make_unlock 188*4882a593Smuzhiyun Expect_cmd_fastboot "stage unlock_credential.bin" 189*4882a593Smuzhiyun Expect_cmd_fastboot "oem at-unlock-vboot" 190*4882a593Smuzhiyun rm raw_unlock_challenge.bin -f 191*4882a593Smuzhiyun rm unlock_challenge.bin -f 192*4882a593Smuzhiyun rm unlock_credential.bin -f 193*4882a593Smuzhiyun Expect_cmd_fastboot "reboot" 194*4882a593Smuzhiyun ;; 195*4882a593Smuzhiyun *) 196*4882a593Smuzhiyun usage 197*4882a593Smuzhiyun ;; 198*4882a593Smuzhiyunesac 199