RT如何生成image
上一篇文章我们介绍了RT的boot流程,今天来介绍下RT如何生成image。生成的image有如下三种类型:
- Normal image
- Signed image
- Encrypted image
生成Normal image
如果芯片secure boot不开启的话,我们只需要根据boot device的类型,给image加上对应的IVT。然后配置对应的boot device,reset后ROM就会自动boot。
给image加上IVT就是一个normal boot的image。
-
使用imgutil.exe给image加IVT
以nand为例,假设我们制作的image的vector table address为0xa000.
命令如下:
'mgutil.exe --combine base_addr=0x8000 ivt_offset=0x400 app_offset=0x2000 image_entry=0xa000 app_file=image.bin ofile=image_IVT.bin has_csf=1'
base_addr:是指生成的image运行时在内存中的起始地址
IVT offset:对nand来说固定为0x400
app_offset:指image相对于base address的偏移值为0x2000,也就是image的运行地址为0xa000,即image的vector table地址
image_entry:可以默认为image vector table address,也可以为image的PC。此处用的是image vector table address -
使用elftosb生成image
Creat bd file(unsigned_bootalbe_image.bd) add IVT for image.
options {
flags = 0x00;
startAddress = 0x20000000;
ivtOffset = 0x400;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
section (0)
{
}
generate ivt_image by using Elftosb utility
elftosb.exe -f imx -V -c unsigned_bootalbe_image.bd -o flashloader_unsigned_20000000.bin flashloader.srec示例中采用了image vector table为0x20000000的image。
- 生成bd file,flags = 0x00表示normal boot image
startAddress为image vector table的地址 - 使用elftob生成image,-c后面的参数为bd文件,-o后跟生成的image,flashloader.srec为bd中变量extern(0)
- 生成bd file,flags = 0x00表示normal boot image
生成signed image
- 使用imgutil.exe
请参阅文末git_hub - 使用elftosb
- Creat bd file(signed_bootalbe_image.bd) add IVT for image.
options {
flags = 0x08;
startAddress = 0x20000000;
ivtOffset = 0x400;
initialLoadSize = 0x2000;
}
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_INSTALL_NOCAK = 23;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
SEC_NOP = 29;
SEC_SET_MID = 30;
SEC_SET_ENGINE = 31;
SEC_INIT = 32;
SEC_UNLOCK = 33;
}
section (
SEC_CSF_HEADER;
Header_Version="4.2",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="X509",
Header_SignatureFormat="CMS") {
}
section (
SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", //"valid file path"
InstallSRK_SourceIndex=0) {
}
section (
SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", //"valid file path"
InstallCSFK_CertificateFormat="x509") { // "x509"
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (
SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem", //"valid file path"
InstallKey_VerificationIndex=0,
InstallKey_TargetIndex=2) {
}
section (
SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0) {
}
section (SEC_SET_ENGINE;
SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}
section (SEC_UNLOCK;
Unlock_Engine = "SNVS", // "SRTC", "CAAM", SNVS and OCOTP
Unlock_features = "ZMK WRITE" // "Refer to Table-24"
)
{
}
2.elftosb跟CST.exe,crts文件夹,keys文件夹处于同一目录
3.generate ivt_image by using Elftosb utility
elftosb.exe -f imx -V -c signed_bootalbe_image.bd -o flashloader_signed_20000000.bin flashloader.srec
生成encrypted image
这里生成的加密的文件指HAB加密文件。
加密的文件流程如下:
1. 给image加上IVT
2. CST给加了IVT的image,进行加密(签名可以同时进行)。加密后生成dek.bin,这个用于解密image
3. 调用板子中的IP对dek.bin加密生成key_blob.bin
4. 将key_blob.bin贴到2中生成的encrypted image的固定位置。2步骤中,tool会提示key_blob存储地址
- image_util
请参考文末git_hub - 使用elftosb
创建如下bd file
options {
flags = 0x0c;
startAddress = 0x400;
ivtOffset = 0x400;
initialLoadSize = 0x1000;
//DCDFilePath = "dcd.bin";
// cstFolderPath = "/Users/nxf38031/Desktop/CSTFolder";
// entryPointAddress = 0x1400;
}
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
}
section (SEC_CSF_HEADER;
Header_Version="4.3",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_CSF_INSTALL_SECRET_KEY;
SecretKey_Name="dek.bin",
SecretKey_Length=128,
SecretKey_VerifyIndex=0,
SecretKey_TargetIndex=0)
{
}
section (SEC_CSF_DECRYPT_DATA;
Decrypt_Engine="DCP",
Decrypt_EngineConfiguration="0", // "valid engine configuration values"
Decrypt_VerifyIndex=0,
Decrypt_MacBytes=16)
{
}
2.使用elftosb生成encrypted image
elftosb.exe -V -f imx -c ..\..\bd_file\imx10xx\imx-semcnor-nonxip-ocram-encrypted.bd -o image\IVT_non_xip_ocram_encrypted.bin ..\..\..\example_images\led_demo_evk_ram_2020a000.srec
3.使用flash loader计算2中的dek.bin,将生成的key_blob.bin烧写到2中制定的blob地址。
本文简单介绍了如何生成normal image、signed image、 encrypted image。。具体的操作步骤请查阅git_hub
elftosb生成image:
https://github.com/ComingGod/Doc/tree/master/RT/Generate_image/elftosb/win/SB_FlexSPI_Nand
image_util生成image:
https://github.com/ComingGod/Doc/tree/master/RT/Generate_image/image_util/CST/enimage/RT512_Nand_Post_silicon
