Because efuse space is limited, Tina supports a keybox Secure Storage function, which is enabled by default. The following describes how to customize, burn and read a keybox.
1 Firmware configuration
Burning a keybox requires secure firmware; the secure firmware is introduced in its own document.
1.1 Keybox_list
U-Boot selects the keys to load into the secure OS according to the keybox_list environment variable. keybox_list is configured in the env file, with key names separated by commas. For example, to add a custom key name:
--- a/device/config/chips/h618/configs/default/env.cfg
+++ b/device/config/chips/h618/configs/default/env.cfg
@@ -13,7 +13,7 @@ mac=
wifi_mac=
bt_mac=
specialstr=
-keybox_list=hdcpkey,widevine
+keybox_list=hdcpkey,widevine,xie
#set kernel cmdline if boot.img or recovery.img has no cmdline we will use this
setargs_nand=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${nand_root} init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1
setargs_mmc=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${mmc_root} rootwait init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1
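Review bot: the hunk edits device/config/chips/h618/configs/default/env.cfg, but the sys_config.fex referenced later for burn_key lives under configs/p2; confirm that the p2 build actually consumes this default env.cfg, otherwise the new entry in `keybox_list=hdcpkey,widevine,xie` never reaches U-Boot. Also note that "xie" must match, character for character, the key name entered later in DragonSN, since U-Boot selects keys to load into the secure OS purely by name.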
1.2 Read Keybox Configuration
Keybox reads use the API provided by Allwinner; a demo that calls this API already ships with Tina. Reading the keybox must go through a TA/CA pair.
CA: the Linux-side (normal-world) application. Like any other application it is simple to build; it only needs to link against the library provided by optee-client.
TA: the secure-world application. Building it requires the TA dev-kit.
The optee-helloworld example can be used to confirm that the TA/CA environment works.
Enable the required packages in the defconfig and check that the modification took effect:
$ git diff target/allwinner/h618-p2/defconfig
diff --git a/target/allwinner/h618-p2/defconfig b/target/allwinner/h618-p2/defconfig
index c6c47b5f4..d3b2737eb 100755
--- a/target/allwinner/h618-p2/defconfig
+++ b/target/allwinner/h618-p2/defconfig
@@ -4232,10 +4232,10 @@ CONFIG_PACKAGE_wpa_supplicant_rtl=y
#
# CONFIG_PACKAGE_optee-aes-hmac is not set
# CONFIG_PACKAGE_optee-base64 is not set
-# CONFIG_PACKAGE_optee-client is not set
-# CONFIG_PACKAGE_optee-efuse-read is not set
-# CONFIG_PACKAGE_optee-helloworld is not set
-# CONFIG_PACKAGE_optee-os-dev-kit is not set
+CONFIG_PACKAGE_optee-client=y
+CONFIG_PACKAGE_optee-efuse-read=y
+CONFIG_PACKAGE_optee-helloworld=y
+CONFIG_PACKAGE_optee-os-dev-kit=y
# CONFIG_PACKAGE_optee-rotpk is not set
# CONFIG_PACKAGE_optee-secure-storage is not set
# CONFIG_PACKAGE_optee-test is not set
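Review bot: optee-helloworld is enabled here only to sanity-check the TA/CA environment, and optee-efuse-read is a demo that dumps key material to the log; both are built into the image from this defconfig, so drop them (or keep them in a debug-only config) before the image is treated as production secure firmware. Minor: the index line shows target/allwinner/h618-p2/defconfig as mode 100755; a defconfig has no reason to be executable.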
Add a dev_kit matching the platform version:
$ cd package/security/optee-os-dev-kit/dev_kit/
$ cp -rp arm-plat-sun50iw1p1 arm-plat-sun50iw9p1
For optee-efuse-read to read the keybox and print it, the original demo has to be modified to enlarge the buffer used for the keybox read and print. The following modifications were made during testing, for reference:
--- a/package/security/optee-efuse-read/src/ta/efuse_read_demo_ta.c
+++ b/package/security/optee-efuse-read/src/ta/efuse_read_demo_ta.c
@@ -96,13 +96,16 @@ TEE_Result TA_InvokeCommandEntryPoint(void *pSessionContext,
memcpy(keyname,"testkey",sizeof("testkey"));
keyname[49]=0;
}
- i = utee_sunxi_keybox((const char*)keyname, rdbuf, 16);
+ printf("keyname: %s \n",keyname);
+ i = utee_sunxi_keybox((const char*)keyname, rdbuf, 128);
if (i != TEE_SUCCESS) {
printf("read key:%s from keybox failed with:%d\n",keyname,i);
return i;
} else {
- i = utee_sunxi_read_efuse("oem_secure", &rd_len,
- rdbuf + 16);
+ printf("keybox:\n");
+ dump(rdbuf, 128);
+ i = utee_sunxi_read_efuse("widevine", &rd_len,
+ rdbuf + 128);
if (i == TEE_SUCCESS) {
printf("read result:\n");
dump(rdbuf, rd_len + 16);
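Review bot: the unchanged `dump(rdbuf, rd_len + 16);` in the else branch is now wrong. The efuse result is written at `rdbuf + 128`, but the dump still starts at `rdbuf` and stops after `rd_len + 16` bytes, so it prints keybox bytes again and cuts the efuse data off; use `dump(rdbuf + 128, rd_len);`. Also check that rdbuf is actually sized for 128 bytes plus the efuse read, since the hunk shows neither its declaration nor a bound on rd_len, and remember that `dump(rdbuf, 128);` writes the raw keybox contents to the TEE log: acceptable for this test, but it must not survive into the production TA.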
dump(): the hexadecimal printing function that comes with the demo.
Parameters of the write (burn) interface:
write_len: length of the data to be burned, in bytes.
wr_buf: buffer holding the data to be burned; its length must be greater than or equal to write_len.
Return value:
0: success
Other: failure
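The demo modification above hardcodes the keybox read length (16, then 128) and prints the key bytes. The following C is an added example, not the demo's code and not Allwinner's utee_sunxi_keybox() API: it shows how a TA command handler can bound the key name and the output buffer, report the required size instead of overrunning, log only lengths, and wipe the key afterwards. The in-memory keybox (g_keybox, with sample bytes for "hdcpkey" and "xie"), backend_read() and the KB_* return codes are constructed stand-ins for secure storage and for TEE_Result; they are assumptions of this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for this example only; they are not the TEE_Result values
 * used by Allwinner's utee_sunxi_keybox(). */
#define KB_OK            0
#define KB_ERR_BAD_NAME  1
#define KB_ERR_NOT_FOUND 2
#define KB_ERR_SHORT_BUF 3

#define KEYNAME_MAX 49   /* the demo keeps the name in a 50-byte array and forces keyname[49] = 0 */
#define KEYBOX_MAX  128  /* largest read the modified demo issues */

/* Constructed in-memory keybox standing in for secure storage (sample bytes,
 * not real keys). In the real TA the backend is utee_sunxi_keybox(). */
struct kb_entry { const char *name; const uint8_t *data; size_t len; };

static const uint8_t k_hdcpkey[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
static const uint8_t k_xie[32] = {
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
    0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
    0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf };

static const struct kb_entry g_keybox[] = {
    { "hdcpkey", k_hdcpkey, sizeof k_hdcpkey },
    { "xie",     k_xie,     sizeof k_xie },
};

/* Stand-in backend: reports the key's full length; copies only if it fits. */
static int backend_read(const char *name, uint8_t *out, size_t cap, size_t *full_len)
{
    for (size_t i = 0; i < sizeof g_keybox / sizeof g_keybox[0]; i++) {
        if (strcmp(name, g_keybox[i].name) != 0)
            continue;
        *full_len = g_keybox[i].len;
        if (cap < g_keybox[i].len)
            return KB_ERR_SHORT_BUF;
        memcpy(out, g_keybox[i].data, g_keybox[i].len);
        return KB_OK;
    }
    return KB_ERR_NOT_FOUND;
}

/* Overwrite key material once the caller is done; the volatile pointer keeps
 * the compiler from discarding the stores as dead. */
void keybox_wipe(uint8_t *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--)
        *p++ = 0;
}

/* Bounded keybox read as a TA command handler would do it: the name arrives
 * with an explicit length (a CA memref is not NUL-terminated), the output
 * buffer is never overrun, and only lengths, never key bytes, reach the log. */
int keybox_read_safe(const char *name, size_t name_len,
                     uint8_t *out, size_t out_cap, size_t *out_len)
{
    char keyname[KEYNAME_MAX + 1];
    size_t full = 0;
    int rc;

    *out_len = 0;
    if (name == NULL || out == NULL || name_len == 0 || name_len > KEYNAME_MAX)
        return KB_ERR_BAD_NAME;
    /* Names are matched against keybox_list and echoed into logs, so accept
     * only the characters such names are made of. */
    for (size_t i = 0; i < name_len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return KB_ERR_BAD_NAME;
    }
    memcpy(keyname, name, name_len);
    keyname[name_len] = '\0';

    if (out_cap > KEYBOX_MAX)
        out_cap = KEYBOX_MAX;
    rc = backend_read(keyname, out, out_cap, &full);
    if (rc == KB_ERR_SHORT_BUF) {
        *out_len = full;   /* tell the caller the size it needs; nothing was copied */
        printf("keybox: key %s needs %zu bytes, buffer has %zu\n", keyname, full, out_cap);
        return rc;
    }
    if (rc != KB_OK) {
        printf("keybox: read key %s failed with %d\n", keyname, rc);
        return rc;
    }
    *out_len = full;
    printf("keybox: read key %s (%zu bytes)\n", keyname, full);
    return KB_OK;
}

int main(void)
{
    uint8_t buf[KEYBOX_MAX];
    size_t n;
    int rc = keybox_read_safe("xie", 3, buf, sizeof buf, &n);
    /* the key would be handed to a crypto routine inside the TA here */
    keybox_wipe(buf, sizeof buf);
    keybox_read_safe("xie", 3, buf, 16, &n);   /* too small: reports the needed 32 bytes */
    return rc == KB_OK ? 0 : 1;
}
```

The same shape applies when the caller is a CA passing a TEEC memref: the handler sizes its copy from the parameter's own length field, returns the required length on KB_ERR_SHORT_BUF so the CA can retry with a larger buffer, and wipes the stack copy before returning.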
1.3 Compile the secure firmware
Configure the burn_key property
Set burn_key to 1 so that the device accepts the information sent by DragonSN over USB and performs the corresponding burning. This property is in longan/device/config/chips/h618/configs/p2/sys_config.fex, under the [target] section, as shown in the figure. If it is not explicitly configured it is treated as burn_key = 0.
The keybox is burned in the same way as the rotpk: through the PC-side tool DragonSN. DragonSN communicates with the device over USB and directs the device to burn the specified keybox data. The burning steps are as follows:
Open DragonSN.
Select the key configuration with the mouse.
Click OK (确定).
Right-click an entry in the list to delete an unwanted configuration.
Add a configuration.
The detailed key configuration is as follows: the key name is the name you added to keybox_list.
Click OK to add it.
After adding, return to the main interface of the burning tool.
Select the key file to burn.
After confirming the selected file, choose the configuration: erase before burning, and shut down after programming. Outside production, do not choose automatic burning, to avoid burning by mistake.
After the board is powered on, the interface looks as follows:
Click Write.
Burning in progress.
Programming complete.
Remember to close the tool when finished, so that the board is not recognized and burned again after it restarts.