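ZHCABI4 January 2022 TDA4VM, TDA4VM-Q1
The SBL (secondary bootloader) is loaded by the MCU R5F ROM and authenticated by the DMSC. The MCU R5F runs this code and starts the boot flow for the other cores. Use the following commands to build the signed SBL for HS devices.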
# cd ~/ti-processor-sdk-rtos-j721e-evm-07_01_00_11/pdk_jacinto_07_01_00_45/packages/ti/build
# make -j BOARD=j721e_evm CORE=mcu1_0 BUILD_PROFILE=release sbl_mmcsd_img_hs
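# ls ${PSDKRA_PATH}/pdk/packages/ti/boot/sbl/binary/j721e_evm_hs/mmcsd/bin/sbl_mmcsd_img_mcu1_0_release.tiimage
The default makefile only signs the SBL and does not encrypt it. Apply the following patch and rebuild SBL_HS to obtain an SBL image that is both signed and encrypted.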
diff --git a/packages/ti/build/makerules/common.mk b/packages/ti/build/makerules/common.mk
index f56e069..e9ec0d9 100644
--- a/packages/ti/build/makerules/common.mk
+++ b/packages/ti/build/makerules/common.mk
@@ -635,7 +635,7 @@ else ifeq ($(SOC),$(filter $(SOC), am65xx am64x j721e j7200))
$(CHMOD) a+x $(SBL_CERT_GEN)
endif
- $(SBL_CERT_GEN) -b $(SBL_BIN_PATH) -o $(SBL_TIIMAGE_PATH) -c R5 -l $(SBL_RUN_ADDRESS) -k $($(APP_NAME)_SBL_CERT_KEY) -d DEBUG -j DBG_FULL_ENABLE -m $(SBL_MCU_STARTUP_MODE)
+ $(SBL_CERT_GEN) -b $(SBL_BIN_PATH) -o $(SBL_TIIMAGE_PATH) -c R5 -l $(SBL_RUN_ADDRESS) -k $($(APP_NAME)_SBL_CERT_KEY) -y ENCRYPT -e $(SBL_ENCRYPT_KEY_HS) -d DEBUG -j DBG_FULL_ENABLE -m $(SBL_MCU_STARTUP_MODE)
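Review bot: On the changed `$(SBL_CERT_GEN)` line, `-y ENCRYPT -e $(SBL_ENCRYPT_KEY_HS)` is passed unconditionally for every SoC matched by the `am65xx am64x j721e j7200` filter, with no check that `SBL_ENCRYPT_KEY_HS` is defined. If the variable is empty, `-e` is followed directly by `-d` and the script receives a shifted argument list. Suggest guarding the two new options with `ifneq ($(SBL_ENCRYPT_KEY_HS),)`, or stopping the build with `$(error ...)` when the key is not set, so the signed-only path keeps working. The line also still passes `-d DEBUG -j DBG_FULL_ENABLE` next to the encryption options; making the debug setting a variable would let an encrypted image be built without it.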
diff --git a/packages/ti/build/makerules/platform.mk b/packages/ti/build/makerules/platform.mk
index cc6b905..381f1dd 100644
--- a/packages/ti/build/makerules/platform.mk
+++ b/packages/ti/build/makerules/platform.mk
@@ -200,7 +200,7 @@ endif
export SBL_CERT_KEY=$(ROOTDIR)/ti/build/makerules/rom_degenerateKey.pem
-
+export SBL_ENCRYPT_KEY_HS=~/TIDummyKey/smek.txt
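Review bot: The added `export SBL_ENCRYPT_KEY_HS=~/TIDummyKey/smek.txt` hardcodes a per-user home path, unlike `SBL_CERT_KEY` on the context line above it, which is rooted at `$(ROOTDIR)`. make does not expand `~` inside a variable value, so the exported variable holds a literal `~` and only resolves where the shell expands it as an unquoted word. Suggest `SBL_ENCRYPT_KEY_HS ?= $(HOME)/TIDummyKey/smek.txt` followed by `export SBL_ENCRYPT_KEY_HS`, so the key location can be overridden from the environment or the make command line, plus a comment saying that this path is the TI dummy key.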
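With the makefile changes and build command above, the build first generates the GP SBL binary, then signs and encrypts it with the TI dummy key. In addition, while building SBL_HS, it also signs the board configuration, the security configuration, RM (resource management) and PM (power management), and then integrates them into the SBL. Finally, the SBL can be authenticated and decrypted by an HS-SE-TIDK device.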
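Before you start encrypting the binary, note that there is a known bug in SDK 8.0 and earlier SDK versions. Apply the following patch first, and then encrypt the binary.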
diff --git a/packages/ti/build/makerules/x509CertificateGen.sh b/packages/ti/build/makerules/x509CertificateGen.sh
index 20fe23b..4c906e5 100755
--- a/packages/ti/build/makerules/x509CertificateGen.sh
+++ b/packages/ti/build/makerules/x509CertificateGen.sh
@@ -116,7 +116,7 @@ image_encrypt() {
truncate -s %16 enc_tmp.bin
xxd -r -p $ENC_RS enc_rs.bin
cat enc_tmp.bin enc_rs.bin > enc_bin_rs.bin
- ENC_BIN=$CERT_SIGN"-ENC-"$BIN
+ ENC_BIN=$BIN"-ENC-"$CERT_SIGN
echo "$ENC_BIN"
if [ "$IMG_ENC" == "ENCRYPT" ];then
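Review bot: The changed `ENC_BIN=$BIN"-ENC-"$CERT_SIGN` line in `image_encrypt()` swaps the order of the name components with no comment saying why the order matters, so the next edit could easily swap it back. Suggest a one-line comment stating the expected output name, and writing the assignment as `ENC_BIN="${BIN}-ENC-${CERT_SIGN}"` for readability. Separately, the context lines write to fixed names (`enc_tmp.bin`, `enc_rs.bin`, `enc_bin_rs.bin`); since the documented build uses `make -j`, two images encrypted in the same directory at once would overwrite each other's intermediates, so a `mktemp`-based working directory would be safer. The `==` inside `[ ... ]` on the last context line is a bash extension and needs the script to run under bash.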