Skip to content

qualcomm-linux/qcom-sec-tools-wrapper

qcom-sec-tools-wrapper

Qualcomm sectools wrapper scripts to support key generation, signing images, blowing fuses and generating capsules for production devices.

Requirements

Preparation

  • Download and extract all required packages:
$ mkdir qcom-secure && cd qcom-secure
$ export WORKDIR=${PWD}

# sectools
$ wget https://softwarecenter.qualcomm.com/api/download/software/tools/Qualcomm_Security_Tools/All/1.45.0/1.45.zip
$ unzip 1.45.zip -d sectoolsv2_1.45
$ chmod +x sectoolsv2_1.45/Linux/sectools

# qcom-sec-tools-wrapper
$ git clone --recurse-submodules git@github.com:qualcomm-linux/qcom-sec-tools-wrapper.git
  • Download the image files, boot binaries and hardware security profile to the working directory:

Hardware boot binaries Hardware Security Profile* - tbd

  • Set the environment:
$ export SECTOOL=${WORKDIR}/sectoolsv2_1.45/Linux/sectools
$ export SECTOOL_SCRIPTS=${WORKDIR}/qcom-sec-tools-wrapper
$ export SEC_PROFILE=${WORKDIR}/<hardware>_security_profile.xml

Usage

Generating Keys

Run the genkeys.sh script in the working directory, providing the Firmware Management Protocol (FMP) key password. This generates the OEM-KEYS folder with the new certs.

$ ${SECTOOL_SCRIPTS}/genkeys.sh \
    --fmp-key-password <fmp-key-password>

$ export KEYS_PATH=${WORKDIR}/OEM-KEYS/
$ export FMP_PATH=${WORKDIR}/OEM-KEYS/demoCA

TIP: A Dockerfile is available to allow running genkeys.sh without installing OpenSSL locally:

$ docker build -t genkeys:latest .
$ docker run --rm -it -v $(pwd)/OEM-KEYS:/src/OEM-KEYS genkeys:latest

Signing Images

Run the signimages.sh script in the working directory, providing the --uefi-keys-path to a folder containing DB.key and DB.crt used for signing. It recursively looks into --out-dir (default to ${PWD}) for .mbn/.elf files to sign.

$ ${SECTOOL_SCRIPTS}/signimages.sh \
    --keys-path ${KEYS_PATH} \
    --sectoolv2 ${SECTOOL} \
    --security-profile ${SEC_PROFILE} \
    --uefi-keys-path ${WORKDIR}/lmp-manifest/conf/keys/uefi/ \
    --out-dir ${WORKDIR}/<image-files>

TODO avoid lmp mentions

Securing the Hardware

Run the secure.sh script in the working directory. This generates a signed sec.elf image used to blow the fuses and secure the hardware.

WARNING: Blowing fuses is an irreversible step and can only be performed once. Only signed images can boot after securing the hardware, so it is not recommended to blow the fuses on development devices. Proceed with caution.

$ sudo ${SECTOOL_SCRIPTS}/secure.sh \
    --keys-path ${KEYS_PATH} \
    --fmp-path ${FMP_PATH} \
    --sectoolv2 ${SECTOOL} \
    --security-profile ${SEC_PROFILE} \
    --create-sec-elf --fuse-oem-hw-id 0x<HWID> --fuse-oem-product-id 0x<PID> \
    --uefi-keys-path ${WORKDIR}/lmp-manifest/conf/keys/uefi/

TODO get links for hwid and pid

Provide the sec.elf to the program file:

$ sed -i '/secdata/s/filename=""/filename="sec.elf"/g' rawprogram4.xml 

TODO steps to boot

Generating Capsule

TODO gencapsule.sh

License

This project is licensed under The Clear BSD License. See LICENSE for the full text.

About

Shell tooling around Qualcomm's secure boot flow - generate OEM keys, sign images, provision fuses, and build UEFI update capsules.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors