rk3399_android7.1关于secureboot操作说明-csdn
概念
Secure boot mechanism is for verifying firmware validity, which aims to prevent invalid firmware upgrade and booting.
The device which had programmed eFuse will enable secure boot ROM, and could not boot from the un-signed firmware. So trying to upgrade un-signed firmware or unmatched key signed firmware will fail.
Features of secure boot:
- Support secure boot ROM
- Support SHA256
- Support RSA2048
- Support eFuse hash to verify public key
使用到的工具
- MiniloaderV2.19 or the latest revision
- Uboot V2.17or the latest revision
- Efuse tool V1.35 or the latest revision
- SecureBootTool 1.79 or the latest revision
- RKBatchTool 1.8 or the latest revision(deprecated, Use FactoryTool instead)
- FactoryTool 1.39 or the latest revision
rk3399 硬件电路支持
Rockchip_RK3399_Introduction_Efuse_Operation_EN.pdf
Rockchip_Developer_Guide_Secure_Boot_Application_Note_EN.pdf
Secure Boot Sequence
MaskRom Boot to the First Loader (RKminiLoader/U-Boot)
eFuse Layout
Overall Operation Flow
Make Update.img
- 正常编译
- /mkimage.sh ota
- SecureBootTool.exe generates RSA key
- Save RSA key
- Loading RSA key
- Sign Firmware
Programming eFuse
For Rockchip AP series, there are two ways to program user secure data. One is “eFuse programming”, the other is “OTP programming”(only few chips support). Following is the introduction.
eFuse Programming
RK3126, RK3128, RK3228, RK3229, RK3288, RK3368 and RK3399 support eFuse programming, following is the general requirements:
- If products do not need eFuse data programming, we advise to connect eFuse Power Pin directly to GND. Avoiding eFuse data change caused by misoperation. (RK3126/RK3126C eFuse Power Pin is reused with SARADC function, so that it would not to be grounded.)
- If products need eFuse programming, then connect a pull down resistance to GND on eFuse Power Pin, to make sure that eFuse power pin doesn’t fluctuate in normal work condition. also to avoid eFuse data change caused by misoperation. This pull-down resistance value, please refer to each chip platform’s reference schematics, generally it’s at a range of 47Ω-10KΩ.
- There are two types of power supply for eFuse programming:
- Electronic circuit introduction:
OTP Programming
RK3328 and RK3228H support OTP programming mode, this mode is no need external power supply circuit, OTP_VCC18(PIN16) is always powered by VCC_18. you only need to run the special time sequence for OTP programming, not need the additional changes aboout hardware.
Efuse Tools
烧录efuse到板子,加载的是2生成的签名固件update_sign.img,注意是在maskrom模式下烧录efuse
FactoryTool
升级签名固件
SecureCRT
串口工具抓取日志看是否成功
设备已编程eFuse将启用安全启动rom,无法从未签名的固件启动。因此,尝试升级未签名固件或不匹配的密钥签名固件将会失败; 升级匹配的签名固件将引导成功。
