RT如何生成image

目录

• 生成Normal image
• 生成signed image
• 生成encrypted image

上一篇文章我们介绍了RT的boot流程，今天来介绍下RT如何生成image。生成的image有如下三种类型：

• Normal image
• Signed image
• Encrypted image

生成Normal image

如果芯片secure boot不开启的话，我们只需要根据boot device的类型，给image加上对应的IVT。然后配置对应的boot device，reset后ROM就会自动boot。
给image加上IVT就是一个normal boot的image。

1. 使用imgutil.exe给image加IVT
   以nand为例，假设我们制作的image的vector table address为0xa000.
   命令如下：
   'mgutil.exe --combine base_addr=0x8000 ivt_offset=0x400 app_offset=0x2000 image_entry=0xa000 app_file=image.bin ofile=image_IVT.bin has_csf=1'
   base_addr：是指生成的image运行时在内存中的起始地址
   IVT offset：对nand来说固定为0x400
   app_offset：指image相对于base address的偏移值为0x2000，也就是image的运行地址为0xa000，即image的vector table地址
   image_entry：可以默认为image vector table address，也可以为image的PC。此处用的是image vector table address

2. 使用elftosb生成image

   Creat bd file(unsigned_bootalbe_image.bd) add IVT for image.
   options {
   flags = 0x00;
   startAddress = 0x20000000;
   ivtOffset = 0x400;
   initialLoadSize = 0x2000;
   }
   sources {
   elfFile = extern(0);
   }
   section (0)
   {
   }
   generate ivt_image by using Elftosb utility
   elftosb.exe -f imx -V -c unsigned_bootalbe_image.bd -o flashloader_unsigned_20000000.bin flashloader.srec

   示例中采用了image vector table为0x20000000的image。

   1. 生成bd file，flags = 0x00表示normal boot image
      startAddress为image vector table的地址
   2. 使用elftob生成image，-c后面的参数为bd文件，-o后跟生成的image，flashloader.srec为bd中变量extern(0)

生成signed image

1. 使用imgutil.exe
   请参阅文末git_hub
2. 使用elftosb

1. Creat bd file(signed_bootalbe_image.bd) add IVT for image.
   options {
   flags = 0x08;
   startAddress = 0x20000000;
   ivtOffset = 0x400;
   initialLoadSize = 0x2000;
   }
   sources {
   elfFile = extern(0);
   }
   constants {
   SEC_CSF_HEADER = 20;
   SEC_CSF_INSTALL_SRK = 21;
   SEC_CSF_INSTALL_CSFK = 22;
   SEC_CSF_INSTALL_NOCAK = 23;
   SEC_CSF_AUTHENTICATE_CSF = 24;
   SEC_CSF_INSTALL_KEY = 25;
   SEC_CSF_AUTHENTICATE_DATA = 26;
   SEC_CSF_INSTALL_SECRET_KEY = 27;
   SEC_CSF_DECRYPT_DATA = 28;
   SEC_NOP = 29;
   SEC_SET_MID = 30;
   SEC_SET_ENGINE = 31;
   SEC_INIT = 32;
   SEC_UNLOCK = 33;
   }
   section (
   SEC_CSF_HEADER;
   Header_Version="4.2",
   Header_HashAlgorithm="sha256",
   Header_Engine="DCP",
   Header_EngineConfiguration=0,
   Header_CertificateFormat="X509",
   Header_SignatureFormat="CMS") {
   }
   section (
   SEC_CSF_INSTALL_SRK;
   InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", //"valid file path"
   InstallSRK_SourceIndex=0) {
   }
   section (
   SEC_CSF_INSTALL_CSFK;
   InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", //"valid file path"
   InstallCSFK_CertificateFormat="x509") { // "x509"
   }
   section (SEC_CSF_AUTHENTICATE_CSF)
   {
   }
   section (
   SEC_CSF_INSTALL_KEY;
   InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem", //"valid file path"
   InstallKey_VerificationIndex=0,
   InstallKey_TargetIndex=2) {
   }
   section (
   SEC_CSF_AUTHENTICATE_DATA;
   AuthenticateData_VerificationIndex=2,
   AuthenticateData_Engine="DCP",
   AuthenticateData_EngineConfiguration=0) {
   }
   section (SEC_SET_ENGINE;
   SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
   SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
   SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
   {
   }
   section (SEC_UNLOCK;
   Unlock_Engine = "SNVS", // "SRTC", "CAAM", SNVS and OCOTP
   Unlock_features = "ZMK WRITE" // "Refer to Table-24"
   )
   {
   }
   2.elftosb跟CST.exe,crts文件夹，keys文件夹处于同一目录
   3.generate ivt_image by using Elftosb utility
   elftosb.exe -f imx -V -c signed_bootalbe_image.bd -o flashloader_signed_20000000.bin flashloader.srec

生成encrypted image

这里生成的加密的文件指HAB加密文件。
加密的文件流程如下：
1. 给image加上IVT
2. CST给加了IVT的image，进行加密(签名可以同时进行)。加密后生成dek.bin，这个用于解密image
3. 调用板子中的IP对dek.bin加密生成key_blob.bin
4. 将key_blob.bin贴到2中生成的encrypted image的固定位置。2步骤中，tool会提示key_blob存储地址

1. image_util
   请参考文末git_hub
2. 使用elftosb

创建如下bd file
options {
flags = 0x0c;
startAddress = 0x400;
ivtOffset = 0x400;
initialLoadSize = 0x1000;
//DCDFilePath = "dcd.bin";
// cstFolderPath = "/Users/nxf38031/Desktop/CSTFolder";
// entryPointAddress = 0x1400;
}
sources {
elfFile = extern(0);
}
constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
}
section (SEC_CSF_HEADER;
Header_Version="4.3",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}
section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}
section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}
section (SEC_CSF_INSTALL_SECRET_KEY;
SecretKey_Name="dek.bin",
SecretKey_Length=128,
SecretKey_VerifyIndex=0,
SecretKey_TargetIndex=0)
{
}
section (SEC_CSF_DECRYPT_DATA;
Decrypt_Engine="DCP",
Decrypt_EngineConfiguration="0", // "valid engine configuration values"
Decrypt_VerifyIndex=0,
Decrypt_MacBytes=16)
{
}
2.使用elftosb生成encrypted image
elftosb.exe -V -f imx -c ....d_fileimx10xximx-semcnor-nonxip-ocram-encrypted.bd -o imageIVT_non_xip_ocram_encrypted.bin ......example_imagesled_demo_evk_ram_2020a000.srec
3.使用flash loader计算2中的dek.bin，将生成的key_blob.bin烧写到2中制定的blob地址。

---

本文简单介绍了如何生成normal image、signed image、 encrypted image。。具体的操作步骤请查阅git_hub
elftosb生成image：
https://github.com/ComingGod/Doc/tree/master/RT/Generate_image/elftosb/win/SB_FlexSPI_Nand
image_util生成image：
https://github.com/ComingGod/Doc/tree/master/RT/Generate_image/image_util/CST/enimage/RT512_Nand_Post_silicon