Professional Documents
Culture Documents
MT7986 Secure Boot Quick Start 20220126 v1.2
MT7986 Secure Boot Quick Start 20220126 v1.2
MT7986 Secure Boot Quick Start 20220126 v1.2
Use
z.c al
tws enti
om
ng@ nfid
MT7986 Secure Boot Quick Start Guide
gyo Co
din Tek
2022/1/26
ang edia
M
z.c al
tws enti
om
Version Date Author (Optional) Description
0.1 2021-8-13 Alvin Kuo Initial draft
ng@ nfid
1.0 2021-10-28 Micheal Su Official release
1.1 2022-1-19 Micheal Su Update how to get mbedtls-mbedtls-2.24.0 source
code
gyo Co
1.2 2022-1-26 Roy Wen Modify cmd to compile FIP image
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 2
CONFIDENTIAL C
Use
Glossary
z.c al
tws enti
• ATF: Arm Trusted Firmware, include below stage:
om
– BL1: Boot Loader stage 1 (BL1) AP Trusted ROM
ng@ nfid
– BL2: Boot Loader stage 2 (BL2) Trusted Boot Firmware (ex: preloader, SPL)
– BL32: Boot Loader stage 3-1 (BL3-1) Secure Monitor
– BL33: Boot Loader stage 3-3 (BL3-3) Non-trusted Firmware (ex: Uboot)
gyo Co
• BL: Boot Loader
• COT: Chain of Trust
din Tek
• EL: Exception Level
• FIP: Firmware Image Package ang edia
• FIT: Flattened Image Tree
• ROT: Root of Trust
M
• SMC: Secure Monitor Call
• TEE: Trusted Execution Environment
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 3
CONFIDENTIAL C
Use
Secure Boot SDK Package
z.c al
tws enti
• Secure boot SDK
om
– ATF
ng@ nfid
- atf/
– Uboot-Upstream
gyo Co
- Uboot-upstream/
– OpenWRT
din Tek
- openwrt/
– Tools
- tools/mbedtls-2.24.0/
ang edia
– Document
- MT7986 Secure boot Quick Start Guide
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 4
CONFIDENTIAL C
Use
Secure Boot Introduction
z.c al
tws enti
om
Boot flow
Flash Partition ROM 1. Secure boot check BL2 image
0x000000
ng@ nfid
BL2 1. DDR calibration
0x100000 ATF BL2 2. Flash initialization
u-boot-env 3. Secure boot check FIP image
gyo Co
0x180000
Factory 1. EL3 runtime firmware (secure monitor)
0x380000 ATF BL31 2. Handle SMC call
din Tek
FIP Uboot
1.
2.
Non-Secure world Boot Loader
Flash initialization
3. Ethernet initialization
0x580000 ang edia (ATF BL33) 4. Secure boot check Linux Kernel
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 5
CONFIDENTIAL C
Use
Chain of Trust Flow
z.c al
tws enti
om
BROM secure boot
Efuse ATF trusted board boot
Boot ROM Uboot FIT signature verify
ng@ nfid
BL2 PKEY HASH
gyo Co
NON-TRUSTED
ROT PKEY
WORD PKEY
BL2 HDR BL2 PKEY
BL31 Kernel & DTB
CONT PKEY BL31 KEY CERT
BL33 Script ROOT HASH
BL2 BL33 KEY CERT
din Tek
CONT PKEY
ROT PKEY HASH FIT SIG
BL31 CONT CERT BL31 HASH
BL2 SIG
ang edia BL33 CONT CERT BL33 HASH
BL33
M
FIT PKEY
To learn more about Authentication Framework & Chain of Trust, check out below link:
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/design/auth-framework.rst
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 6
CONFIDENTIAL C
Use
Host machine setup -- toolchain
z.c al
tws enti
• Please reference below link to install toolchain
om
• https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/gcc-aarch64-linux-gnu_7.3.0-
ng@ nfid
3ubuntu2_amd64.deb.html
• After install complete, check the toolchain version below:
gyo Co
user@server:~/SecureBoot/pre-release_for_eth/Uboot-upstream$ /usr/bin/aarch64-linux-gnu-gcc --version
aarch64-linux-gnu-gcc (Ubuntu/Linaro 7.4.0-1ubuntu1~18.04.1) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
din Tek
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 7
CONFIDENTIAL C
Use
Compile Environment Preparation
z.c al
tws enti
• Setup environment in current working directory
om
– ATF/Uboot-upstream
ng@ nfid
- tar -Jxvf atf.tar.xz
- tar -Jxvf Uboot-upstream.tar.xz
gyo Co
• Openwrt
– git clone --branch openwrt-21.02 https://git.openwrt.org/openwrt/openwrt.git
din Tek
– tar -Jxvf mtk-wifi-mt7986.tar.xz
– cp -rf mtk-wifi-mt7986/* openwrt/ ang edia
– cd openwrt/
– echo "src-git mtk_openwrt_feed https://git01.mediatek.com/openwrt/feeds/mtk-openwrt-
feeds" >> feeds.conf.default
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 8
CONFIDENTIAL C
Use
Compile Environment Preparation
z.c al
tws enti
• mbedtls-2.24.0
om
– Get mbedtls-2.24.0 from https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
(Note: get newest version by git clone https://github.com/ARMmbed/mbedtls.git )
ng@ nfid
– cd ./../
– mkdir tools
gyo Co
– cd tools
– tar -xvf mbedtls-2.24.0.tar.gz
• sign key (reference “Host Machine Generate Keys” page)
din Tek
– cd ./../
– mkdir keys ang edia
– cd keys
– openssl genrsa -out bl2_private_key.pem 2048
– openssl genrsa -out fip_private_key.pem 2048
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 9
CONFIDENTIAL C
Use
Compile Environment Preparation
z.c al
tws enti
• The working directory should include below folders after setup environment
om
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 10
CONFIDENTIAL C
Use
Host Machine Generate Keys
z.c al
tws enti
•
om
There are 3 keys for secure boot
– BROM_KEY was used by BROM to verify BL2 image.
ng@ nfid
– ROT_KEY was used by BL2 to verify FIP Image
– FIT_KEY was used by Uboot to verify FIT Image
gyo Co
• How to generate keys (using openssl)
- mkdir keys BROM_KEY ROT_KEY FIP
- cd keys BROM BL2
din Tek
FIT_KEY
– BROM_KEY (private)
Uboot Kernel
- openssl genrsa -out bl2_private_key.pem 2048
ang edia
– ROT_KEY (private)
- openssl genrsa -out fip_private_key.pem 2048
– FIT_KEY (private and public)
M
- openssl genrsa -F4 -out fit_key.key 2048
- openssl req -batch -new -x509 -key fit_key.key -out fit_key.crt
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 11
CONFIDENTIAL C
Use
How to Compile
z.c al
tws enti
• Compile Uboot-upstream
om
– cd Uboot-upstream/
– export CROSS_COMPILE=/usr/bin/aarch64-linux-gnu-
ng@ nfid
– make mt7986_spim_nand_sb_rfb_defconfig
– make V=s FIT_KEY=./../keys/fit_key.crt
gyo Co
– # u-boot.bin will be created under Uboot-upstream folder.
• Compile FIP image
din Tek
– cd atf
– make distclean
– export CROSS_COMPILE=/usr/bin/aarch64-linux-gnu-
ang edia
– make PLAT=mt7986 BL33=../Uboot-upstream/u-boot.bin BOOT_DEVICE=spim-nand NAND_TYPE=spim:2k+64 NMBM=1
DRAM_USE_DDR4=0 MBEDTLS_DIR=../tools/mbedtls-2.24.0/ TRUSTED_BOARD_BOOT=1 GENERATE_COT=1
ROT_KEY=../keys/fip_private_key.pem BROM_SIGN_KEY=../keys/bl2_private_key.pem all fip
– # The BL2 image is located in atf/build/mt7986/release/bl2.img
M
– # The hash of BROM_KEY is located in atf/build/mt7986/release/bl2.img.signkeyhash
– # The FIP image is located in atf/build/mt7986/release/fip.bin
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 12
CONFIDENTIAL C
Use
How to Compile
z.c al
tws enti
• Compile OpenWRT
om
– ./autobuild/mt7986-AX6000-sb/lede-branch-build-sanity.sh
ng@ nfid
– # The openwrt image is located in openwrt/bin/targets/mediatek/mt7986/openwrt-mediatek-
mt7986-mt7986a-ax6000-spim-nand-rfb-sb-squashfs-sysupgrade.bin
gyo Co
Note: when compile openwrt, it will try to find FIT_KEY at
din Tek
“../keys/fit_key.key”, if “../keys/fit_key.key” did not exist,
then openwrt-mediatek-mt7986-mt7986a-ax6000-spim-
ang edia nand-rfb-sb-squashfs-sysupgrade.bin will not be created.
You can check related path on
openwrt/target/linux/mediatek/image/mt7986.mk
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 13
CONFIDENTIAL C
Use
How to Compile
z.c al
tws enti
▪
om
You will have below files after all compile done.
– # The BL2 in atf/build/mt7986/release/bl2.img
ng@ nfid
– # The hash of BROM_KEY in atf/build/mt7986/release/bl2.img.signkeyhash
– # The FIP in atf/build/mt7986/release/fip.bin
gyo Co
– # The Firmware (Linux & File System) in openwrt/bin/targets/mediatek/mt7986/openwrt-mediatek-
mt7986-mt7986a-ax6000-spim-nand-rfb-sb-squashfs-sysupgrade.bin
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 14
CONFIDENTIAL C
Use
Upgrade Image from Uboot Menu
z.c al
tws enti
• Upgrade BL2 via U-boot menu
om
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 15
CONFIDENTIAL C
Use
Upgrade Image from Uboot Menu
z.c al
tws enti
• Upgrade FIP via U-boot menu
om
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 16
CONFIDENTIAL C
Use
Upgrade Image from Uboot Menu
z.c al
tws enti
• Upgrade FW via U-boot menu
om
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 17
CONFIDENTIAL C
Use
How to Write Efuse
z.c al
tws enti
• Build efuse tool in OpenWRT
om
– make menuconfig --> MTK Properties --> Applications
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 18
CONFIDENTIAL C
Use
How to Write Efuse
z.c al
tws enti
• You should find mtk-efuse-tool at rootfs. (usr/sbin/mtk-efuse-tool)
om
• Put hash of BROM_KEY - bl2.img.signkeyhash in rootfs.
ng@ nfid
• Below are some example to write hash of BROM_KEY and enable secure boot
– Note: Make sure hash of BROM_KEY is correct before enable secure boot
gyo Co
din Tek
#2. Lock key hash index 0
#1. Write hash of BROM_KEY into key hash index 0 and ang edia
read it back to check its content if correct
#3. Enable secure boot
M
Tips:
1. You can also disable JTAG by efuse, enter “mtk-efuse-tool” without any
parameter will show the help.
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 19
CONFIDENTIAL C
Use
Application Note for eFuse Tool
z.c al
tws enti
• mtk-efuse-nl-drv
om
– driver for receiving netlink commands and issue corresponding SMC to BL31 for
ng@ nfid
R/W eFuse
• mtk-efuse-nl-tool
gyo Co
– tool for interacting with user and issue netlink commands to mtk-efuse-nl-drv
– eg : write key hash, lock key hash, enable secure boot, disable JTAG
din Tek
• For using Secure Boot customer, you will write key hash and enable secure boot
in production line, so you need to build mtk-efuse-nl-drv + mtk-efuse-nl-tool in your
ang edia
production FW.
• ***DO NOT build efuse tool and driver into your normal FW which you will release to end
user, because the eFuse tool is very powerful. The eFuse tool is only for testing and
M
producing !
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 20
CONFIDENTIAL C
Use
Enable Secure Boot Check
z.c al
tws enti
• If BL2 and FIP is signed properly, Uboot menu will show up
om
• If BL2 is signed with wrong key ; If BL2 is not signed
ng@ nfid
gyo Co
din Tek
ang edia
M
V0:100C, INVALID_SIG_TYPE
V0:706D, KEY_MISMATCH
00:1017, BL_VERIFY_FAILED
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 21
CONFIDENTIAL C
Use
Enable Secure Boot Check
z.c al
tws enti
• If FW is signed properly, Linux can boot
om
ng@ nfid
gyo Co
din Tek
• If using an FW with wrong key or not signed, Linux will boot fail
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 22
CONFIDENTIAL C
Use
Secure Boot MP Notice – (1)
z.c al
tws enti
• Disable JTAG and BROM CMD to avoid hacker using ICE or Flashtool to break COT
om
– mtk-efuse-tool db
ng@ nfid
– mtk-efuse-tool dj
[Original] [Disable BROM CMD] [Disable BROM CMD & JTAG]
gyo Co
F0: 102B 0000 F0: 102B 0000 F0: 102B 0000
FA: 1040 0000 FA: 1040 0000 FA: 1040 0000
FA: 1040 0000 [0200] FA: 1040 0000 [0200] FA: 1040 0000 [0200]
din Tek
F9: 0000 0000 F9: 0000 0000 F9: 0000 0000
V0: 0000 0000 [0001] V0: 0000 0000 [0001] V0: 0000 0000 [0001]
00: 0000 0000 00: 0007 8000 00: 0007 8000
BP: 2400 0041 [0000] 01: 0000 0000 01: 0000 0000
G0: 1190 0000 BP: 2400 0001 [0000] BP: 2400 0209 [0000]
EC: 0000 0000 [1000]
ang edia G0: 1190 0000 G0: 1190 0000
T0: 0000 09F7 [010F] EC: 0000 0000 [1000] EC: 0000 0000 [1000]
Jump to BL T0: 0000 0C59 [010F] T0: 0000 01EF [010F]
Jump to BL Jump to BL
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 23
CONFIDENTIAL C
Use
Secure Boot MP Notice – (1)
z.c al
tws enti
• Disable CMD and Ctrl+C in U-Boot to avoid hacker using uboot cmd to break COT
om
you can do it by your self, or enable bootsecure
ng@ nfid
bootsecure will directly run bootcmd, disable Ctrl+C and console. If any thing wrong, the board will hang.
@ configs/mt7986_spim_nand_sb_rfb_defconfig
+ CONFIG_AUTOBOOT_MENU_SHOW is not set
gyo Co
@ arch/arm/dts/mt7986a-rfb.dts
/ {
+ config {
din Tek
+ bootcmd = "mtkboardboot";
+ bootsecure = <1>;
+ };
};
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 24
CONFIDENTIAL C
Use
Secure Boot MP Notice – (2)
z.c al
tws enti
• Don’t build-in mtk-eFuse-nl-tool and mtk-efuse-nl-drv in your MP FW, or hacker may use
om
this powerful tool to attack the device
ng@ nfid
• U-boot env was disabled default, DO NOT ENABLE it or fit signature verifying may bypass via
setup verify=0
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 25
CONFIDENTIAL C
Use
Appendix - Secure Boot Sign/Verify Flow (1)
z.c al
tws enti
om
halt
ne Efuse Verifying Signing
ng@ nfid
value
Equal? Bootloader
SHA-256
gyo Co
SBC PUBK
eq Hash
cont. SBC pub key Header
boot
din Tek
SHA-256 SHA-256
eq Hash Hash
ang edia PRELOADER
Equal?
RSA-2048 BODY
ne Sig’
M
Signature SBC
halt
RSA-2048 priv key
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. 26
CONFIDENTIAL C
Use
Appendix - Secure Boot Sign/Verify Flow (2)
z.c al
tws enti
om
Running IMAGE
of pervious stage
ng@ nfid
(verified)
Verifying Signing
Verified boot
gyo Co
PUBK
din Tek
boot
SHA-256 ang edia IMAGE SHA-256
eq Hash Hash
BODY
Equal?
RSA-2048
M
ne Sig’ Verified
boot
halt Signature
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved. RSA-2048 priv key
27
Use
z.c al
tws enti
om
ng@ nfid
gyo Co
din Tek
MediaTek Proprietary and Confidential
© 2021 MediaTek Inc. All rights reserved. The term “MediaTek” refers to MediaTek Inc. and/or its affiliates.
ang edia
This document has been prepared solely for informational purposes. The content herein is made available to a restricted number of clients or partners, for internal
use, pursuant to a license agreement or any other applicable agreement and subject to this notice. THIS DOCUMENT AND ANY ORAL INFORMATION PROVIDED BY
MEDIATEK IN CONNECTION WITH THIS DOCUMENT (COLLECTIVELY THIS “DOCUMENT”), IF ANY, ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND,
WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. MEDIATEK DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS OR GUARANTEE REGARDING THE
M
USE OR THE RESULT OF THE USE OF THIS DOCUMENT IN TERMS OF CORRECTNESS, ACCURACY, TIMELINESS, RELIABILITY, OR OTHERWISE. MEDIATEK SPECIFICALLY
DISCLAIMS ALL WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTIES ARISING OUT OF
COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE. This Document must be held in strict confidence and may not be communicated,
reproduced, distributed or disclosed to any third party or to any other person, or being referred to publicly, in whole or in part at any time except with MediaTek’s
prior written consent, which MediaTek reserves the right to deny for any reason. You agree to indemnify MediaTek for any loss or damages suffered by MediaTek
for your unauthorized use or disclosure of this Document, in whole or in part. If you are not the intended recipient of this document, please delete and destroy all
copies immediately.
CONFIDENTIAL C
Use
z.c al
tws enti
om
ng@ nfid
gyo Co
din Tek
ang edia
M
MediaTek Proprietary and Confidential. © 2021 MediaTek Inc. All rights reserved.