[RFC] qcom-firmware-sign: build-time secure-boot signing of Qualcomm firmware #2598
Open
Igor Opaniuk (igoropaniuk) wants to merge 10 commits into qualcomm-linux:master from igoropaniuk:feat/secure-boot-signing
10 commits

- 5086824 security-profiles-native: package Qualcomm Security Profile XMLs (igoropaniuk)
- f032556 sectools-native: package Qualcomm Security Tools v2 binary (igoropaniuk)
- 446e1ec qcom-firmware-sign: bbclass for sectools-driven firmware signing (igoropaniuk)
- a998372 ci: add ECDSA test-keys kas overlay and test fixtures (igoropaniuk)
- 8c7a2de ci: add secure-boot kas overlay to enable firmware signing (igoropaniuk)
- 6265560 firmware-qcom-boot-common: wire in qcom-firmware-sign (igoropaniuk)
- bb6079a firmware-qcom: wire in qcom-firmware-sign (igoropaniuk)
- 52c0458 qdl: drop stale v2.1 recipe (igoropaniuk)
- efca6cc qdl-native: package linux-msm/qdl v2.7 build-host tool (igoropaniuk)
- a1ee798 image_types_qcom_vip: add qcomflash-vip image type (igoropaniuk)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| # | ||
| # Copyright (c) 2026 Qualcomm Innovation Center, Inc. All rights reserved. | ||
| # SPDX-License-Identifier: BSD-3-Clause-Clear | ||
| # | ||
| # qcomflash-vip image type: produce a VIP (Validated Image Programming) | ||
| # digest table for a signed qcomflash build, wrap it as an MBN and sign | ||
| # it with the OEM secure-boot keys. The resulting `.qcomflash-vip.tar` | ||
| # bundle deploys the signed VIP table next to the qcomflash artifacts | ||
| # and is intended to be flashed alongside it via qdl --vip-table-path | ||
| # (see qcom-sec-tools/secure.sh "make sign-build" for the reference | ||
| # pipeline this class is derived from). | ||
| # | ||
| # Usage: | ||
| # IMAGE_FSTYPES += "qcomflash-vip" | ||
| # | ||
| # Requires the qcom-firmware-sign signing machinery to be active | ||
| # (QCOM_FIRMWARE_SIGN_ENABLE = "1"); without it the VIP step is a | ||
| # no-op because there is nothing to bind the digests to. | ||
|
|
||
| inherit image_types_qcom qcom-firmware-sign | ||
|
|
||
| IMAGE_TYPES += "qcomflash-vip" | ||
| IMAGE_TYPEDEP:qcomflash-vip += "qcomflash" | ||
| IMAGE_CMD:qcomflash-vip = "create_qcomflash_vip_pkg" | ||
|
|
||
| # Tooling staged into the native sysroot by the secure-boot recipes. | ||
| QCOM_VIP_QDL ?= "${STAGING_BINDIR_NATIVE}/qdl" | ||
| QCOM_VIP_SECTOOLS ?= "${QCOM_FIRMWARE_SIGN_SECTOOLS}" | ||
|
|
||
| QCOM_VIP_FIREHOSE ?= "prog_firehose_ddr.elf" | ||
|
|
||
| # MBN container version used to wrap the digest table | ||
| QCOM_VIP_MBN_VERSION ?= "6" | ||
|
|
||
| QCOMFLASH_VIP_DIR = "${IMGDEPLOYDIR}/${IMAGE_NAME}.qcomflash-vip" | ||
|
|
||
| do_image_qcomflash_vip[dirs] = "${QCOMFLASH_VIP_DIR}" | ||
| do_image_qcomflash_vip[cleandirs] = "${QCOMFLASH_VIP_DIR}" | ||
| do_image_qcomflash_vip[depends] += "qdl-native:do_populate_sysroot \ | ||
| sectools-native:do_populate_sysroot \ | ||
| security-profiles-native:do_populate_sysroot" | ||
|
|
||
| create_qcomflash_vip_pkg() { | ||
| if ! qcom_check_signing_enabled ; then | ||
| bbwarn "qcomflash-vip requested but QCOM_FIRMWARE_SIGN_ENABLE is not '1'; skipping VIP generation" | ||
| return 0 | ||
| fi | ||
|
|
||
| if [ ! -d "${QCOMFLASH_DIR}" ]; then | ||
| bbfatal "qcomflash-vip: expected qcomflash output at ${QCOMFLASH_DIR}, but it does not exist" | ||
| fi | ||
|
|
||
| if [ ! -f "${QCOMFLASH_DIR}/${QCOM_VIP_FIREHOSE}" ]; then | ||
| bbfatal "qcomflash-vip: firehose programmer ${QCOM_VIP_FIREHOSE} not found in ${QCOMFLASH_DIR}" | ||
| fi | ||
|
|
||
| # 1. Mirror the qcomflash content into our output directory. The | ||
| # resulting tarball is a superset of the regular qcomflash tarball | ||
| bbnote "qcomflash-vip: mirroring qcomflash artefacts into ${QCOMFLASH_VIP_DIR}" | ||
| cp -al "${QCOMFLASH_DIR}"/. "${QCOMFLASH_VIP_DIR}/" | ||
|
|
||
| vipdir="${QCOMFLASH_VIP_DIR}/vip-tables" | ||
| install -d "${vipdir}" | ||
|
|
||
| # 2. Generate the digest table. qdl in --dry-run + --create-digests | ||
| # mode walks the rawprogram/patch XMLs the same way it would for a | ||
| # real flash, but instead of transferring data computes a digest | ||
| # over each programmed segment and writes them to | ||
| # DigestsToSign.bin under the requested directory. | ||
| ( | ||
| cd "${QCOMFLASH_VIP_DIR}" | ||
| "${QCOM_VIP_QDL}" --allow-fusing --dry-run \ | ||
| --create-digests="${vipdir}" \ | ||
| "${QCOM_VIP_FIREHOSE}" \ | ||
| rawprogram*.xml patch*.xml | ||
| ) || bbfatal "qcomflash-vip: qdl digest generation failed" | ||
|
|
||
| if [ ! -f "${vipdir}/DigestsToSign.bin" ]; then | ||
| bbfatal "qcomflash-vip: qdl did not produce DigestsToSign.bin in ${vipdir}" | ||
| fi | ||
|
|
||
| # 3. Wrap the digest table as an MBN so it has a proper Qualcomm | ||
| # firmware header, otherwise the on-target VIP verifier rejects | ||
| # it. mbn-tool generate writes the MBN beside the source bin. | ||
| "${QCOM_VIP_SECTOOLS}" mbn-tool generate \ | ||
| --data "${vipdir}/DigestsToSign.bin" \ | ||
| --mbn-version "${QCOM_VIP_MBN_VERSION}" \ | ||
| --outfile "${vipdir}/DigestsToSign.bin.mbn" \ | ||
| || bbfatal "qcomflash-vip: sectools mbn-tool generate failed" | ||
|
|
||
| # 4. Sign the MBN as image-id VIP using the same keying material as | ||
| # the rest of the firmware. qcom_sign_only_file looks up VIP in | ||
| # QCOM_FIRMWARE_SIGN_IMAGE_ID_MAP, validates it against the active | ||
| # security profile and runs sectools secure-image --sign in-place. | ||
| # | ||
| # We deliberately skip the post-sign verify-root step (use | ||
| # qcom_sign_only_file, not qcom_sign_verify_file): the upstream | ||
| # github security-profiles repo marks VIP with | ||
| # <oem_vouch_for_disallowed/>, which makes sectools' verify-root | ||
| # reject OEM-only signatures even though the boot ROM accepts | ||
| qcom_sign_only_file "${vipdir}/DigestsToSign.bin.mbn" | ||
|
|
||
| # 5. Bundle the mirrored qcomflash directory plus the signed VIP | ||
| # table into a single tarball. The tar layout mirrors the | ||
| # qcomflash convention: everything lives under <image>-<machine>/ | ||
| # so consumers that drive flashing from the extracted root can | ||
| # use exactly the same paths as they do for the plain qcomflash | ||
| # artefact, with the additional vip-tables/ subdir. | ||
| ${IMAGE_CMD_TAR} --sparse --numeric-owner \ | ||
| --transform="s,^\./,${IMAGE_BASENAME}-${MACHINE}/," \ | ||
| -cf- -C "${QCOMFLASH_VIP_DIR}" . \ | ||
| | pigz -p ${BB_NUMBER_THREADS} -9 -n --rsyncable \ | ||
| > "${IMGDEPLOYDIR}/${IMAGE_NAME}.qcomflash-vip.tar.gz" | ||
|
|
||
| ln -sf "${IMAGE_NAME}.qcomflash-vip.tar.gz" \ | ||
| "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.qcomflash-vip.tar.gz" | ||
| } | ||
|
Contributor
I would prefer this to be done as part of the main tarball, to avoid confusion.
Contributor
Author
will do
||
|
|
||
| create_qcomflash_vip_pkg[vardepsexclude] += "BB_NUMBER_THREADS DATETIME" | ||
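Review bot: In step 4 of create_qcomflash_vip_pkg, the signed DigestsToSign.bin.mbn goes into the tarball with no post-sign check at all, because qcom_sign_only_file is used instead of qcom_sign_verify_file, and the comment justifying that stops mid-sentence at "even though the boot ROM accepts". Please finish the comment and add a build-time check that does not depend on verify-root (for example, confirming that the in-place signing step actually modified the MBN), so that a signing run that silently leaves the table unsigned is caught before deployment. Two smaller points: the `${IMAGE_CMD_TAR} ... | pigz ...` pipeline in step 5 has no `|| bbfatal` like steps 2 and 3, and a tar failure on the left side of the pipe is not reflected in the pipeline's exit status unless pipefail is in effect; and step 2 passes `--allow-fusing` together with `--dry-run` without a comment saying why a digest-only run needs it.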
Okay, having a separate fstype kind of makes sense.