Allow ISPBOOOT.BIN (emmc) to burn OTP security keys to achieve secure boot

Allow ISPBOOOT.BIN (emmc) to burn OTP security keys to achieve secure boot

1. Download the latest code from https://github.com/sunplus-plus1/Q654 and build it:

jackyhsieh@scdiu3:~/c3v$ make config Select boards: [1] SP7350 Ev Board [2] SP7350 IO Board [3] SP7350 MC Board [4] SP7350 EVK Board [5] SP7350 Dual Ev Board [6] SP7350 XINK V1 Board [7] SP7350 XINK Nano Board [8] SP7350 YX5001 Nano Board [9] SP7350 SR1 Board [10] SP7350 IC1 Board [11] SP7350 IT1 Board [12] SP7350 EVS Board 1 Select boot devices: [1] eMMC [2] SPI-NAND [3] SPI-NOR (jffs2) [4] NOR/Romter (initramfs) [5] SD Card [6] TFTP server [8] 8-bit NAND 1 ... ... Select boot modes: [1] Normal boot [2] Secure boot 2 Current OTP secure key: [1] empty [2] written

If the IC's OTP secure public key is currently empty, select [1]

If it has been written, select [2]

The build system will include in the ISPBOOOT.BIN file the script that writes the public/private keys to OTP. This script activates secure mode after the flashing process is completed.

For details on how to run ISP, please refer to “In-system Program (ISP) from an SD Card” at https://sunplus.atlassian.net/wiki/spaces/C3/pages/1994621039 and https://sunplus.atlassian.net/wiki/spaces/C3/pages/2201255949 .

Please insert jumper J75 to write OTP before doing ISP.

2. Modify the files yourself, using the diffs below

================================================================================================ /home/jackyhsieh/c3v/boot/uboot ================================================================================================ diff --git a/drivers/soc/sunplus/sp_otp.c b/drivers/soc/sunplus/sp_otp.c index 37889dd0..0b5fc97d 100644 --- a/drivers/soc/sunplus/sp_otp.c +++ b/drivers/soc/sunplus/sp_otp.c 
@@ -339,6 +339,114 @@ static int do_write_otp(struct cmd_tbl *cmdtp, int flag, int argc, char * const return 0; } + +static int do_write_otp_bytes(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) +{ + unsigned int addr; + unsigned int otp_size; + char *hexstr; + int len, i; + int verify = 0; + + if (argc < 3 || argc > 4) { + return CMD_RET_USAGE; + } + + if (argc == 4) { + verify = simple_strtoul(argv[3], NULL, 0); + if (verify != 0 && verify != 1) { + printf("Error: verify_flag must be 0 or 1\n"); + return CMD_RET_USAGE; + } + } + + otp_size = QAK654_EFUSE_SIZE; + addr = simple_strtoul(argv[1], NULL, 0); + + if (((strcmp(argv[1], "0") != 0) && (addr == 0))) + return CMD_RET_USAGE; + + if (addr >= otp_size) + return CMD_RET_USAGE; + + hexstr = argv[2]; + len = strlen(hexstr); + + if (len % 2 != 0) { + printf("Error: hex string length must be even\n"); + return CMD_RET_USAGE; + } + + int count = len / 2; + if ((addr + count) > otp_size) { + printf("Error: write range exceeds OTP size\n"); + return CMD_RET_USAGE; + } + + // --- Write Loop --- + printf("write ... "); + for (i = 0; i < count; i++) { + char byte_str[3] = {0}; + unsigned int data; + char value; + + byte_str[0] = hexstr[i * 2]; + byte_str[1] = hexstr[i * 2 + 1]; + data = simple_strtoul(byte_str, NULL, 16); + value = (char)(data & 0xff); + // printf("%02X ", value); + + if (write_otp_data(HB_GP_REG, SP_OTPRX_REG, addr + i, &value) == -1) { + printf("Error: write failed at addr %u\n", addr + i); + return CMD_RET_FAILURE; + } + } + printf("\n"); +#ifdef OTP_PIO_MODE + printf("OTP write (PIO mode) complete !! (%d bytes)\n", count); +#else + printf("OTP write (HW mode) complete !! 
(%d bytes)\n", count); +#endif + + // --- Verify Loop --- + int verify_fail = 0; + if (verify == 1) { + printf("Verifying written data...\n"); + udelay(100); + char value; + for (i = 0; i < count; i++) { + unsigned int read_addr = addr + i; + unsigned int expected = simple_strtoul((char[]){ hexstr[i*2], hexstr[i*2+1], 0 }, NULL, 16); + + if (read_addr < 64) { + if (read_otp_data(HB_GP_REG, SP_OTPRX_REG, read_addr, &value) == -1) { + printf("Error: read failed at addr %u\n", read_addr); + return CMD_RET_FAILURE; + } + } else { + if (read_otp_key(OTP_KEY_REG, SP_OTPRX_REG, read_addr, &value) == -1) { + printf("Error: read failed at addr %u\n", read_addr); + return CMD_RET_FAILURE; + } + } + if ((unsigned char)value != (expected & 0xFF)) { + printf("Verify FAILED at addr %u: expected 0x%02X, got 0x%02X\n", + read_addr, expected & 0xFF, (unsigned char)value); + verify_fail = 1; + break; + } + } + } + + if (verify_fail) { + return CMD_RET_FAILURE; + } else { + printf("Verify SUCCESS: all %d bytes match!\n", count); + } + + return 0; +} + #endif @@ -350,11 +458,22 @@ U_BOOT_CMD( "[OTP address (0, 1,..., 127 byte) | all (a)]" ); - #ifdef SUPPORT_WRITE_OTP +#ifdef SUPPORT_WRITE_OTP +U_BOOT_CMD( + wotps, 4, 1, do_write_otp_bytes, + "write N bytes hex string to OTP (optional verify)", + "[OTP address] [hex string] [verify_flag]\n" + " verify_flag: 0=disable (default), 1=enable\n" + " Example:\n" + " wotp 0 12345678 -> write 0x12 0x34 0x56 0x78 (no verify)\n" + " wotp 0 12345678 1 -> write then verify" +); + U_BOOT_CMD( wotp, 3, 1, do_write_otp, "write 1 byte data to OTP", "[OTP address (0, 1,..., 127 byte)] [data (0~255)]" ); - #endif +#endif + diff --git a/include/configs/pentagram_common_sp7350.h b/include/configs/pentagram_common_sp7350.h index d42bf9f2..9aba30b7 100644 --- a/include/configs/pentagram_common_sp7350.h +++ b/include/configs/pentagram_common_sp7350.h 
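Review bot: In `do_write_otp_bytes` the hex string is never checked for non-hex characters before the write loop, so a typo such as `1g` is turned by `simple_strtoul` into a different byte value and burned into one-time-programmable storage. Validate every character up front and start writing only when the whole string passes. The tail of the function also prints `Verify SUCCESS` when `verify` is 0, because `verify_fail` stays 0 on that path; report success only when the read-back actually ran. The verify-failure message prints the expected and read-back bytes, which for the key addresses puts key material on the console, so printing only the address there would be safer.

```c
	// … unchanged: argument parsing, even-length and range checks …

	/* OTP bits cannot be rewritten: reject bad input before burning anything. */
	for (i = 0; i < len; i++) {
		if (!isxdigit((unsigned char)hexstr[i])) {
			printf("Error: invalid hex digit at position %d\n", i);
			return CMD_RET_USAGE;
		}
	}

	// … unchanged: write loop and read-back loop …

	if (verify_fail)
		return CMD_RET_FAILURE;
	if (verify == 1)
		printf("Verify SUCCESS: all %d bytes match!\n", count);

	return 0;
```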
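Review bot: The help text registered for `wotps` gives its examples as `wotp 0 12345678`, which is the name of the existing single-byte command, so an operator copying the example runs a different OTP write command than the one being documented. Change the two example lines to `wotps 0 12345678` and `wotps 0 12345678 1`. The usage line could also state the accepted address range, as the `wotp` help below it does.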
@@ -263,6 +263,11 @@ #define RASPBIAN_INIT "" #endif +#if (FIP0 == 1) + #define SCRIPT_START_ADDR 0x200000 +#else + #define SCRIPT_START_ADDR 0x180000 +#endif #define SDCARD_EXT_CMD \ "scriptaddr=0x1000000; " \ @@ -525,7 +530,7 @@ "\0" \ "isp_common=setenv isp_ram_addr 0x1000000; " \ RASPBIAN_INIT \ - "fatload $isp_if $isp_dev $isp_ram_addr /ISPBOOOT.BIN 0x800 0x180000; " \ + "fatload $isp_if $isp_dev $isp_ram_addr /ISPBOOOT.BIN 0x800 " __stringify(SCRIPT_START_ADDR) "; " \ "setenv isp_main_storage ${sp_main_storage} && printenv isp_main_storage; " \ "setexpr script_addr $isp_ram_addr + 0x20 && setenv script_addr 0x${script_addr} && source $script_addr; " \ "\0" \ ================================================================================================ /home/jackyhsieh/c3v/boot/xboot ================================================================================================ diff --git a/Makefile b/Makefile index 52b1965..720d640 100644 --- a/Makefile +++ b/Makefile @@ -51,6 +51,10 @@ ifeq ($(ENCRYPTION),1) CFLAGS += -DCONFIG_ENCRYPTION endif +ifeq ($(FIP0),1) +CFLAGS += -DFIP0 +endif + ################# xboot size config ################ XBOOT_MAX =$$((96 * 1024)) diff --git a/include/config_xboot.h b/include/config_xboot.h index ef0f84a..11d94a3 100644 --- a/include/config_xboot.h +++ b/include/config_xboot.h @@ -64,10 +64,22 @@ #define USE_QKBOOT_IMG // consistent with draminit and uboot image /* ISP image offset */ + +#if FIP0 + +#define ISP_IMG_OFF_XBOOT (0) +#define ISP_IMG_OFF_UBOOT (192 * 1024) +#define ISP_IMG_OFF_FIP (1536 * 1024) +#define ISP_IMG_OFF_HEADER (2048 * 1024) + +#else + #define ISP_IMG_OFF_XBOOT (0) #define ISP_IMG_OFF_UBOOT (192 * 1024) #define ISP_IMG_OFF_HEADER (1536*1024) +#endif + // // ABIO config // diff --git a/xboot.c b/xboot.c index 792e51c..2bc14e1 100644 --- a/xboot.c +++ b/xboot.c 
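Review bot: `SCRIPT_START_ADDR` duplicates a layout constant that two other places in this patch must match by hand: `ISP_IMG_OFF_HEADER` in xboot's `config_xboot.h` (`2048 * 1024` versus `1536*1024`) and the sum of the `FILE_SIZE_IMAGE_*` sizes in `tools/isp/isp.c`. Nothing in the build checks that they agree, and a mismatch would make the `fatload … /ISPBOOOT.BIN 0x800 <offset>` in `isp_common` read, and then `source`, bytes from the wrong place in the image on the path that writes OTP. I would add a comment at each definition naming the other two, e.g. `/* must equal ISP_IMG_OFF_HEADER (xboot) and XBOOT0+UBOOT0[+FIP0] in tools/isp/isp.c */`.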
@@ -1134,6 +1134,9 @@ static int fat_load_fip(u32 type) return -1; } } + #if FIP0 + fip_offset=ISP_IMG_OFF_FIP; + #endif if (fat_load_uhdr_image(&g_finfo, "fip", (void *)FIP_LOAD_ADDR, ((type==SDCARD_BOOT)?0:fip_offset), FIP_MAX_LEN,type) <= 0) { prn_string("failed to load fip \n"); return -1; ================================================================================================ /home/jackyhsieh/c3v/build ================================================================================================ diff --git a/Makefile b/Makefile index 3310aa2..18bd9f0 100644 --- a/Makefile +++ b/Makefile @@ -76,6 +76,7 @@ ARCH_UBOOT = $(ARCH_XBOOT) XBOOT_LPDDR4_MAX = $$((192 * 1024)) SDCARD_BOOT_MODE = 3 +SECURE_KEY ?= 9 # xboot uses name field of u-boot header to differeciate between C-chip boot image # and P-chip boot image. If name field has prefix "uboot_B", it boots from P chip. @@ -117,10 +118,29 @@ all: check elif [ "$(ROOTFS_CONTENT)" = "BUILDROOT" ]; then \ $(MAKE) buildroot; \ fi + @if [ "$(SECURE)" = "1" ] && [ "$(SECURE_KEY)" = "0" ]; then \ + $(MAKE) xboot SECURE=0; \ + cp $(XBOOT_PATH)/bin/${XBOOT_BIN} $(OUT_PATH)/xboot_non_secure; \ + fi @$(MAKE) xboot @$(MAKE) dtb + @if [ "$(SECURE)" = "1" ] && [ "$(SECURE_KEY)" = "0" ]; then \ + $(MAKE) uboot SECURE=0; \ + if [ $$? -ne 0 ]; then \ + exit 1; \ + fi; \ + cp $(UBOOT_PATH)/${UBOOT_BIN} $(OUT_PATH)/uboot_non_secure; \ + fi @$(MAKE) uboot + @if [ "$(SECURE)" = "1" ] && [ "$(SECURE_KEY)" = "0" ]; then \ + $(MAKE) fip SECURE=0; \ + if [ $$? -ne 0 ]; then \ + exit 1; \ + fi; \ + cp $(FIP_PATH)/build/$(FIP_BIN) $(OUT_PATH)/fip_non_secure; \ + fi @$(MAKE) fip + @$(MAKE) firmware @if [ "$(BOOT_FROM)" = "SPINOR" ]; then \ $(MAKE) rootfs ; \ 
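Review bot: The first block added to `all` runs `$(MAKE) xboot SECURE=0; cp …` with no status check, unlike the uboot and fip blocks below it, which test `$$?`. If that xboot build fails, `cp` can still succeed on a binary left over from an earlier build, and a stale `xboot_non_secure` ends up in the image. Chain the two commands, `$(MAKE) xboot SECURE=0 && cp $(XBOOT_PATH)/bin/${XBOOT_BIN} $(OUT_PATH)/xboot_non_secure || exit 1; \`; the same form would shorten the other two blocks. The `SECURE_KEY ?= 9` default in the preceding hunk would also benefit from a comment listing the values config.sh writes (0 = OTP key empty, 1 = written).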
@@ -140,7 +160,10 @@ firmware: #xboot build xboot: check - @$(MAKE) ARCH=$(ARCH_XBOOT) $(MAKE_JOBS) -C $(XBOOT_PATH) CROSS=$(CROSS_COMPILE_FOR_XBOOT) SECURE=$(SECURE) ENCRYPTION=$(ENCRYPTION) all + @$(MAKE) ARCH=$(ARCH_XBOOT) $(MAKE_JOBS) -C $(XBOOT_PATH) CROSS=$(CROSS_COMPILE_FOR_XBOOT) \ + FIP0=$$(( $(SECURE_KEY) == 0 ? 1 : 0 )) \ + SECURE=$(SECURE) \ + ENCRYPTION=$(ENCRYPTION) all @$(MAKE) secure SECURE_PATH=xboot @$(MAKE) warmboot @@ -156,6 +179,7 @@ fip: check @cd optee; ./optee_build.sh $(CHIP) $(CROSS_ARM64_COMPILE); cd .. ; @$(MAKE) -f $(FIP_PATH)/sp7350.mk CROSS=$(CROSS_ARM64_COMPILE) build ; @$(MAKE) secure SECURE_PATH=fip ; + #uboot build uboot: check @if [ $(BOOT_KERNEL_FROM_TFTP) -eq 1 ]; then \ @@ -164,9 +188,10 @@ uboot: check -DBOARD_MAC_ADDR=$(BOARD_MAC_ADDR) -DOVERLAYFS=$(OVERLAYFS) -DUSER_NAME=$(USER_NAME)"; \ else \ $(MAKE) ARCH=$(ARCH_UBOOT) $(MAKE_JOBS) -C $(UBOOT_PATH) all CROSS_COMPILE=$(CROSS_COMPILE_FOR_LINUX) EXT_DTB=../../linux/kernel/dtb \ - KCPPFLAGS="-DSPINOR=$(SPINOR) -DNOR_JFFS2=$(NOR_JFFS2) -DCOMPILE_WITH_SECURE=$(SECURE) -DOVERLAYFS=$(OVERLAYFS) -DNAND_PAGE_SIZE=$(NAND_PAGE_SIZE)"; \ + KCPPFLAGS="-DSPINOR=$(SPINOR) -DNOR_JFFS2=$(NOR_JFFS2) -DCOMPILE_WITH_SECURE=$(SECURE) -DOVERLAYFS=$(OVERLAYFS) \ + -DFIP0=$$(( $(SECURE_KEY) == 0 ? 1 : 0 )) \ + -DNAND_PAGE_SIZE=$(NAND_PAGE_SIZE)"; \ fi - @dd if=$(TOPDIR)/$(UBOOT_PATH)/u-boot.bin of=$(TOPDIR)/$(UBOOT_PATH)/u-boot.bin bs=1 skip=64 conv=notrunc 2>/dev/null ; @$(MAKE) secure SECURE_PATH=uboot @@ -405,7 +430,9 @@ isp: check tool_isp exit 1; \ fi \ fi - @cd out/; OVERLAYFS=$(OVERLAYFS) ./$(ISP_SHELL) $(BOOT_FROM) $(CHIP) $(FLASH_SIZE) $(NAND_PAGE_SIZE) $(NAND_PAGE_CNT) + @cd out/; OVERLAYFS=$(OVERLAYFS) \ + FIP0=$$(( $(SECURE) == 1 && $(SECURE_KEY) == 0 ? 1 : 0 )) \ + ./$(ISP_SHELL) $(BOOT_FROM) $(CHIP) $(FLASH_SIZE) $(NAND_PAGE_SIZE) $(NAND_PAGE_CNT) @if [ "$(BOOT_FROM)" = "SDCARD" ]; then \ $(ECHO) $(COLOR_YELLOW) "Generating image for SD card..." $(COLOR_ORIGIN); \ 
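Review bot: The three `FIP0=$$(( … ))` expressions are not the same condition and nothing says why: the `xboot:` and `uboot:` recipes use `$(SECURE_KEY) == 0` alone, while the `isp:` recipe also requires `$(SECURE) == 1`. It looks deliberate, since `all` re-invokes `xboot` and `uboot` with `SECURE=0` to produce the `*_non_secure` copies and those still need the FIP0 layout, but that should be written down, e.g. `# FIP0 follows SECURE_KEY only: 'all' rebuilds with SECURE=0 for the non-secure copies`. The `isp:` expression also becomes invalid shell arithmetic if `SECURE` is ever empty, so a default for it next to `SECURE_KEY ?= 9` would guard that case.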
@@ -646,6 +673,7 @@ info: @$(ECHO) "ZMEM =" $(ZMEM) @$(ECHO) "OVERLAYFS =" $(OVERLAYFS) @$(ECHO) "SECURE =" $(SECURE) + @$(ECHO) "SECURE_KEY =" $(SECURE_KEY) @$(ECHO) "ENCRYPTION =" $(ENCRYPTION) @$(ECHO) "ROOTFS_CONTENT =" $(ROOTFS_CONTENT) diff --git a/config.sh b/config.sh index 256813d..8a05ae4 100755 --- a/config.sh +++ b/config.sh @@ -754,6 +754,17 @@ read secure if [ "$secure" = "2" ]; then echo "SECURE=1" >> $BUILD_CONFIG echo "ENCRYPTION=1" >> $BUILD_CONFIG + if [ "$bootdev" = "emmc" ]; then + $ECHO $COLOR_GREEN"Current OTP secure key:"$COLOR_ORIGIN + $ECHO $COLOR_ORIGIN"[1] empty"$COLOR_ORIGIN + $ECHO $COLOR_ORIGIN"[2] written"$COLOR_ORIGIN + read secure_key + securekey=0 + if [ "$secure_key" == "2" ]; then + securekey=1 + fi + echo "SECURE_KEY=${securekey}" >> $BUILD_CONFIG + fi fi sel_chip=$(chip_lookup $chip) diff --git a/isp.sh b/isp.sh index 32776e9..5a6340a 100755 --- a/isp.sh +++ b/isp.sh @@ -30,8 +30,29 @@ D=dtb F=fip.img # Partition name = file name -cp $X xboot0 -cp $U uboot0 +if [ "${FIP0}" = "1" ]; then + PUBKEY=`cat $TOP/build/tools/secure_sp7350/secure/otp_Sb_keys/ed_pub_0.hex` + if [ "$?" != "0" ]; then + exit 1 + fi + PRIKEY=`cat $TOP/build/tools/secure_sp7350/secure/otp_Device_keys/x_priv_0.hex` + if [ "$?" != "0" ]; then + exit 1 + fi + cp xboot_non_secure xboot0 + if [ "$?" != "0" ]; then + exit 1 + fi + cp uboot_non_secure uboot0 + if [ "$?" != "0" ]; then + exit 1 + fi + FIP0=fip_non_secure +else + cp $X xboot0 + cp $U uboot0 +fi + cp $X xboot1 cp $U uboot1 cp $U uboot2 @@ -91,6 +112,7 @@ if [ "$1" = "EMMC" ]; then fi EMMC_SIZE=$(($EMMC_SIZE-0x2000000)) if [ "$OVERLAYFS" = "1" ]; then + PUBKEY=${PUBKEY} PRIKEY=${PRIKEY} FIP0=${FIP0} \ isp pack_image ISPBOOOT.BIN \ xboot0 uboot0 \ xboot1 0x100000 \ @@ -105,6 +127,7 @@ if [ "$1" = "EMMC" ]; then rootfs none \ $OVERLAY $EMMC_SIZE else + PUBKEY=${PUBKEY} PRIKEY=${PRIKEY} FIP0=${FIP0} \ isp pack_image ISPBOOOT.BIN \ xboot0 uboot0 \ xboot1 0x100000 \ 
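Review bot: Any answer other than `2` at the new `Current OTP secure key` prompt in config.sh, including an empty line or a typo, leaves `securekey=0`, which is the setting that makes the build package the OTP key-burning script. Because that is the irreversible choice, it should require an explicit `1`, for instance `case "$secure_key" in 1) securekey=0 ;; 2) securekey=1 ;; *) echo "Invalid selection"; exit 1 ;; esac`. The test `[ "$secure_key" == "2" ]` also uses `==` inside `[ ]`, where the `$secure` test a few lines above uses the portable `=`.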
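Review bot: In isp.sh, `PUBKEY` and `PRIKEY` are taken straight from `cat` with only the exit status checked, so an empty file, a short key or stray whitespace passes through to isp, which copies them unchecked into the `wotps` lines of the ISP script (the `gen_script_main` and `main` hunks in tools/isp/isp.c). Check the content before packing, for instance `case "$PUBKEY" in ''|*[!0-9A-Fa-f]*) echo "bad ed_pub_0.hex"; exit 1;; esac`, plus a length test against the expected key size (the OTP offsets 64 and 96 suggest 32 bytes, i.e. 64 hex digits, but confirm). The same hunk overwrites the `FIP0` flag with a file name (`FIP0=fip_non_secure`); a separate variable would be easier to follow. The private key then travels in the environment of `isp` and in clear text inside ISPBOOOT.BIN, so the image and the build output need the same handling as the key file itself.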
@@ -196,6 +219,9 @@ rm -rf rootfs rm -rf $OVERLAY rm -rf reserve rm -rf fip +rm -f xboot_non_secure +rm -f uboot_non_secure +rm -f fip_non_secure # Create image for booting from SD card or USB storage. if [ "$1" = "SDCARD" ]; then diff --git a/tools/isp/isp.c b/tools/isp/isp.c index 42aa2f0..80e5472 100644 --- a/tools/isp/isp.c +++ b/tools/isp/isp.c @@ -117,6 +117,7 @@ #define FILE_SIZE_IMAGE_XBOOT0 (192 << 10) #define FILE_SIZE_IMAGE_UBOOT0 ((1536 << 10) - FILE_SIZE_IMAGE_XBOOT0) //add 512k uboot size for nand +#define FILE_SIZE_IMAGE_FIP0 ((1856 << 10) - FILE_SIZE_IMAGE_UBOOT0) //add 512k fip size #define NAND_READ_BY_PARTITION_NAME // if not defined, it's by NAND address // #define PARTITION_SIZE_BAD_BLOCK_DOES_NOT_COUNT @@ -195,6 +196,7 @@ struct isp_info_s { u08 full_file_name[NUM_OF_PARTITION][SIZE_FULL_FILE_NAME]; u08 full_file_name_xboot0[SIZE_FULL_FILE_NAME]; u08 full_file_name_uboot0[SIZE_FULL_FILE_NAME]; + u08 full_file_name_fip0[SIZE_FULL_FILE_NAME]; u08 file_name_pack_image[SIZE_FULL_FILE_NAME]; // u08 base_file_name_pack_image[SIZE_FILE_NAME]; int nand_block_size; @@ -204,7 +206,11 @@ struct isp_info_s { char file_disk_image[32]; int idx_gpt_header_primary; u08 *key_ptr; + int secure; + char pubkey[512]; + char prikey[512]; }; + #define FLAGS_STAGE_WRITE (1 << 0) #define FLAGS_STAGE_VERIFY (1 << 1) #define FLAGS_GPT_CREATED (1 << 2) 
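Review bot: `FILE_SIZE_IMAGE_FIP0` in tools/isp/isp.c is written as `((1856 << 10) - FILE_SIZE_IMAGE_UBOOT0)`, which evaluates to 512 KiB only because 1856 happens to equal 1344 + 512; the form copied from the `UBOOT0` line reads as if 1856 KiB were an end offset, which it is not. `#define FILE_SIZE_IMAGE_FIP0 (512 << 10)` states the size directly. The trailing comment could then say that XBOOT0 + UBOOT0 + FIP0 must add up to the 2048 KiB header offset that xboot uses when FIP0 is enabled.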
@@ -454,6 +460,21 @@ int gen_script_main(char *file_name_isp_script, int nand_or_emmc) fprintf(fd, "echo \"%s\"\n", cmd); fprintf(fd, "%s\n\n", cmd); } else if (nand_or_emmc == IDX_EMMC) { + if (isp_info.secure) { + fprintf(fd, "setexpr reg_addr 0xf8800000\n"); + fprintf(fd, "md.l ${reg_addr} 1\n"); + fprintf(fd, "setexpr reg_val *${reg_addr}\n"); + fprintf(fd, "if test ${reg_val} = a30; then\n"); + fprintf(fd, "\techo \"MP bit can only be enabled on version B \"\n"); + fprintf(fd, "\texit\n"); + fprintf(fd, "fi\n"); + // fprintf(fd, "echo write public key %s\n", isp_info.pubkey); + fprintf(fd, "wotps 64 %s 1 || exit\n", isp_info.pubkey); + // fprintf(fd, "echo write private key %s 1\n", isp_info.prikey); + fprintf(fd, "wotps 96 %s 1 || exit\n", isp_info.prikey); + // fprintf(fd, "echo MP and secure enable\n"); + fprintf(fd, "wotps 0 05 1 || exit\n"); + } fprintf(fd, "echo Initialize eMMC ...\n"); fprintf(fd, "mmc dev 0 && mmc rescan\n\n"); #ifndef XBOOT1_IN_EMMC_BOOTPART @@ -967,7 +988,7 @@ int pack_image(int argc, char **argv) FILE *fd; int i, j, set_partition_size; struct stat file_stat; - char tmp_file[32], tmp_file2[32], tmp_file3[32], file_name_isp_script[NUM_STORAGE][32], cmd[1024]; + char tmp_file[32], tmp_file2[32], tmp_file3[32], file_name_isp_script[NUM_STORAGE][32], cmd[2048]; u32 tmp_u32, isp_script_size[NUM_STORAGE], file_offset_isp_script[NUM_STORAGE]; u32 offset_of_last_file; u32 next_partition_start_address; @@ -1048,6 +1069,10 @@ int pack_image(int argc, char **argv) printf("Error for '%s': %s: %d\n", argv[i], __FILE__, __LINE__); exit(-1); } + if (isp_info.full_file_name_fip0[0] != 0) { + truncate(isp_info.full_file_name_fip0, FILE_SIZE_IMAGE_FIP0); + offset_of_last_file += FILE_SIZE_IMAGE_FIP0; + } } else if ((i >= ARGC_PACK_IMAGE_XBOOT1_FILE) && (i <= idx_last_info_of_binary_partition)) { if (strlen(argv[i]) > SIZE_FULL_FILE_NAME) { printf("Error: %s: %d\n", __FILE__, __LINE__); 
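Review bot: The OTP writes in `gen_script_main`, including the MP/secure enable byte `wotps 0 05 1`, are emitted at the top of the eMMC branch, ahead of `echo Initialize eMMC ...`, so the fuses are burned before any partition has been written. If flashing then fails, the part already has secure mode enabled with nothing valid on eMMC, and the accompanying description says secure mode is activated after flashing completes. Consider emitting at least the enable write at the end of the eMMC script, after the last partition has been written and verified; the rest of `gen_script_main` is outside this hunk, so the right spot cannot be seen here. The `a30` literal compared with `${reg_val}` would also read better with a comment naming the chip revision it stands for.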
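Review bot: `truncate(isp_info.full_file_name_fip0, FILE_SIZE_IMAGE_FIP0)` in `pack_image` ignores its return value and will silently cut a fip image that is larger than the slot, so an oversized or missing `fip_non_secure` produces a corrupt ISPBOOOT.BIN instead of a build error. Check the file size first and fail when it exceeds `FILE_SIZE_IMAGE_FIP0`, then check the `truncate` result, using the same error-and-exit pattern as the lines just above. `pack_image` starts and ends outside this hunk.

```c
		if (isp_info.full_file_name_fip0[0] != 0) {
			struct stat fip_stat;

			/* Pad to the slot size, but never cut an image that does not fit. */
			if (stat((char *)isp_info.full_file_name_fip0, &fip_stat) != 0 ||
			    fip_stat.st_size > FILE_SIZE_IMAGE_FIP0 ||
			    truncate((char *)isp_info.full_file_name_fip0, FILE_SIZE_IMAGE_FIP0) != 0) {
				printf("Error for '%s': %s: %d\n", isp_info.full_file_name_fip0, __FILE__, __LINE__);
				exit(-1);
			}
			offset_of_last_file += FILE_SIZE_IMAGE_FIP0;
		}
```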
@@ -1270,7 +1295,9 @@ int pack_image(int argc, char **argv) fprintf(fd, "echo Load ISP main script and run it ...\n"); fprintf(fd, "if test \"$isp_main_storage\" = nand ; then\n"); + fprintf(fd, " fatload $isp_if $isp_dev $isp_ram_addr /%s 0x%x 0x%x\n", basename(isp_info.file_name_pack_image), isp_script_size[IDX_NAND], file_offset_isp_script[IDX_NAND]); + fprintf(fd, "elif test \"$isp_main_storage\" = emmc ; then\n"); #ifdef SUPPORT_MAIN_STORAGE_IS_EMMC fprintf(fd, " fatload $isp_if $isp_dev $isp_ram_addr /%s 0x%x 0x%x\n", basename(isp_info.file_name_pack_image), isp_script_size[IDX_EMMC], file_offset_isp_script[IDX_EMMC]); @@ -1281,6 +1308,7 @@ int pack_image(int argc, char **argv) fprintf(fd, "else\n"); fprintf(fd, " setenv isp_main_storage nand\n"); // for U-Boot backward compatible, default to nand + fprintf(fd, " fatload $isp_if $isp_dev $isp_ram_addr /%s 0x%x 0x%x\n", basename(isp_info.file_name_pack_image), isp_script_size[IDX_NAND], file_offset_isp_script[IDX_NAND]); fprintf(fd, "fi\n"); fprintf(fd, "source $isp_ram_addr\n"); @@ -1330,7 +1358,8 @@ int pack_image(int argc, char **argv) } fclose(fd); - sprintf(cmd, "cat %s %s %s %s > %s", isp_info.full_file_name_xboot0, isp_info.full_file_name_uboot0, tmp_file2, tmp_file, isp_info.file_name_pack_image); + sprintf(cmd, "cat %s %s %s %s %s > %s", isp_info.full_file_name_xboot0, isp_info.full_file_name_uboot0, isp_info.full_file_name_fip0, tmp_file2, tmp_file, isp_info.file_name_pack_image); + // printf("%s\n", cmd); system(cmd); 
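Review bot: The `cat` command line at the end of `pack_image` is still built with an unbounded `sprintf` and run through `system`, and this hunk adds a sixth `%s` whose value comes from the `FIP0` environment variable via `isp_info.full_file_name_fip0`. Use `snprintf(cmd, sizeof(cmd), …)` and stop when the result is negative or `>= sizeof(cmd)`; enlarging `cmd` to 2048 in the earlier hunk only moves the limit. Because the names are unquoted, a path containing a space or a shell metacharacter changes the command, so quoting each argument as `'%s'` or concatenating the files with `fopen`/`fread`/`fwrite` would be more robust. `pack_image` starts and ends outside this hunk.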
@@ -2454,6 +2483,22 @@ int main(int argc, char **argv) // Initialize global data. memset(&isp_info, 0, sizeof(isp_info)); + + const char *value = getenv("FIP0"); + if (value != NULL && strcmp(value, "0") != 0) { + isp_info.secure = 1; + strcpy(isp_info.full_file_name_fip0, value); + printf("create fip0=%s\n", isp_info.full_file_name_fip0); + + value = getenv("PUBKEY"); + if (value) strcpy(isp_info.pubkey, value); + value = getenv("PRIKEY"); + if (value) strcpy(isp_info.prikey, value); + + printf("pubkey=%s\n", isp_info.pubkey); + printf("prikey=%s\n", isp_info.prikey); + } + strncpy(isp_info.file_header.signature, file_header_signature, sizeof(isp_info.file_header.signature)); if (strcmp(sub_cmd, "pack_image") == 0) {
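Review bot: `FIP0`, `PUBKEY` and `PRIKEY` are copied from the environment with `strcpy` into fixed-size members of `isp_info`, so an over-long value overruns the struct. An empty `FIP0` (which is what `FIP0=${FIP0}` in isp.sh passes when the variable is unset) is also treated as enabled, because only the string `"0"` is excluded. The hunk prints the private key to stdout as well, which lands in build logs. Reject empty and over-long values before copying, fail when either key is missing, and drop the `prikey` print. `main` continues outside this hunk.

```c
	const char *value = getenv("FIP0");
	if (value != NULL && value[0] != '\0' && strcmp(value, "0") != 0) {
		const char *pub = getenv("PUBKEY");
		const char *pri = getenv("PRIKEY");

		/* The generated script burns these into OTP: refuse anything missing or oversized. */
		if (strlen(value) >= sizeof(isp_info.full_file_name_fip0) ||
		    pub == NULL || pub[0] == '\0' || strlen(pub) >= sizeof(isp_info.pubkey) ||
		    pri == NULL || pri[0] == '\0' || strlen(pri) >= sizeof(isp_info.prikey)) {
			printf("Error: FIP0/PUBKEY/PRIKEY missing or too long\n");
			exit(-1);
		}
		isp_info.secure = 1;
		strcpy(isp_info.full_file_name_fip0, value);
		strcpy(isp_info.pubkey, pub);
		strcpy(isp_info.prikey, pri);
		printf("create fip0=%s\n", isp_info.full_file_name_fip0);
		/* the private key is deliberately not echoed to the build log */
	}
	// … unchanged: file header signature and sub-command dispatch …
```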