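--- a/include/image.mk
+++ b/include/image.mk
@@ -440,6 +440,8 @@ else
 DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1))
 endif
 
+ROOTFS_ENCRYPT = $(if $(ROE_KEY_DIR),$(wildcard $(ROE_KEY_DIR)/$(ROE_KEY_NAME).key),)
+
 DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled)
 DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images)
 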
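Review bot: `ROOTFS_ENCRYPT` expands to empty both when `ROE_KEY_DIR` is unset and when it is set but `$(ROE_KEY_NAME).key` is missing, so a mistyped key name or an absent key file silently produces an unencrypted rootfs. `DEVICE_CHECK_FIT_KEY`, two lines below, maps the equivalent FIT-key case to `install-disabled`, and the encryption key deserves the same fail-closed handling. One option is `ROOTFS_ENCRYPT = $(if $(ROE_KEY_DIR),$(or $(wildcard $(ROE_KEY_DIR)/$(ROE_KEY_NAME).key),$(error ROE key $(ROE_KEY_DIR)/$(ROE_KEY_NAME).key not found)),)`, or a `$(warning ...)` if aborting the build is too strict. The recursive `=` looks intentional, since `ROE_KEY_DIR` is assigned per device in `Device/Default`; a one-line comment such as `# late-bound: ROE_KEY_DIR/ROE_KEY_NAME are per-device` would record that.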
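--- a/target/linux/mediatek/image/Makefile
+++ b/target/linux/mediatek/image/Makefile
@@ -16,6 +16,14 @@ define Build/sysupgrade-emmc
 $(IMAGE_ROOTFS)
 endef
 
+define Build/fdt-patch-dm-crypt
+ BIN=$(STAGING_DIR_HOST)/bin \
+ LIBFDT_PATH=$(STAGING_DIR_HOST)/lib \
+ $(TOPDIR)/scripts/fdt-patch-dm-crypt.sh \
+ $(KDIR)/image-sb-$(firstword $(DEVICE_DTS)).dtb \
+ $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary-$(firstword $(DEVICE_DTS))
+endef
+
 # build squashfs-hashed
 define Build/squashfs-hashed
 $(CP) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-$(firstword $(DEVICE_DTS))
@@ -27,6 +35,7 @@ define Build/squashfs-hashed
 fdt-patch-dm-verify $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary-$(firstword $(DEVICE_DTS)) \
 $(KDIR)/image-$(firstword $(DEVICE_DTS)).dtb $(KDIR)/image-sb-$(firstword $(DEVICE_DTS)).dtb \
 $(HASHED_BOOT_DEVICE)
+ $(if $(ROOTFS_ENCRYPT),$(call Build/fdt-patch-dm-crypt))
 endef
 
 # build fw-ar-ver
@@ -40,6 +49,30 @@ define Build/fw-ar-ver
 $(call get_fw_ar_ver,$(ANTI_ROLLBACK_TABLE),$(AUTO_AR_CONF))
 endef
 
+define Build/rfsk-encrypt
+ BIN=$(STAGING_DIR_HOST)/bin \
+ $(TOPDIR)/scripts/enc-rfsk.sh \
+ -d $(ROE_KEY_DIR) \
+ -f $@ \
+ -k $(ROE_KEY_DIR)/$(ROE_KEY_NAME) \
+ -s $(dir $@)
+endef
+
+define Build/fit-secret
+ BIN=$(STAGING_DIR_HOST)/bin \
+ LIBFDT_PATH=$(STAGING_DIR_HOST)/lib \
+ $(TOPDIR)/scripts/enc-rfsk.sh \
+ -c "config-1" \
+ -d $(ROE_KEY_DIR) \
+ -f $@ \
+ -k $(ROE_KEY_DIR)/$(ROE_KEY_NAME) \
+ -s $(dir $@)
+endef
+
+define Build/rootfs-encrypt
+ $(if $(ROOTFS_ENCRYPT),$(call Build/rfsk-encrypt))
+endef
+
 # build signed fit
 define Build/fit-sign
 $(TOPDIR)/scripts/mkits.sh \
@@ -54,13 +87,18 @@ define Build/fit-sign
 -v $(LINUX_VERSION) \
 $(if $(FIT_KEY_NAME),-S $(FIT_KEY_NAME)) \
 $(if $(FW_AR_VER),-r $(FW_AR_VER)) \
- $(if $(CONFIG_TARGET_ROOTFS_SQUASHFS),-R $(ROOTFS/squashfs/$(DEVICE_NAME)))
+ $(if $(CONFIG_TARGET_ROOTFS_SQUASHFS), \
+ $(if $(ROOTFS_ENCRYPT), \
+ -R $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-$(firstword $(DEVICE_DTS)), \
+ -R $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)))) \
+ $(if $(ROOTFS_ENCRYPT),-m $(addsuffix -rfsk.enc,$(basename $@)))
 PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage \
 -f $@.its \
 $(if $(FIT_KEY_DIR),-k $(FIT_KEY_DIR)) \
 -r \
 $@.new
 @mv $@.new $@
+ $(if $(ROOTFS_ENCRYPT),$(call Build/fit-secret))
 endef
 
 # default all platform image(fit) build
@@ -78,6 +116,8 @@ define Device/Default
 pad-rootfs | append-metadata
 FIT_KEY_DIR :=
 FIT_KEY_NAME :=
+ ROE_KEY_DIR :=
+ ROE_KEY_NAME :=
 endef
 
 include $(SUBTARGET).mk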
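Review bot: In `Build/fit-sign`, the added `Build/fit-secret` call runs after `mkimage ... -r` has signed the image and after `mv $@.new $@`, so `enc-rfsk.sh -c "config-1" -f $@` appears to modify the FIT once signing is finished. The script is not part of this diff, so it cannot be told from here whether the data it writes is covered by the configuration signature or sits outside it. A comment above the call should state which, for example `# fit-secret edits $@ after signing; confirm the secret node is excluded from the signed config hash`. Because the edit happens in place on the final path, a failing script could also leave a signed but incomplete image at `$@`; running the step on `$@.new` before the `mv` would keep the rename atomic, if the script's `-f`/`-s` arguments allow it. Part of the `mkits.sh` argument list of `fit-sign` lies outside the visible hunks.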