Quectel SC20 User manual

Type
User manual

This manual is also suitable for

SC20 Secure Boot
User Guide
LTE Module Series
Rev. SC20_Secure_Boot_User_Guide_V1.0
Date: 2016-09-26
www.quectel.com
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 1 / 15
Our aim is to provide customers with timely and comprehensive service. For any
assistance, please contact our company headquarters:
Quectel Wireless Solutions Co., Ltd.
Office 501, Building 13, No.99, Tianzhou Road, Shanghai, China, 200233
Tel: +86 21 5108 6236
Or our local office. For more information, please visit:
http://www.quectel.com/support/salesupport.aspx
For technical support, or to report documentation errors, please visit:
http://www.quectel.com/support/techsupport.aspx
Or email to: [email protected]
GENERAL NOTES
QUECTEL OFFERS THE INFORMATION AS A SERVICE TO ITS CUSTOMERS. THE INFORMATION
PROVIDED IS BASED UPON CUSTOMERS’ REQUIREMENTS. QUECTEL MAKES EVERY EFFORT
TO ENSURE THE QUALITY OF THE INFORMATION IT MAKES AVAILABLE. QUECTEL DOES NOT
MAKE ANY WARRANTY AS TO THE INFORMATION CONTAINED HEREIN, AND DOES NOT ACCEPT
ANY LIABILITY FOR ANY INJURY, LOSS OR DAMAGE OF ANY KIND INCURRED BY USE OF OR
RELIANCE UPON THE INFORMATION. ALL INFORMATION SUPPLIED HEREIN IS SUBJECT TO
CHANGE WITHOUT PRIOR NOTICE.
COPYRIGHT
THE INFORMATION CONTAINED HERE IS PROPRIETARY TECHNICAL INFORMATION OF
QUECTEL CO., LTD. TRANSMITTING, REPRODUCTION, DISSEMINATION AND EDITING OF THIS
DOCUMENT AS WELL AS UTILIZATION OF THE CONTENT ARE FORBIDDEN WITHOUT
PERMISSION. OFFENDERS WILL BE HELD LIABLE FOR PAYMENT OF DAMAGES. ALL RIGHTS
ARE RESERVED IN THE EVENT OF A PATENT GRANT OR REGISTRATION OF A UTILITY MODEL
OR DESIGN.
Copyright © Quectel Wireless Solutions Co., Ltd. 2016. All rights reserved.
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 2 / 15
About the Document
History
Revision
Date
Author
Description
1.0
2016-09-26
Barret YUAN
Initial
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 3 / 15
Contents
About the Document ................................................................................................................................ 2
Contents .................................................................................................................................................... 3
Table Index ............................................................................................................................................... 4
Figure Index .............................................................................................................................................. 5
1 Introduction ....................................................................................................................................... 6
2 MSM8909 Secure Boot Flowchart .................................................................................................... 7
3 Configure OEM Key .......................................................................................................................... 9
4 Generate Secure Images ................................................................................................................ 10
5 Generate sec.dat ............................................................................................................................. 13
6 Download Image via QFIL ............................................................................................................... 14
7 Appendix A Reference .................................................................................................................... 15
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 4 / 15
Table Index
TABLE 1: OEM KEY LIST .................................................................................................................................... 9
TABLE 2: DIRECTORY LIST OF SIGNED IMAGE AND SOURCE IMAGE ....................................................... 11
TABLE 3: TERMS AND ABBREVIATIONS ........................................................................................................ 15
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 5 / 15
Figure Index
FIGURE 1: MSM8909 SECURE BOOT FLOWCHART ...................................................................................... 7
FIGURE 2: SIGNED IMAGE STORAGE DIRECTORY ..................................................................................... 10
FIGURE 3: SEC.DAT CONSTRUCTION ........................................................................................................... 13
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 6 / 15
1 Introduction
This document mainly introduces how to use the secure boot function of Quectel SC20 module.
Secure boot refers to the boot up sequence that establishes a trusted platform for secure applications. It
starts as an immutable sequence that validates the origin of the code using cryptographic authentication
so only authorized software can be executed. The boot up sequence places SC20 in a known security
state and protects it against binary manipulation of software and reflashing attacks.
A secure boot system adds cryptographic checks to each stage of the boot up process. This process
asserts the authenticity of all secure software images that are executed by SC20. The additional check
prevents any unauthorized or maliciously modified software from running on SC20. Secure boot is
enabled through a set of hardware fuses. For the code to be executed, it must be signed by the trusted
entity identified in the hardware fuses.
The flow to enable secure boot:
1. Configure OEM Key. The new keys can be used to sign images and generate sec.dat
2. Generate secure images, download signed images (use fastboot or QFIL tool)
3. Generate sec.dat and download it to SC20. Once secure boot fuses are blown, the device cannot
use other keys.
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 7 / 15
2 MSM8909 Secure Boot Flowchart
Figure 1: MSM8909 Secure Boot Flowchart
1. Power on the system and take MSM8909 AP CPU out from RESET.
2. Cortex-A7 APPS PBL:
a. Loads, executes, and authenticates the SBL1 segment #1 from SC20 to L2 (as TCM).
b. Loads, executes, and authenticates SBL1 segment #2* (DDR/SDI equivalent) to RPM code RAM,
then jumps to SBL1.
3. SBL1#1
a. Loads and authenticates the QSEE/TZ image from the boot device to DDR.
b. Loads and authenticates the RPM firmware image from the boot device to RPM code RAM.
c. Loads and authenticates the HLOS APPSBL image from the boot device to DDR.
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 8 / 15
4. SBL1 #1 transfers execution to QSEE/TZ.
5. QSEE/TZ sets up secure environment and brings RPM out of RESET to start execution of RPM
firmware.
6. QSEE/TZ jumps to HLOS APPSBL to start execution.
SBL1 segment#2 is equal to DDR driver + SDI equivalent copied to RPM code RAM.
DDR is initialized by SBL1 segment#2 and part of the SDI functionality included in SBL1 segment#2.
7. HLOS APPSBL loads and authenticates the HLOS kernel.
8. HLOS kernel:
a. Loads the Modem Boot Authenticator (MBA) to DDR via PIL.
b. Brings modem DSP Q6 out of RESET.
c. Loads the AMSS modem image to DDR via PIL.
c’. Modem PBL copies the MBA from DDR to modem TCM, authenticates MBA and finally jumps to
MBA image.
c”. MBA authenticates modem image and then jumps to modem.
d. HLOS loads the Pronto image to DDR via PIL.
d’. HLOS brings Pronto out of RESET and Pronto image starts execution.
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 9 / 15
3 Configure OEM Key
The flow to configure OEM key is illustrated below:
1. Extract sectool.tar, and then overwrite the directory “common/tools/sectools”.
2. Extract makeCrt.tar, run makecrt.dat, and then copy new keys to
“common/tools/sectools/resources/data_prov_assets/Signing/Local/oem_certs”
3.
sectool.tar and makeCrt.tar are available in the Tools directory.
Table 1: OEM Key List
Keys
Description
qpsa_rootca.key
Root CA private key
qpsa_rootca.cer
Root certificate
qpsa_attestca.key
Attestation CA private key
qpsa_attestca.cer
Attestation CA certificate
NOTE
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 10 / 15
4 Generate Secure Images
1. Use the following command to sign all images from <meta_build> and validate the signed image:
seccools.py secimage m <meta_build> -p <chipset> -o <output_dir> -sa
Store the signed images in <output_dir>. If <output_dir> is not given, the default location would be
<Secimage_dir>\secimage_output.
In this case, the directory is common/tools/sectools/secimage_output/8909/
Figure 2: Signed Image Storage Directory
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 11 / 15
Table 2: Directory List of Signed Image and Source Image
if venus.* is not signed, then camera and video cannot work. Use the signed image to rebuild android
system image.
Path of venus.*:
LINUX/android/vendor/qcom/proprietary/prebuilt_HY11/target/product/msm8909/system/etc/firmware/ven
us.*
2. Copy signed images to individual image file path.
Extract moveSecDat.bat.tar; copy moveSecDat.bat to work directory (containing boot_images/, common/,
Signed Image
Source Image
common\tools\sectools\secimage_output\
8909\cmnlib\cmnlib.mbn
trustzone_images/build/ms/bin/MAZAANAA/cmnlib.mbn
common\tools\sectools\secimage_output\
8909\widevine\widevine.mbn
trustzone_images/build/ms/bin/MAZAANAA/widevine.mbn
common\tools\sectools\secimage_output\
8909\keymaster\keymaster.mbn
trustzone_images/build/ms/bin/MAZAANAA/keymaster.mb
n
common\tools\sectools\secimage_output\
8909\wcnss\wcnss.mbn
wcnss_proc/build/ms/bin/SCAQMAZ/reloc\wcnss.mbn
common\tools\sectools\secimage_output\
8909\mba\mba.mbn
modem_proc/build/ms/bin/8909.genns.prod\mba.mbn
common\tools\sectools\secimage_output\
8909\modem\modem.mbn
modem_proc/build/ms/bin/8909.genns.prod\qdsp6sw.mbn
common\tools\sectools\secimage_output\
8909\venus\venus.*
LINUX/android/vendor/qcom/proprietary/prebuilt_HY11/tar
get/product/msm8909/system/etc/firmware/venus.*
common\tools\sectools\secimage_output\
8909\appsbl\ emmc_appsboot.mbn
LINUX\android\out\target\product\msm8909\emmc_appsb
oot.mbn
common\tools\sectools\secimage_output\
8909\qsee\ tz.mbn
trustzone_images\build\ms\bin\MAZAANAA\tz.mbn
common\tools\sectools\secimage_output\
8909\sampelapp\ sampelapp.mbn
trustzone_images\build\ms\bin\MAZAANAA\
sampelapp.mbn
common\tools\sectools\secimage_output\
8909\rpm\rpm.mbn
rpm_proc\build\ms\bin\8909\pm8909\rpm.mbn
common\tools\sectools\secimage_output\
8909\sbl1\ sbl1.mbn
boot_images\build\ms\bin\8909\emmc\unsigned\sbl1.mbn
common\tools\sectools\secimage_output\
8909\prog_emmc_ddr\prog_emmc_fireh
ose_8909_ddr.mbn
boot_images\build\ms\bin\8909\emmc\unsigned\prog_em
mc_firehose_8909_ddr.mbn
NOTE
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 12 / 15
modem_proc/, trustzone_images/, etc.); run this script; and finally copy signed images to the individual
image file path.
1.
moveSecDat.bat.tar is available in the Tools directory.
3. Use QFIL (Qualcomm Flash Image Loader) to get Flat Meta Build.
NOTE
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 13 / 15
5 Generate sec.dat
Figure 3: sec.dat Construction
sec.dat contains fuses info that is going to be blown by trustzone. Customers can enable secure boot,
blow read/write permissions, blow OEM special fuses.
How to generate sec.dat
The following command is used to generate sec.dat:
python common\tools\sectools\sectools.py fuseblower p 8909 g
Storage directory
New sec.dat can be found at the default <output_dir>: common/tools/sectools/common_output/v1/sec.dat
The old sec.dat is stored in: common\tools\sectools\resources\build\sec.dat. It is recommended to back
up the old one before using the new one to replace the old one.
sec.dat file loading using fastboot tool
The command below can be used when using fastboot tool for sec.dat file loading:
fastboot flash sec <sec.dat file path>
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 14 / 15
6 Download Image via QFIL
When using QFIL for image downloading under emergency download mode on SC20, it will return an
error to indicate download failure.
Reason
The technical reason is that there is no native (.exe/dll) available that would sign digest table; therefore,
QFIL will not be able to operate in VIP mode.
QFIL team would develop a tool which can support VIP mode when the signing tool that would work in
windows environment is ready. Currently it's not ready.
Temporary solution
The following solution can be temporarily used by customers when they use QFIL to download images to
SC20.
Make the following file modifications first, then rebuilt prog_emmc_firehose_8909_ddr.mbn, and finally
sign the image. Use the signed image for downloading, the downloading will be successful.
File Paths:
boot_images\core\storage\tools\deviceprogrammer_ddr\src\firehose\deviceprogrammer_initialize.c
boot_images\core\storage\tools\deviceprogrammer\src\firehose\emmc\deviceprogrammer_initialize.c
// In function void deviceprogrammer_init_hw()
+/* comment out - start
#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
// The check below is used to ensure that only VIP programmer is run on secure boot devices
// In other words, signing the non-VIP programmer is NOT recommended
if (FALSE == isValidationMode() && TRUE == isAuthenticationEnabled()) { strlcat(err_log, "Secure boot
detected. VIP not enabled:fail ", sizeof(err_log)); }
#endif
+ comment out - end */
Quectel
Confidential
LTE Module Series
SC20 Secure Boot User Guide
SC20_Secure_Boot_User_Guide Confidential / Released 15 / 15
7 Appendix A Reference
Table 3: Terms and Abbreviations
Abbreviation
Description
AP
Application Processor
APPSBL
Applications Boot Loader
APPS PBL
Applications Primary Boot Loader
BP
Baseband Processor
CA
Certificate Authority
HLOS
High-Level Operating System
mba
Modem Boot Authentication
PIL
Peripheral Image Loading
QFIL
Quelcomm Flash Image Loader
QSEE
Qualcomm Secure Execution Environment
RPM
Resource Power Manager
SBL
Secondary Boot Loader
TCM
Tightly Coupled Memory
TZ
Trustzone
Quectel
Confidential
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16

Quectel SC20 User manual

Type
User manual
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI