//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//
// Use of this source code is subject to the terms of the Microsoft end-user
// license agreement (EULA) under which you licensed this SOFTWARE PRODUCT.
// If you did not accept the terms of the EULA, you are not authorized to use
// this source code. For a copy of the EULA, please see the LICENSE.RTF on your
// install media.
//
******************************************************************************
* *
* Test Certificate for Secure Boot Loader (SBL) *
* *
******************************************************************************
FILES
-----
SBL_Test_Certificate.pfx - a test certificate used for development of SBL
SBL_Test_Certificate.h   - the test certificate's public key, as extracted
                           by DumpKey.exe
public_keys.c            - contains one or more public keys and key lengths;
                           #includes SBL_Test_Certificate.h
OVERVIEW
--------
Images must be signed with a certificate (using ImageHash.exe).
The certificate's public key is extracted into a .h file (using DumpKey.exe).
The public key is then compiled into the bootloader.
Your device's bootloader may include more than one public key. In this way,
the bootloader will accept signed images from multiple authorities.
The SBL for Mainstone (Secure_Eboot) was developed using the test certificate
included here. If you flash Secure_Eboot.bin/nb0 onto Mainstone, it will only
allow download of images signed with the test certificate. Because that
certificate and its private-key password ship with this BSP, anyone can sign
images that such a bootloader will accept.
*** THE TEST CERTIFICATE IS PROVIDED FOR YOUR REFERENCE ONLY. ***
*** DO NOT USE THE TEST CERTIFICATE OR CORRESPONDING PUBLIC KEY ***
*** IN A PRODUCTION ENVIRONMENT. ***
Most of the following are described in more detail on MSDN, but here are
Quick-Start instructions:
IMPORTING A CERTIFICATE TO YOUR CERTIFICATE STORE
-------------------------------------------------
1) from a cmd prompt on your image-signing machine, launch mmc.exe
2) select File > Add/Remove Snap-In...
3) click Add...
4) choose Certificates; click Add
5) choose which certificate store to manage, as appropriate
   (e.g. "My user account" if you want the certificate available only to
   the currently logged-in user)
6) return to the main MMC window, and expand the tree view to:
   Console Root > Certificates - Current User > Personal > Certificates
7) right-click on Certificates and choose All Tasks > Import...
8) browse to your certificate file (e.g. SBL_Test_Certificate.pfx)
9) when prompted for the private key password, enter "test123" (without
   the quotes) if you are importing SBL_Test_Certificate.pfx.
10) finish the wizard
You may now use this certificate to sign images for the Secure Boot Loader.
EXTRACTING THE CERTIFICATE'S PUBLIC KEY
---------------------------------------
1) cd to the directory in which you build your bootloader source code
2) run DumpKey.exe <headerfile>
   e.g. DumpKey public_key.h
3) using the GUI, select the certificate you previously imported
4) select "View Certificate"
5) VERIFY that you see "You have a private key that corresponds to this
   certificate." If you do not, the certificate was improperly created, or
   improperly imported into the certificate store.
6) click OK; public_key.h will be created
public_key.h contains the certificate's public key. The bootloader uses
this key to verify that images were signed with the correct certificate.
ADDING THE PUBLIC KEY TO YOUR SECURE BOOT LOADER
------------------------------------------------
1) cd to the directory in which you build your bootloader source code
2) edit public_keys.c to #include the header file
3) edit g_rgpbPublicKeys[] and g_rgdwKeyLengths[] to include the key/length
from the header file
NOTE: if you include more than one public key in the bootloader, they are
searched in order until one is found that successfully validates the
image being downloaded.
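The key table and the in-order search described above, as an added example that
is not the BSP's own public_keys.c. The key bytes, the verify callback, the
SBL_DEV_BUILD opt-in macro and the toy signature scheme are all constructed for
this example; the header DumpKey.exe actually emits defines its own array and
length names, and the real check is the one compiled into Secure_Eboot.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char BYTE;
typedef unsigned long DWORD;

/* Constructed stand-ins for the key blobs a DumpKey.exe header would define. */
static const BYTE g_rgbTestKey[]    = { 0x06, 0x02, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04 };
static const BYTE g_rgbReleaseKey[] = { 0x06, 0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD };

/* The test key enters the table only when the build explicitly opts in
 * (SBL_DEV_BUILD is an assumed macro), so a production bootloader cannot
 * carry it by accident. */
#ifdef SBL_DEV_BUILD
#define SBL_TEST_KEY_PTR  g_rgbTestKey,
#define SBL_TEST_KEY_LEN  (DWORD)sizeof(g_rgbTestKey),
#else
#define SBL_TEST_KEY_PTR
#define SBL_TEST_KEY_LEN
#endif

const BYTE  *g_rgpbPublicKeys[] = { SBL_TEST_KEY_PTR g_rgbReleaseKey };
const DWORD  g_rgdwKeyLengths[] = { SBL_TEST_KEY_LEN (DWORD)sizeof(g_rgbReleaseKey) };
const DWORD  g_cPublicKeys = sizeof(g_rgpbPublicKeys) / sizeof(g_rgpbPublicKeys[0]);

/* Signature check callback: nonzero when pbKey validates pbSig over pbImage. */
typedef int (*PFN_VERIFY)(const BYTE *pbKey, DWORD cbKey,
                          const BYTE *pbImage, DWORD cbImage,
                          const BYTE *pbSig, DWORD cbSig);

/* Try each key in table order; return the index of the first one that
 * validates the image, or -1 when none does (the download is refused). */
int FindValidatingKey(PFN_VERIFY pfnVerify, const BYTE *pbImage, DWORD cbImage,
                      const BYTE *pbSig, DWORD cbSig)
{
    DWORD i;
    for (i = 0; i < g_cPublicKeys; i++) {
        /* Skip entries that cannot be a key blob (null, or shorter than a header). */
        if (g_rgpbPublicKeys[i] == NULL || g_rgdwKeyLengths[i] < 4)
            continue;
        if (pfnVerify(g_rgpbPublicKeys[i], g_rgdwKeyLengths[i], pbImage, cbImage, pbSig, cbSig))
            return (int)i;
    }
    return -1;
}

/* Toy scheme standing in for the real check (assumption: the SBL verifies an
 * RSA signature over an image hash). The 4-byte "signature" is the key's last
 * four bytes XORed with the XOR of all image bytes, so it depends on both key
 * and image; anyone holding the key bytes can forge it, so it only exercises
 * the table search and must never be used as a real signature. */
void ToySign(const BYTE *pbKey, DWORD cbKey, const BYTE *pbImage, DWORD cbImage, BYTE sig[4])
{
    BYTE x = 0;
    DWORD i;
    for (i = 0; i < cbImage; i++) x ^= pbImage[i];
    for (i = 0; i < 4; i++) sig[i] = pbKey[cbKey - 4 + i] ^ x;
}

int ToyVerify(const BYTE *pbKey, DWORD cbKey, const BYTE *pbImage, DWORD cbImage,
              const BYTE *pbSig, DWORD cbSig)
{
    BYTE expect[4];
    if (cbKey < 4 || cbSig != 4) return 0;
    ToySign(pbKey, cbKey, pbImage, cbImage, expect);
    return memcmp(expect, pbSig, 4) == 0;
}

/* Constructed image bytes for the three demonstrations below. */
static const BYTE g_rgbImage[] = { 0x01, 0x02, 0x04 };

/* Image signed with the release key: accepted by key index 0 in a release build. */
int DemoReleaseKeyAccepted(void)
{
    BYTE sig[4];
    ToySign(g_rgbReleaseKey, sizeof(g_rgbReleaseKey), g_rgbImage, sizeof(g_rgbImage), sig);
    return FindValidatingKey(ToyVerify, g_rgbImage, sizeof(g_rgbImage), sig, 4);
}

/* Image signed with the test key: -1 unless SBL_DEV_BUILD compiled that key in. */
int DemoTestKeyRejected(void)
{
    BYTE sig[4];
    ToySign(g_rgbTestKey, sizeof(g_rgbTestKey), g_rgbImage, sizeof(g_rgbImage), sig);
    return FindValidatingKey(ToyVerify, g_rgbImage, sizeof(g_rgbImage), sig, 4);
}

/* Image modified after signing: -1, no key in the table validates it. */
int DemoTamperRejected(void)
{
    BYTE sig[4], tampered[sizeof(g_rgbImage)];
    ToySign(g_rgbReleaseKey, sizeof(g_rgbReleaseKey), g_rgbImage, sizeof(g_rgbImage), sig);
    memcpy(tampered, g_rgbImage, sizeof(g_rgbImage));
    tampered[2] ^= 0x01;
    return FindValidatingKey(ToyVerify, tampered, sizeof(tampered), sig, 4);
}

int main(void)
{
    printf("keys in table: %lu\n", g_cPublicKeys);
    printf("release-signed image -> key %d\n", DemoReleaseKeyAccepted());
    printf("test-signed image    -> key %d\n", DemoTestKeyRejected());
    printf("tampered image       -> key %d\n", DemoTamperRejected());
    return 0;
}
```

Build it with -DSBL_DEV_BUILD and the test key becomes index 0, so the
test-signed image is accepted; build it without and only the release key is
compiled in. Whatever keys end up in g_rgpbPublicKeys[] are trusted equally,
which is why the test key belongs behind a build switch rather than in the
table by default.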
SIGNING AN IMAGE WITH THE CERTIFICATE
-------------------------------------
1) copy your image to a temporary folder, or run ImageHash.exe from a folder
   other than your flat release directory.
2) run ImageHash.exe <input file> <output file> <packet size in KB>
   e.g. ImageHash.exe NK.bin NK_signed.bin 1024
See the documentation for ImageHash.exe for a full explanation of the
command line options.