1Overview
This document explains the steps to enable the HDCP2.X
function based on the Android? Extended Wi-Fi Display
Sink Release package. It describes how to enable the High
Assurance Boot (HAB) for an Android image, how to generate
and provision keyblob for HDCP2.X key, and how to enable
the HDCP2.X functions based on i.MX Android Extended Wi-
Fi Display Sink Release package. For more information, see
the Android? User's Guide (AUG), i.MX Android?
Extended Wi-Fi Display Sink Release Notes (AEWDSRN),
and i.MX 6 Linux High Assurance Boot (HAB) User's Guide
(IMX6HABUG).2Preparation Unpack the imx-android-hdcp2.x.tar.gz file by using the
following commands:
$ cd ~ (or any other directory you like) $ tar xzvf L5.1.1_2.1.0-HDCP2.x.tar.gz $ cd L5.1.1_2.1.0-HDCP2.x $ tar xzvf HDCPLib.tar.gz $ tar xzvf mxc_secureboot.tar.gz
$ tar xzvf Patches.tar.gz
User's Guide Rev. L5.1.1_2.1.0-ga, 01/2016Android? HDCP2.x User's Guide ? 2016 Freescale Semiconductor, Inc.
Contents
1Overview....................................................................12Preparation................................................................13Patching i.MX Android HDCP2.x Package......................................................................24Android High Assurance Boot (HAB)......................35HDCP Keyblobs........................................................56Revision History. (6)
3Patching i.MX Android HDCP2.x Package
3.1Enabling secure boot in the Android platform's U-Boot
Rebuild the Android platform's U-Boot image with the patches to myandroid/bootloader/bootable/u-boot. The patches are included in L5.1.1_2.1.0-HDCP2.x/Patches/android, which can be applied as:
$ cd myandroid/bootloader/bootable/u-boot $ git apply ~/L5.1.1_2.1.0-HDCP2.x/Patches/bootable/bootloader/uboot-imx/0001-Enable-CONFIG_SECURE_BOOT-for-android-bootloader.patch
3.2Enabling secure boot in MFGTool's U-Boot
Rebuild the MFGTool's U-Boot image with the patches to myandroid/bootloader/bootable/u-boot. The patches are included in L5.1.1_2.1.0-HDCP2.x/Patches/mfgtool, which can be applied as:
$ cd myandroid/bootloader/bootable/u-boot $ git apply ~/L5.1.1_2.1.0-HDCP2.x/Patches/bootable/bootloader/uboot-imx/0001-Enable-CONFIG_SECURE_BOOT-for-android-bootloader.patch
3.3Disabling non-security features in a boot image
Rebuild boot.img with the following patches in myandroid/device/fsl.
All these patches are included in L5.1.1_2.1.0-HDCP2.x/Patches/android, which can be applied as:
$ cd myandroid/device/fsl $ git apply ~/L5.1.1_2.1.0-HDCP2.x/Patches/device/fsl/0001-Disable-runtime-config-on-dm_verity.patch $ git apply ~/L5.1.1_2.1.0-HDCP2.x/Patches/device/fsl/0002-Change-shell-to-be-executed-in-shell-user.patch
3.3.1Disabling DM_VERITY runtime configurable feature
The patch 0001-Disable-runtime-config-on-dm_verity.patch is used to disable DM_VERITY runtime configurable feature in boot.img. It has the following changes. Users should follow the Android? Frequently Asked Questions to generate the keys to sign the verity table of system.img.
diff --git a/sabresd_6dq/BoardConfig.mk b/sabresd_6dq/BoardConfig.mk index 516c8e5..86800e4 100644--- a/sabresd_6dq/BoardConfig.mk +++ b/sabresd_6dq/BoardConfig.mk @@ -80,7 +80,7 @@ TARGET_SELECT_KEY := 28# we don't support sparse image.TARGET_USERIMAGES_SPARSE_EXT_DISABLED := false -DM_VERITY_RUNTIME_CONFIG := true +DM_VERITY_RUNTIME_CONFIG := false # uncomment below lines if use NAND
#TARGET_USERIMAGES_USE_UBIFS = true
NOTE
With DM_VERITY enabled, the boot.img and recovery.img files include the verity
metadata of system.img. Any changes in system.img require a rebuild of boot.img and
recovery.img. Otherwise, boot.img and recovery.img fail to load system.img.
3.4Enabling the CAAM driver in MFGTool's kernel DTS
Rebuild the zImage with the following patches in myandroid/kernel_imx.
All of these patches are included in L5.1.1_2.1.0-HDCP2.x/Patches/android, which can be applied as:
$ cd myandroid/kernel_imx $ git apply ~/L5.1.1_2.1.0-HDCP2.x/Patches/kernel_imx/0001-Add-CAAM-Keyblob-config-for-mfg-tool-s-kernel-config.patch
3.5Adding HDCP support based on Android extended Wi-Fi display sink package
The HDCPLib.tar.gz package is used to add HDCP support in Android Extended Wi-Fi Display Sink. The following are the steps to add the HDCP support:
1.Follow Section 3.3 "Patch Freescale extended features code" in the Android? User's Guide (AUG) to patch the Android Extended Wi-Fi Display Sink.
https://www.sodocs.net/doc/37325898.html,e the following commands to patch HDCP libraries to wfd-proprietary:
tar zxvf ~/L5.1.1_2.1.0-HDCP2.x/HDCPLib.tar.gz -C ~/myandroid/device/wfd-proprietary/3.Follow Section 3.4 "Building Android images" in the Android? User's Guide (AUG) to build Android images.4Android High Assurance Boot (HAB)
4.1Generating key pair and public key's fuse file, and enabling HAB for i.MX 6DualQuad/6DualLite
To generate key pair and public key's fuse file, and enable HAB for i.MX 6DualQuad/6DualLite, perform the following steps:
1.Download the CST Tool as described in the i.MX 6 Linux High Assurance Boot (HAB) User's Guide (IMX6HABUG).
2.Follow the steps from 1 to 6, and 18 in "4 Test Procedure" in the i.MX 6 Linux High Assurance Boot (HAB) User's Guide (IMX6HABUG).
4.2Signing the Android boot/recovery image and U-Boot image
1.Prepare tools for HAB:
$ cd ~$ tar xzvf mxc_secureboot.tar.gz
# Assuming the cst tools installed into ~/cst-2.2
$ cd ~/mxc_secureboot
$ cp mxc_secureboot/template ~/cst-2.2/. -r
$ cp mxc_secureboot/u-boot ~/cst-2.2/. -r
$ cp mxc_secureboot/zImage ~/cst-2.2/. -r
$ cp mxc_secureboot/bootimg ~/cst-2.2/. -r
2.Sign the U-Boot image:
$ cp ~/myandroid/out/target/product/sabresd_6dq/u-boot-imx6q.imx ~/cst-2.2/u-boot/u-boot.imx
$ cd ~/cst-2.2/u-boot
$ ./mk_secure_uboot
$ mv u-boot-signed-pad.imx u-boot-imx6q-signed-pad.imx
3.Sign the recovery image:
$ cp ~/myandroid/out/target/product/sabresd_6dq/recovery-imx6q.img ~/cst-2.2/bootimg/ boot.img
$ cd ~/cst-2.2/bootimg
$ ./mk_secure_bootimg 0x12000000 [6QDL: 0x12000000 6SL/SX/7D: 0x80800000]
$ mv boot-signed-pad.img recovery-imx6q-signed-pad.img
4.Sign the boot image:
$ cp ~/myandroid/out/target/product/sabresd_6dq/boot-imx6q.img ~/cst-2.2/bootimg/
boot.img
$ cd ~/cst-2.2/bootimg
$ ./mk_secure_bootimg 0x12000000 [6QDL: 0x12000000 6SL/SX/7D: 0x80800000]
$ mv boot-signed-pad.img boot-imx6q-signed-pad.img
5.Sign the zImage to be used in the MFGTool:
$ cp ~/myandroid/kernel_imx/arch/arm/boot ~/cst-2.2/zImage
$ cd ~/cst-2.2/zImage
$ ./mk_secure_zimage 0x12000000 [6QDL: 0x12000000 6SL/SX/7D: 0x80800000]
NOTE
The mk_secure_bootimg script only takes boot.img as the input file, and boot-signed-
pad.img as the output file. When being used to sign recovery.img, the recovery.img needs
to be renamed as boot.img.
4.3Downloading Android images to the SD Card or eMMC with
the MFGTool
To download Android images to the SD Card or eMMC with the MFGTool, perform the following steps:
1.The bootloader u-boot-imx6q-sabresd.imx in mfgtools\Profiles\Linux\OS Firmware\firmware needs to be built with the
patches in L5.1.1_2.1.0-HDCP2.x/Patches/mfgtool/uboot.
2.The zImage in mfgtools\Profiles\Linux\OS Firmware\firmware needs to be built with the patches in L5.1.1_2.1.0-
HDCP2.x/Patches/mfgtool/kernel_imx.
3.Sign u-boot-imx6q-sabresd.imx and zImage in mfgtools\Profiles\Linux\OS Firmware\firmware as steps 11 and 12 in
the link: https://www.sodocs.net/doc/37325898.html,/docs/DOC-96451
4.See the Android? Quick Start Guide (AQSUG) to download the signed Android boot image and U-Boot image.
NOTE
?The code base for U-Boot and kernel in the MFGTool should be from the i.MX 6
Linux 3.14.38_6qp GA release.
?The default u-boot-imx6q-sabresd.imx in the default Android release MFGTool
does not enable the secure boot.
?Users need to follow the i.MX 6 Linux High Assurance Boot (HAB) User's Guide
(IMX6HABUG) to build a secure boot-enabled U-Boot for MFGTools.
?Users need to sign the U-Boot and zImage in the MFGTool.
?The process of signing U-Boot of the MFGTool is different from signing U-Boot
for booting device from the SD Card or eMMC.
5HDCP Keyblobs
There are two keys for each HDCP Sink device as shown in the following figure.
?128 bit Secret Global Constant (lc 128 ). The length of Secret Global Constant (lc 128 ) is 36 bytes, which includes its SHA1.
?Device Certification, which includes the Device Public Certification and Device Private Certification. The Device Certification is 862 bytes, which includes its SHA1.
The Wi-Fi Display Sink needs to access two keys to support the Wi-Fi Display Source with HDCP enabled. It is high risk to store these two keys directly in storage. i.MX 6Quad/6DualLite has the hardware security module to encrypt key to keyblob and decrypt keyblob to key. Device only needs to store the HDCP keyblobs in storeage. The HDCP keys can only be
decrypted by the same i.MX 6Quad/6DualLite, which can be used to generate the keyblob. The decryption and encryption
process is performed with the hardware security module, which is acted as the black box to users. Array
Figure 1. HDCP keyblobs
5.1Generating HDCP key files
The user should request HDCP keys for Sink device from the Digital Content Protection, LLC (DCP). The user should have
the HDCP keys for Sink device as the following format:
HDCP Sink Key text format
KSV: xxxxx
Content: xxxx
To generate HDCP key files, perform the following steps:
1.Copy the first 72 characters in Content to the file lc_128.txt. and the remainder in Content to the hdcp2_key.txt.
https://www.sodocs.net/doc/37325898.html,e the following commands to generate the key file in Linux OS:
$ xxd -r -p lc_128.txt hdcpv2trans_license_constant.bin $ xxd -r -p hdcp2_key.txt hdcpv2trans_kp.bin
5.2Generating and provisioning HDCP Keyblobs
The mfgtools-HDCP2x.zip file is used to generate and provision HDCP keyblobs into the system. The keyblobs are stored in the device partition. The setps are as follows:
1.Unzip the mfgtools-HDCP2x.zip file into a Windows ? OS computer.
2.Put the HDCP keys in the following folder. Make sure to have the same file name as follows:
?mfgtools-HDCP2x\Profiles\Linux\OS
?Firmware\files\android\hdcp-keys\hdcpv2trans_kp.bin
?mfgtools-HDCP2x\Profiles\Linux\OS
?Firmware\files\android\hdcp-keys\hdcpv2trans_license_constant.bin
3.Make your board into download mode.
4.Click the VBS according to your board type.
NOTE
?The steps in this section should be done after the Android images are downloaded
into the device with the MFGTool. Otherwise, the process of Android images
downloading erases the HDCP keyblobs in the device partition.
?Users should follow the steps 1 - 3 in Downloading Android images to the SD Card
or eMMC with the MFGTool to generated the bootloader and zImage for the
MFGTool.
Document Number:AHDCP2XUG Rev. L5.1.1_2.1.0-ga
01/2016Information in this document is provided solely to enable system and software implementers to use Freescale products. There are no express or implied copyright licenses granted hereunder to design or fabricate any integrated circuits based on the information in this document.
Freescale reserves the right to make changes without further notice to any products herein. Freescale makes no warranty, representation, or guarantee regarding the suitability of its products for any particular purpose, nor does Freescale assume any liability arising out of the application or use of any product or circuit, and specifically disclaims any and all liability, including without limitation consequential or incidental damages. “Typical” parameters that may be provided in Freescale data sheets and/or specifications can and do vary in different applications, and actual performance may vary over time. All operating parameters, including “typicals,” must be validated for each customer application by customer’s technical experts. Freescale does not convey any license under its patent rights nor the rights of others. Freescale sells products pursuant to standard terms and conditions of sale, which can be found at the following address: https://www.sodocs.net/doc/37325898.html,/SalesTermsandConditions.
How to Reach Us:
Home Page:
https://www.sodocs.net/doc/37325898.html,
Web Support:
https://www.sodocs.net/doc/37325898.html,/support
Freescale and the Freescale logo are trademarks of Freescale Semiconductor, Inc.,
Reg. U.S. Pat. & Tm. Off. All other product or service names are the property of their
respective owners. ARM, ARM Powered logo, and Cortex are registered trademarks of
ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.
? 2016 Freescale Semiconductor, Inc.