- Reference documents:
1. https://blog.csdn.net/armfpga123/article/details/65446628
2. https://blog.csdn.net/tq501501/article/details/94719382
3. https://blog.csdn.net/the_Sunshine_of_King/article/details/74778109
4. https://www.it610.com/article/1279351060980318208.htm
- Step 1: generate the keys
1. Make a copy of the following files (four files in total)
/oem/common/sectools$ cp ./resources/data_prov_assets/General_Assets/Signing/openssl/opensslroot.cfg ./resources/data_prov_assets/Signing/Local/qc_kona_key
/oem/common/sectools$ cp ./resources/data_prov_assets/General_Assets/Signing/openssl/v3.ext ./resources/data_prov_assets/Signing/Local/qc_kona_key
/oem/common/sectools$ cp ./resources/data_prov_assets/General_Assets/Signing/openssl/v3_attest.ext ./resources/data_prov_assets/Signing/Local/qc_kona_key
/oem/common/sectools$ cp ./resources/data_prov_assets/Signing/Local/qti_presigned_certs-key2048_exp65537_paddingPSS/config.xml ./resources/data_prov_assets/Signing/Local/qc_kona_key
2. Generate the certificates and keys
openssl req -new -sha256 -key qpsa_rootca.key -x509 -out rootca_pem.crt -subj /C=US/ST=California/L="xxxx" -days 7300 -set_serial 1 -config opensslroot.cfg -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ ls
config.xml opensslroot.cfg qpsa_rootca.key rootca_pem.crt v3_attest.ext v3.ext
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ ls
config.xml opensslroot.cfg qpsa_rootca.cer qpsa_rootca.key rootca_pem.crt v3_attest.ext v3.ext
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ openssl genrsa -out qpsa_attestca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...................................................................................+++
e is 65537 (0x10001)
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ openssl req -new -key qpsa_attestca.key -out attestca.csr -subj /C=US/ST=CA/L="San Diego"/OU="CDMA Technologies"/O=QUALCOMM/CN="QUALCOMM Attestation CA" -days 7300 -config opensslroot.cfg
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ ls
attestca.csr config.xml opensslroot.cfg qpsa_attestca.key qpsa_rootca.cer qpsa_rootca.key rootca_pem.crt v3_attest.ext v3.ext
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ openssl x509 -req -in attestca.csr -CA rootca_pem.crt -CAkey qpsa_rootca.key -out attestca_pem.crt -set_serial 5 -days 7300 -extfile v3.ext -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256
3. Obtain the key (the SHA-384 digest of the root certificate)
/oem/common/sectools/resources/data_prov_assets/Signing/Local/qc_kona_key$ openssl dgst -sha384 qpsa_rootca.cer
xxxxxx
4. Configure the key obtained in step 3
5. Sign the images
python sectools.py secimage --meta_build="/oem" --chipset=sm8250 --sign
6. Write a script that copies the signed files to the out directory
7. Update NONHLOS
Generate NONHLOS.bin and the sparse image:
cd $ROOT/common/build && python update_common_info.py
Running python common\build\build.py triggers the NON-HLOS.bin update; some versions use update_common_info.py instead of build.py.
8. Flash secdata
9. Flash the signed images
10. Boot and verify
- Problems encountered:
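An added example, not part of the original notes or of sectools: a Python check (sectools itself is run with Python) for the outputs of steps 2 and 3. It reads a certificate's outer signature algorithm to confirm that the `-sigopt rsa_padding_mode:pss` options took effect, and computes the SHA-384 digest over the DER bytes, which differs from a digest of the PEM file. All function names are hypothetical and `SAMPLE_DER` is a constructed skeleton, not a real certificate.

```python
import base64, hashlib, re

SIG_OIDS = {"1.2.840.113549.1.1.10": "rsassaPss",               # PSS padding
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}  # PKCS#1 v1.5

def pem_to_der(pem):
    """Same conversion as `openssl x509 -inform PEM -outform DER`."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Outer signatureAlgorithm of an X.509 certificate (name or dotted OID)."""
    _, body, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)  # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg) # algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)

def root_digest(der):
    """Value `openssl dgst -sha384 qpsa_rootca.cer` prints for the DER file."""
    return hashlib.sha384(der).hexdigest()

# Constructed sample (not a real certificate): tbs, PSS AlgorithmIdentifier, signature.
SAMPLE_DER = bytes.fromhex("30193003020101300d06092a864886f70d01010a3000030300abcd")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

For the real files, pass the bytes of qpsa_rootca.cer to `root_digest` and `signature_algorithm`, or the text of rootca_pem.crt through `pem_to_der` first.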
Slot _a is unbootable, trying alternate slot
Err: line:1603 FindBootableSlot() status: Load Error
Err: line:1386 LoadImageAndAuth() status: Load Error
LoadImageAndAuth failed: Load Error
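These messages give no indication of what actually went wrong; the kernel serial log has to be enabled.
Cause: ipa_fws was not signed successfully. Other cases are similar; they are all subsystem loading problems.
- The device was bricked by flashing and images can no longer be downloaded to it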
oem\sxr2130_boot\boot_images\QcomPkg\Library\DevPrgLib\devprg_transfer.c
int devprg_transfer_init(void)
{
    // Force VIP off
    vip->state = VIP_DISABLED;
}
- Force unlock
\bootable\bootloader\edk2\QcomModulePkg\Library\BootLib\DeviceInfo.c
DevInfo.is_unlocked = TRUE;
DevInfo.is_unlock_critical = TRUE;