manualshive.com logo in svg

NXP Semiconductors ASUG, User Manual

Share
Download
NXP Semiconductors ASUG User Manual Download Page 29

The Android build system signes the vbmeta image with the private key above and stores one copy of the public key in the signed
vbmeta image. During AVB verification, U-Boot validates the public key first and then uses the public key to authenticate the
signed vbmeta image.

8.10.2 How to set the vbmeta public key

The public key should be stored in Trusty OS backed RPMB for Android Auto. Perform the following steps to set the public key.
Make your board enter fastboot mode, and enter the following commands on the host side:

 fastboot stage ${your-key-directory}/test_rsa4096_public.bin
 fastboot oem set-public-key

The public key test_rsa4096_public.bin should be extracted from the specified private key. If no private key is specified, set the
public key as prebuilt testkey_public_rsa4096.bin, which is extracted from the default private key testkey_rsa4096.pem.

8.11 Key attestation

The keystore key attestation aims to provide a way to strongly determine if an asymmetric key pair is hardware-backed, what the
properties of the key are, and what constraints are applied to its usage.
Google provides the attestation "keybox", which contains private keys (RSA and ECDSA) and the corresponding certificate chains
to partners from the Android Partner Front End (APFE). After retrieving the "keybox" from Google, you need to parse the "keybox"
and provision the keys and certificates to secure storage. Both keys and certificates should be Distinguished Encoding Rules
(DER) encoded.
Fastboot commands are provided to provision the attestation keys and certificates. Make sure the secure storage is properly
initialized for Trusty OS:

• Set RSA private key:

fastboot stage <path-to-rsa-private-key>
fastboot oem set-rsa-atte-key

• Set ECDSA private key:

fastboot stage <path-to-ecdsa-private-key>
fastboot oem set-ec-atte-key

• Append RSA certificate chain:

fastboot stage <path-to-rsa-atte-cert>
fastboot oem append-rsa-atte-cert

 

This command may need to be executed multiple times to append the whole certificate chain.

  NOTE  

• Append ECDSA certificate chain:

fastboot stage <path-to-ecdsa-cert>
fastboot oem append-ec-atte-cert

 

This command may need to be executed multiple times to append the whole certificate chain.

  NOTE  

After provisioning all the keys and certificates, the keystore attestation feature should work properly.

NXP Semiconductors

Customized Configuration

Android

 User's Guide, Rev. P9.0.0_2.3.2, 6 March 2020

User's Guide

29 / 31

Summary of Contents for ASUG

Page 1: ...the necessary packages are installed for an Android build See Setting up your machine on the Android website source android com source initializing html In addition to the packages requested on the A...

Page 2: ...bin curl https storage googleapis com git repo downloads repo bin repo chmod a x bin repo export PATH PATH bin source imx p9 0 0_2 3 2 imx_android_setup sh By default the imx_android_setup sh script...

Page 3: ...uild_id mk in your MY_ANDROID directory For details see the Android Frequently Asked Questions The following outputs are generated by default in MY_ANDROID out target product evk_8mn root root file sy...

Page 4: ...ing a kernel image To build boot img see Building boot img To build dtbo img see Building dtbo img NOTE 3 2 1 Configuration examples of building i MX devices The following table shows examples of usin...

Page 5: ...ccess and debuggability preferred for debugging Installs modules tagged with debug ro debuggable 1 adb is enabled by default There are two methods for the build of Android image Method 1 Set the envir...

Page 6: ...uild envsetup sh lunch evk_8mn userdebug make bootloader j4 For other platforms use lunch buildName buildType to set up the build configuration For detailed build configuration see Section 3 2 Buildin...

Page 7: ...the Android Platform with a Prebuilt Image Table 6 Image packages Image package Description android_p9 0 0_2 3 2_image_8mnevk tar gz Prebuilt image for i MX 8M Nano EVK board which includes NXP extend...

Page 8: ...no EVK board to support MIPI panel output rpmb_key_test bin Prebuilt test RPMB key which can be used to set the RPMB key as fixed 32 bytes 0x00 testkey_public_rsa4096 bin Prebuilt AVB public key which...

Page 9: ...vices on the development system MMC SD must be programmed with the U Boot boot loader The i MX 8 series boot process determines what storage device to access based on the switch settings When the boot...

Page 10: ...img format a kernel recovery ramdisk boot img 4 boot_b Follow boot_a 48 MB boot img format a kernel recovery ramdisk boot img 5 system_a Follow boot_b 2560 MB EXT4 Mount as system Android system file...

Page 11: ...each Linux PC Unmount all the SD card partitions before running the script Put related bootloader boot image system image and vbmeta image in your current directory This script needs simg2img tool to...

Page 12: ...on table img default If it is set to 7 use partition table 7GB img for 8 GB SD card If it is set to 14 use partition table 14GB img for 16 GB SD card If it is set to 28 use partition table 28GB img fo...

Page 13: ...ngs Boot mode switch SW1101 from 1 4 bit eMMC boot 0100 To boot from SD change the board Boot_Mode switch to SW1101 1100 from 1 4 bit To boot from eMMC change the board Boot_Mode switch to SW1101 0100...

Page 14: ...such as U Boot environments kernel command line and DM verity configuartions 6 2 1 U Boot environment bootcmd the first variable to run after U Boot boot bootargs the kernel command line which the bo...

Page 15: ...annot be large than 1184 MB as teh Cortex M4 core will also allocate memory from CMA and Cortex M4 cannot use the memory large than 0xDFFFFFFFF androidboot selinux Argument to disable selinux check an...

Page 16: ...To configure fps change this value to 480p60 480p50 480p30 The system will find out and work at the best display mode and display mode can be changed through this bootargs androidboot fbTileSupport I...

Page 17: ...a Boot up the device b Choose Settings Developer Options OEM Unlocking to enable OEM unlocking c Execute the following command on the target side to make the board enter fastboot mode reboot bootload...

Page 18: ...often very similar to their previous versions so the package only needs to contain encoding of the differences between the two files You can install the incremental update package only on a device tha...

Page 19: ...ad bin to board s sdcard dir adb push payload bin sdcard 3 Cat the content of payload_properties txt like this FILE_HASH 0fSBbXonyTjaAzMpwTBgM9AVtlBeyOigpCCgkoOfHKY FILE_SIZE 379074366 METADATA_HASH I...

Page 20: ..._ota_folder content is like this Make sure that you have at least 6 files as follows in server_ota_folder or the OTA application will be aborted build server var www evk_8mn_pie_9 ls build prop build_...

Page 21: ...ay be many DTS for one board For example in MY_ANDROID device fsl imx8m evk_8mn BoardConfig mk TARGET_BOARD_DTS_CONFIG imx8mn fsl imx8mn ddr4 evk trusty dtb TARGET_BOARD_DTS_CONFIG imx8mn mipi panel f...

Page 22: ...camera media_profiles_1080p xml Maximum to 1080P 30FPS and 8 Mbps for recording video Maximum to 720P 30FPS and 3 Mbps for recording video media_profiles_720p xml Maximum to 720P 30FPS and 3 Mbps for...

Page 23: ...8m aiy_8mq init rc For the i MX 8QuadXPlus MEK board the source folder is MY_ANDROID device fsl imx8q mek_8q init rc NOTE 8 5 How to enable low power audio The DirectAudioPlayer application is provide...

Page 24: ...id Quick Start Guide AQSUG DirectAudioPlayer supports limited audio files which is declared in device s audio_policy_configuration xml with AUDIO_OUTPUT_FLAG_DIRECT AUDIO_OUTPUT_FLAG_HW_AV_SYNC flag O...

Page 25: ...t from i MX 8QuadXPlus VPU output To achieve the best performance of video playback take the following methods to accelerate the video playback through i MX 8QuadXPlus DPU Enable it by the default dev...

Page 26: ...wnload the corresponding version SCFW from here L4 14 98_2 0 1_SCFWKIT 1 2 2 5 Unzip the porting kit and SCFW for i MX 8QuadXPlus imx scfw porting kit bin cd imx scfw porting kit src tar xf scfw_expor...

Page 27: ...the specified RPMB key or random RPMB key The RPMB key cannot be changed once it is set To set a specified RPMB key perform the following operations Make your board enter fastboot mode Execute the co...

Page 28: ...a_keygen_bits 4096 outform PEM out test_rsa4096_private pem The public key can be extracted from the private key The avbtool in MY_ANDROID external avb supports such commands You can get the public ke...

Page 29: ...attestation keybox which contains private keys RSA and ECDSA and the corresponding certificate chains to partners from the Android Partner Front End APFE After retrieving the keybox from Google you n...

Page 30: ...2 0 0 ga 04 2019 i MX 8M i MX 8QuadMax and i MX 8QuadXPlus GA release P9 0 0_2 3 0 08 2019 i MX 8M Mini i MX 8M Quad i MX 8M Nano and i MX 8QuadXPlus Alpha release P9 0 0_2 3 2 02 2020 i MX 8M Nano i...

Page 31: ...e design and operating safeguards to minimize the risks associated with their applications and products NXP the NXP logo NXP SECURE CONNECTIONS FOR A SMARTER WORLD COOLFLUX EMBRACE GREENCHIP HITAG I2C...

Reviews:

No comments

Brands by name

Popular brands

Load more brands