Secure Boot - Generating cwe file

Trying to use Secure Boot with WP7608 and have a few questions going through the Secure Boot Application note from the source.

  1. Section 6.2 step 4 mentions packaging signed images into a CWE image. The script mentions that mdm9x28-image-cwe.inc depends on cwetool-native, but it is not mentioned how to use it?

  2. Syntax of the script and whether it has to be put in the same folder as the signing server is not mentioned?

  3. How to verify the image is signed properly with the key, before loading it into the device?

  4. There is no build seen for cwetool-native; does this need to be built in the SDK for use?

Further questions:

  1. To generate cwe files, do we need to use the Linux source and bitbake tool?
    Maybe we can provide the task using the command bitbake mdm9x28-image-minimal -c generate_cwe. In this case, how do we specify the signed image components for cwe generation?

You can see this document:
Example on Secure boot implementation for WP76xx.docx (173.5 KB)

Updated version including bootloader/kernel/rootFS/legatoFS authentication in FW R16:
Example on Secure boot implementation for WP76xx (version 7).docx (376.4 KB)

Dear @jyijyi

Thanks for the detailed documentation I will test this and update if any issues faced.

Thanks & Regards,

Pankaj Sant

@jyijyi

The Android signing tool provided in the attached document is pretty old, and from 2021 to 2022 there has been new firmware released for WP76 (from R16 to R16.1.1). Can you please confirm if the attached tools in the document can still be used with R16.1.1?

Alternatively, for a user building WP76 yocto, can he copy the tools from his own yocto workspace? This would be helpful, as at every future firmware change the signing tool can be updated from the corresponding Yocto workspace?

Isn't the yocto version the same in R16.0.1 and R16.1?


BTW, here is an updated version of document for applying secure boot to new memory
Example on Secure boot implementation for WP76xx (version 6).docx (371.9 KB)

Of course you can take the one in your own workspace and diff to the one in document and see if there is any difference.

Following the steps on Ubuntu 18.04, when running the step to sign the image with android_signature_add_R16.sh, I am getting the following error:

./android_signature_add_R16.sh /boot boot-yocto-mdm9x28.4k.unsigned.img boot-yocto-mdm9x28.4k.img verity
Password for the private key file:
Exception in thread "main" java.security.NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
at java.base/javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
at java.base/javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168)
at com.android.verity.Utils.decryptPrivateKey(Utils.java:150)
at com.android.verity.Utils.loadDERPrivateKey(Utils.java:166)
at com.android.verity.Utils.loadDERPrivateKeyFromFile(Utils.java:189)
at com.android.verity.BootSignature.doSignature(BootSignature.java:264)
at com.android.verity.BootSignature.main(BootSignature.java:324)
Looking here: Java 256-bit AES Password-Based Encryption - Stack Overflow, it seems to be a Java bug.

Is there any solution to this issue in ubuntu 18.04? Which Ubuntu version is recommended for signing the ubuntu image?

Actual bug info here :

https://bugs.openjdk.org/browse/JDK-8226824

Java Version used in Ubuntu 18.04:

java --version
openjdk 11.0.17 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu218.04)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu218.04, mixed mode, sharing)

I used java8 in ubuntu

owner@CNHKG-EX-001367:~/QMI/MBPL/R23/USB$ java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~16.04.1-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

Have used java8 on ubuntu 18.04 as below:

Still facing the same error? I see that if there is no password provided in step 2 generate keystore cwe image then the error is not faced.

Can you kindly confirm if providing password in step 2 is mandatory or we can use without password.

Using an incorrect password should show the following:

owner@CNHKG-EX-001367:~/Yocto/tools/signing_dir$ ./android_signature_add.sh /boot boot-yocto-mdm9x28.4k.unsigned.img boot-yocto-mdm9x28.4k.img
Password for the private key file: 
Password may be bad.
Exception in thread "main" java.security.spec.InvalidKeySpecException: Cannot retrieve the PKCS8EncodedKeySpec
	at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:255)
	at com.android.verity.Utils.decryptPrivateKey(Utils.java:158)
	at com.android.verity.Utils.loadDERPrivateKey(Utils.java:166)
	at com.android.verity.Utils.loadDERPrivateKeyFromFile(Utils.java:189)
	at com.android.verity.BootSignature.doSignature(BootSignature.java:264)
	at com.android.verity.BootSignature.main(BootSignature.java:324)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
	at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
	at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:432)
	at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
	at javax.crypto.Cipher.doFinal(Cipher.java:2168)
	at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:250)
	... 5 more

Using the correct password should show the following:

owner@CNHKG-EX-001367:~/Yocto/tools/signing_dir$ ./android_signature_add.sh /boot boot-yocto-mdm9x28.4k.unsigned.img boot-yocto-mdm9x28.4k.img
Password for the private key file: 
owner@CNHKG-EX-001367:

You can try the same openjdk version “1.8.0_292” as mine
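
Added example (not from the thread or from the signing tool): the first trace fails while looking up a SecretKeyFactory for OID 1.2.840.113549.1.5.13, which is PBES2, while the Java 8 trace shows a key being decrypted through PBEWithMD5AndDES. The Python below reads the scheme OID from a DER PKCS#8 key so you can tell which case a key file is in before signing; the function names and the sample bytes are constructed for illustration.

```python
PBES2 = "1.2.840.113549.1.5.13"            # the OID named in the first trace
SCHEMES = {PBES2: "PBES2 (PKCS#5 v2)",
           "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PBES1)"}

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:                      # base-128, high bit means "more"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def key_protection(der):
    """Name the scheme protecting a DER PKCS#8 key, or 'unencrypted'."""
    tag, pos, _ = read_tlv(der, 0)         # outer SEQUENCE
    tag2, pos, _ = read_tlv(der, pos)      # first child of the SEQUENCE
    if tag != 0x30 or tag2 not in (0x02, 0x30):
        raise ValueError("not a PKCS#8 structure")
    if tag2 == 0x02:                       # INTEGER version: plain PrivateKeyInfo
        return "unencrypted"
    tag3, pos, end = read_tlv(der, pos)    # OID inside the AlgorithmIdentifier
    if tag3 != 0x06:
        raise ValueError("missing algorithm OID")
    oid = decode_oid(der[pos:end])
    return SCHEMES.get(oid, oid)

# Constructed sample headers with dummy ciphertext, no real key material.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def sample_encrypted(last_arc):
    oid = _tlv(0x06, bytes.fromhex("2a864886f70d0105") + bytes([last_arc]))
    return _tlv(0x30, _tlv(0x30, oid + _tlv(0x30, b"")) + _tlv(0x04, bytes(8)))

SAMPLE_PLAIN = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + _tlv(0x04, b""))
```

For a real key, pass the file's bytes, for example `key_protection(open(path, "rb").read())`, where `path` is your DER-encoded private key.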

What if we do not use the password at all? No password we just press enter during creating of keystore.

Have you created a test key that required a password?
You can then test the password with your environment.

Yes the key is created without password and used for signing the image and the module is working correctly with the signed image.

For the legato image signing, the yocto code does not contain the legato-af. Can you let us know how we can use the files from legato-af from VScode?

Then do you mean your java was working fine for signing the image?
What version did you use at that time?

For your second question, do you mean the following in step 4?

I think you can use this one:
./build_bin/tmp/sysroots-components/x86_64/cwetool-native/usr/bin/hdrcnv

For ubinize.cfg, you can use mine as it is just a configuration file:
ubinize.cfg (514 Bytes)

Thanks I will try these files but for the rhash.bin I am not able to find it in my legato app setup using Vscode:

here is the reference from document:

Here is the image of my vscode setup where rhash.bin is missing in leaf-data folder:

Also not available in current folder as seen here:

Regarding the java issue I skipped entering password here in step 6 :

Just press enter without any password and then when signing the image here:

it does not ask you for password. It seems the password step is not mandatory and it is just for protection of the keystore.

btw for the java issue when I get some time I will try to make a docker container with Ubuntu 16 and try to sign the image in the container.

Will share that details later for now can you please let me know how to get the rhash.bin in vscode setup?

Thanks in advance.

You need to make the legato image by “make wp76xx” in leaf shell; after that you will see it here:

(lsh:WP76_stable) owner@CNHKG-EX-001367:~/LEAF/WP76/leaf-data/WP76_stable/wp76-legato$ ls ./build/wp76xx/rhash.bin 
./build/wp76xx/rhash.bin

Will make_wp76xx generate the rhash.bin for the default legato AF inside the leaf-data folder? In our case we have applications outside the leaf-data folder and we convert the .update file to .cwe.

Therefore do we have to move our applications into default .sdef so our applications are built with make_wp76xx and are included in rhash.bin?

Yes. I did it inside the leaf-data folder.
I suggest you try the default one with “make wp76xx” first; this can make sure the signing procedure is working fine first.
After that you can add your application to your legato image.

e.g.