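To help you quickly verify the software's HAB encryption function, I have uploaded a cst tool with HAB encryption already enabled to Baidu Netdisk. It is for personal study only; anyone who uses it otherwise bears the consequences.
-- Link: https://pan.baidu.com/s/1lcFverYPDDp0qjxCcWpkug
-- Extraction code: 3873
Usage: extract the downloaded archive cst_3.0.1_hab_crypto.zip and copy all of its files into the \NXP-MCUBootUtility\tools\cst folder.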
NXP-MCUBootUtility is a tool designed for secure encrypted boot on NXP MCUs. It fully supports the HAB-based secure boot modes (signature only, and signature plus encryption). The HAB functions rely on NXP's official HAB Code Signing Tool. Because of export-control restrictions on security products, the HAB Code Signing Tool cannot be bundled in the NXP-MCUBootUtility installation package, so to enable the HAB signature and encryption functions you need to add the HAB Code Signing Tool to NXP-MCUBootUtility manually. This article shows how to add it and activate the HAB encryption function.
First, refer to the article "Enabling the HAB Signature Function of NXP-MCUBootUtility - CST", which shows how to add the CST tool to NXP-MCUBootUtility and activate the HAB signature function. Enabling HAB signing is a prerequisite for activating HAB encryption.
The signature and encryption functions of NXP-MCUBootUtility are both implemented by calling \NXP-MCUBootUtility\tools\cst\mingw32\bin\cst.exe. The cst.exe in the CST package downloaded from NXP's official website does not have the AES encryption function enabled by default, so we need to recompile it to produce a cst.exe that includes AES encryption.
First, download the msys2 installation package from http://www.msys2.org/ and select the package that matches your system (x86_64 for 64-bit systems, i686 for 32-bit systems). We choose msys2-x86_64-20180531.exe here. After the installation is complete, open the MSYS2 MSYS console from the Start menu.
Execute the following four commands in sequence, and enter y whenever you see the ":: Proceed with installation? [Y/n]" prompt. Note that you may need to close and reopen the console after the first command has run. Once all four commands have completed successfully, the basic MSYS2 update and the installation of the standard build packages and gcc are done.
jay@pc MSYS ~
$ pacman -Syu
$ pacman -Su
$ pacman -S --needed base-devel
$ pacman -S mingw-w64-i686-gcc
Then download the openssl source package from https://www.openssl.org/. A 1.0.x version is recommended (the 1.1.x versions had problems in testing). We choose openssl-1.0.2q.tar.gz here. After downloading, extract it and place it in the \NXP-MCUBootUtility\tools\openssl\ directory. Then open the MSYS2 MinGW 32-bit console from the Start menu.
Use the cd command to change to the \NXP-MCUBootUtility\tools\openssl\openssl-1.0.2q directory and execute the following three commands in sequence. Note that the second command takes a while (about 10 minutes), so please be patient.
jay@pc MINGW32 /d/NXP-MCUBootUtility/tools/openssl/openssl-1.0.2q
$ ./config
$ make
$ cp ms/applink.c include/openssl/
Staying in the MSYS2 MinGW 32-bit console, use the cd command to change to the \NXP-MCUBootUtility\tools\cst\code\back_end\src directory and execute the following two commands in sequence.
jay@pc MINGW32 /d/NXP-MCUBootUtility/tools/cst/code/back_end/src
$ gcc *.c -o cst.exe -I ../hdr -I ../../../../openssl/openssl-1.0.2q/include/ -L ../../../mingw32/lib/ -L ../../../../openssl/openssl-1.0.2q -lfrontend -lcrypto -lgdi32 -static
$ cp cst.exe ../../../mingw32/bin/
At this point, the HAB encryption function of NXP-MCUBootUtility is activated as well. Open NXP-MCUBootUtility, select the "HAB Encrypted Image Boot" mode under Secure Boot Type, and try it out.
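
The download and copy steps above can be guarded as follows, so that the OpenSSL tarball is checked before it is built and the stock cst.exe is preserved before it is overwritten. This is an added example, not part of the original article or of NXP's tooling; the function names `verify_sha256` and `install_with_backup` are hypothetical, and the expected digest is a placeholder to be taken from the checksum OpenSSL publishes for the tarball.

```bash
#!/usr/bin/env bash
# Added example: integrity guards around the download and install steps.
# Function names are hypothetical; the digest in the usage notes is a
# placeholder, not a real value.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX
# (compared case-insensitively).
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# install_with_backup SRC DEST
# Saves the first pre-existing DEST as DEST.orig (later runs never
# overwrite that backup), copies SRC over DEST, then confirms the copy
# is byte-for-byte identical to SRC.
install_with_backup() {
    local src="$1" dest="$2"
    [ -s "$src" ] || { echo "build output missing or empty: $src" >&2; return 2; }
    if [ -f "$dest" ] && [ ! -e "$dest.orig" ]; then
        cp -p "$dest" "$dest.orig" || return 1
    fi
    cp "$src" "$dest" || return 1
    cmp -s "$src" "$dest" || { echo "copy verification failed: $dest" >&2; return 1; }
}

# Usage in the MSYS2 MinGW 32-bit console (paths from the steps above):
#   verify_sha256 openssl-1.0.2q.tar.gz "<SHA256_FROM_OPENSSL_ORG>" || exit 1
#   ... ./config, make and the gcc command as in the article ...
#   install_with_backup cst.exe ../../../mingw32/bin/cst.exe
```

Keeping `cst.exe.orig` makes it possible to return to the signature-only binary if the rebuilt one misbehaves.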