11.5.6.2. AOSP build Environment Setup

11.5.6.2.1. AOSP build Environment for Hikey960

To set up the Android build environment for the Hikey960 board, follow the steps below:

  1. The build setup file structure should be as below:

    <ROOT-DIR>
    |
    |------ android-root/
    |
    |------ simw-top/
    
  2. Downloading and building AOSP source code (refer to https://source.android.com/setup/build/devices).

    In the steps below, android-root means $ROOT_DIR/android-root/.

    To keep the scripts simple, it is assumed that the ROOT_DIR variable is set as below:

    ROOT_DIR=/opt/_ddm/aospbld
    
  3. Setup REPO Tool:

    mkdir ~/bin
    PATH=~/bin:$PATH
    curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
    chmod a+x ~/bin/repo
    
  4. Download source code using REPO tool:

    ROOT_DIR=/opt/_ddm/aospbld # For example
    
    mkdir -p ${ROOT_DIR}/android-root
    cd ${ROOT_DIR}/android-root
    
    repo init -u https://android.googlesource.com/platform/manifest -b android-p-preview-2
    repo sync -j$(nproc)
    

    All scripts from here on assume ROOT_DIR is set.

  5. Apply patches from android.googlesource.com:

    cd ${ROOT_DIR}/android-root/prebuilts/tools
    git fetch https://android.googlesource.com/platform/prebuilts/tools refs/changes/02/682002/1 && git cherry-pick FETCH_HEAD
    
    cd ${ROOT_DIR}/android-root/external/e2fsprogs/
    git fetch https://android.googlesource.com/platform/external/e2fsprogs refs/changes/05/683305/1 && git cherry-pick FETCH_HEAD
    
    cd ${ROOT_DIR}/android-root/external/f2fs-tools
    git fetch https://android.googlesource.com/platform/external/f2fs-tools refs/changes/06/683306/1 && git cherry-pick FETCH_HEAD
    
  6. Apply patches from the host library.

    These patches are for the Android Keymaster 3.0 Board init.

    Commands to apply the patches:

    cp ${ROOT_DIR}/simw-top/akm/src/Board_init/keymaster_sepolicy.patch ${ROOT_DIR}/android-root/system/sepolicy/
    cd ${ROOT_DIR}/android-root/system/sepolicy/
    patch -p1 < keymaster_sepolicy.patch
    
    cp ${ROOT_DIR}/simw-top/akm/src/Board_init/init_rc_file.patch ${ROOT_DIR}/android-root/system/core/
    cd ${ROOT_DIR}/android-root/system/core/
    patch -p1 < init_rc_file.patch
    
    • init_rc_file.patch updates the system ownership of the I2C module and creates the secure directory /data/vendor/SE05x.

    • keymaster_sepolicy.patch updates the SE050 Keymaster HAL policy to allow access to the I2C device for communication with the SE050, and to the secure directory /data/vendor/SE05x for storing the Platform SCP03 keys.

  7. Follow the instructions below to build the source code for hikey960:

    cd ${ROOT_DIR}/android-root
    export ANDROID_ROOT=$(pwd)
    source build/envsetup.sh
    lunch hikey960-userdebug
    make -j $(nproc)
    

    Note

    Depending on the number of CPU cores, the build takes 1-4 hrs.

  8. Installing images.

    Follow https://source.android.com/setup/build/devices#960fastboot

  9. Flashing images. Follow https://source.android.com/setup/build/devices#960images

    Note

    “fastboot” and “adb” are required for flashing images.

  10. If modifications to the hikey kernel are required (e.g. adding or removing a device driver), refer to https://source.android.com/setup/build/devices#960kernel for building the hikey kernel, and follow the instructions given there to create a new boot image.

11.5.6.2.2. AOSP build environment for iMX8M (coming soon)

To set up the Android build environment for the iMX8M board, follow the steps below:

  1. The build setup file structure should be as below (your ${ROOT_DIR} directory):

    <ROOT-DIR>
    |
    |------ android-root/
    |
    |------ simw-top/
    
  1. Downloading and building AOSP source code (refer to section 3.2.3: Build your own Android BSP Image from https://www.nxp.com/support/developer-resources/run-time-software/i.mx-developer-resources/evaluation-kit-for-the-i.mx-8m-applications-processor:MCIMX8M-EVK?tab=In-Depth_Tab). In the steps below, android-root means $ROOT_DIR/android-root/.

  2. Setup REPO Tool:

    mkdir -p ${ROOT_DIR}/android-root
    cd ${ROOT_DIR}/android-root
    
    mkdir ~/bin
    PATH=~/bin:$PATH
    curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
    chmod a+x ~/bin/repo
    
  3. Download source code using REPO tool

    Get the Android source code from the Google repo using the manifest and script provided inside imx-o8.1.0_1.3.0_8m.tar.gz (download the package from https://www.nxp.com/support/developer-resources/run-time-software/i.mx-developer-resources/evaluation-kit-for-the-i.mx-8m-applications-processor:MCIMX8M-EVK?tab=Design_Tools_Tab).

    source ~/imx-o8.0.0_1.3.0_8mq-prc/imx_android_setup.sh
    
    # By default, the imx_android_setup.sh script will create the source code build environment
    # in the folder ~/android_build
    
    # ${MY_ANDROID} will be referred to as the i.MX Android source code root directory in all i.MX
    # Android release documentation.
    
    export MY_ANDROID=~/android_build
    
  4. Building Android images:

    cd ${MY_ANDROID}
    export ANDROID_ROOT=$(pwd)
    source build/envsetup.sh
    lunch evk_8mq-userdebug
    make -j$(nproc) 2>&1 | tee build-log.txt
    

    Note

    Depending on the number of CPU cores, the build takes 1-4 hrs.

  5. Flashing the newly generated images.

    1. The board images can be flashed to the target board by using the MFGTool. The release package includes MFGTool for i.MX 8MQuad EVK in android_O8.0.0_1.3.0_8M-PRC_tools.tar.gz. The MFGTool is mfgtools-mx8mq-beta.zip.

    2. Unzip the mfgtools-mx8mq-beta.zip file to a selected location. The directory is named MFGTool-Dir.

    3. Copy the following files from $ROOT_DIR/android-root/out/target/product/evk_8mq to your MFGTool-Dir/Profiles/Linux/OS Firmware/files/android/evk directory.

    u-boot-imx8mq.imx
    partition-table.img
    boot-imx8mq.img
    vbmeta-imx8mq.img
    system.img
    vendor.img
    

11.5.6.3. SE050 based Android Keymaster

11.5.6.3.1. CMAKE based build system

  1. Download the Android NDK from https://developer.android.com/ndk/downloads/ and store it in /usr/local/, e.g. /usr/local/android-ndk-r18b-linux-x86_64

    cd /usr/local/
    wget https://dl.google.com/android/repository/android-ndk-r18b-linux-x86_64.zip
    unzip -d android-ndk-r18b-linux-x86_64 android-ndk-r18b-linux-x86_64.zip
    
  2. Once the Android build environment for hikey960 is up and running, follow the steps below to build the SE050 based Android keymaster:

    cd ${ROOT_DIR}/android-root
    export ANDROID_ROOT=$(pwd)
    cd ${ROOT_DIR}/simw-top/scripts/android/cmake_based
    source board_config.sh hikey960
    ./setup_script.sh
    

    After successful execution, the <simw-top_build> directory is located next to the simw-top directory, and the simw-akm directory is located in $ROOT_DIR/android-root/system/keymaster.

    Note

    If the patches are already applied, call build_script.sh instead of setup_script.sh.

  3. A batch script keymaster_flash.bat will be copied to $ROOT_DIR/android-root/out/target/product/<BOARD_NAME>. Execute the batch script to push all the necessary files onto the target board.

11.5.6.3.2. AOSP based build system

  1. Set up simw-top inside $ROOT_DIR/android-root/vendor/nxp. If vendor/nxp does not exist inside $ROOT_DIR/android-root, create it.

  2. Follow the steps below to build the SE050 based Android keymaster:

    cd ${ROOT_DIR}/android-root
    cp vendor/nxp/simw-top/akm/src/interface_keymaster/patch/aosp/interface_keymaster3.0.patch hardware/interfaces/
    cd hardware/interfaces/
    patch -p1 < interface_keymaster3.0.patch
    cd ${ROOT_DIR}/android-root/vendor/nxp/simw-top
    mm -j$(nproc)
    cd ${ROOT_DIR}/android-root/hardware/interfaces/keymaster/3.0/default
    mm -j$(nproc)
    
  3. AKM supports various authentication mechanisms. The supported Auth types are:

    None
    PlatfSCP03
    UserID
    AESKey
    ECKey
    UserID_PlatfSCP03
    AESKey_PlatfSCP03
    ECKey_PlatfSCP03
    
  4. By default, SE05X authentication is through None. For any other Auth type, follow the steps below:

    cd ${ROOT_DIR}/android-root/vendor/nxp/simw-top
    # General form: mm SE05X_Auth=<Auth Type> -j$(nproc)
    # e.g. for PlatfSCP03:
    mm SE05X_Auth=PlatfSCP03 -j$(nproc)
    cd ${ROOT_DIR}/android-root/hardware/interfaces/keymaster/3.0/default
    mm -j$(nproc)
    
  5. After a successful build, copy keymaster_flash.bat located at $ROOT_DIR/android-root/vendor/nxp/simw-top/scripts/android/aosp_based to $ROOT_DIR/android-root/out/target/product/<BOARD_NAME>. Execute the batch script to push all the necessary files onto the target board.

  6. Another way to build the SE050 based Android keymaster is as follows:

    cd ${ROOT_DIR}/android-root
    export ANDROID_ROOT=$(pwd)
    cd ${ANDROID_ROOT}/vendor/nxp/simw-top/scripts/android/aosp_based
    source board_config.sh hikey960
    ./setup_script.sh
    
  7. A batch script keymaster_flash.bat will be copied to $ROOT_DIR/android-root/out/target/product/<BOARD_NAME>. Execute the batch script to push all the necessary files onto the target board.

11.5.6.4. Extract Secure Element Information

Refer to SE Platform Information on Android platform.

11.5.6.5. Rotate Platform SCP03 Keys

Project se05xRotatePlatfSCP03 is available to update Platform SCP03 keys on the SE. Build the project with build configuration SE05X_Auth=PlatfSCP03. For details about the tool, refer to SE05X Rotate PlatformSCP Keys Demo.

After building the project, push the built binary to the Android device using the adb tool and run it from the command line.

11.5.6.6. How to use own Platform SCP03 Keys

Refer to Section 11.10 Using own Platform SCP03 Keys for details on how to use your own Platform SCP03 keys.

Note

Be sure to apply keymaster_sepolicy.patch so that the keymaster service is allowed to access the Platform SCP03 keys.
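
One way to confirm, before building, that the Board_init patches from step 6 of the Hikey960 setup (keymaster_sepolicy.patch and init_rc_file.patch) are actually present in the tree. This is an added example, not part of the NXP scripts; the helper names patch_state and check_board_patches are hypothetical, and GNU patch is assumed.

```shell
# Added example: patch_state and check_board_patches are hypothetical names.

# Classify one patch against a source tree without modifying the tree.
# Prints exactly one of: applied | pending | conflict | missing
patch_state() (
    [ -d "$1" ] && [ -f "$2" ] || { echo missing; exit 0; }
    # Resolve the patch path before changing directory.
    patchfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    cd "$1" || exit 1
    # Reverse dry run: succeeds only if every hunk is already in the tree.
    if patch -p1 -R -f --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo applied
    # Forward dry run: succeeds if the patch can still be applied.
    elif patch -p1 -f --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo pending
    else
        # Neither direction fits: partially applied, or the tree has drifted.
        echo conflict
    fi
)

# Check the two Board_init patches from step 6 of the Hikey960 setup.
# $1 is ROOT_DIR. Returns 0 only when both patches are applied.
check_board_patches() {
    src=$1/simw-top/akm/src/Board_init
    rc=0
    for pair in system/sepolicy:keymaster_sepolicy.patch \
                system/core:init_rc_file.patch; do
        state=$(patch_state "$1/android-root/${pair%%:*}" "$src/${pair#*:}")
        echo "${pair#*:}: $state"
        [ "$state" = applied ] || rc=1
    done
    return $rc
}
```

Run `check_board_patches "${ROOT_DIR}"` before the build; a non-zero status means at least one patch is pending, conflicting or missing. The same result tells you whether to call setup_script.sh or build_script.sh.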

11.5.6.7. Retrieve Existing Certificates

Refer to Get Certificate from the SE.

11.5.6.8. Key Attestation

Key attestation support is available for RSA and ECC keys. The attestation keys and certificates need to be pre-injected at the following keyIDs:

#define ATTESTATION_KEY_RSA_KEYID 0x00000001
#define ATTESTATION_KEY_ECC_KEYID 0x00000004
#define ATTESTATION_CERTIFICATE_RSA_KEYID 0x00000011
#define ATTESTATION_CERTIFICATE_ECC_KEYID 0x00000014

For details on how to inject certificates into the SE, refer to Section 5.7.20 Inject Certificate into SE.

11.5.6.9. How To Enable Logging

By default, information logs, error logs and warning logs are enabled, but debug logs are disabled. To enable debug logs, define NX_LOG_ENABLE_DEFAULT_DEBUG as 1 in $ROOT_DIR/simw-top/hostlib/hostLib/libCommon/infra/nxLog_DefaultConfig.h

11.5.6.9.1. I2C connections with SE05x

  1. The diagram below shows the wiring connection between the Host Device (HD) and the SE05x.

../_images/HD-SE-connections.png

11.5.6.9.2. I2C data transceive operation

  1. The Host Device (HD) acts as the I2C_master while the SE05x is the I2C_slave.

  2. The HD transmits the requested frame from the application layer to the SE over the I2C bus. The SE sends an acknowledgement (ACK/NACK) for the received frame.

  3. The SE processes the received frame and prepares the response accordingly. The HD polls for Read until the response is prepared and sent over the I2C bus.

  4. The following diagram demonstrates this sequence.

../_images/I2C-operation.png