NO PUBLIC DISCLOSURE PERMITTED: Please report postings of this document on public servers or websites to:
DocCtrlAgent@qualcomm.com.
Restricted Distribution: Not to be distributed to anyone who is not an employee of either Qualcomm Technologies, Inc. or its
affiliated companies without the express approval of Qualcomm Configuration Management.
Not to be used, copied, reproduced, or modified in whole or in part, nor its contents revealed in any manner to others without the
express written permission of Qualcomm Technologies, Inc.
Qualcomm and MSM are trademarks of Qualcomm Incorporated, registered in the United States and other countries. Other product
and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S.
and international law is strictly prohibited.
1 Introduction...................................................................................................... 5
1.1 Purpose.......................................................................................................................... 5
1.2 Conventions .................................................................................................................. 5
1.3 Technical assistance ...................................................................................................... 5
A References..................................................................................................... 18
A.1 Related documents ..................................................................................................... 18
A.2 Acronyms and terms .................................................................................................. 18
Figures
Figure 2-1 DebugPolicy generates debug policy output with preconfigured XMLs ................................... 7
Figure 2-2 DebugPolicy validates debug policy file against given XML .................................................... 8
Tables
Table 4-1 Revision 1 supported flags ........................................................................................................ 12
Table 4-2 Revision 2 supported flags ........................................................................................................ 13
Table 4-3 Revision 3 supported flags ........................................................................................................ 13
Table 4-4 Target revision and ELF signed offset....................................................................................... 17
Table 4-5 DebugPolicy file size formula ................................................................................................... 17
1.1 Purpose
To enable debugging of commercial secure devices, DebugPolicy file must be applied. The
DebugPolicy tool helps users – both Qualcomm® Technologies, Inc. (QTI) engineers and OEMs
– to easily configure, validate, and generate dp_AP_signed.mbn and/or dp_MSA_signed.mbn to
enable debugging of images on target.
1.2 Conventions
Function declarations, function names, type declarations, attributes, and code samples appear in a
different font, for example, #include.
Code variables appear in angle brackets, for example, <number>.
Shading indicates content that has been added or changed in this revision of the document.
The DebugPolicy tool is a standalone tool developed in Python. Its main functionality is
providing the ability to create and sign debug policy images, which is used to enable debugging
on commercial secure devices.
NOTE: MSM8994, MSM8992, and MSM8952 use revision 1, MSM8996 and later uses revision 2 and
MSM8998 and later (chipsets that support Double Signing) use revision 3.
sectools
Data Rule
Model Feeder
CL 1
Generate CL 2 CL 3
dp.mbn
Figure 2-1 DebugPolicy generates debug policy output with preconfigured XMLs
Figure 2-2 illustrates using the DebugPolicy tool to validate dp*.mbn against config file.
dp.mbn debugpolicy.xml
secimage.xml
(ELF)
Software Data
Validator Model
Comparator
DebugPolicy core
Valid?
Figure 2-2 DebugPolicy validates debug policy file against given XML
The DebugPolicy tool includes the following components/folders that are used to generate and
validate debug policy mbn:
<sectools>/
| sectools.py (main tool launcher command interface)
|
| -- config/ (chipset-specific config template directory)
| -- config/<chipset>/ (preconfigured config directory)
| -- config/xsd/ (xsd for config xml)
|
| -- sectools/features/dpc/ (main DebugPolicy core code)
| -- sectools/features/dpc/debugpolicy.py (main DebugPolicy python script)
|
| -- resources/data_prov_assets (assets for signing and encryption)
|
| -- sectools/common/core (infrastrure)
| -- sectools/common/crypto (crypto services)
| -- sectools/common/data_provisioning (data provision)
| -- sectools/common/parsegen (image utilities)
| -- sectools/common/utils (core utilities)
4.1 Prerequisites
OpenSSL 1.0.1 for Linux (or later versions); OpenSSL 1.0.1g for Windows is included in the
package
Python 2.7 (or later version)
The SecImage tool makes use of the system temporary folder as scratch space to create
intermediate output. Ensure that the tool has permission to write to that directory
Windows location: %temp% (This is an environment variable.)
Linux location: /tmp
A target that supports the DebugPolicy file. Current target support is for MSM8994 and later
To generate a DebugPolicy elf file that supports double signing, DebugPolicy version 4.x is
required. Current target supports MSM8998, and later chipsets support Double Signing.
4.2 Configurations
Two configuration files, DebugPolicy config file and SecImage config file, are included and
required for each target supported in order to create a debug policy mbn file with the desired
settings for the specified target. The configuration files are chipset-specific and located in the
following directories:
config\<platform>\<platform>_debugpolicy.xml
config\<platform>\<platform>_dbgp_secimage.xml
<debugpolicy.xml>
| -- revision: number denoting type of config file to use
Revision 1:
| -- serial_number_start: device serial number range start that applies
| -- serial_number_end: device serial number range end that applies
| -- flags: defines set of flag entries
| -- bit_pos: bit position for a flag [0:63]
| -- value: 0 or 1
Revision 2:
| -- flags: defines set of flag entries
| -- bit_pos: bit position for a flag [0:63]
| -- value: 0 or 1
| -- image_id_list: defines a set of image id’s applies, array of 32
| -- image_id: hex representation of an image ID, 32 bit
| -- root_cert_hash_list: defines a set of root cert hash signatures
| -- root_cert_hash: hash value of a root certificate (256-bit)
| -- serial_num_list: defines a set of serial numbers
| -- serial_num: hex representation of a serial number, 32 bit
| -- elf: configurable ELF parameters for the debug policy
| -- elf_class: 32 or 64 bit
| -- phys_addr: debug policy’s load address in raw partition (hex)
Revision 3:
| -- flags: defines set of flag entries
| -- bit_pos: bit position for a flag [0:63]
| -- value: 0 or 1
| -- image_id_list: defines a set of image id’s applies, array of 32
| -- image_id: hex representation of an image ID, 32 bit
| -- root_cert_hash_list: defines a set of root cert hash signatures
| -- root_cert_hash: hash value of a root certificate (256-bit)
| -- serial_num_list: defines a set of serial numbers
| -- serial_num: hex representation of a serial number, 32 bit
| -- root_cert_hash_qti_list: defines a set of root cert hash qti signatures
| -- root_cert_hash_qti: hash value of a root certificate (256-bit)
| -- elf: configurable ELF parameters for the debug policy
| -- elf_class: 32 or 64 bit
| -- phys_addr: debug policy’s load address in raw partition (hex)
1
Must be consistent with image ID defined by signer configuration.
NOTE: In DebugPolicy v1.0, both the serial_number_start and serial_number_end values must be the
same, as it only supports enabling the debug policy on a single device.
NOTE: The serial_num_list field is a replacement for the serial_number_start and serial_num_end fields
in Revision 1, as Revision 2 accepts a list of specific serial numbers as opposed to a supported
serial number range.
4.2.1.3 Flags
Flags is a 64-bit value, the most significant 16 bits of which is reserved for OEM use.
Supported flags for the revisions are listed in the following tables:
Revision 1 (Table 4-1)
Revision 2 (Table 4-2)
Revision 3 (Table 4-3)
4.2.1.4 Image ID
For image ID information, refer to Sectools: SecImage Tool User Guide (80-NM248-1).
If the image list is empty, the debug policy certificate hash is used as the root of trust for all
images. If the image list contains one or more image ID values, the debug policy certificate hash
will only be used to authenticate images with an ID found in the list.
<dbgp_secimage.xml>
| --general_properties:
| -- msm_part: defines JTAG ID used to sign the debug policy file
| -- selected_cert_config: defines the signing certificate for signing
sectools.py debugpolicy
--dbgp_config_path=<DebugPolicy config file>
--platform=<platform>
--input_file=<DebugPolicy ELF>
--secimage_config_path=<secimage config file>
--sign_id=<sign id>
--output_dir=<destination directory>
--generate
--sign
--validate
--rch=<hash>
2
Maps to certs in resources\data_prov_assets\Signing\Local.
–-version
--help
-d (for debug)
Where:
<DebugPolicy config file> is the path to the <platform>_debugpolicy.xml config file
which contains DebugPolicy parameters and configuration.
<platform> is the name of the platform for the set of config files to be used (for example,
8994 as <platform> will use config files from the following default directory:
.\config\8994).
<DebugPolicy ELF> is the DebugPolicy file path to sign or validate.
--sign_id with –-generate: Generates the signed DebugPolicy file with given input
sign_id.
--sign_id with –-sign: Signs/Resigns the DebugPolicy file with given input sign_id.
--sign_id with –-validate: The input DebugPolicy file is validated with given input
sign_id.
sectools.py debugpolicy
--dbgp_config_path=config\<platform>\<platform>_debugpolicy.xml
--secimage_config_path=config\<platform>\<platform>_dbgp_secimage.xml
--generate
--validate
The DebugPolicy (ELF) .mbn and DebugPolicy_log.txt can be found at the default output
directory.
sectools.py debugpolicy
--dbgp_config_path=config\<platform>\<platform>_debugpolicy.xml
--secimage_config_path=config\<platform>\<platform>_dbgp_secimage.xml
--input_file=<DebugPolicy file path>
--validate
In the command prompt, the DebugPolicy tool will indicate if the given signed debug policy file
is valid or not; it will also compare against debugpolicy.xml and print config mismatch if any.
MSM8952 V1 0x3000
MSM8992 V1 0x3000
MSM8994 V1 0x3000
MSM8996 V2 0x3000
MSM8998 V3 0x3000
SDM660 V3 0x3000
SDM630 V3 0x3000
V1 168 + n * 32 (0xA8 + n *0x20) 0xA8 + n *0x20 + 0x3000 root cert hash count = n
root cert hash size = 32 bytes
V2 960 (0x3C0) 0x3C0 + 0x3000 Fixed
V3 1092 (0x444) 0x444 + 0x3000 Fixed