1.å¦ä½ç¼è¯OpenWrt
2.OP-TEE之安全存储
å¦ä½ç¼è¯OpenWrt
ãOpenwrt å®æ¹æ£å¼çåè¡çæ¯å·²ç¼è¯å¥½äºçæ åæ件ï¼åç¼åbinætrxãtrx2ï¼ï¼æ¤æ åæ件å¯ä»Openwrtå®æ¹ç½ç«çä¸è½½é¡µé¢ä¸è½»æ¾è·åå°ï¼è¿æ¥å°å为 OpenWrtå®æ¹ç½ç«ãè¿äºç¼è¯å¥½çæ åæ件æ¯åºäºé»è®¤çé 置设置ï¼ä¸åªé对åæ¯æçå¹³å°æ设å¤çãå æ¤ï¼ä¸ºä»ä¹è¦æé ä¸ä¸ªèªå·±çæ åæ件ï¼çç±æ以ä¸åç¹ï¼
æ¨æ³æ¥æä¸ä¸ªä¸ªæ§åçé ç½®OpenWrtï¼å½°æ¾ä¸ªæ§ï¼å¨æåååéæ¾ææ¾æï¼å¼ä¸ªç©ç¬ï¼ï¼
æ¨æ³å¨å®éªæ§çå¹³å°ä¸æµè¯OpenWrtï¼
æ¨åä¸æµè¯æåä¸å¼åOpenWrtçå·¥ä½ï¼
æè ï¼æç®åçç®çå°±æ¯ä¸ºäºä¿æèªå·±çOpenwrt为ææ°çæ¬ï¼
ãè¥æ³å®ç°ä¸è¿°ç®çï¼å ¶å®å¾ç®åï¼æä¸è¿°æåå³å¯æåç¼è¯åºä¸ä¸ªæ¨çOpenwrtæ¥ã
åå¤å·¥ä½
å¨å¼å§ç¼è¯Openwrtä¹åéè¦æ¨åäºåå¤å·¥ä½ï¼ä¸å ¶ä»ç¼è¯è¿ç¨ä¸æ ·ï¼ç±»ä¼¼çç¼è¯å·¥å ·åç¼è¯ç¯å¢æ¯å¿ ä¸å¯å°çï¼
ä¸ä¸ªæ建OpenWrtæ åçç³»ç»å¹³å°ï¼ç®å说就æ¯åå¤ä¸ä¸ªæä½ç³»ç»ï¼æ¯å¦UbuntuãDebiançï¼ï¼
ç¡®ä¿å®è£ äºæéçä¾èµå ³ç³»åºï¼ ï¼å¨debianç³»ç»ä¸å°±æ¯å®è£ åç§éè¦ç软件å ï¼
OpenWrtæºä»£ç å¯æ¬
é¦å ï¼ å¼æºç»éå°æ¯æç¼è¯Openwrtçæä½ç³»ç»ï¼åºè¯äºï¼ãå®ä½æºæè èææº(Vmware æè Qemu)éçæä½ç³»ç»é½è¡ï¼è¿éæ¨è使ç¨Linuxç³»ç»ã bsdåmac osxç³»ç»ä¹å¯ä»¥ç¼ï¼ä½ä¸æ¨èï¼ä¸æªéªè¯æ¯å¦å¯ç¼è¯æåãä¸æåå®æ¨ä½¿ç¨çæ¯Debianæä½ç³»ç»ï¼ä½¿ç¨ apt-get æ¥ç®¡çå . æ¿ä»£çéæ©æ¯ Ubuntu (åæ¯ Kubuntu,码分 Xubuntu çå³å¯)ã
第äºæ¥, å°±æ¯å®è£ æéè¦çåç§è½¯ä»¶å , å æ¬ç¼è¯å¨,解åå·¥å ·,ç¹å®çåºç. è¿äºå·¥ä½å¯ä»¥ç®åçéè¿é®å ¥ä»¥ä¸å½ä»¤ (é常éè¦root æè æ¯ sudo æé)ï¼ä»¥rootæéå®è£ ä¸å软件å (å¯è½å¹¶ä¸å®æ´ï¼ä¼ææ示ï¼æ示缺å°å³è£ å°±å¯ä»¥äºï¼:
ä½(x)请æ§è¡ä¸åå½ä»¤:
# apt-get install build-essential asciidoc binutils bzip2 gawk gettext \
git libncurses5-dev libz-dev patch unzip zlib1g-dev
ä½(x_)请æ§è¡ä¸åå½ä»¤ï¼å¤è£ äºåªäºåºæ软件å å¢ï¼è¯·æ¨ä»ç»çä¸çå¦ï¼:
# apt-get install build-essential asciidoc binutils bzip2 gawk gettext \
git libncurses5-dev libz-dev patch unzip zlib1g-dev ia-libs \
libgcc1 libc6-dev-i
åè æ¬åè¡¨ä¸ æåçç¼è¯ç¯å¢æéè¦è½¯ä»¶å æåºã
æäºä¾èµç为åºæ软件å ä¹è®¸æä½ç³»ç»ä¸å·²ç»å®è£ è¿ï¼æ¤æ¶apt-getä¼ä½åºæ示ï¼æ示æ¨å¿½ç¥æéæ°å®è£ çï¼ï¼å«ç´§å¼ ï¼æ¾è½»æ¾äºï¼ç¼è¯Openwrtä¸ä¼åç¼è¯DDï¼WRTé£æ ·é¾çï¼è³å°æ¬äººæ¯ä½ä¼å°äºç¼è¯DDï¼WRTçé¾ï¼ã
æåä¸è½½ä¸ä»½å®æ´ç Openwrt æºç å°ç¼è¯ç¯å¢ä¸ãå ³äºOpenwrtçæºä»£ç ä¸è½½ï¼éå¾æäºï¼ä¸æ¯éè¿ svn ï¼ä¸æ¯éè¿ gitï¼å»ºè®®ä½¿ç¨ svn ï¼å 为Openwrt主è¦ä»¥ svn æ¥ç»´æ¤Openwrtç³»ç»ççæ¬ãå¦å¤ï¼è¯·æ³¨æOpenwrtä¸ä¸åçåæ¯çæ¬ï¼ä¸ä¸ªæ¯ç¨å¾è¾å¤çå¼åå¿«ç §ï¼ä¿ç§° trunkï¼äºæ¯ç¨³å®çï¼ä¿ç§° backfireã
å®è£ Subversion
è¥ä½ æ³éè¿svnä¸è½½æºä»£ç ,ä½ éå®è£ SubversionãSubversion,æ称SVN, æ¯OpenWrtçprojectä¸ç¨æ¥æ§å¶çæ¬çç³»ç»,å®é常类似ç CVSççé¢å使ç¨æ¡æ¬¾ã æ§è¡ä¸è¿°å½ä»¤å³å¯å®è£ SVNï¼å¾å®¹æçï¼
# apt-get install subversion
Subversionå®è£ å®æ¯ï¼éè¿SVNå½ä»¤å¯è·åå¾å°ä¸ä»½OpenWrt纯åæºä»£ç ãæ¨è¿å¾å建ä¸ä¸ªç®å½ä»¥ä¾¿åæ¾è·åå¾å°çOpenwrtæºä»£ç ï¼è¦è·åæºä»£ç ä½ è¿å¾è¾å ¥subversionå½ä»¤æ¥è·å (svnéè¿ç§æä½ç§°ä¹ä¸º'check out') ãå½ä»¤å¾ç®åçï¼ç»§ç»çä¸å»å°±è½è§å°äºï¼å«çæ¥ï¼èå¿ç¹å¿ã
ç¼è¯æµç¨
ç¼è¯ä¸å±äºæ¨ç设å¤çç¹å®Openwrtåºä»¶ä»¥ä¸ä¸äºä¸ªæ¥éª¤ï¼
éè¿Subversionå½ä»¤è·å¾æºä»£ç ï¼
æ´æ°(æå®è£ ) package feedsãpackage feedsæ æ³ç¡®åç¿»è¯ï¼å¾ è¯å§ï¼ï¼
å建ä¸ä¸ªé»è®¤é 置以æ£æ¥ç¼è¯ç¯å¢æ¯å¦æå»ºå¥½äº (åå¦éè¦çè¯)ï¼
ç¨Menuconfigæ¥é ç½®å³å°ç¼è¯çæçåºä»¶æ åæ件çé 置项ï¼
æåå¼å§ç¼è¯åºä»¶ï¼
ä¸è½½æºä»£ç
æåï¼ä¸è½½ä¸ä»½å®æ´çOpenWrtæºä»£ç ãä½ å¯éæ©ï¼
ä¸è½½ç¨³å®åè¡çï¼æ
ä¸è½½å¼åç (ä¿ç§°"trunk"ç)ã
使ç¨åè¡ççæºç
æªæ¢æ¬ææ¶, Openwrtå ¬å¼åè¡ç稳å®ç为 OpenWrt . "backfire"ãæ¤çæ¬æ¯æ稳å®çï¼ä½ä¹è®¸ä¸å æ¬ææ°æ´æ°çè¡¥ä¸æææ°ç¼åçåºçæ°åè½ã
ä¸è¿°ä»£ç å³ä¸¾ä¾è¯´æäºéè¿svnä»brandkfireè·å¾backfireæºä»£ç ï¼æ¤çæ¬æææ¯ä»trunkåæ¯çè¡¥ä¸ä¹å¨backfireçæ¬ä¸äºï¼å³å å«ä¿®å¤è¡¥ä¸ï¼ï¼
# mkdir OpenWrt/
# cd OpenWrt/
# svn co svn://svn.openwrt.org/openwrt/branches/backfire
注解: ä¸è¿°svnå½ä»¤å°å¨å½åç®å½å建ä¸ä¸ª OpenWrt/backfire/ åç®å½ï¼æ¤ç®å½å å«æ¤å½ä»¤è·åå°çæºä»£ç ã
æ¨ä¹å¯ä»¥éè¿ä¸è¿°å½ä»¤ï¼ä¸è½½ä¸å«ä¿®å¤è¡¥ä¸çbackfireçåçæºç ï¼
# svn co svn://svn.openwrt.org/openwrt/tags/backfire_.
使ç¨å¼åçæºä»£ç
å½åçå¼åçæ¬åæ¯(trunk)å·²å å«ææ°çå®éªè¡¥ä¸ãæ¤åæ¯æ许è¿çªç ´äºOpenwrtåæ¥æä¸æ¯æç硬件设å¤çéå¶å¦ï¼æåçåæ¶ä¹æé£é©åå¨ãå æ¤ï¼ç¼è¯trunkçï¼æ ä¹ï½
# mkdir OpenWrt/
# cd OpenWrt/
# svn co svn://svn.openwrt.org/openwrt/trunk/
æ´å¤è¯¦ç»èµæ详è§ï¼ binations might break the build process, so it can take some experimentation before the expected result is reached. Added to this, the OpenWrt developers are themselves only maintaining a smaller set of packages â which includes all default packages â but, the feeds-script makes it very simple to handle a locally maintained set of packages and integrate them in the build-process.
åå¦ä½ éè¦LuCI, è¦å°Administration èåé,å¨LuCIç»ä»¶çåèåä¸, 并éæ©: luci-admin-core, luci-admin-full, and luci-admin-miniç»ä»¶å ã
åå¦ä½ ä¸éè¦PPP,ä½ å¯å°Networkèåä¸åæ¶å¯¹å®çéæ©ï¼ä»¥ä¾¿ç¼è¯æ¶ä¸å å«æ¤ç»ä»¶ã
Menuconfigç¨æ³: ç¡®ä¿è¿äºç»ä»¶å æ¯ä»¥ '*'æå·æ è®°èä¸æ¯ 'M'æ è®°ã
å¦æä½ æ¯ä»¥æå· '*'æ 记该ç»ä»¶å , å该ç»ä»¶å å°ç¼è¯è¿æç»çæçOpenWrtåºä»¶ä¸ã
å¦æä½ ä» ä»¥ 'M'æ 记该ç»ä»¶å , å该ç»ä»¶å å°ä¸ä¼ç¼è¯è¿æç»çæçOpenWrtåºä»¶ä¸ã
The final step before the process of compiling the intended image(s) is to exit 'menuconfig' â this also includes the option to save a specific configuration or load an already existing, and pre-configured, version.
Exit and save.
Source Mirrors
The 'Build system settings' include some efficient options for changing package locations which makes it easy to handle a local package set:
Local mirror for source packages
Download folder
In the case of the first option, you simply enter a full URL to the web or ftp server on which the package sources are hosted. Download folder would in the same way be the path to a local folder on the build system (or network). If you have a web/ftp-server hosting the tarballs, the OpenWrt build system will try this one before trying to download from the location(s) mentioned in the Makefiles . Similar if a local 'download folder', residing on the build system, has been specified. The 'Kernel modules' option is required if you need specific (non-standard) drivers and so forth â this would typically be things like modules for USB or particular network interface drivers etc.
ç¼è¯åºä»¶
ä¸äºå ·å¤ï¼åªæ¬ ä¸é£,éè¿ä¸é¢ç®åçmakeå½ä»¤æ¥ç¼è¯:
# make
å¨å¤æ ¸çµèä¸ç¼è¯
å ·æå¤æ ¸CPUå¤çå¨ççµèè¿è¡ç¼è¯ï¼ä½¿ç¨ä¸è¿°åæ°å¯ä»¤ç¼è¯è¿ç¨å éã 常è§ç¨æ³ä¸º <æ¨cpuå¤çå¨çæ°ç® + 1> â ä¾å¦ä½¿ç¨3è¿ç¨æ¥ç¼è¯ (å³åæ ¸CPU), å½ä»¤ååæ°å¦ä¸:
# make -j 3
åå°ç¼è¯
è¥ä½ å¨è¿ä¸ªç³»ç»å ç¼è¯OpenWrtçåæ¶è¿å¤çå ¶ä»ï¼å¯ä»¥è®©é²ç½®çI/OåCPUæ¥å¨åå°ç¼è¯åºä»¶ (åæ ¸CPU):
# ionice -c 3 nice -n make -j 2
ç¼è¯ç®åçåºæ¬ç软件å
å½ä½ 为OpenWrtå¼åææå 软件å ,ç¼è¯ç®åçåºæ¬ç软件å å¯ä»¥å¾è½»æå°ç¼è¯è¯¥è½¯ä»¶å (ä¾å¦ï¼ 软件å cups):
# make package/cups/compile V=
ä¸ä¸ªå¨Feedséç软件å 大约æ¯è¿æ ·åç:
# make package/feeds/packages/ndyndns/compile V=
ç¼è¯é误
å¦æå æç§ä¸ç¥éçåå èç¼è¯å¤±è´¥,ä¸é¢æç§ç®åçæ¹æ³æ¥å¾ç¥ç¼è¯å°åºéå¨åªéäº:
# make V= 2>&1 |tee build.log |grep -i error
ä¸è¿°ç¼è¯å½ä»¤æ为ï¼Våæ°ï¼å°åºéä¿¡æ¯ä¿åå¨build.logï¼çæè¾åºå®æ´è¯¦ç»çå¯æ¬ï¼with stdout piped to stderrï¼ï¼åªæå¨å±å¹ä¸æ¾ç¤ºçé误ã
举ä¾è¯´æ:
# ionice -c 3 nice -n make -j 2 V= CONFIG_DEBUG_SECTION_MISMATCH=y 2>&1 \
|tee build.log |egrep -i '(warn|error)'
The above saves a full verbose copy of the build output (with stdout piped to stderr) in build.log and outputs only warnings and errors while building using only background resources on a dual core CPU.
ä¸é®ç¼è¯
å³ä½¿ç¨èæ¬æ¥ç¼è¯Openwrtåºä»¶ã许å¤æåç¼è¯Openwrtæ¯ç¨çèæ¬æ¥ç¼è¯çï¼è¯¦è§: https://forum.openwrt.org/viewtopic.php?id=
çæçåºä»¶å¨åª
ç¼è¯æååæçæçåºä»¶æ件ä½äºbinç®å½ä¸ï¼å¯ç¨å¦ä¸å½ä»¤æ¥çï¼
# cd bin/
# ls */
æ¸ ç
ç¼è¯OpneWrtæ¶ä½ å¯è½éè¦ä¸ä¸ªæ¸ æ´å¹²åçç¼è¯ç¯å¢ã 以ä¸æä½æå©ç¨ç¼è¯å·¥ä½:
æ¸ æ´
æ¸ æ´trunk/ ç®å½ï¼å¨ç¼è¯è¿ç¨ä¸ä½¿ç¨âmake cleanâå½ä»¤å³å¯ã æ¤å½ä»¤å°å é¤binç®å½åbuild_dirç®å½ä¸çæææ件åæ件夹ã
## See CAUTION below
# make clean
OP-TEE之安全存储
OP-TEE:守护数据安全的加密宝箱 在信息化时代,数据安全的码分重要性不言而喻。OP-TEE,码分作为开放源代码的码分quickadapter源码可信执行环境(TEE)解决方案,其核心使命就是码分确保静态敏感数据在存储过程中的机密性和完整性。它借助硬件可信根,码分为这些关键信息提供了坚实的码分保护屏障。安全存储的码分必要性
安全存储不仅仅是存储数据那么简单,它就像一道加密的码分盾牌,保护着那些核心的码分、不能被随意访问的码分hello语音直播源码信息。OP-TEE通过区分REE(用户态)和TEE(可信态),码分确保即使在REE侧内存或安全存储设备中,码分数据也受到严密加密和签名策略的码分保护,从而抵御潜在的码分安全威胁。OP-TEE的手淘支付源码安全存储策略
OP-TEE的加密策略分为两大类:REE文件系统方案和RPMB安全存储。两者相辅相成,为用户提供多重防护。REE文件系统是默认方案,通过配置CFG_REE_FS=y启用,而RPMB则利用eMMC设备的打造世界改源码特定区域,通过配置CFG_RPMB_FS=y来增强安全性。REE文件系统方案
REE文件系统安全架构设计巧妙,TA通过调用内部API和系统服务,加密数据后通过tee-supplicant存储到Linux文件系统中,如/data/tee/目录。跳转转转源码密钥管理模块负责数据加密和密钥的生成,包括SSK(设备级密钥)、TSK(TA级密钥)和FEK(文件加密密钥)的管理。RPMB安全存储方案
RPMB方案则更为直接,通过tee-supplicant与eMMC控制器交互,使用一次性编程的密钥进行数据加密和写入。OP-TEE配置CFG_RPMB_WRITE_KEY和CFG_RPMB_TESTKEY能决定是否由系统自身进行密钥编程,确保在生产环境下的安全性。使用指南
要启用安全存储,需在配置文件中分别设置REE文件系统和RPMB的开关。对于REE文件系统,需要芯片平台提供的tee_opt_get_hw_unique_key和tee_opt_get_die_id接口;对于RPMB,还需配置密钥编程选项。实践与验证
为了验证OP-TEE的安全存储功能,开发者可以参考xtest中的regression_.c和storage.c系列接口进行测试,文件系统安全存储方案的性能可以通过命令xtest -t benchmark 进行基准测试。 OP-TEE的安全存储解决方案,凭借其细致的架构设计和灵活的配置选项,为数据存储提供了强大的安全保障,是现代应用中守护隐私与安全的得力助手。