ap/0001-ZX297520V3-511624.patch - R306 - Gitiles

 From 7d1985ec82ab00b5a9c88d13f0d2ef9482ede535 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=E9=AB=98=E5=8D=8E=E5=B3=B00318000169?=
  <gao.huafeng@sanechips.com.cn>
 Date: Tue, 27 Feb 2024 15:18:54 +0800
 Subject: [PATCH] =?UTF-8?q?=E7=94=A8=E6=88=B7=E6=95=85=E4=BA=8B=EF=BC=9A?=
  =?UTF-8?q?=E6=97=A0=20=E6=95=85=E9=9A=9C=E5=8D=95=E5=8F=B7=EF=BC=9AZX2975?=
  =?UTF-8?q?20V3-511624=20=20=E5=90=88=E5=85=A5=E5=86=85=E5=AE=B9:=20?=
  =?UTF-8?q?=E5=B9=BF=E5=B7=9E=E9=80=9A=E5=88=99=E5=BA=B7=E5=A8=81=EF=BC=9A?=
  =?UTF-8?q?=E6=96=87=E4=BB=B6=E7=B3=BB=E7=BB=9F=E7=AD=BE=E5=90=8D=E5=8A=A0?=
  =?UTF-8?q?=E5=AF=86=E9=9C=80=E6=B1=82=E8=AF=84=E4=BC=B0=E3=80=82=E6=B3=A2?=
  =?UTF-8?q?=E5=8F=8A=E5=88=86=E6=9E=90=EF=BC=9A=E5=90=AF=E5=8A=A8=20=20?=
  =?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=BB=BA=E8=AE=AE=EF=BC=9A=E5=90=AF=E5=8A=A8?=
  =?UTF-8?q?=E5=92=8C=E5=BA=94=E7=94=A8=E9=AA=8C=E7=AD=BE=E5=8A=9F=E8=83=BD?=
  =?UTF-8?q?=E6=98=AF=E5=90=A6=E6=AD=A3=E5=B8=B8=20=20=E7=BB=84=E4=BB=B6?=
  =?UTF-8?q?=E6=A0=87=E7=AD=BE=EF=BC=9A=E6=97=A0=20=E5=BC=95=E5=85=A5?=
  =?UTF-8?q?=E6=9D=A5=E6=BA=90=EF=BC=9A=E5=85=B6=E5=AE=83?=
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Change-Id: I9bd1fea056f4a34c7b21421703de5b14523262a7
 ---
  Makefile                                      |  18 +++
  build/gen_app_hash.sh                         |  65 +++++++++
  .../linux-3.4.x/include/linux/verify_app.h    |  16 +++
  os/linux/linux-3.4.x/init/Kconfig             |   8 ++
  os/linux/linux-3.4.x/init/Makefile            |   2 +-
  os/linux/linux-3.4.x/init/verify_app.c        | 130 ++++++++++++++++++
  project/pubconf.mk                            |   1 +
  project/zx297520v3/prj_cpe/build/config.mk    |   5 +-
  .../prj_cpe/config/normal/config.linux        |   2 +-
  .../prj_cpe/config/normal/verify_app_list.txt |   3 +
  10 files changed, 247 insertions(+), 3 deletions(-)
  create mode 100755 build/gen_app_hash.sh
  create mode 100755 os/linux/linux-3.4.x/include/linux/verify_app.h
  create mode 100755 os/linux/linux-3.4.x/init/verify_app.c
  create mode 100755 project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt

 diff --git a/Makefile b/Makefile
 index 97cd38f03..3b5cf553c 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -380,11 +380,29 @@ endif
  	make normal_conf
  	make AP_BUILD_TYPE=normal sys
  	make AP_BUILD_TYPE=normal rootfs
 +ifeq ($(VERIFY_APP_IN_KERNEL),yes)
 +	bash $(BUILD_DIR)/gen_app_hash.sh  $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR)  $(LINUX_DIR)
 +	make kernel
 +ifeq ($(CONFIG_SINGLECORE),yes)
 +ifeq ($(USE_CPPS_KO),yes)
 +	make cpko
 +endif
 +endif
 +endif
  	make AP_BUILD_TYPE=normal copybin

  normal2:
  	make AP_BUILD_TYPE=normal sys
  	make AP_BUILD_TYPE=normal rootfs
 +ifeq ($(VERIFY_APP_IN_KERNEL),yes)
 +	bash $(BUILD_DIR)/gen_app_hash.sh  $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR)  $(LINUX_DIR)
 +	make kernel
 +ifeq ($(CONFIG_SINGLECORE),yes)
 +ifeq ($(USE_CPPS_KO),yes)
 +	make cpko
 +endif
 +endif
 +endif
  	make AP_BUILD_TYPE=normal copybin

  normalclean:
 diff --git a/build/gen_app_hash.sh b/build/gen_app_hash.sh
 new file mode 100755
 index 000000000..479403809
 --- /dev/null
 +++ b/build/gen_app_hash.sh
 @@ -0,0 +1,65 @@
 +#!/bin/bash
 +
 +echo $#
 +
 +if [ $# -lt 3 ]; then
 +    echo "$0  app_list_file  rootfs_dir kernel_dir"
 +    exit 1
 +fi
 +APP_LIST_FILE=$1
 +ROOTFS_DIR=$2
 +KERNEL_DIR=$3
 +
 +if [ ! -f $APP_LIST_FILE ]; then
 +    echo "$APP_LIST_FILE NOT exist"
 +    exit 2
 +fi
 +
 +if [ ! -d $KERNEL_DIR ]; then
 +    echo "$KERNEL_DIR NOT exist"
 +    exit 3
 +fi
 +
 +if [ ! -d $ROOTFS_DIR ]; then
 +    echo "$ROOTFS_DIR NOT exist"
 +    exit 4
 +fi
 +VERIFY_APP_HEADER=$KERNEL_DIR/include/linux/verify_app.h
 +
 +file_array=()
 +hash_array=()
 +file_cnt=0
 +while read file_item; do
 +    if [ -f ${ROOTFS_DIR}${file_item} ]; then
 +        hash_val=`sha256sum ${ROOTFS_DIR}${file_item} | awk '{ print $1 }'`
 +        echo "${file_item} $hash_val ok"
 +        file_array+=("$file_item")
 +        hash_array+=("$hash_val")
 +        let "file_cnt=file_cnt+1"
 +    else
 +        echo "regular file ${ROOTFS_DIR}${file_item} NOT exist"
 +        exit 9
 +    fi
 +done < "${APP_LIST_FILE}"
 +
 +# æå°æ°ç»ä¸çæ°æ®
 +
 +echo "#ifndef __VERIFY_APP_H" > $VERIFY_APP_HEADER
 +echo "#define __VERIFY_APP_H" >> $VERIFY_APP_HEADER
 +echo ""                       >> $VERIFY_APP_HEADER
 +
 +echo "const int g_verify_app_cnt = $file_cnt;" >> $VERIFY_APP_HEADER
 +echo "const char *g_verify_file_array[] = {" >> $VERIFY_APP_HEADER
 +for element in "${file_array[@]}"; do
 +    echo "    \"$element\"," >> $VERIFY_APP_HEADER
 +done
 +echo "};" >> $VERIFY_APP_HEADER
 +
 +echo "const char *g_verify_hash_array[] = {" >> $VERIFY_APP_HEADER
 +for element in "${hash_array[@]}"; do
 +    echo "    \"$element\"," >> $VERIFY_APP_HEADER
 +done
 +echo "};" >> $VERIFY_APP_HEADER
 +
 +echo ""                       >> $VERIFY_APP_HEADER
 +echo "#endif" >> $VERIFY_APP_HEADER
 diff --git a/os/linux/linux-3.4.x/include/linux/verify_app.h b/os/linux/linux-3.4.x/include/linux/verify_app.h
 new file mode 100755
 index 000000000..90ed58b87
 --- /dev/null
 +++ b/os/linux/linux-3.4.x/include/linux/verify_app.h
 @@ -0,0 +1,16 @@
 +#ifndef __VERIFY_APP_H
 +#define __VERIFY_APP_H
 +
 +const int g_verify_app_cnt = 3;
 +const char *g_verify_file_array[] = {
 +    "/bin/busybox",
 +    "/etc/rc",
 +    "/sbin/zte_mdl",
 +};
 +const char *g_verify_hash_array[] = {
 +    "a071cc29b7bbd47e45a6698e5dde5564995172e7b530314dd375040e0b1d9a41",
 +    "1296e7b4fe520bbc0cdd0b76289afd86318674a99ea2d5faff52baf39854b5d6",
 +    "8a3815c1394f3b343ffc598c245fb356c80071ac3755927f0e7c6b7e8955c070",
 +};
 +
 +#endif
 diff --git a/os/linux/linux-3.4.x/init/Kconfig b/os/linux/linux-3.4.x/init/Kconfig
 index 3db3a515a..8742bb316 100644
 --- a/os/linux/linux-3.4.x/init/Kconfig
 +++ b/os/linux/linux-3.4.x/init/Kconfig
 @@ -1452,3 +1452,11 @@ config PADATA
  	bool

  source "kernel/Kconfig.locks"
 +
 +config VERIFY_APP_IN_KERNEL
 +	bool "Enable verify app in kernel"
 +	default n
 +	help
 +	  This option enables support for verify app in kernel. You almost
 +	  certainly want to say n here.
 +
 \ No newline at end of file
 diff --git a/os/linux/linux-3.4.x/init/Makefile b/os/linux/linux-3.4.x/init/Makefile
 index 6b473cd16..ab6b944cf 100644
 --- a/os/linux/linux-3.4.x/init/Makefile
 +++ b/os/linux/linux-3.4.x/init/Makefile
 @@ -9,7 +9,7 @@ else
  obj-$(CONFIG_BLK_DEV_INITRD)   += initramfs.o
  endif
  obj-$(CONFIG_GENERIC_CALIBRATE_DELAY) += calibrate.o
 -
 +obj-$(CONFIG_VERIFY_APP_IN_KERNEL) += verify_app.o
  mounts-y			:= do_mounts.o
  mounts-$(CONFIG_BLK_DEV_RAM)	+= do_mounts_rd.o
  mounts-$(CONFIG_BLK_DEV_INITRD)	+= do_mounts_initrd.o
 diff --git a/os/linux/linux-3.4.x/init/verify_app.c b/os/linux/linux-3.4.x/init/verify_app.c
 new file mode 100755
 index 000000000..5eccd9c8c
 --- /dev/null
 +++ b/os/linux/linux-3.4.x/init/verify_app.c
 @@ -0,0 +1,130 @@
 +/*
 + *  linux/init/verify_app.c
 + *
 + */
 +#include <linux/types.h>
 +#include <linux/kernel.h>
 +#include <linux/syscalls.h>
 +#include <linux/string.h>
 +#include <linux/ctype.h>
 +#include <linux/delay.h>
 +#include <linux/init.h>
 +#include <linux/security.h>
 +#include <linux/kthread.h>
 +#include <linux/crypto.h>
 +#include <crypto/hash.h>
 +#include <crypto/sha.h>
 +#include <linux/verify_app.h>
 +#include <linux/soc/zte/efuse/efuse_zx.h>
 +
 +#define VERIFY_TIMEOUT   30000      //ÑÓ³ÙÑéÇ©Ê±¼ä,½¨Òé´óÓÚ2s£»
 +
 +extern void zDrvEfuse_GetSecureMsg(T_ZDrvEfuse_Secure *secure);
 +
 +u8 *bin2hex(const u8 *old, const size_t oldlen)
 +{
 +    u8 *result = (u8 *)kmalloc((oldlen * 2 + 1), GFP_KERNEL);
 +    size_t i, j;
 +    int b = 0;
 +
 +    for (i = j = 0; i < oldlen; i++)
 +    {
 +        b = old[i] >> 4;
 +        result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
 +        b = old[i] & 0xf;
 +        result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
 +    }
 +    result[j] = '\0';
 +    return result;
 +}
 +
 +static int verify_app_entry(void *p)
 +{
 +    int    i = 0;
 +    int    rdlen;
 +    char  *buff = NULL;
 +    size_t size;
 +    struct file *fp;
 +    int bufflen = 4096;
 +    u8 *hashstring;
 +    u8 hash[SHA256_DIGEST_SIZE];
 +    struct shash_desc *desc;
 +    struct crypto_shash *sha256;
 +    T_ZDrvEfuse_Secure secure;
 +
 +    msleep(VERIFY_TIMEOUT);
 +
 +    zDrvEfuse_GetSecureMsg(&secure);
 +    if((secure.secureFlag & 0xFF) != 0xFF)
 +    {
 +        printk("verify secure boot don't open \n");
 +        return 0;
 +    }
 +
 +    sha256 = crypto_alloc_shash("sha256", 0, 0);
 +    if (IS_ERR(sha256)) {
 +        panic("verify sha256 error ! \n");
 +    }
 +    size = crypto_shash_descsize(sha256) + sizeof(*desc);
 +    desc = kzalloc(size, GFP_KERNEL);
 +    BUG_ON(desc == NULL);
 +    desc->tfm = sha256;
 +    buff = kmalloc(bufflen, GFP_KERNEL);
 +    BUG_ON(buff == NULL);
 +    for (i = 0; i < g_verify_app_cnt; i++)
 +    {
 +        fp = filp_open(g_verify_file_array[i], O_RDONLY, 0644);
 +        if (IS_ERR(fp))
 +        {
 +            printk("app=%s open fail \n",g_verify_file_array[i]);
 +            panic("verify open fail");
 +        }
 +        else
 +            fp->f_pos = 0;
 +        crypto_shash_init(desc);
 +        while(1)
 +        {
 +            rdlen = kernel_read(fp, fp->f_pos, buff, bufflen);
 +            if (rdlen > 0)
 +            {
 +                fp->f_pos += rdlen;
 +                crypto_shash_update(desc, buff, rdlen);
 +            }
 +            else if (rdlen == 0)
 +            {
 +                filp_close((struct file *)fp, NULL);
 +                crypto_shash_final(desc, hash);
 +                hashstring = bin2hex(hash, SHA256_DIGEST_SIZE);
 +                if (memcmp(hashstring, g_verify_hash_array[i], SHA256_DIGEST_SIZE))
 +                {
 +                    printk("verify app=%s hash=%s \n", g_verify_file_array[i], hashstring);
 +                    panic("verify hash fail");
 +                }
 +               // printk("verify app=%s success \n", g_verify_file_array[i]);
 +                kfree(hashstring);
 +                break;
 +            }
 +            else
 +            {
 +                printk("verify app=%s rdlen=%d \n", g_verify_file_array[i], rdlen);
 +                panic("verify read fail");
 +                break;
 +            }
 +        }
 +    }
 +
 +    crypto_free_shash(sha256);
 +    kfree(desc);
 +    kfree(buff);
 +    printk("verify app init success \n");
 +    return 0;
 +}
 +
 +static int __init verify_app_init(void)
 +{
 +    kthread_run(verify_app_entry, NULL, "verify_app");
 +    return 0;
 +}
 +
 +late_initcall(verify_app_init);
 +
 diff --git a/project/pubconf.mk b/project/pubconf.mk
 index 43d289bd2..b35f3f3b7 100755
 --- a/project/pubconf.mk
 +++ b/project/pubconf.mk
 @@ -62,4 +62,5 @@ export CONFIG_MIN_8M_VERSION ?= n
  export USE_ZCAT_MBIM ?= no
  export USE_RECOVERYFS ?= no
  export USE_OEM_FS ?= no
 +export VERIFY_APP_IN_KERNEL ?= no

 diff --git a/project/zx297520v3/prj_cpe/build/config.mk b/project/zx297520v3/prj_cpe/build/config.mk
 index b7bbac7a0..cbe5621f5 100755
 --- a/project/zx297520v3/prj_cpe/build/config.mk
 +++ b/project/zx297520v3/prj_cpe/build/config.mk
 @@ -77,4 +77,7 @@ endif
  export ENABLE_PHONECODE_IN_ATCTL=yes

  #¿ØÖÆÊÇ·ñÊ¹ÓÃ»ìÒô
 -export USE_MIXDATA_SUPPORT=no
 \ No newline at end of file
 +export USE_MIXDATA_SUPPORT=no
 +
 +#ÎÄ¼þÑéÇ©¿ª¹Ø
 +#VERIFY_APP_IN_KERNEL := yes
 diff --git a/project/zx297520v3/prj_cpe/config/normal/config.linux b/project/zx297520v3/prj_cpe/config/normal/config.linux
 index d6d117611..bd1d78ba8 100755
 --- a/project/zx297520v3/prj_cpe/config/normal/config.linux
 +++ b/project/zx297520v3/prj_cpe/config/normal/config.linux
 @@ -1916,7 +1916,7 @@ CONFIG_ACCURATE_CPU_PERCENT=y
  CONFIG_DEFAULT_SECURITY_DAC=y
  CONFIG_DEFAULT_SECURITY=""
  CONFIG_CRYPTO=y
 -
 +# CONFIG_VERIFY_APP_IN_KERNEL is not set
  #
  # Crypto core or helper
  #
 diff --git a/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
 new file mode 100755
 index 000000000..f375abf3f
 --- /dev/null
 +++ b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
 @@ -0,0 +1,3 @@
 +/bin/busybox
 +/etc/rc
 +/sbin/zte_cpe
 --
 2.25.1
	From 7d1985ec82ab00b5a9c88d13f0d2ef9482ede535 Mon Sep 17 00:00:00 2001
	From: =?UTF-8?q?=E9=AB=98=E5=8D=8E=E5=B3=B00318000169?=
	<gao.huafeng@sanechips.com.cn>
	Date: Tue, 27 Feb 2024 15:18:54 +0800
	Subject: [PATCH] =?UTF-8?q?=E7=94=A8=E6=88=B7=E6=95=85=E4=BA=8B=EF=BC=9A?=
	=?UTF-8?q?=E6=97=A0=20=E6=95=85=E9=9A=9C=E5=8D=95=E5=8F=B7=EF=BC=9AZX2975?=
	=?UTF-8?q?20V3-511624=20=20=E5=90=88=E5=85=A5=E5=86=85=E5=AE=B9:=20?=
	=?UTF-8?q?=E5=B9=BF=E5=B7=9E=E9=80=9A=E5=88=99=E5=BA=B7=E5=A8=81=EF=BC=9A?=
	=?UTF-8?q?=E6=96=87=E4=BB=B6=E7=B3=BB=E7=BB=9F=E7=AD=BE=E5=90=8D=E5=8A=A0?=
	=?UTF-8?q?=E5=AF=86=E9=9C=80=E6=B1=82=E8=AF=84=E4=BC=B0=E3=80=82=E6=B3=A2?=
	=?UTF-8?q?=E5=8F=8A=E5=88=86=E6=9E=90=EF=BC=9A=E5=90=AF=E5=8A=A8=20=20?=
	=?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=BB=BA=E8=AE=AE=EF=BC=9A=E5=90=AF=E5=8A=A8?=
	=?UTF-8?q?=E5=92=8C=E5=BA=94=E7=94=A8=E9=AA=8C=E7=AD=BE=E5=8A=9F=E8=83=BD?=
	=?UTF-8?q?=E6=98=AF=E5=90=A6=E6=AD=A3=E5=B8=B8=20=20=E7=BB=84=E4=BB=B6?=
	=?UTF-8?q?=E6=A0=87=E7=AD=BE=EF=BC=9A=E6=97=A0=20=E5=BC=95=E5=85=A5?=
	=?UTF-8?q?=E6=9D=A5=E6=BA=90=EF=BC=9A=E5=85=B6=E5=AE=83?=
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Change-Id: I9bd1fea056f4a34c7b21421703de5b14523262a7
	---
	Makefile \| 18 +++
	build/gen_app_hash.sh \| 65 +++++++++
	.../linux-3.4.x/include/linux/verify_app.h \| 16 +++
	os/linux/linux-3.4.x/init/Kconfig \| 8 ++
	os/linux/linux-3.4.x/init/Makefile \| 2 +-
	os/linux/linux-3.4.x/init/verify_app.c \| 130 ++++++++++++++++++
	project/pubconf.mk \| 1 +
	project/zx297520v3/prj_cpe/build/config.mk \| 5 +-
	.../prj_cpe/config/normal/config.linux \| 2 +-
	.../prj_cpe/config/normal/verify_app_list.txt \| 3 +
	10 files changed, 247 insertions(+), 3 deletions(-)
	create mode 100755 build/gen_app_hash.sh
	create mode 100755 os/linux/linux-3.4.x/include/linux/verify_app.h
	create mode 100755 os/linux/linux-3.4.x/init/verify_app.c
	create mode 100755 project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt

	diff --git a/Makefile b/Makefile
	index 97cd38f03..3b5cf553c 100644
	--- a/Makefile
	+++ b/Makefile
	@@ -380,11 +380,29 @@ endif
	make normal_conf
	make AP_BUILD_TYPE=normal sys
	make AP_BUILD_TYPE=normal rootfs
	+ifeq ($(VERIFY_APP_IN_KERNEL),yes)
	+ bash $(BUILD_DIR)/gen_app_hash.sh $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR) $(LINUX_DIR)
	+ make kernel
	+ifeq ($(CONFIG_SINGLECORE),yes)
	+ifeq ($(USE_CPPS_KO),yes)
	+ make cpko
	+endif
	+endif
	+endif
	make AP_BUILD_TYPE=normal copybin

	normal2:
	make AP_BUILD_TYPE=normal sys
	make AP_BUILD_TYPE=normal rootfs
	+ifeq ($(VERIFY_APP_IN_KERNEL),yes)
	+ bash $(BUILD_DIR)/gen_app_hash.sh $(PRJ_CONF_DIR)/normal/verify_app_list.txt $(ROOTFS_DIR) $(LINUX_DIR)
	+ make kernel
	+ifeq ($(CONFIG_SINGLECORE),yes)
	+ifeq ($(USE_CPPS_KO),yes)
	+ make cpko
	+endif
	+endif
	+endif
	make AP_BUILD_TYPE=normal copybin

	normalclean:
	diff --git a/build/gen_app_hash.sh b/build/gen_app_hash.sh
	new file mode 100755
	index 000000000..479403809
	--- /dev/null
	+++ b/build/gen_app_hash.sh
	@@ -0,0 +1,65 @@
	+#!/bin/bash
	+
	+echo $#
	+
	+if [ $# -lt 3 ]; then
	+ echo "$0 app_list_file rootfs_dir kernel_dir"
	+ exit 1
	+fi
	+APP_LIST_FILE=$1
	+ROOTFS_DIR=$2
	+KERNEL_DIR=$3
	+
	+if [ ! -f $APP_LIST_FILE ]; then
	+ echo "$APP_LIST_FILE NOT exist"
	+ exit 2
	+fi
	+
	+if [ ! -d $KERNEL_DIR ]; then
	+ echo "$KERNEL_DIR NOT exist"
	+ exit 3
	+fi
	+
	+if [ ! -d $ROOTFS_DIR ]; then
	+ echo "$ROOTFS_DIR NOT exist"
	+ exit 4
	+fi
	+VERIFY_APP_HEADER=$KERNEL_DIR/include/linux/verify_app.h
	+
	+file_array=()
	+hash_array=()
	+file_cnt=0
	+while read file_item; do
	+ if [ -f ${ROOTFS_DIR}${file_item} ]; then
	+ hash_val=`sha256sum ${ROOTFS_DIR}${file_item} \| awk '{ print $1 }'`
	+ echo "${file_item} $hash_val ok"
	+ file_array+=("$file_item")
	+ hash_array+=("$hash_val")
	+ let "file_cnt=file_cnt+1"
	+ else
	+ echo "regular file ${ROOTFS_DIR}${file_item} NOT exist"
	+ exit 9
	+ fi
	+done < "${APP_LIST_FILE}"
	+
	+# æå°æ°ç»ä¸çæ°æ®
	+
	+echo "#ifndef __VERIFY_APP_H" > $VERIFY_APP_HEADER
	+echo "#define __VERIFY_APP_H" >> $VERIFY_APP_HEADER
	+echo "" >> $VERIFY_APP_HEADER
	+
	+echo "const int g_verify_app_cnt = $file_cnt;" >> $VERIFY_APP_HEADER
	+echo "const char *g_verify_file_array[] = {" >> $VERIFY_APP_HEADER
	+for element in "${file_array[@]}"; do
	+ echo " \"$element\"," >> $VERIFY_APP_HEADER
	+done
	+echo "};" >> $VERIFY_APP_HEADER
	+
	+echo "const char *g_verify_hash_array[] = {" >> $VERIFY_APP_HEADER
	+for element in "${hash_array[@]}"; do
	+ echo " \"$element\"," >> $VERIFY_APP_HEADER
	+done
	+echo "};" >> $VERIFY_APP_HEADER
	+
	+echo "" >> $VERIFY_APP_HEADER
	+echo "#endif" >> $VERIFY_APP_HEADER
	diff --git a/os/linux/linux-3.4.x/include/linux/verify_app.h b/os/linux/linux-3.4.x/include/linux/verify_app.h
	new file mode 100755
	index 000000000..90ed58b87
	--- /dev/null
	+++ b/os/linux/linux-3.4.x/include/linux/verify_app.h
	@@ -0,0 +1,16 @@
	+#ifndef __VERIFY_APP_H
	+#define __VERIFY_APP_H
	+
	+const int g_verify_app_cnt = 3;
	+const char *g_verify_file_array[] = {
	+ "/bin/busybox",
	+ "/etc/rc",
	+ "/sbin/zte_mdl",
	+};
	+const char *g_verify_hash_array[] = {
	+ "a071cc29b7bbd47e45a6698e5dde5564995172e7b530314dd375040e0b1d9a41",
	+ "1296e7b4fe520bbc0cdd0b76289afd86318674a99ea2d5faff52baf39854b5d6",
	+ "8a3815c1394f3b343ffc598c245fb356c80071ac3755927f0e7c6b7e8955c070",
	+};
	+
	+#endif
	diff --git a/os/linux/linux-3.4.x/init/Kconfig b/os/linux/linux-3.4.x/init/Kconfig
	index 3db3a515a..8742bb316 100644
	--- a/os/linux/linux-3.4.x/init/Kconfig
	+++ b/os/linux/linux-3.4.x/init/Kconfig
	@@ -1452,3 +1452,11 @@ config PADATA
	bool

	source "kernel/Kconfig.locks"
	+
	+config VERIFY_APP_IN_KERNEL
	+ bool "Enable verify app in kernel"
	+ default n
	+ help
	+ This option enables support for verify app in kernel. You almost
	+ certainly want to say n here.
	+
	\ No newline at end of file
	diff --git a/os/linux/linux-3.4.x/init/Makefile b/os/linux/linux-3.4.x/init/Makefile
	index 6b473cd16..ab6b944cf 100644
	--- a/os/linux/linux-3.4.x/init/Makefile
	+++ b/os/linux/linux-3.4.x/init/Makefile
	@@ -9,7 +9,7 @@ else
	obj-$(CONFIG_BLK_DEV_INITRD) += initramfs.o
	endif
	obj-$(CONFIG_GENERIC_CALIBRATE_DELAY) += calibrate.o
	-
	+obj-$(CONFIG_VERIFY_APP_IN_KERNEL) += verify_app.o
	mounts-y := do_mounts.o
	mounts-$(CONFIG_BLK_DEV_RAM) += do_mounts_rd.o
	mounts-$(CONFIG_BLK_DEV_INITRD) += do_mounts_initrd.o
	diff --git a/os/linux/linux-3.4.x/init/verify_app.c b/os/linux/linux-3.4.x/init/verify_app.c
	new file mode 100755
	index 000000000..5eccd9c8c
	--- /dev/null
	+++ b/os/linux/linux-3.4.x/init/verify_app.c
	@@ -0,0 +1,130 @@
	+/*
	+ * linux/init/verify_app.c
	+ *
	+ */
	+#include <linux/types.h>
	+#include <linux/kernel.h>
	+#include <linux/syscalls.h>
	+#include <linux/string.h>
	+#include <linux/ctype.h>
	+#include <linux/delay.h>
	+#include <linux/init.h>
	+#include <linux/security.h>
	+#include <linux/kthread.h>
	+#include <linux/crypto.h>
	+#include <crypto/hash.h>
	+#include <crypto/sha.h>
	+#include <linux/verify_app.h>
	+#include <linux/soc/zte/efuse/efuse_zx.h>
	+
	+#define VERIFY_TIMEOUT 30000 //ÑÓ³ÙÑéÇ©Ê±¼ä,½¨Òé´óÓÚ2s£»
	+
	+extern void zDrvEfuse_GetSecureMsg(T_ZDrvEfuse_Secure *secure);
	+
	+u8 bin2hex(const u8 old, const size_t oldlen)
	+{
	+ u8 result = (u8 )kmalloc((oldlen * 2 + 1), GFP_KERNEL);
	+ size_t i, j;
	+ int b = 0;
	+
	+ for (i = j = 0; i < oldlen; i++)
	+ {
	+ b = old[i] >> 4;
	+ result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
	+ b = old[i] & 0xf;
	+ result[j++] = (char)(87 + b + (((b - 10) >> 31) & -39));
	+ }
	+ result[j] = '\0';
	+ return result;
	+}
	+
	+static int verify_app_entry(void *p)
	+{
	+ int i = 0;
	+ int rdlen;
	+ char *buff = NULL;
	+ size_t size;
	+ struct file *fp;
	+ int bufflen = 4096;
	+ u8 *hashstring;
	+ u8 hash[SHA256_DIGEST_SIZE];
	+ struct shash_desc *desc;
	+ struct crypto_shash *sha256;
	+ T_ZDrvEfuse_Secure secure;
	+
	+ msleep(VERIFY_TIMEOUT);
	+
	+ zDrvEfuse_GetSecureMsg(&secure);
	+ if((secure.secureFlag & 0xFF) != 0xFF)
	+ {
	+ printk("verify secure boot don't open \n");
	+ return 0;
	+ }
	+
	+ sha256 = crypto_alloc_shash("sha256", 0, 0);
	+ if (IS_ERR(sha256)) {
	+ panic("verify sha256 error ! \n");
	+ }
	+ size = crypto_shash_descsize(sha256) + sizeof(*desc);
	+ desc = kzalloc(size, GFP_KERNEL);
	+ BUG_ON(desc == NULL);
	+ desc->tfm = sha256;
	+ buff = kmalloc(bufflen, GFP_KERNEL);
	+ BUG_ON(buff == NULL);
	+ for (i = 0; i < g_verify_app_cnt; i++)
	+ {
	+ fp = filp_open(g_verify_file_array[i], O_RDONLY, 0644);
	+ if (IS_ERR(fp))
	+ {
	+ printk("app=%s open fail \n",g_verify_file_array[i]);
	+ panic("verify open fail");
	+ }
	+ else
	+ fp->f_pos = 0;
	+ crypto_shash_init(desc);
	+ while(1)
	+ {
	+ rdlen = kernel_read(fp, fp->f_pos, buff, bufflen);
	+ if (rdlen > 0)
	+ {
	+ fp->f_pos += rdlen;
	+ crypto_shash_update(desc, buff, rdlen);
	+ }
	+ else if (rdlen == 0)
	+ {
	+ filp_close((struct file *)fp, NULL);
	+ crypto_shash_final(desc, hash);
	+ hashstring = bin2hex(hash, SHA256_DIGEST_SIZE);
	+ if (memcmp(hashstring, g_verify_hash_array[i], SHA256_DIGEST_SIZE))
	+ {
	+ printk("verify app=%s hash=%s \n", g_verify_file_array[i], hashstring);
	+ panic("verify hash fail");
	+ }
	+ // printk("verify app=%s success \n", g_verify_file_array[i]);
	+ kfree(hashstring);
	+ break;
	+ }
	+ else
	+ {
	+ printk("verify app=%s rdlen=%d \n", g_verify_file_array[i], rdlen);
	+ panic("verify read fail");
	+ break;
	+ }
	+ }
	+ }
	+
	+ crypto_free_shash(sha256);
	+ kfree(desc);
	+ kfree(buff);
	+ printk("verify app init success \n");
	+ return 0;
	+}
	+
	+static int __init verify_app_init(void)
	+{
	+ kthread_run(verify_app_entry, NULL, "verify_app");
	+ return 0;
	+}
	+
	+late_initcall(verify_app_init);
	+
	diff --git a/project/pubconf.mk b/project/pubconf.mk
	index 43d289bd2..b35f3f3b7 100755
	--- a/project/pubconf.mk
	+++ b/project/pubconf.mk
	@@ -62,4 +62,5 @@ export CONFIG_MIN_8M_VERSION ?= n
	export USE_ZCAT_MBIM ?= no
	export USE_RECOVERYFS ?= no
	export USE_OEM_FS ?= no
	+export VERIFY_APP_IN_KERNEL ?= no

	diff --git a/project/zx297520v3/prj_cpe/build/config.mk b/project/zx297520v3/prj_cpe/build/config.mk
	index b7bbac7a0..cbe5621f5 100755
	--- a/project/zx297520v3/prj_cpe/build/config.mk
	+++ b/project/zx297520v3/prj_cpe/build/config.mk
	@@ -77,4 +77,7 @@ endif
	export ENABLE_PHONECODE_IN_ATCTL=yes

	#¿ØÖÆÊÇ·ñÊ¹ÓÃ»ìÒô
	-export USE_MIXDATA_SUPPORT=no
	\ No newline at end of file
	+export USE_MIXDATA_SUPPORT=no
	+
	+#ÎÄ¼þÑéÇ©¿ª¹Ø
	+#VERIFY_APP_IN_KERNEL := yes
	diff --git a/project/zx297520v3/prj_cpe/config/normal/config.linux b/project/zx297520v3/prj_cpe/config/normal/config.linux
	index d6d117611..bd1d78ba8 100755
	--- a/project/zx297520v3/prj_cpe/config/normal/config.linux
	+++ b/project/zx297520v3/prj_cpe/config/normal/config.linux
	@@ -1916,7 +1916,7 @@ CONFIG_ACCURATE_CPU_PERCENT=y
	CONFIG_DEFAULT_SECURITY_DAC=y
	CONFIG_DEFAULT_SECURITY=""
	CONFIG_CRYPTO=y
	-
	+# CONFIG_VERIFY_APP_IN_KERNEL is not set
	#
	# Crypto core or helper
	#
	diff --git a/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
	new file mode 100755
	index 000000000..f375abf3f
	--- /dev/null
	+++ b/project/zx297520v3/prj_cpe/config/normal/verify_app_list.txt
	@@ -0,0 +1,3 @@
	+/bin/busybox
	+/etc/rc
	+/sbin/zte_cpe
	--
	2.25.1