# Generate a signed sec.elf image

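Generating a signed sec.elf image involves creating a secure Executable and Linkable Format (ELF) file with a cryptographic signature. Signing the image ensures its authenticity, integrity, and origin.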

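For security reasons, the fuse binary is used to permanently disable certain features or components of a device. Generating a signed sec.elf image together with the fuse binary involves a series of steps that ensure the integrity of the firmware and the security of the device. To generate the fuse binary, see [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf).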

## Sample commands for integration with SecTools

This section provides sample commands only. The following are sample commands for Sectools on Windows:

Note

- You can replace the values of oem-id "**0x1**" and oem-product-id "**0xabcd**" as needed.
- You can replace the value of "**--fuse-pk-hash-0**" with the **SHA384** of "**OEM-KEYS/qpsa_rootca.cer**".

    To calculate the correct PK_HASH value, use the following command:

    ```
    openssl dgst -sha384 qpsa_rootca.cer
    ```

    For more information, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-70018-11SC/topic/generate-sha-384-hash-for-rsa-and-ecdsa.html#generate-sha-384-hash-for-rsa-and-ecdsa).
- In the sec.elf generation commands below, substitute the digest generated here from your root certificate.

- Stage 1: Basic secure boot (image authentication + OEM ID + model ID)

    Run the following command:

    **QCS5430/QCS6490**

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
    ```

    **QCS9075/QCS9100**

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
    ```
- Stage 2: Full secure boot (basic secure boot + debug disable + anti-rollback + write permission disable):

    Run the following command.

    **QCS5430/QCS6490**

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-write-permissions-write-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
    ```

    **QCS9075/QCS9100**

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
    ```

> Note
>
> The *SecTools* guide is available to licensed users with authorized access.
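
The following pre-flight check is an added example, not part of the original page or of SecTools: it recomputes the SHA-384 of the root certificate file the way `openssl dgst -sha384` does and compares it with `--fuse-pk-hash-0` in a fuse-blower command line before that command is run. The function names, the stand-in certificate bytes and the shortened command are constructed, and the rule that the fused OEM IDs equal the signing IDs is an assumption taken from the values used in the commands above.

```python
import hashlib
import shlex

def parse_options(command):
    """Map each --option to its value; bare switches map to True."""
    tokens, opts, i = shlex.split(command), {}, 0
    while i < len(tokens):
        if tokens[i].startswith("--"):
            name, has_eq, value = tokens[i][2:].partition("=")
            if not has_eq:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
                value = True if nxt.startswith("--") else nxt
                i += 0 if value is True else 1
            opts[name] = value
        i += 1
    return opts

def as_int(value):
    """Parse a hex option value such as 0x0001; None if absent or malformed."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return None

def preflight(command, root_cert_bytes):
    """Return a list of problems found; an empty list means the checks passed."""
    opts, problems = parse_options(command), []
    # Same digest as `openssl dgst -sha384 <file>`: SHA-384 over the file bytes.
    expected = hashlib.sha384(root_cert_bytes).hexdigest()
    given = str(opts.get("fuse-pk-hash-0", "")).lower()
    given = given[2:] if given.startswith("0x") else given
    if given != expected:
        problems.append("fuse-pk-hash-0 != SHA-384 of root certificate")
    # Assumption: fused IDs should equal the signing IDs, as in the page's commands.
    for fuse_opt, sign_opt in (("fuse-oem-hw-id", "oem-id"),
                               ("fuse-oem-product-id", "oem-product-id")):
        a, b = as_int(opts.get(fuse_opt)), as_int(opts.get(sign_opt))
        if a is None or a != b:
            problems.append(f"{fuse_opt} and {sign_opt} differ or are missing")
    return problems

# Constructed sample input: stand-in certificate bytes and a shortened command.
SAMPLE_CERT = b"constructed stand-in for OEM-KEYS/qpsa_rootca.cer\n"
SAMPLE_CMD = ("sectools fuse-blower --security-profile profile.xml "
              "--fuse-pk-hash-0=0x" + hashlib.sha384(SAMPLE_CERT).hexdigest() +
              " --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign "
              "--oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf")

if __name__ == "__main__":
    print(preflight(SAMPLE_CMD, SAMPLE_CERT) or "pre-flight checks passed")
```

Because fuse values cannot be changed after they are blown, run a check like this against the real certificate file (read in binary mode) and the exact command line before generating sec.elf.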

## Next steps

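- To flash the complete software image to the storage device so that the device is updated, functional, secure, and optimized, see [Flash the images](https://docs.qualcomm.com/doc/80-70018-11SC/topic/flash-the-images.html#flash-the-images).
- To enforce strict access control, see [Enable SELinux](https://docs.qualcomm.com/doc/80-70018-11SC/topic/enable-selinux.html#enable-selinux).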

Last Published: Apr 29, 2025
