topic Re: Manufacturing Protection with i.MX8MM: verify not working in i.MX Processors

Manufacturing Protection with i.MX8MM: verify not working

Sampo — Wed, 20 Mar 2024 08:31:03 GMT

I am trying to get Manufacturing Protection working with i.MX8MM. I am using U-boot 2022.04. I have followed the instructions in AN13222. First I have added these to the U-Boot configuration:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n

Then I have enabled secure boot and added these to the CSF file:
[Unlock]
Engine = CAAM
Features = MFG

Then I get the public key:
u-boot=> mfgprot pubk
Public key:
<RETRACTED>

Then I encrypt a dummy message:

u-boot=> mfgprot sign 0x43000000 4

Signing message with Manufacturing Protection Private Key
Message: FF FF FF FF
Message Representative Digest(SHA-256):
0E0E8DB6D2F0FF5650223850BF9086ED18FFD5C074DB6607730C5C770321A4A3
Signature:
C:
DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d:
6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Then on an Ubuntu, I download and compile the mp-verification-tool from here: https://github.com/nxp-imx-support/imx_sec_apps/tree/master/mp-verification-tool

I run verify, but it does not work:

./verify -m ffffffff -k 04<RETRACTED> -c DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F -d 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Public Key: 04<RETRACTED>
Public key verified

Message digest:
SHA-256: 890ed82cf09f2224
Signature:
c: DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d: 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

EC Signature: Invalid

What could be wrong?

Note: secure boot is enabled but the device is not closed. I do not wish to close the device yet, but could this be the cause of the problem?

Re: Manufacturing Protection with i.MX8MM: verify not working

JorgeCas — Fri, 22 Mar 2024 21:52:10 GMT

Hello,

As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.

Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.

Did you verified that HAB successfully authenticates the signed image?

Best regards.

Re: Manufacturing Protection with i.MX8MM: verify not working

Sampo — Tue, 26 Mar 2024 06:01:04 GMT

Ok, it was not clear to me that the device has to actually be closed. We're still testing things like key revocation, so that is why we have not closed the device. But once we do, I'll try again. Thanks.

Re: Manufacturing Protection with i.MX8MM: verify not working

Sampo — Fri, 05 Apr 2024 08:13:02 GMT

I finally closed the device, and went to try this again. However, I observed a new problem. Now the command "mfgprot pubk" does not appear to work:

u-boot=> mfgprot pubk
exit not allowed from main input shell.

Before closing the device, the command worked without any problems. What could be wrong?