topic Re: Cannot read Manufacturing Protection public key with closed i.MX8MM in i.MX Processors

Cannot read Manufacturing Protection public key with closed i.MX8MM

Sampo — Mon, 15 Apr 2024 12:55:22 GMT

Hello, I have tried using manufacturing protection with i.MX8MM. I have followed the instructions in AN13222. I have enabled the following features in U-Boot:

CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n

I have also added the following to the CSF file, between [Authenticate CSF] and [Install Key]:

[Unlock]
Engine = CAAM
Features = MFG

After this, the commands "mfgprot pubk" and "mfgprot sign" work, but since the device is not closed, the result is not valid.

Then I close the device. Secure boot works. But when I try to get the manufacturing protection public key, I get the following error (with some debugs enabled):

u-boot=> mfgprot pubk
Generating Manufacturing Protection Public Key
SEC Dequeue timed out
Error in public key generation -2
exit not allowed from main input shell.

The command "mfgprot sign" still works.

Re: Cannot read Manufacturing Protection public key with closed i.MX8MM

AldoG — Tue, 16 Apr 2024 01:00:29 GMT

Hello,

Did you follow section 3.2 Private key persistence
This step is to ensure that the private key is available to software after the device boots. The Manufacturing Protection private key is cleared during the boot unless the signature (CSF) contains the Unlock command, informing the HAB/AHAB to leave the key. The 'Unlock' command is added to the CSF description file.

Since unless the private key is preserved during the boot, none of the Manufacturing Protection features are functional.

Best regards/Saludos,
Aldo.

Re: Cannot read Manufacturing Protection public key with closed i.MX8MM

Sampo — Tue, 16 Apr 2024 05:17:34 GMT

Yes, I have followed those instructions. Just to be sure, here is the template of our CSF file:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "CST_SRK"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "CST_CSF_CERT"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Unlock]
# Leave manufacturing protection key
Engine = CAAM
Features = MFG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "CST_IMG_CERT"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x1a000 0x2a600 "flash.bin"

Re: Cannot read Manufacturing Protection public key with closed i.MX8MM

fourtrax1 — Wed, 10 Jul 2024 16:56:08 GMT

Hi Sampo, I have a similar problem after closing the device. Have you ever found a solution?

Re: Cannot read Manufacturing Protection public key with closed i.MX8MM

Sampo — Thu, 11 Jul 2024 05:15:47 GMT

Actually yes, it was just human error. The CSF file that I included in the previous message wasn't actually included in the image, it was using the default one. Once I made sure that the MFG was really unlocked, everything worked fine.