FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

AN13222 i.MX Manufacturing Protection verification keys issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AN13222 i.MX Manufacturing Protection verification keys issue

‎08-09-2022 01:13 PM
4,943 Views
valentinraevsky
Contributor I

Dear NXP Support,

We’ve followed the instructions of the AN13222 i.MX Manufacturing Protection but ran into a verification keys issue on our imx8mm device.

Here is our brief procedure:

U-Boot (2021.04):

IOT-GATE-iMX8 => mfgprot pubk
Public key:
<REDACTED_MF_PUBLIC_KEY>

IOT-GATE-iMX8 => mw 0xbe000000 0x11BADA55
IOT-GATE-iMX8 => md 0xbe000000 1

be000000: 11bada55

IOT-GATE-iMX8 => mfgprot sign 0xbe000000 4

Signing message with Manufacturing Protection Private Key
Message: 55 DA BA 11
Message Representative Digest(SHA-256):
7D334EA2FF597D06B49D0F936A6E308B74C578148A9FD41A21E0B0F457ED371C
Signature:
C:
9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d:
09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Kernel (5.15.32):

./verify -m 55daba11 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified

Message digest:
SHA-256: f6aa60da7f6eed15
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

EC Signature: Invalid

 

We’d appreciate it if you could help in fixing the issue.

 

Thanks in advances,

Valentin Raevsky.

Labels (1)
0 Kudos
Reply
15 Replies

‎08-29-2022 12:14 AM
4,879 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

Can you please share the u-boot configuration file?

Thanks & Regards

Sanket Parekh

0 Kudos
Reply

‎09-09-2022 12:37 PM
4,826 Views
valentinraevsky
Contributor I

Hi,

The U-boot config is attached.

 

Regards,

Valentin.

Preview file
43 KB
0 Kudos
Reply

‎09-11-2022 09:19 PM
4,810 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

For Manufacturing protection verification below configuration should be enable in u-boot.

CONFIG_SECURE_BOOT=y

Please add the same and check the Manufacturing protection verification.

Thanks & Regards

Sanket Parekh

0 Kudos
Reply

‎09-15-2022 08:31 AM
4,791 Views
bobjenkins
Contributor I

Also, please note that our i.MX8MM units are not affected by this issue: https://community.nxp.com/t5/Known-Limitations-and-Guidelines/i-MX8M-8MM-CAAM-Manufacturing-Protecti....

0 Kudos
Reply

‎09-15-2022 06:48 AM
4,794 Views
bobjenkins
Contributor I

Hello Sanket,

We tried to add "CONFIG_SECURE_BOOT=y" to either the defconfig or .config directly. However, when building the uboot, the change gets automatically reverted.

The closest config option I was able to find was "CONFIG_EFI_SECURE_BOOT". However, when we set that to "CONFIG_EFI_SECURE_BOOT=y", and flashed the HAB signed uboot to the board, the verification of manufacturing protection signed messages returns the same "EC Signature: Invalid" error.

Any thoughts on what to try next?

Cheers and Thanks!

Bob

0 Kudos
Reply

‎09-15-2022 10:35 PM
4,785 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @bobjenkins 

I hope you are doing well.

As per the attached snapshot few configurations are enable for manufacturing protection verification.

You are using IMX8MM board, So you will have to add all this configuration in imx8mm_evk_defconfig file.

Thanks & Regards

Preview file
31 KB
0 Kudos
Reply

‎09-21-2022 07:48 AM
4,763 Views
bobjenkins
Contributor I

Hey @Sanket_Parekh,

I added those config options to the "imx8mm_evk_defconfig" file, recompiled uboot, re-signed with HAB and flashed it to the board. I'm still getting "EC Signature: Invalid" verifying a message signed with e.g., "mfgprot sign 0xbe000000 4".

Cheers and Thanks!
Bob

0 Kudos
Reply

‎10-19-2022 08:22 AM
4,570 Views
vraevsky
Contributor II
Hello Bob,

Can you please share the "bdinfo" from the board that the command "mfgprot sign 0xbe000000 4" were issued.

Thanks in advances,
Valentin.
0 Kudos
Reply

‎09-23-2022 06:01 AM
4,729 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @bobjenkins ,

I hope you are doing well.
 
have you referred to section 3.2 Private key persistence in AN13222?
please configure the CSF as shown in section 3.2.
 
Thanks & Regards
Sanket Parekh
0 Kudos
Reply

‎10-19-2022 09:02 AM
4,565 Views
vraevsky
Contributor II

Dear NXP Support,

Please help us in understanding what we did wrong with issuing the "AN13222.pdf"

We have performed two test:
1) TEE_LOAD_ADDR = "0xbe000000"
attached log: compulab-imx8mm-TEE_LOAD_ADDR-0xbe000000.log
2) TEE_LOAD_ADDR = "0x56000000"
attached log:compulab-imx8mm-TEE_LOAD_ADDR-0x56000000.lgo

We’d appreciate it if you could help in solving the issue.

Regards,
Valentin.

compulab-imx8mm-TEE_LOAD_ADDR-0x56000000.log
compulab-imx8mm-TEE_LOAD_ADDR-0xbe000000.log
0 Kudos
Reply

‎10-27-2022 02:31 AM
4,400 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky,

Reason for EC Signature: Invalid is  "The Manufacturing Protection private key is cleared during the boot unless the signature (CSF) contains the Unlock command, informing the HAB/AHAB to leave the key."
 
Could you please try adding the 'Unlock' command in the CSF description file, as shown below:
      [Unlock] 
      Engine = CAAM 
      Features = MFG
 
You can refer to section "3.2 Private key persistence" in the application note "AN13222 i.MX Manufacturing Protection."
 
Also, kindly refer to "uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt" for more information.

 

Thanks & Regards

Sanket Parekh

0 Kudos
Reply

‎10-28-2022 01:29 PM
4,380 Views
vraevsky
Contributor II

Hi @Sanket_Parekh,

Thanks for your reply. The csf_spl/csf_fit have this block. Unfortunately, it does not work.

Files used for signing:

https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_spl.in

https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_fit.in

 

Regards,

Valentin.

0 Kudos
Reply

‎10-31-2022 04:43 AM
4,356 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @vraevsky 

Please perform the steps given in section  4.1 MP enablement verification in AN13222 i.MX Manufacturing Protection and send the corresponding output.
 
Thanks & Regards
Sanket Parekh
0 Kudos
Reply

‎08-26-2022 05:22 AM
4,894 Views
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

Can you please try the below mentioned command?

./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Thanks & Regards

Sanket Parekh

0 Kudos
Reply

‎08-26-2022 08:14 AM
4,890 Views
valentinraevsky
Contributor I

It doesn't work. Replies with the same result:

./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified

Message digest:
SHA-256: 31e972db714a19b6
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

EC Signature: Invalid

0 Kudos
Reply