Dear NXP Support,
We’ve followed the instructions of the AN13222 i.MX Manufacturing Protection but ran into a verification keys issue on our imx8mm device.
Here is our brief procedure:
U-Boot (2021.04):
IOT-GATE-iMX8 => mfgprot pubk
Public key:
<REDACTED_MF_PUBLIC_KEY>
IOT-GATE-iMX8 => mw 0xbe000000 0x11BADA55
IOT-GATE-iMX8 => md 0xbe000000 1
be000000: 11bada55
IOT-GATE-iMX8 => mfgprot sign 0xbe000000 4
Signing message with Manufacturing Protection Private Key
Message: 55 DA BA 11
Message Representative Digest(SHA-256):
7D334EA2FF597D06B49D0F936A6E308B74C578148A9FD41A21E0B0F457ED371C
Signature:
C:
9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d:
09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
Kernel (5.15.32):
./verify -m 55daba11 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified
Message digest:
SHA-256: f6aa60da7f6eed15
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
EC Signature: Invalid
We’d appreciate it if you could help in fixing the issue.
Thanks in advances,
Valentin Raevsky.
Can you please share the u-boot configuration file?
Thanks & Regards
Sanket Parekh
For Manufacturing protection verification below configuration should be enable in u-boot.
CONFIG_SECURE_BOOT=y
Please add the same and check the Manufacturing protection verification.
Thanks & Regards
Sanket Parekh
Also, please note that our i.MX8MM units are not affected by this issue: https://community.nxp.com/t5/Known-Limitations-and-Guidelines/i-MX8M-8MM-CAAM-Manufacturing-Protecti....
Hello Sanket,
We tried to add "CONFIG_SECURE_BOOT=y" to either the defconfig or .config directly. However, when building the uboot, the change gets automatically reverted.
The closest config option I was able to find was "CONFIG_EFI_SECURE_BOOT". However, when we set that to "CONFIG_EFI_SECURE_BOOT=y", and flashed the HAB signed uboot to the board, the verification of manufacturing protection signed messages returns the same "EC Signature: Invalid" error.
Any thoughts on what to try next?
Cheers and Thanks!
Bob
Hi @bobjenkins
I hope you are doing well.
As per the attached snapshot few configurations are enable for manufacturing protection verification.
You are using IMX8MM board, So you will have to add all this configuration in imx8mm_evk_defconfig file.
Thanks & Regards
Hey @Sanket_Parekh,
I added those config options to the "imx8mm_evk_defconfig" file, recompiled uboot, re-signed with HAB and flashed it to the board. I'm still getting "EC Signature: Invalid" verifying a message signed with e.g., "mfgprot sign 0xbe000000 4".
Cheers and Thanks!
Bob
Hi @bobjenkins ,
Dear NXP Support,
Please help us in understanding what we did wrong with issuing the "AN13222.pdf"
We have performed two test:
1) TEE_LOAD_ADDR = "0xbe000000"
attached log: compulab-imx8mm-TEE_LOAD_ADDR-0xbe000000.log
2) TEE_LOAD_ADDR = "0x56000000"
attached log:compulab-imx8mm-TEE_LOAD_ADDR-0x56000000.lgo
We’d appreciate it if you could help in solving the issue.
Regards,
Valentin.
Hi @valentinraevsky,
[Unlock]
Engine = CAAM
Features = MFG
Thanks & Regards
Sanket Parekh
Hi @Sanket_Parekh,
Thanks for your reply. The csf_spl/csf_fit have this block. Unfortunately, it does not work.
Files used for signing:
https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_spl.in
https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_fit.in
Regards,
Valentin.
Hi @vraevsky
Can you please try the below mentioned command?
./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
Thanks & Regards
Sanket Parekh
It doesn't work. Replies with the same result:
./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified
Message digest:
SHA-256: 31e972db714a19b6
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A
EC Signature: Invalid