Cannot read Manufacturing Protection public key with closed i.MX8MM

Sampo
Contributor I

Hello, I have tried using manufacturing protection with i.MX8MM. I have followed the instructions in AN13222. I have enabled the following features in U-Boot:

CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT=y
CONFIG_IMX_SECO_MFG_PROT=n

I have also added the following to the CSF file, between [Authenticate CSF] and [Install Key]:

[Unlock]
Engine = CAAM
Features = MFG

After this, the commands "mfgprot pubk" and "mfgprot sign" work, but since the device is not closed, the result is not valid.

Then I close the device. Secure boot works. But when I try to get the manufacturing protection public key, I get the following error (with some debugs enabled):

u-boot=> mfgprot pubk
Generating Manufacturing Protection Public Key
SEC Dequeue timed out
Error in public key generation -2
exit not allowed from main input shell.

The command "mfgprot sign" still works.

AldoG
NXP TechSupport

Hello,

Did you follow section 3.2, Private key persistence?
This step is to ensure that the private key is available to software after the device boots. The Manufacturing Protection private key is cleared during the boot unless the signature (CSF) contains the Unlock command, informing the HAB/AHAB to leave the key. The 'Unlock' command is added to the CSF description file.

Unless the private key is preserved during the boot, none of the Manufacturing Protection features are functional.

Best regards/Saludos,
Aldo.

Sampo
Contributor I

Yes, I have followed those instructions. Just to be sure, here is the template of our CSF file:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "CST_SRK"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "CST_CSF_CERT"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Unlock]
# Leave manufacturing protection key
Engine = CAAM
Features = MFG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "CST_IMG_CERT"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x1a000 0x2a600 "flash.bin"

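The placement discussed in the thread (an [Unlock] command with Engine = CAAM and Features = MFG, after [Authenticate CSF] and before [Install Key]) can be checked mechanically before signing. The following is an added example, not part of the thread, AN13222 or NXP's CST; the function names `parse_csf` and `check_mfg_unlock` are hypothetical, and the parser assumes simple `key = value` lines, `#` comments and a comma-separated Features list.

```python
import re

# Constructed sample, shortened from the CSF template posted in the thread.
SAMPLE = """\
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Unlock]
# Leave manufacturing protection key
Engine = CAAM
Features = MFG
[Install Key]
Verification index = 0
Target index = 2
"""

def parse_csf(text):
    """Return the CSF commands in file order as (name, {key: value}) pairs."""
    commands = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            commands.append((header.group(1).strip().lower(), {}))
        elif "=" in line and commands:
            key, value = line.split("=", 1)
            commands[-1][1][key.strip().lower()] = value.strip()
    return commands

def check_mfg_unlock(text):
    """Return a list of problems; empty means the MFG Unlock is where the thread puts it."""
    commands = parse_csf(text)
    names = [name for name, _ in commands]
    hits = [i for i, (name, f) in enumerate(commands)
            if name == "unlock" and f.get("engine", "").upper() == "CAAM"
            and "MFG" in [x.strip().upper() for x in f.get("features", "").split(",")]]
    if not hits:
        return ["no [Unlock] with Engine = CAAM and Features = MFG"]
    problems = []
    if "authenticate csf" not in names or hits[0] < names.index("authenticate csf"):
        problems.append("MFG Unlock is not after [Authenticate CSF]")
    if "install key" in names and hits[0] > names.index("install key"):
        problems.append("MFG Unlock is after [Install Key]")
    return problems

if __name__ == "__main__":
    print(check_mfg_unlock(SAMPLE) or "MFG Unlock present and correctly placed")
```

An empty result only confirms the layout of the CSF description file; it says nothing about what the boot ROM or CAAM does with it at run time.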