帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Manufacturing Protection with i.MX8MM: verify not working

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Manufacturing Protection with i.MX8MM: verify not working

跳至解决方案
‎03-20-2024 01:27 AM
544 次查看
Sampo
Contributor III

I am trying to get Manufacturing Protection working with i.MX8MM. I am using U-boot 2022.04. I have followed the instructions in AN13222. First I have added these to the U-Boot configuration:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n

Then I have enabled secure boot and added these to the CSF file:
[Unlock]
Engine = CAAM
Features = MFG

Then I get the public key:
u-boot=> mfgprot pubk
Public key:
<RETRACTED>

Then I encrypt a dummy message:

u-boot=> mfgprot sign 0x43000000 4

Signing message with Manufacturing Protection Private Key
Message: FF FF FF FF
Message Representative Digest(SHA-256):
0E0E8DB6D2F0FF5650223850BF9086ED18FFD5C074DB6607730C5C770321A4A3
Signature:
C:
DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d:
6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Then on an Ubuntu, I download and compile the mp-verification-tool from here: https://github.com/nxp-imx-support/imx_sec_apps/tree/master/mp-verification-tool

I run verify, but it does not work:

./verify -m ffffffff -k 04<RETRACTED> -c DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F -d 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Public Key: 04<RETRACTED>
Public key verified

Message digest:
SHA-256: 890ed82cf09f2224
Signature:
c: DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d: 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

EC Signature: Invalid

What could be wrong?

Note: secure boot is enabled but the device is not closed. I do not wish to close the device yet, but could this be the cause of the problem?

标签 (1)
0 项奖励
回复
1 解答

跳至解决方案
‎03-22-2024 02:52 PM
508 次查看
JorgeCas
NXP TechSupport
NXP TechSupport

Hello,

As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.

Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.

Did you verified that HAB successfully authenticates the signed image?

Best regards.

在原帖中查看解决方案

0 项奖励
回复
3 回复数

跳至解决方案
‎04-05-2024 01:13 AM
438 次查看
Sampo
Contributor III

I finally closed the device, and went to try this again. However, I observed a new problem. Now the command "mfgprot pubk" does not appear to work:

u-boot=> mfgprot pubk
exit not allowed from main input shell.

Before closing the device, the command worked without any problems. What could be wrong?

0 项奖励
回复

跳至解决方案
‎03-25-2024 11:01 PM
469 次查看
Sampo
Contributor III

Ok, it was not clear to me that the device has to actually be closed. We're still testing things like key revocation, so that is why we have not closed the device. But once we do, I'll try again. Thanks.

0 项奖励
回复

跳至解决方案
‎03-22-2024 02:52 PM
509 次查看
JorgeCas
NXP TechSupport
NXP TechSupport

Hello,

As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.

Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.

Did you verified that HAB successfully authenticates the signed image?

Best regards.

0 项奖励
回复