I am trying to get Manufacturing Protection working with i.MX8MM. I am using U-boot 2022.04. I have followed the instructions in AN13222. First I have added these to the U-Boot configuration:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n
Then I have enabled secure boot and added these to the CSF file:
[Unlock]
Engine = CAAM
Features = MFG
Then I get the public key:
u-boot=> mfgprot pubk
Public key:
<RETRACTED>
Then I encrypt a dummy message:
u-boot=> mfgprot sign 0x43000000 4
Signing message with Manufacturing Protection Private Key
Message: FF FF FF FF
Message Representative Digest(SHA-256):
0E0E8DB6D2F0FF5650223850BF9086ED18FFD5C074DB6607730C5C770321A4A3
Signature:
C:
DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d:
6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
Then on an Ubuntu, I download and compile the mp-verification-tool from here: https://github.com/nxp-imx-support/imx_sec_apps/tree/master/mp-verification-tool
I run verify, but it does not work:
./verify -m ffffffff -k 04<RETRACTED> -c DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F -d 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
Public Key: 04<RETRACTED>
Public key verified
Message digest:
SHA-256: 890ed82cf09f2224
Signature:
c: DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d: 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
EC Signature: Invalid
What could be wrong?
Note: secure boot is enabled but the device is not closed. I do not wish to close the device yet, but could this be the cause of the problem?
已解决! 转到解答。
Hello,
As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.
Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.
Did you verified that HAB successfully authenticates the signed image?
Best regards.
I finally closed the device, and went to try this again. However, I observed a new problem. Now the command "mfgprot pubk" does not appear to work:
u-boot=> mfgprot pubk
exit not allowed from main input shell.
Before closing the device, the command worked without any problems. What could be wrong?
Ok, it was not clear to me that the device has to actually be closed. We're still testing things like key revocation, so that is why we have not closed the device. But once we do, I'll try again. Thanks.
Hello,
As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.
Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.
Did you verified that HAB successfully authenticates the signed image?
Best regards.