FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Manufacturing Protection with i.MX8MM: verify not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Manufacturing Protection with i.MX8MM: verify not working

Jump to solution
‎03-20-2024 01:27 AM
1,663 Views
Sampo
Contributor III

I am trying to get Manufacturing Protection working with i.MX8MM. I am using U-boot 2022.04. I have followed the instructions in AN13222. First I have added these to the U-Boot configuration:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n

Then I have enabled secure boot and added these to the CSF file:
[Unlock]
Engine = CAAM
Features = MFG

Then I get the public key:
u-boot=> mfgprot pubk
Public key:
<RETRACTED>

Then I encrypt a dummy message:

u-boot=> mfgprot sign 0x43000000 4

Signing message with Manufacturing Protection Private Key
Message: FF FF FF FF
Message Representative Digest(SHA-256):
0E0E8DB6D2F0FF5650223850BF9086ED18FFD5C074DB6607730C5C770321A4A3
Signature:
C:
DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d:
6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Then on an Ubuntu, I download and compile the mp-verification-tool from here: https://github.com/nxp-imx-support/imx_sec_apps/tree/master/mp-verification-tool

I run verify, but it does not work:

./verify -m ffffffff -k 04<RETRACTED> -c DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F -d 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

Public Key: 04<RETRACTED>
Public key verified

Message digest:
SHA-256: 890ed82cf09f2224
Signature:
c: DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d: 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483

EC Signature: Invalid

What could be wrong?

Note: secure boot is enabled but the device is not closed. I do not wish to close the device yet, but could this be the cause of the problem?

Labels (1)
0 Kudos
Reply
1 Solution

Jump to solution
‎03-22-2024 02:52 PM
1,627 Views
JorgeCas
NXP TechSupport
NXP TechSupport

Hello,

As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.

Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.

Did you verified that HAB successfully authenticates the signed image?

Best regards.

View solution in original post

0 Kudos
Reply
3 Replies

Jump to solution
‎04-05-2024 01:13 AM
1,557 Views
Sampo
Contributor III

I finally closed the device, and went to try this again. However, I observed a new problem. Now the command "mfgprot pubk" does not appear to work:

u-boot=> mfgprot pubk
exit not allowed from main input shell.

Before closing the device, the command worked without any problems. What could be wrong?

0 Kudos
Reply

Jump to solution
‎03-25-2024 11:01 PM
1,588 Views
Sampo
Contributor III

Ok, it was not clear to me that the device has to actually be closed. We're still testing things like key revocation, so that is why we have not closed the device. But once we do, I'll try again. Thanks.

0 Kudos
Reply

Jump to solution
‎03-22-2024 02:52 PM
1,628 Views
JorgeCas
NXP TechSupport
NXP TechSupport

Hello,

As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.

Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.

Did you verified that HAB successfully authenticates the signed image?

Best regards.

0 Kudos
Reply