- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Manufacturing Protection with i.MX8MM: verify not working
Manufacturing Protection with i.MX8MM: verify not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get Manufacturing Protection working with i.MX8MM. I am using U-boot 2022.04. I have followed the instructions in AN13222. First I have added these to the U-Boot configuration:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_CAAM_MFG_PROT = y
CONFIG_IMX_SECO_MFG_PROT = n
Then I have enabled secure boot and added these to the CSF file:
[Unlock]
Engine = CAAM
Features = MFG
Then I get the public key:
u-boot=> mfgprot pubk
Public key:
<RETRACTED>
Then I encrypt a dummy message:
u-boot=> mfgprot sign 0x43000000 4
Signing message with Manufacturing Protection Private Key
Message: FF FF FF FF
Message Representative Digest(SHA-256):
0E0E8DB6D2F0FF5650223850BF9086ED18FFD5C074DB6607730C5C770321A4A3
Signature:
C:
DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d:
6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
Then on an Ubuntu, I download and compile the mp-verification-tool from here: https://github.com/nxp-imx-support/imx_sec_apps/tree/master/mp-verification-tool
I run verify, but it does not work:
./verify -m ffffffff -k 04<RETRACTED> -c DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F -d 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
Public Key: 04<RETRACTED>
Public key verified
Message digest:
SHA-256: 890ed82cf09f2224
Signature:
c: DE40C5FAE2C2B724AAC6FE11337D2FB29A2C639E02F61DB216FBA215E205BE1F
d: 6F0A6B6FD9E01F0F28E8EE98FA5051F637E6D367CB0DED637AD73ECB80B2F483
EC Signature: Invalid
What could be wrong?
Note: secure boot is enabled but the device is not closed. I do not wish to close the device yet, but could this be the cause of the problem?
Solved! Go to Solution.
JorgeCas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.
Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.
Did you verified that HAB successfully authenticates the signed image?
Best regards.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I finally closed the device, and went to try this again. However, I observed a new problem. Now the command "mfgprot pubk" does not appear to work:
u-boot=> mfgprot pubk
exit not allowed from main input shell.
Before closing the device, the command worked without any problems. What could be wrong?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, it was not clear to me that the device has to actually be closed. We're still testing things like key revocation, so that is why we have not closed the device. But once we do, I'll try again. Thanks.
JorgeCas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As is mentioned on AN13222 the first step to use the Manufacturing Protection is enable the secure boot feature.
Once device successfully boots a signed image without generating any HAB events, it should be safe to close the device and is the last step in the process to enable secure boot.
Did you verified that HAB successfully authenticates the signed image?
Best regards.
