- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Hi Team,
@Harvey021
I am trying to retrieve the manufacturing Protection Public key on my IMX8DX chip, however I always get 0x0 as public key. I have tried supplying 96 and 97 bytes buffer, (even greater values too), but no luck. My chip is in OEM closed LC state.
I tried reading the MPECC register to see if the key exists. I get 0x0 as the value, so it means the key is still there.
Can you please provide any insights on how to retrieve this key? I am using OP-TEE OS to fetch this key and I use caam_calloc_align_buf() along with setting the sc_rm_set_memreg_permissions() to full permission for the allocated memory to SECO partition
Feels like SECO cannot write to this location or it requires some extra step to get the key. Can you please guide me?
Thanks in advance.
Chandni
已解决! 转到解答。
Hello,
You are correct, I missed that one completely, please accept my apologize for the confusion, have you tried using uboot?
To use the Manufacturing Protection, additional U-Boot tools are needed. Make sure to enable the following features:
Defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_SECO_MFG_PROT = y
The U-boot command is "mfgprot pubk". The output is the Manufacturing Protection public key.
Best regards/Saludos,
Aldo.
Hi Aldo,
Thanks for your reply. Here are my observations:
From AN13222: "The Unlock command is not necessary for the I.MX 8X/8DXL devices because the MP private key is preserved
when the secure boot is enabled."
Also when i try the unlock command, i keep getting: "Invalid command: AuthenticateCSF is illegal for given target". Looking at the CST user's guide says: "Unlock and Authenticate CSF" are only HAB commands, so it does not work. I am using AHAB target
Also i am reading MPECC register, the MP_ZERO bit is 0x0, which means key has non-zero value. Have i understood it wrong?
Do i need any signed message to enable/unlock it?
Regards,
Chandni
Hello,
You are correct, I missed that one completely, please accept my apologize for the confusion, have you tried using uboot?
To use the Manufacturing Protection, additional U-Boot tools are needed. Make sure to enable the following features:
Defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
CONFIG_FSL_MFGPROT=y
CONFIG_IMX_SECO_MFG_PROT = y
The U-boot command is "mfgprot pubk". The output is the Manufacturing Protection public key.
Best regards/Saludos,
Aldo.
Hello,
Did you follow section 3.2 Private key persistence of the AN13222.
This step is to ensure that the private key is available to software after the device boots. The Manufacturing Protection private key is cleared during the boot unless the signature (CSF) contains the Unlock command, informing the HAB/AHAB to leave the key. The 'Unlock' command is added to the CSF description file.
Since unless the private key is preserved during the boot, none of the Manufacturing Protection features are functional.
Best regards/Saludos,
Aldo.
