Unable to verify some MP messages

jaymonkman · ‎02-08-2021

This is on an i.MX7D, related to manufacturing protection

I have a message that when I sign it, I'm unable to verify it. The message is 220 bytes long. If I truncate it to 219 bytes or extend it to 221 bytes and sign it, I can verify the signature. If I try a different 220 byte message, that works also. The behavior I'm seeing seems to related to the particular data I'm trying to sign.

For signing, I'm using u-boot's mfgprot command. For verification, I'm using a tool I wrote. If you need the source, I can provide it.

I've include the output of signing the message as 219, 220, and 221 bytes long. I've also included the output of my verification tool. As you can see, the hashes reported by u-boot match the ones I calculated during verification.

Edited to add:

It's giving me some invalid HTML error, so I'm just attaching the data as a text file.

Yuri · ‎03-17-2021

@jaymonkman
Hello,

I received the information, that the issue was solved.

The problem was an issue with the verification tool where strlen() was being misused.

Regards,
Yuri.

View solution in original post

jaymonkman · ‎02-19-2021

We're seeing about 20-25% of the messages that we sign fail to verify.

On one of the messages, I've tried truncating to different sizes and some pass, some fail. The original message is 165 bytes long, I tried every size down to 1 byte and 17 of the messages fail verification. It's consistent - if a particular message fails to verify and I sign it again, the new signature will also fail to verify.

Yuri · ‎03-17-2021

@jaymonkman
Hello,

I received the information, that the issue was solved.

The problem was an issue with the verification tool where strlen() was being misused.

Regards,
Yuri.