帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

hsm_import_key returns with 0xF0 (Bad Signature)

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

hsm_import_key returns with 0xF0 (Bad Signature)

3 周之前
314 次查看
HH_Mov
Contributor III

During the "import key" of a custom generated keyblob, the response is: 0xF0

SAB reports (Invalid TLV signature)

SAB Error: SAB CMD [0x4f] Resp [0xf029] - Unknown error code

 

The used signature calculation is based on the OEM_IMPORT_CMAC_SK key, using the sample code from point 6 in "OEM Key import test flow".

 

Question 1: How can I verify if it is actually the signature going wrong and not e.g. using an invalid/incorrect OEM_IMPORT_CMAC_SK ?

There is an example tlv buffer in the documentation on page 219, but the used OEM_IMPORT_WRAP_SK, OEM_IMPORT_CMAC_SK (and the used imported key) are not provided, so I cannot verify this.

Question 2: If the OEM_IMPORT_CMAC_SK is wrong/mismatching on Peer and FW, how to debug?

0 项奖励
回复
5 回复数

3 周之前
266 次查看
Harvey021
NXP TechSupport
NXP TechSupport

There is demo related to the key import for your reference.

hope the ele-apps can help. also, the one smw-apps 

 

Regards

Harvey

0 项奖励
回复

2 周之前
234 次查看
HH_Mov
Contributor III

Hello @Harvey021 ,

Thanks for the example, the imx-ele-apps/key-import, helped me verify my implementation, verifying the following are correct:

- NXP product manufact key agreement
- shared secret
- OEM_IMPORT_MK_SK
- OEM_IMPORT_WRAP_SK
- OEM_IMPORT_CMAC_SK

However performing the key-exchange (with the example SW) on an OEM_Closed device crashes the system:

sh run_test_on_board.sh
nxp_prod_ka_puk.bin exists.
oem_public_key.pem exists.
signed_msg.bin exists.
Hello, World! Sep 11 2025:14:50:25 77be1e7
Signed Message: 736 bytes
00e002890200000000000000b[  281.271513] fsl-se-fw se-fw2: Rx-Msg(0xe1470206): Fatal abort received  by hsm1.

 

Running the same test (with the example SW) on an OEM_Open device results in a invalid signature message:

    hsm_open_session success
    hsm_open_key_store_service success
    hsm_open_key_management_service success

    SAB Error: SAB CMD [0x47] Resp [0x1829] - Invalid Signature in SIGNED message.

    hsm_key_exchange failed err:0xfe
    Key exchange failed: 254

 

For info, the SRK hash reported by the signed message generation (running the command.sh on host side) for KEY_EXCHANGE_REQ matches the SRKH obtained from the HSM.

1. Is there an expected difference between an OEM_Open and OEM_Closed device ?

2. Why would the signature be reported invalid in the example ?

 

 

0 项奖励
回复

2 周之前
188 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hello @HH_Mov 

 

For the 1st question, we'll further check with Internal R&D and get back to you.

For the 2nd question, we cannot reproduce the issue with the provided demo app. If possible, we can have a meeting with you to review your operations.

 

Regards

Harvey

0 项奖励
回复

2 周之前
155 次查看
HH_Mov
Contributor III

Hello Harvey,

Thanks for your reply. To validate our steps a colleague also tried the steps from the example and came to the same issues.

I would like to have a meeting to see if we can tackle this issue, maybe it is better to continue this via e-mail ?

Thnx

0 项奖励
回复

1 周之前
107 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hello @HH_Mov 

With checking internal team, a meeting would be more effective in solving this problem. Please let us know from there.

 

Regards

Harvey

0 项奖励
回复