hsm_import_key returns with 0xF0 (Bad Signature)

HH_Mov · ‎09-04-2025

During the "import key" of a custom generated keyblob, the response is: 0xF0

SAB reports (Invalid TLV signature)

SAB Error: SAB CMD [0x4f] Resp [0xf029] - Unknown error code

The used signature calculation is based on the OEM_IMPORT_CMAC_SK key, using the sample code from point 6 in "OEM Key import test flow".

Question 1: How can I verify if it is actually the signature going wrong and not e.g. using an invalid/incorrect OEM_IMPORT_CMAC_SK ?

There is an example tlv buffer in the documentation on page 219, but the used OEM_IMPORT_WRAP_SK, OEM_IMPORT_CMAC_SK (and the used imported key) are not provided, so I cannot verify this.

Question 2: If the OEM_IMPORT_CMAC_SK is wrong/mismatching on Peer and FW, how to debug?

HH_Mov · ‎10-12-2025

Issue was fixed. The problem was related to an incorrect fuse_version specified in the yaml file.
Why it was not 0 but 2 is not completely clear but it solved this issue

View solution in original post

HH_Mov · ‎10-12-2025

Issue was fixed. The problem was related to an incorrect fuse_version specified in the yaml file.
Why it was not 0 but 2 is not completely clear but it solved this issue

Harvey021 · ‎09-08-2025

There is demo related to the key import for your reference.

hope the ele-apps can help. also, the one smw-apps

Regards

Harvey

HH_Mov · ‎09-11-2025

Hello @Harvey021 ,

Thanks for the example, the imx-ele-apps/key-import, helped me verify my implementation, verifying the following are correct:

- NXP product manufact key agreement
- shared secret
- OEM_IMPORT_MK_SK
- OEM_IMPORT_WRAP_SK
- OEM_IMPORT_CMAC_SK

However performing the key-exchange (with the example SW) on an OEM_Closed device crashes the system:

sh run_test_on_board.sh
nxp_prod_ka_puk.bin exists.
oem_public_key.pem exists.
signed_msg.bin exists.
Hello, World! Sep 11 2025:14:50:25 77be1e7
Signed Message: 736 bytes
00e002890200000000000000b[  281.271513] fsl-se-fw se-fw2: Rx-Msg(0xe1470206): Fatal abort received  by hsm1.

Running the same test (with the example SW) on an OEM_Open device results in a invalid signature message:

    hsm_open_session success
    hsm_open_key_store_service success
    hsm_open_key_management_service success

    SAB Error: SAB CMD [0x47] Resp [0x1829] - Invalid Signature in SIGNED message.

    hsm_key_exchange failed err:0xfe
    Key exchange failed: 254

For info, the SRK hash reported by the signed message generation (running the command.sh on host side) for KEY_EXCHANGE_REQ matches the SRKH obtained from the HSM.

1. Is there an expected difference between an OEM_Open and OEM_Closed device ?

2. Why would the signature be reported invalid in the example ?

Harvey021 · ‎09-15-2025

Hello @HH_Mov

For the 1st question, we'll further check with Internal R&D and get back to you.

For the 2nd question, we cannot reproduce the issue with the provided demo app. If possible, we can have a meeting with you to review your operations.

Regards

Harvey

HH_Mov · ‎09-17-2025

Hello Harvey,

Thanks for your reply. To validate our steps a colleague also tried the steps from the example and came to the same issues.

I would like to have a meeting to see if we can tackle this issue, maybe it is better to continue this via e-mail ?

Thnx

Harvey021 · ‎09-18-2025

Hello @HH_Mov

With checking internal team, a meeting would be more effective in solving this problem. Please let us know from there.

Regards

Harvey