unique key for each i.MX8M device using its CPU UID to sign boot images for testing?


Tubi
Contributor I

I'm working on a secure manufacturing and test process for i.MX8M devices with HAB in closed mode.

For returned products or production testing, I want to boot a custom test image (e.g., functional test or recovery U-Boot). To limit security exposure and avoid managing one global signing key, I’m considering generating a unique signing key per device based on its CPU UID (read from OCOTP).

The idea is:

Derive a signing key from the device's UID using HMAC or similar

Use that key to sign a test boot image (for U-Boot or SPL)

Program the device’s SRK or CSF with the matching public key

Allow only that device to boot its own test image

Questions:

Is this technically allowed by the HAB/SRK design?

Can the SRK or CSF be made unique per device based on the UID?

Are there practical limits to doing per-device signed boot images (e.g., provisioning effort, ROM support)?

I’m not looking to weaken security — I just want to avoid using one global key for test image signing. Each test image would be valid for one device only, and this approach would offload security ownership to the customer.

Thanks in advance!

1 Reply

Harvey021
NXP TechSupport

This is not the default supported approach of our secure boot.

The SW verification part can be implemented by changing the logic.

 

Regards

Harvey
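The first step of the idea in the question (deriving a per-device signing key from the CPU UID with HMAC), as an added example that is not part of the original thread and is not NXP code. The UID can be read from OCOTP and is not a secret, so the secret input has to be the HMAC key held by the signing station; the UID only selects which device key comes out. Assumptions: a P-256 private scalar as the key type, a 64-bit UID, and the hypothetical names `derive_device_scalar`, `uid_only_scalar` and `PURPOSE`.

```python
import hashlib
import hmac

# Order of the NIST P-256 group; a valid private scalar d satisfies 1 <= d < N.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
PURPOSE = b"test-image-signing"  # hypothetical domain-separation label


def derive_device_scalar(master_secret: bytes, uid: bytes) -> int:
    """Derive a per-device private scalar from a factory secret and the UID."""
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    if len(uid) != 8:  # assumption: 64-bit UID
        raise ValueError("expected a 64-bit UID")
    # Rejection sampling: retry with a counter until the HMAC output is a
    # valid scalar, instead of reducing mod N (which would bias the result).
    for counter in range(256):
        msg = PURPOSE + b"\x00" + uid + bytes([counter])
        digest = hmac.new(master_secret, msg, hashlib.sha256).digest()
        candidate = int.from_bytes(digest, "big")
        if 1 <= candidate < P256_N:
            return candidate
    raise RuntimeError("no valid scalar found")


def uid_only_scalar(uid: bytes) -> int:
    """Weak variant for contrast: no secret input, so anyone who can read
    the UID can recompute the same 'private' key."""
    return int.from_bytes(hashlib.sha256(uid).digest(), "big") % P256_N


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    master = bytes(range(32))
    uid_a = bytes.fromhex("0011223344556677")
    uid_b = bytes.fromhex("0011223344556678")
    print(hex(derive_device_scalar(master, uid_a)))
    print(hex(derive_device_scalar(master, uid_b)))
```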
