- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- I.MX6 Cryptographic Acceleration
I.MX6 Cryptographic Acceleration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The I.MX6 is described as offering cryptographic acceleration in the CAAM. However, as far as I can see, there is no documentation avaialble to support this. Does anybody know what the capabilities are, and how we can access them?
Cheers
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi John,
As Yuri has mentioned above the i.MX 6 Security reference manual contains all the information on CAAM and it's capabilities. This is a moderated document but should not require an NDA. Please contact your local Freescale FAE to obtain access to this document.
At a high level the CAAM is a DMA master supporting the following capabilities:
Secure memory feature with HW enforced access control
Cryptographic authentication
* Hashing algorithms
* MD5
* SHA-1
* SHA-224
* SHA-256
* Message authentication codes (MAC)
* HMAC-all hashing algorithms
* AES-CMAC
* AES-XCBC-MAC
* Auto padding
* ICV checking
Authenticated encryption algorithms
* AES-CCM (counter with CBC-MAC)
Symmetric key block ciphers
* AES (128-bit, 192-bit or 256-bit keys)
* DES (64-bit keys, including key parity)
* 3DES (128-bit or 192-bit keys, including key parity)
Cipher modes
* ECB, CBC, CFB, OFB for all block ciphers
* CTR for AES
Symmetric key stream ciphers
* ArcFour (alleged RC4 with 40 - 128 bit keys)
* Random-number generation
* Entropy is generated via an independent free running ring oscillator
* Oscillator is off when not generating entropy; for lower-power consumption
* NIST-compliant, pseudo random-number generator seeded using hardware generated entropy
The Freescale Linux BSP contains a CAAM driver to make use of the above features. The use of CAAM is via the Linux CryptoAPI. The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.
Regards,
-Rod
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi John,
As Yuri has mentioned above the i.MX 6 Security reference manual contains all the information on CAAM and it's capabilities. This is a moderated document but should not require an NDA. Please contact your local Freescale FAE to obtain access to this document.
At a high level the CAAM is a DMA master supporting the following capabilities:
Secure memory feature with HW enforced access control
Cryptographic authentication
* Hashing algorithms
* MD5
* SHA-1
* SHA-224
* SHA-256
* Message authentication codes (MAC)
* HMAC-all hashing algorithms
* AES-CMAC
* AES-XCBC-MAC
* Auto padding
* ICV checking
Authenticated encryption algorithms
* AES-CCM (counter with CBC-MAC)
Symmetric key block ciphers
* AES (128-bit, 192-bit or 256-bit keys)
* DES (64-bit keys, including key parity)
* 3DES (128-bit or 192-bit keys, including key parity)
Cipher modes
* ECB, CBC, CFB, OFB for all block ciphers
* CTR for AES
Symmetric key stream ciphers
* ArcFour (alleged RC4 with 40 - 128 bit keys)
* Random-number generation
* Entropy is generated via an independent free running ring oscillator
* Oscillator is off when not generating entropy; for lower-power consumption
* NIST-compliant, pseudo random-number generator seeded using hardware generated entropy
The Freescale Linux BSP contains a CAAM driver to make use of the above features. The use of CAAM is via the Linux CryptoAPI. The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.
Regards,
-Rod
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should there be aes-ccm support in the caam driver? At least for the public linux-imx git repos and mainline linux kernel I can see support for most algorithms but no ccm(aes) support. For example the nx driver registers support for ccm(aes) but he caam does not.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support for CCM other capabilities will be added in future releases of the CAAM driver.
-Rod
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I include the 'caam' argument in the bootargs I see that the caam driver gets registered with the kernel on startup. But I'm still unable to use it with 'openssl speed -engine cryptodev'. Also the 'openssl engine' shows no caam/cryptodev engine installed. I'm using L3.0.35_1.1.0 version. Any idea?
Thanks,
-Ben
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As for current BSP CAAM support :
The driver is integrated to the standard Linux cryptographic services interface
known as the Linux Crypto API (or Linux Scatterlist API). All current features
of CAAM, that the driver supports, are via the Linux Crypto API.
Basically Open SSL is able to use a crypto hardware though NetKey API ,
which in turn can use Linux scatterlist crypto API. As for the cryptodev, /dev/crypto
today does not use hardware features of the CAAM, it is just a software implementation.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yura,
are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?
And for openssl to take advantage of CAAM, do I need to rebuild it? I'm using rootfs from Freescale i.MX6 BSP L3.0.35_1.1.0. Any idea how to configure openssl for it?
Thanks,
-Ben
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> ... are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?
Yes, assuming the kernel is configured properly.
Network support --->
Network option --->
<*> PF_KEY sockets
<*> IP: AH transformation
<*> IP: ESP transformation
<*> IP: IPComp transformation
<*> IP: IPsec transport mode
<*> IP: IPsec tunnel mode
> And for openssl to take advantage of CAAM do I need to rebuild it?
> Any idea how to configure openssl for it?
While not officially supported in the BSP, there are userspace interface implementations
that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the
CAAM h/w via its respective driver. While the kernel officially supports the AF_ALG socket
interface, various third-party cryptodev implementations are also available.
Here are some links to a couple of starting points:
http://carnivore.it/2011/04/23/openssl_-_af_alg
http://home.gna.org/cryptodev-linux/
http://ocf-linux.sourceforge.net/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by bootargs ? Where do you put caam ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my kernel command line, populated via uboot bootargs:
console=ttymxc0,115200 video=mxcfb1:dev=ldb,LDB-XGA,if=RGB666 ldb=dul1 root=/dev/mmcblk1p1 rootwait rw caam
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had no idea this was possible, thanks for the tip !!
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Linux kernel contains various users of the Scatterlist CryptoAPI, including its IPSec implementation, sometimes referred to as the NETKEY stack.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where can I find the latest CAAM patches that address the issue reported by the callstack above?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like IPSEC with i.MX6 CAAM was not tested yet. IPSEC + CAAM is working for QorIQ.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not tested?! It was included in the Linux kernel BSP, so better be tested. How do you guys expect to sell this to customers? Is there some other protocol besides IPSec that it was perhaps tested with?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, let's create special SR to check it more carefully
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yuri, can you advice us when we should expect Freescale to resolve the issue with the CAAM driver for i.MX6 Linux BSP.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So there is a problem with the driver ? I've created a SR too but I have not had an answer yet.
I've tried the af_alg way but without success.
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> I've created a SR ...
What is SR number ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SR# 1-1025928941
I have an answer now, thanks.
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While not officially supported in the SDK, there are userspace interface implementations,
that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the CAAM
h/w via its respective driver. As known, the AF_ALG family provides the user-space interface
for the kernel crypto API. While a kernel (2.6.38 and later) supports the AF_ALG socket interface,
various third-party cryptodev implementations are also available.
Here are some links to a couple of starting points:
http://carnivore.it/2011/04/23/openssl_-_af_alg
http://home.gna.org/cryptodev-linux/
http://ocf-linux.sourceforge.net/
The enclosed is implementaion from Dipen Patel.
https://community.freescale.com/message/342822#342822
