iMX6 (CAAM, TrustZone) Hardware Security Blocks Use.

fmajeric · ‎02-24-2015

Dear all,

I'm more an hardware engineer. So I 've relatively few skill in programming.

Nonetheless, I know basic things into main programming language. (C, Python, Java...)

I'm interesting by the iMX6 processor. In particular by some security features.

In order to test theses features, I would like to implement little C programs which use

hardware :

(1) CAAM

(2) TrustZone/TEE.

Previously, I bought a cheap development board : RIoTBoard with an iMX6solo embedded precessor.

The problem is the community is no large as the Freescale iMX community is.

Moreover, the Freescale community is often based on Freescale boards.

So for the moment it's a pain for me to make simple use of device features.

The u-boot/kernel are not complete.
The Freescale Flashing Tools are not really adapted when I want to do something different than provided by RIoTboard.
Support is tiny for this board.

For example I would like to use /drivers/crypto/caam/sm_test.c. When I compile the Kernel, they are no *.ko generated. It miss some files (caam.c for example). The iMX6 SDK is no suitable for my board...

I'm looking for a development board with OS, drivers, tools, SDK in order to develop my C program comfortably.

In particular drivers for (1). I want just test some encryption features and secure memory storage features.

For example one of my C program should just use AES-128-CAAM encryption :

I just would like give a plaintext, a key and get back my cipher text. Without using open-ssl or other software. Just using CAAM API encryption function.
An other program do the same previous process but put the ciphered into secure storage.
And so on...

Does anybody have some suggestion, code ready , preferred board ?

Do you know some product which can answer to my needs ?

Which board is the most convenient for my purpose ?

Please could you help me,

Regards,

Fabien :smileyconfused:

Yuri · ‎04-21-2015

it makes sense to port to recent Freescale BSP(s), which supports the CryptoDev interface :

"Using the Freescale CryptoDev security driver causes the system to run much faster than without it.
The CAAM drivers are accelerated through the CryptoDev interface. The openssl command can be used
to show the system speed without [and with - Yuri] CryptoDev".

Regards,

Yuri.

View solution in original post

KursadOney · ‎02-24-2015

If you enable caam in your kernel (usually via caam=1 in your command line), you can use /dev/crypto or AF_ALG. These are independent of the i.mx architecture so any example you find should work. See this post for more information: Re: I.MX6 Cryptographic Acceleration

AFAIK TrustZone is not quite supported in linux so that will be a tough one. The secure storage is only supported in kernel space (so far). The FSL kernel source has sm_test.c with some examples but it would require a decent knowledge of reading and modifying kernel code to customize.

fmajeric · ‎02-24-2015

Hi Kursad,

Thank you for your answer. Ok for the TrustZone Point & Secure Storage.

But just some questions about CAAM use.

You explain : "(usually via caam=1 in your command line)".

After reading Re: I.MX6 Cryptographic Acceleration, I haven't seen "caam=1" but just : add "caam" at bootargs
Is it a right method ?

> printenv bootargs

> bootargs=console=ttymxc1,115200 nosmp video=mxcfb0:dev=hdmi,1280x720M@60,bpp=32 video=mxcfb1:off fbmem=10M caam

Or I have to write :

> bootargs=console=ttymxc1,115200 nosmp video=mxcfb0:dev=hdmi,1280x720M@60,bpp=32 video=mxcfb1:off fbmem=10M caam=1

Concerning /dev/crypto or Af_alg, it is used by openssl. But are they other way to use CAAM crypto acceleration without using openssl ?

For example just including a librairy (which library ?) :

#include "caam.h"

#include <stdio.h>

int message = 0x0123456789ABCDEF;

int key = 0x11112222333344445555;

int *ciphered;

int encryption_mode;

int main(void)

{

encryption_mode = 1;

rep = caam_aes_128(message, key, ciphered);

if(rep != -1)

{

printf("Message %d\nKey: %d\n Ciphered: %d\n", message, key, ciphered);

}

else:

{

printf("error\n");

}

return 0;

}

Thank you.

Yuri · ‎02-24-2015

You may try using "API Interface Level" (via the tcrypt), described below.

http://www.freescale.com/infocenter/topic/i.MX6QLXRM/3914832.html

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

swapnilpendhare · ‎10-14-2015

You may try using "API Interface Level" (via the tcrypt), described below.

http://www.freescale.com/infocenter/topic/i.MX6QLXRM/3914832.html

Have a great day,
Yuri

:Link provided in above post is not accessible. Does it come under NDA? How can i get this information ?

Thanks,

Yuri · ‎10-18-2015

Hello,

Please use section 52.5 (API Interface Level) of the "i.MX_Linux_Reference_Manual.pdf".

http://www.freescale.com/webapp/Download?colCode=L3.14.38_6UL_LINUX_DOCS

Regards,

Yuri.

fmajeric · ‎03-02-2015

Hi Yuri,

Thank you for your answer but the "new" problem is I can't compile "sm_test.c" module and I can"t "insmod" and "modprobe" the "tcrypt.ko" module...

To describe the context :

I’m working on a RIoTboard with an iMX6solo embedded.

The source code are from here : http://www.element14.com/community/docs/DOC-68442/l/riotboard-bsp-images-and-tools-download--android...

i.e. :

- BSP Linux ubuntu v3.0.35 : http://downloads.element14.com/downloads/riotboard/Linux/image_SVN2487.zip?COM=RIoTboard

- Mfg Tool : http://downloads.element14.com/downloads/riotboard/Linux/tools_SVN2652.zip?COM=RIoTboard

- Compiler tools from : $git clone git://github.com/embest-tech/fsl-linaro-toolchain.git

I tried to compile “sm_test.c” with this Makefile :

#

# Makefile for Freescale iMX6solo modules

#

export ARCH=arm

export CROSS_COMPILE=/home/fmajeric/Bureau/Board/Riotboard/Sources/fsl-linaro-toolchain-master/bin/arm-fsl-linux-gnueabi-

#

obj-m := sm_test.o

KDIR := /home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0

PWD := $(shell pwd)

all:

$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:

$(MAKE) -C $(KDIR) M=$(PWD) clean

But the compiler return me this error :

fmajeric@fmajeric-VirtualBox:~/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam$ make

make -C /home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0 M=/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam modules

make[1]: Entering directory '/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0'

CC [M] /home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.o

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c: In function 'caam_sm_example_init':

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c:174:17: error: dereferencing pointer to incomplete type

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c: In function '__inittest':

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c:800:1: warning: return from incompatible pointer type [enabled by default]

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c: In function '__exittest':

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c:801:1: error: 'caam_sm_example_shutdow' undeclared (first use in this function)

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c:801:1: note: each undeclared identifier is reported only once for each function it appears in

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c: At top level:

/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.c:801:1: error: 'cleanup_module' aliased to undefined symbol 'caam_sm_example_shutdow'

scripts/Makefile.build:311: recipe for target '/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.o' failed

make[2]: *** [/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam/sm_test.o] Error 1

Makefile:1360: recipe for target '_module_/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam' failed

make[1]: *** [_module_/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam] Error 2

make[1]: Leaving directory '/home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0'

Makefile:13: recipe for target 'all' failed

make: *** [all] Error 2

fmajeric@fmajeric-VirtualBox:~/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0/drivers/crypto/caam$

Also I tried to compile “tcrypt.c” with this Makefile:

#

# Makefile for Freescale iMX6solo modules

#

export ARCH=arm

export CROSS_COMPILE=/home/fmajeric/Bureau/Board/Riotboard/Sources/fsl-linaro-toolchain-master/bin/arm-fsl-linux-gnueabi-

#

obj-m := tcrypt.o

KDIR := /home/fmajeric/Bureau/Board/Riotboard/Sources/linux-imx/linux-imx-embest_imx_3.0.35_4.0.0

PWD := $(shell pwd)

all:

$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:

$(MAKE) -C $(KDIR) M=$(PWD) clean

And it succeed.

I copy the file “tcrypt.ko” on my board.

Try a insmod and I have this error :

root@linaro-ubuntu-desktop:/home/linaro/Dev# ls

tcrypt.ko

root@linaro-ubuntu-desktop:/home/linaro/Dev# lsmod

Module Size Used by

vivante 943 1

drm 137754 2 vivante

root@linaro-ubuntu-desktop:/home/linaro/Dev# insmod tcrypt.ko

alg: hash: Failed to load transform for md4: -2

alg: skcipher: Failed to load transform for ecb(blowfish): -2

alg: skcipher: Failed to load transform for cbc(blowfish): -2

alg: skcipher: Failed to load transform for ecb(twofish): -2

alg: skcipher: Failed to load transform for cbc(twofish): -2

alg: skcipher: Failed to load transform for ecb(serpent): -2

alg: hash: Failed to load transform for sha384: -2

alg: hash: Failed to load transform for sha512: -2

alg: skcipher: Failed to load transform for ecb(cast5): -2

alg: skcipher: Failed to load transform for ecb(cast6): -2

alg: hash: Failed to load transform for crc32c: -2

alg: skcipher: Failed to load transform for ecb(tea): -2

alg: skcipher: Failed to load transform for ecb(xtea): -2

alg: skcipher: Failed to load transform for ecb(khazad): -2

alg: hash: Failed to load transform for wp512: -2

alg: hash: Failed to load transform for wp384: -2

alg: hash: Failed to load transform for wp256: -2

alg: skcipher: Failed to load transform for ecb(tnepres): -2

alg: skcipher: Failed to load transform for ecb(anubis): -2

alg: skcipher: Failed to load transform for cbc(anubis): -2

alg: hash: Failed to load transform for tgr192: -2

alg: hash: Failed to load transform for tgr160: -2

alg: hash: Failed to load transform for tgr128: -2

alg: skcipher: Failed to load transform for ecb(xeta): -2

alg: skcipher: Failed to load transform for pcbc(fcrypt): -2

alg: skcipher: Failed to load transform for ecb(camellia): -2

alg: skcipher: Failed to load transform for cbc(camellia): -2

alg: skcipher: Failed to load transform for salsa20: -2

alg: hash: Failed to load transform for rmd128: -2

alg: hash: Failed to load transform for rmd160: -2

alg: hash: Failed to load transform for rmd256: -2

alg: hash: Failed to load transform for rmd320: -2

alg: skcipher: Failed to load transform for ecb(seed): -2

alg: pcomp: Failed to load transform for zlib: -2

alg: hash: Failed to load transform for hmac(sha384): -2

alg: hash: Failed to load transform for hmac(sha512): -2

alg: hash: Failed to load transform for xcbc(aes): -2

alg: hash: Failed to load transform for hmac(rmd128): -2

alg: hash: Failed to load transform for hmac(rmd160): -2

alg: hash: Failed to load transform for vmac(aes): -2

alg: cprng: Failed to load transform for ansi_cprng: -2

tcrypt: one or more tests failed!

insmod: error inserting 'tcrypt.ko': -1 Attempting to link in too many shared libraries

Moreover during the u-boot session I’ve set “caam” in bootargs.

So I don’t understand what is wrong.

I think the problem is my kernel version... (3.0.35_4.0.0)

Please have you some U-boot/Linux sources running with "tcrypt.ko" and "sm_test.ko" on my RIoTboard ?

Best regards,

Fabien.

Yuri · ‎04-21-2015

it makes sense to port to recent Freescale BSP(s), which supports the CryptoDev interface :

"Using the Freescale CryptoDev security driver causes the system to run much faster than without it.
The CAAM drivers are accelerated through the CryptoDev interface. The openssl command can be used
to show the system speed without [and with - Yuri] CryptoDev".

Regards,

Yuri.

fmajeric · ‎04-21-2015

haha :smileylaugh:

I've made better, I changed the board !

I've invested into a Sabre-SD with an iMX6soloX embeded.

Thanks this Freescale board, I can use all Freescale tools (SDK, updated BSP, patches, etc...)

RIoTboard is usefull for some multimedia application but for specific hardware purpose, it's better to use manufacturer tools with adapted support.

Thank you for all you help.

Regards,

Fabien.

fmajeric · ‎02-25-2015

Thank you Yuri.

I'm in travel for the moment but I'll try it as soon as I'm back.

See you,

Fabien.

KursadOney · ‎02-24-2015

Either caam=1 or just caam should work. Just "caam" is the more proper way though.

Why would you want to use caam without /dev/crypto or AF_ALG? I don't think there is another way. caam is a lower layer than linux's crypto API so it doesn't expose any interface directly to the user space.

See the AF_ALG example in the link I posted for a full example.

fmajeric · ‎03-02-2015

Hi Kursad,

thank you for your answer.

I've ever try to use the CAAM with AF_ALG through OPENSSL.

I succeed but the problem is OPENSSL is a software layer more between hardware CAAM and my C program.

Below Yuri Muhin given me a solution. I will try it.

Have a nice day.

Fabien.

iMX6 (CAAM, TrustZone) Hardware Security Blocks Use.

iMX6 (CAAM, TrustZone) Hardware Security Blocks Use.

i.MX6_All