i.MX ProcessorsのトピックRe: Trusty RPMB Key question

Trusty RPMB Key question

zhongyue_li — Wed, 03 Apr 2019 10:16:17 GMT

Dear NXP engineers,

I am from China Hirain company, now i am working on security features on IMX8 with android auto P OS.

I am trying to check RPMB key in trusty trustzone OS, however, it is failed in geting kbox via API "caam_get_keybox()".

struct keyslot_package* kbox = caam_get_keybox();    if (strncmp(kbox->magic, KEYPACK_MAGIC, 4)) {
       TLOGE("Invalid magic\n");
 return;
     }

the kbox->magic is null, so rpmb_keyblob cannot be get from caam keybox.

could you help check the reason why the kbox-> magic is null?
it seems there is something wrong with caam features on IMX8 android auto chipset.

However, i still want to know the common RPMB key concept on IMX7 or earlier chipset with CAAM featus.
for example, how is the RPMB key stored in the CAAM Keybox?

Re: Trusty RPMB Key question

b36401 — Thu, 04 Apr 2019 05:06:57 GMT

Actually i.MX8 series is not launched yet and are not supported by our team (web support).

Sorry for the inconvenience.

Re: Trusty RPMB Key question

zhongyue_li — Thu, 04 Apr 2019 07:43:27 GMT

Dear Victor,

Thanks for your reply.

I know you cannot give us support on I.MX8 series.

However, our company already make a NDA with nxp,

we need check the security architecture in advance, and to design the android security as well in advance.

So could you give me some support for I.MX common concept?

Could you tell me which part will store the RPMB secure key to CAAM Secure RAM KeyBox?

Thanks a lot.

Re: Trusty RPMB Key question

chenguoyin — Tue, 09 Apr 2019 07:58:47 GMT

You need to fuse the RPMB key to your emmc with fastboot cmds. You can find the instructions to do that in our release user guide. Once you have fused, you cannot change it. So be careful to do that

Two ways are provided to set the RPMB key.

Manually specify a 256-bit key and program it

Firstly, a file contains the key need to be generated. In the default key file “rpmb_key_test.bin”, all 256 bits are zero. It can be generated with below commands:

$ touch rpmb_key.bin

$ echo –n “RPMB” > rpmb_key.bin

$ echo –n -e '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' >> rpmb_key.bin

The '\xHH' means eight-bit character whose value is the hexadecimal value 'HH'. You can replace above "00" with the key you want to set.

Then, program the key with the file just generated

Make the board enter fastboot mode, then execute below commands on host side:

$ fastboot stage rpmb_key.bin

$ fastboot oem set-rpmb-key

Program a random key

Make the board enter fastboot mode, execute below commands on host side:
$ fastboot oem set-rpmb-random-key

After RPMB key programed with either of the two ways, reboot the board, the RPMB service in Trusty OS will be initialized successfully.

The preceding two ways will program the key to eMMC fuse, a key blob will be generated base on the key value and the blob will be saved for TEE to use. In default condition, this key blob is saved in the 16383rd block of BOOT1 partition in eMMC for i.MX8QuadMax and i.MX8QuadXPlus. The BOOT1 partition size of eMMC on i.MX8QuadMax and i.MX8QuadXPlus is 8MB, we can find that the key blob is in the last block in BOOT1 partition. To prevent key blob from been tampered when the system is running, BOO1 partition will be set with power-on write protection when the board boot up.