https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1637035#M204508 <P>Thank you for explanation.&nbsp;</P> Thu, 20 Apr 2023 08:36:51 GMT JiriCh 2023-04-20T08:36:51Z https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1636214#M204444 <P>Hello,</P><P>I am using i.MX8MP processor with eMMC for persistent storage. I want to use secure boot (HAB) and create encrypted storage on eMMC using CAAM secure keys. eMMC is partitioned. I use one partition to store keys generated by caam-keygen and other partition (/dev/mmcblk2p7) is for the encrypted storage. I first created the encrypted storage on partition /dev/mmcblk2p7 using the steps descripted in AN12714. It works fine. I created a script that is called by Linux on my behalf at boot. The script imports key from blob, add it to the key retention service and mount the file system at /fsencrypted.</P><P>However, when I enabled HAB,&nbsp; I got the following errors at Linux boot.&nbsp;</P><LI-CODE lang="c">&lt;13&gt;Jan 1 00:00:00 rc: Mounting enrypted storage on /dev/mmcblk2p7 [ 7.771096] caam_jr 30903000.jr: Failed to execute blob decap descriptor [ 7.779322] caam_jr 30903000.jr: Blob decapsulation failed: -74 &lt;13&gt;Jan 1 00:00:00 rc: &lt;13&gt;Jan 1 00:00:00 rc: CAAM keygen usage: caam-keygen [options] &lt;13&gt;Jan 1 00:00:00 rc: Options: &lt;13&gt;Jan 1 00:00:00 rc: create &lt;key_name&gt; &lt;key_enc&gt; &lt;key_mode&gt; &lt;key_val&gt; &lt;text_type&gt; &lt;13&gt;Jan 1 00:00:00 rc: &lt;key_name&gt; the name of the file that will contain the black key. &lt;13&gt;Jan 1 00:00:00 rc: A file with the same name, but with .bb extension, will contain the black blob. &lt;13&gt;Jan 1 00:00:00 rc: &lt;key_enc&gt; can be ecb or ccm &lt;13&gt;Jan 1 00:00:00 rc: &lt;key_mode&gt; can be -s or -t. &lt;13&gt;Jan 1 00:00:00 rc: -s generate a black key from random with the size given in the next argument &lt;13&gt;Jan 1 00:00:00 rc: -t generate a black key from a plaintext given in the next argument &lt;13&gt;Jan 1 00:00:00 rc: &lt;key_val&gt; the size or the plaintext based on the previous argument (&lt;key_mode&gt;) &lt;13&gt;Jan 1 00:00:00 rc: &lt;text_type&gt; can be -h or -p (default argument is -p) &lt;13&gt;Jan 1 00:00:00 rc: -h generate a black key from the hex text that is provided in previous argument &lt;13&gt;Jan 1 00:00:00 rc: -p generate a black key from the plain text that is provided in previous argument &lt;13&gt;Jan 1 00:00:00 rc: import &lt;blob_name&gt; &lt;key_name&gt; &lt;13&gt;Jan 1 00:00:00 rc: &lt;blob_name&gt; the absolute path of the file that contains the blob &lt;13&gt;Jan 1 00:00:00 rc: &lt;key_name&gt; the name of the file that will contain the black key. [ 7.915905] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672 [ 7.924042] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204673 [ 7.932172] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204674 [ 7.940292] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204675 [ 7.948466] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204676 [ 7.956639] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204677 [ 7.964793] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204678 [ 7.972971] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204679 [ 7.982432] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672 [ 7.990562] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204673 [ 7.998853] Buffer I/O error on dev dm-0, logical block 25584, async page read [ 8.026440] EXT4-fs (dm-0): unable to read superblock &lt;13&gt;Jan 1 00:00:00 rc: mount: /fsencrypted: can't read superblock on /dev/mapper/encrypted. &lt;13&gt;Jan 1 00:00:00 rc: error: exit code 32</LI-CODE><P>&nbsp;</P><P>I figured out that I have to re-create the encrypted storage again (steps from AN12714) to get it working. However that removes my data stored on the partition.&nbsp;</P><P>To avoid these issues, seems I first have to enable HAB and then create encrypted storage.&nbsp;</P><P>My question is WHY? What happens with encrypted storage when I enable HAB? Do I do something wrong?</P><P>Thank you,</P><P>Jiri</P> Wed, 19 Apr 2023 11:29:44 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1636214#M204444 JiriCh 2023-04-19T11:29:44Z https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1636896#M204493 <DIV><DIV><SPAN>It's quite likely due to the fact that CAAM uses a "test key" while in open configuration (ie. before you close the device for fully enabling High Assurance Boot).</SPAN></DIV><BR /><DIV><SPAN>Once you close the device CAAM starts using the "real key" (ie. the OTPMK, a one time programmable master key, which is unique to each chip) and thus: anything encrypted with the test key becomes inaccessible.</SPAN></DIV><BR /><DIV><SPAN>See: <A href="https://community.nxp.com/t5/i-MX-Processors/i-MX-device-specific-black-key-blob/m-p/1380868/highlight/true#M183901" target="_blank">https://community.nxp.com/t5/i-MX-Processors/i-MX-device-specific-black-key-blob/m-p/1380868/highlight/true#M183901</A></SPAN></DIV></DIV> Thu, 20 Apr 2023 05:13:26 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1636896#M204493 jrantanen 2023-04-20T05:13:26Z https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1637035#M204508 <P>Thank you for explanation.&nbsp;</P> Thu, 20 Apr 2023 08:36:51 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX8MP-HAB-encrypted-storage-using-CAAM/m-p/1637035#M204508 JiriCh 2023-04-20T08:36:51Z