i.MX ProcessorsのトピックRe: Device Mapper using CAAM

Device Mapper using CAAM

P3r3gr1nus — Tue, 25 Feb 2025 16:47:23 GMT

Hello, I am trying to implement device mapper using CAAM.
After configured the kernel adding all the required config options (AN12714 appendix A) and build it with the required tools (CORE_IMAGE_EXTRA_INSTALL+="coreutils keyutils lvm2 e2fsprogs-mke2fs util-linux"), I followed the Usage section (3.2) of the AN12714.

In /proc/crypto I have the tagged key registered:

name : tk(cbc(aes)) driver : tk-cbc-aes-caam module : kernel priority : 3000 refcnt : 1 selftest : passed internal : no type : skcipher async : yes blocksize : 16 min keysize : 36 max keysize : 164 ivsize : 16 chunksize : 16 walksize : 16

"dmsetup targets" returns:

crypt v1.24.0
multipath v1.14.0
striped v1.6.0
linear v1.4.0
error v1.5.0

I also added the logon key into the keyring but when I try to create a new device mapper:

dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"

I get the "Error decoding and setting key" error:

[18500.454877] device-mapper: table: 252:0: crypt: Error decoding and setting key (-EINVAL)
[18500.463005] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on encrypted (252:0) failed: Invalid argument
Command failed.

If I register don't use the tk-cbc-aes key everything works:

dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/loop0 0"

Re: Device Mapper using CAAM

ddresser — Tue, 25 Feb 2025 22:23:33 GMT

I found this section useful on this page:

10.5.3 DM-Crypt using CAAM backed keys

https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

Re: Device Mapper using CAAM

Harvey021 — Wed, 26 Feb 2025 02:49:42 GMT

Hello,

That is correct to follow up the Linux User Guide. The AN12714 is old and actually should be deprecated.

Regards

Harvey

Re: Device Mapper using CAAM

P3r3gr1nus — Wed, 26 Feb 2025 15:51:42 GMT

Following the IMX User Guide addressed by ddresser , I found that the encryption with the red key works but in order to use the black key sotred in the keyring you need to have the secure boot as stated here:

10.5.3.1 DM-Crypt with Trusted keys backed by CAAM
The key de-capsulated from Red-Blob is different for different CAAM states:
• If System is booted in secure boot with Chain-of-trust established, CAAM state is secure state.
• If system is booted in non-secure (or compromised) state, CAAM state is non-secure state.
Note:
Data that was written in secure state using the trusted key, is not read back from non-trusted or compromised
system.

This is the reason of the error message.