<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: imx93 dm-crypt options in i.MX Processors</title>
    <link>https://community.nxp.com/t5/i-MX-Processors/imx93-dm-crypt-options/m-p/2178075#M241052</link>
    <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Please refer to our latest BSP release: 6.12.34_2.1.0 to see if there are any issues. First, the salt is encapsulated in a trusted blob. Second, the key is exported from the ELE to OCRAM with the salt, and is only used within the TEE.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Regards&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Harvey&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 30 Sep 2025 09:28:35 GMT</pubDate>
    <dc:creator>Harvey021</dc:creator>
    <dc:date>2025-09-30T09:28:35Z</dc:date>
    <item>
      <title>imx93 dm-crypt options</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/imx93-dm-crypt-options/m-p/2175753#M240944</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We are setting up dm-crypt on imx93 and have been having stability issues with the cbc-aes-tee driver, which we still hope NXP are looking at.&lt;/P&gt;&lt;P&gt;When looking at the keytypes and encryption algorithms, I tried understanding the different options. As I understand it:&lt;/P&gt;&lt;P&gt;1. Using user key and cbc-aes-ce. Key is completely unprotected and available in plain text in user space. Encryption is handled in kernel. Not a viable option.&lt;/P&gt;&lt;P&gt;2. Using TEE-backed trusted key and cbc-aes-ce. Key is protected and only available encrypted in user space. Key is unsealed in kernel by calling OP-TEE. Encryption is handled in kernel. Key is open to DRAM bus sniffing and kernel attacks.&lt;/P&gt;&lt;P&gt;3. Using user key and cbc-aes-tee. Key in keyring is completely unprotected and available in plain text in user space. However, this key is only used as a salt for the actual key derived in OP-TEE so it does not matter(?). Derived key is only ever stored in OCRAM. Encryption is handled in OP-TEE.&lt;/P&gt;&lt;P&gt;4. Using TEE-backed trusted key and cbc-aes-tee. Key is protected and only available encrypted in user space. Key is unsealed in kernel by calling OP-TEE. However, this key is still only used as a salt for the actual key derived in OP-TEE so now it is unnecessarily protected in keyring as well(?). Derived key is only ever stored in OCRAM. Encryption is handled in OP-TEE.&lt;/P&gt;&lt;P&gt;In Rev. LF6.12.3_1.0.0 of Linux User Guide a user key is used, and in Rev. LF6.12.20_2.0.0 a trusted key is used (chapter 10.5.5), that's why I started thinking about the difference. Is my understanding of the options listed above correct?&lt;/P&gt;&lt;P&gt;Thinking about the security implications of option 2 versus 3 or 4, it seems the main difference is that the key might be open to DRAM sniffing attacks or kernel attacks?
The on-disk storage of the key is still encrypted and secure?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 25 Sep 2025 10:53:57 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/imx93-dm-crypt-options/m-p/2175753#M240944</guid>
      <dc:creator>electro1</dc:creator>
      <dc:date>2025-09-25T10:53:57Z</dc:date>
    </item>
    <item>
      <title>Re: imx93 dm-crypt options</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/imx93-dm-crypt-options/m-p/2178075#M241052</link>
      <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Please refer to our latest BSP release: 6.12.34_2.1.0 to see if there are any issues. First, the salt is encapsulated in a trusted blob. Second, the key is exported from the ELE to OCRAM with the salt, and is only used within the TEE.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Regards&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Harvey&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Sep 2025 09:28:35 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/imx93-dm-crypt-options/m-p/2178075#M241052</guid>
      <dc:creator>Harvey021</dc:creator>
      <dc:date>2025-09-30T09:28:35Z</dc:date>
    </item>
  </channel>
</rss>

