- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- QorIQ处理平台
- :
- Layerscape
- :
- Re: Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB
Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB
Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB
4 周之前
357 次查看
figure-it-out
Contributor II
Overview
I am attempting to offload RSA operations to the integrated CAAM (Security Engine 5.4) on an LS1046ARDB platform. While symmetric hardware acceleration is functional, I am unable to access asymmetric (RSA) capabilities from user-space via OpenSSL.
System Environment
Hardware: LS1046ARDB (LS1046A Quad-core ARM Cortex-A72).
Software: Custom Linux based on LSDK 25.06 (Kernel 5.x/6.x).
Interface Goal: OpenSSL 3.x using the AF_ALG interface (avoiding DPDK and legacy cryptodev-linux).
Current Progress & Verification
The kernel appears to recognize the PKC (Public Key Cryptography) unit, as shown in dmesg:
caam 1700000.crypto: caam pkc algorithms registered in /proc/crypto driver : rsa-caam is present in /proc/crypto
The Roadblocks
1. Kernel Configuration (Kconfig) Issues
I am unable to enable CONFIG_CRYPTO_USER_API_AKCIPHER=y.
It does not appear in menuconfig.
Manual entry in .config is overwritten during the build process.
Requirement: What are the exact hidden dependencies (selects/depends on) required to expose the Asymmetric Key Cipher User API?
2. Driver & Hardware Specifics
Is CONFIG_CRYPTO_DEV_FSL_CAAM_PKC the definitive driver for LS1046A RSA offloading, and are there known regressions in recent LSDK versions for this SoC?
Are there mandatory Device Tree (DTS) nodes or properties required for the PKC unit specifically, beyond the standard CAAM and Job Ring nodes?
3. OpenSSL 3.x Integration
How should OpenSSL 3.x be configured to utilize rsa-caam via AF_ALG?
I am looking for a working openssl.conf snippet or initialization steps that bridge the OpenSSL Provider/Engine to the CAAM asymmetric backend without relying on the DPDK stack.
Summary of Questions
Which Kconfig symbols must be enabled to make CONFIG_CRYPTO_USER_API_AKCIPHER selectable?
Are there specific DTS requirements for the CAAM PKC module on the LS1046A?
What is the recommended path for OpenSSL 3.x to consume rsa-caam (AF_ALG vs. a specific NXP Provider)?
LSDK version 25.06
2 回复数
1 周之前
157 次查看
yipingwang
NXP TechSupport
I just got confirmation from the AE team.
Currently Linux kennel doesn't support asymmetric API via AF_ALG.
https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
The kernel crypto API is accessible from user space. Currently, the following ciphers are accessible:
Message digest including keyed message digest (HMAC, CMAC)
Symmetric ciphers
AEAD ciphers
Random Number Generators
1 周之前
152 次查看
figure-it-out
Contributor II
Thanks for the confirmation regarding AF_ALG. Since the kernel's akcipher interface is currently restricted, I am looking for the officially recommended alternative to offload RSA to the rsa-caam driver.
cryptodev-linux: Is the /dev/crypto interface via cryptodev-linux still the standard path for RSA offloading in LSDK 25.06?
OpenSSL Provider/Engine: Does NXP provide a native OpenSSL 3.x Provider for LS1046A that communicates with the CAAM Job Rings directly (bypassing AF_ALG)?
Performance: If using cryptodev, are there known bottlenecks compared to a direct engine implementation?
My goal is to achieve RSA-2048/4096 offloading from user-space OpenSSL by any supported means.
