Linux with CAAM tagged keys on LS1012A


jkg0123
Contributor II

I am trying to use keyctl-caam to create an encrypted partition using CAAM tagged keys on an LS1012A in trusted boot Yocto Linux.

I am following the basic steps found in:
https://github.com/nxp-imx/keyctl_caam

The caam tk crypto drivers appear to exist:

$ cat /proc/crypto | grep caam | grep tk
driver : tk-ecb-aes-caam
driver : tk-cbc-aes-caam

The crypt driver also appears to exist:

$ dmsetup targets
multipath v1.14.0
crypt v1.24.0
striped v1.6.0
linear v1.4.0
error v1.5.0

caam-keygen also appears in dmesg:

[ 1.919481] caam algorithms registered in /proc/crypto
[ 1.925056] caam 1700000.crypto: caam pkc algorithms registered in /proc/crypto
[ 1.932443] caam 1700000.crypto: rng crypto API alg registered prng-caam
[ 1.939197] caam 1700000.crypto: registering rng-caam
[ 1.944753] Device caam-keygen registered

Here is what I get:

$ keyctl new_session
985998483
$ caam-keygen create randomkey ecb -s 16
$ cat /data/caam/randomkey | keyctl padd logon logkey: @s
448794338
$ keyctl list @s
1 key in keyring:
448794338: --alsw-v 0 0 logon: logkey:
$ losetup /dev/loop0 encrypted.img
[ 51.020105] loop0: detected capacity change from 0 to 65536
$ dmsetup -v create encrypted --table "0 65536 crypt capi:tk(cbc(aes))-plain :32:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
[ 68.772780] device-mapper: table: 253:0: crypt: Error decoding and setting key (-EINVAL)
[ 68.781011] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on encrypted (253:0) failed: Invalid argument

Is there something I am missing? Is this supposed to work on an LS1012A in trusted mode (0xD)?

7 Replies
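The table line in the post above packs the key reference as ":<key_size>:logon:<description>", and dm-crypt rejects the table with -EINVAL when that key_size does not equal the byte length of the payload that was loaded into the keyring, or when the "capi:" cipher name is not registered. The following helper is an added example written for this page; it is not code from the thread or from NXP's keyctl_caam project. It assumes (my assumption, not stated in the thread) that the logon key payload is exactly the contents of the caam-keygen output file, so that file's byte count is the value to use for key_size. The 36-byte key file it creates is a constructed stand-in for /data/caam/randomkey.

```shell
#!/bin/sh
# Added example (not from the thread or from NXP keyctl_caam): build the
# dm-crypt "capi:" table line for a kernel-keyring logon key and check the
# two usual causes of "Error decoding and setting key (-EINVAL)":
#   1. key_size in the table != byte length of the keyring payload
#   2. the Crypto API cipher name is not present in /proc/crypto
# Assumption (mine): the payload given to `keyctl padd logon` is the raw
# contents of the caam-keygen output file, so its byte count is key_size.

# Print a whole-device dm-crypt table line over a Crypto API cipher spec.
#   $1 = device length in 512-byte sectors
#   $2 = key_size in bytes (length of the keyring payload)
#   $3 = keyring key description, e.g. "logkey:"
#   $4 = backing block device
#   $5 = cipher spec, default "tk(cbc(aes))-plain"
dm_capi_table() {
    sectors=$1 keylen=$2 keydesc=$3 dev=$4 spec=${5:-"tk(cbc(aes))-plain"}
    printf '0 %s crypt capi:%s :%s:logon:%s 0 %s 0 1 sector_size:512\n' \
        "$sectors" "$spec" "$keylen" "$keydesc" "$dev"
}

# Byte length of a key file: the number to put in key_size, not a guess.
key_file_len() {
    wc -c < "$1" | tr -d ' \t'
}

# Return 0 if a Crypto API name such as "tk(cbc(aes))" appears on a
# "name : ..." line of /proc/crypto, 1 otherwise (or if /proc/crypto is absent).
capi_cipher_registered() {
    [ -r /proc/crypto ] || return 1
    grep -q "^name[[:space:]]*:[[:space:]]*$1\$" /proc/crypto
}

# Compare the key_size field of a table line with the key file it refers to.
#   $1 = table line, $2 = key file.  Returns 0 only when they agree.
check_key_size() {
    want=$(key_file_len "$2")
    have=$(printf '%s\n' "$1" | sed -n 's/.* :\([0-9][0-9]*\):logon:.*/\1/p')
    if [ "$have" = "$want" ]; then
        echo "key_size $have matches $2 ($want bytes)"
        return 0
    fi
    echo "key_size $have does not match $2 ($want bytes)" >&2
    return 1
}

# Stand-alone demo: a constructed 36-byte file stands in for the caam-keygen
# output (random bytes here; on the target use /data/caam/<keyname>).
demo() {
    tmp=$(mktemp)
    dd if=/dev/urandom of="$tmp" bs=1 count=36 2>/dev/null
    table=$(dm_capi_table 65536 "$(key_file_len "$tmp")" logkey: /dev/loop0)
    echo "$table"
    check_key_size "$table" "$tmp"
    # A table written with key_size 32 against a 36-byte payload is the mismatch case.
    check_key_size "$(dm_capi_table 65536 32 logkey: /dev/loop0)" "$tmp" || true
    if capi_cipher_registered "tk(cbc(aes))"; then
        echo "tk(cbc(aes)) is registered in /proc/crypto"
    else
        echo "tk(cbc(aes)) is not registered on this host"
    fi
    rm -f "$tmp"
}
demo
```

On the target, run the checks before `dmsetup create`: generate the table with `dm_capi_table 65536 "$(key_file_len /data/caam/randomkey)" logkey: /dev/loop0`, confirm `check_key_size` and `capi_cipher_registered "tk(cbc(aes))"` both succeed, and only then pass the line to `dmsetup -v create encrypted --table "..."`. A mismatch or a missing cipher name is worth ruling out before concluding the platform itself does not support the tagged-key path.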

yipingwang
NXP TechSupport

1. Can I know which SDK you are using?
2. Do you enable secure boot in LS1012a?


jkg0123
Contributor II

1. I am using Yocto Project Poky 4.2.2 with Linux Kernel version 6.1.36, secure-boot-qoriq from meta-qoriq 1.0 and keyctl-caam from 6b80882e3d at git://github.com/nxp-imx/keyctl_caam.git.

2. I followed the instructions from NXP AN5281. The chip is booting Linux with secure boot with SSM_STATE Trusted.

$ devmem2 0x1e90014
/dev/mem opened.
Memory mapped at address 0xffffba085000.
Read at address 0x01E90014 (0xffffba085014): 0x00AD0080

This looks like the SSM_STATE is in '0xD', Trusted mode. Does the CAAM need SSM_STATE to be '0xF'?


yipingwang
NXP TechSupport

I just got confirmation from the AE team.

keyctl_caam / caam_keygen is for i.MX platforms only.

LS platforms don't support keyctl_caam.


jkg0123
Contributor II

Is there another way to use the tk-ecb-aes-caam and tk-cbc-aes-caam drivers on the LS platform?

The drivers seem to be loading:

$ cat /proc/crypto | grep tk
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
name : tk(cbc(aes))
driver : tk-cbc-aes-caam

Or are these just not expected to work/broken on the LS platform?



yipingwang
NXP TechSupport

Ask the customer to check the secret key length generated by caam-keygen:
root@localhost:~# ls /data/caam/ -l
total 8
-rw-r--r-- 1 root root 36 Jul 21 19:03 randomkey
-rw-r--r-- 1 root root 96 Jul 21 19:03 randomkey.bb
root@localhost:~#

Let the customer try the command below with logkey length "36":
dmsetup -v create encrypted --table "0 65536 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"


jkg0123
Contributor II

The key looks like it gets added but isn't usable by device mapper. I tried with both 32 and 36 length keys with the same result.

Result on command line:

device-mapper: reload ioctl on encrypted (252:0) failed: Invalid argument

In dmesg:

device-mapper: table: 252:0: crypt: Error decoding and setting key (-EINVAL)
device-mapper: ioctl: error adding target to table



yipingwang
NXP TechSupport

Discussing with the SE team.
