I am trying to use keyctl-caam to create an encrypted partition using CAAM tagged keys on an LS1012A in trusted boot Yocto Linux.
I am following the basic steps found in:
https://github.com/nxp-imx/keyctl_caam
The caam tk crypto drivers appear to exist:
$ cat /proc/crypto | grep caam | grep tk
driver : tk-ecb-aes-caam
driver : tk-cbc-aes-caam
The crypt driver also appears to exist:
$ dmsetup targets
multipath v1.14.0
crypt v1.24.0
striped v1.6.0
linear v1.4.0
error v1.5.0
caam-keygen also appears in dmesg:
[ 1.919481] caam algorithms registered in /proc/crypto
[ 1.925056] caam 1700000.crypto: caam pkc algorithms registered in /proc/crypto
[ 1.932443] caam 1700000.crypto: rng crypto API alg registered prng-caam
[ 1.939197] caam 1700000.crypto: registering rng-caam
[ 1.944753] Device caam-keygen registered
Here is what I get:
$ keyctl new_session
985998483
$ caam-keygen create randomkey ecb -s 16
$ cat /data/caam/randomkey | keyctl padd logon logkey: @s
448794338
$ keyctl list @s
1 key in keyring:
448794338: --alsw-v 0 0 logon: logkey:
$ losetup /dev/loop0 encrypted.img
[ 51.020105] loop0: detected capacity change from 0 to 65536
$ dmsetup -v create encrypted --table "0 65536 crypt capi:tk(cbc(aes))-plain :32:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
[ 68.772780] device-mapper: table: 253:0: crypt: Error decoding and setting key (-EINVAL)
[ 68.781011] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on encrypted (253:0) failed: Invalid argument
Is there something I am missing? Is this supposed to work on an LS1012A in trusted mode (0xD)?
1. Can I know which SDK you are using?
2. Do you enable secure boot in LS1012a?
1. I am using Yocto Project Poky 4.2.2 with Linux Kernel version 6.1.36, secure-boot-qoriq from meta-qoriq 1.0 and keyctl-caam from 6b80882e3d at git://github.com/nxp-imx/keyctl_caam.git.
2. I followed the instructions from NXP AN5281. The chip is booting Linux with secure boot with SSM_STATE Trusted.
$ devmem2 0x1e90014
/dev/mem opened.
Memory mapped at address 0xffffba085000.
Read at address 0x01E90014 (0xffffba085014): 0x00AD0080
This looks like the SSM_STATE is in '0xD', Trusted mode. Does the CAAM need SSM_STATE to be '0xF'?
I just got confirmation from the AE team.
keyctl_caam/ caam_keygen is for i.Mx platforms only.
LS platforms don't support keyctl_caam.
Is there another way to use the tk-ecb-aes-caam and tk-cbc-aes-caam drivers on the LS platform?
The drivers seem to be loading:
$ cat /proc/crypto | grep tk
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
name : tk(cbc(aes))
driver : tk-cbc-aes-caam
Or are these just not expected to work/broken on the LS platform?
Ask the customer to check the secret key length generated by caam-keygen:
root@localhost:~# ls /data/caam/ -l
total 8
-rw-r--r-- 1 root root 36 Jul 21 19:03 randomkey
-rw-r--r-- 1 root root 96 Jul 21 19:03 randomkey.bb
root@localhost:~#
Let the customer try the command below with logkey length "36":
dmsetup -v create encrypted --table "0 65536 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
The key looks like it gets added but isn't usable by device mapper. I tried with both 32 and 36 length keys with the same result.
Result on command line:
device-mapper: reload ioctl on encrypted (252:0) failed: Invalid argument
In dmesg:
device-mapper: table: 252:0: crypt: Error decoding and setting key (-EINVAL)
device-mapper: ioctl: error adding target to table
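The two size fields in the dmsetup table above (the sector count and the :N: key length in the capi: key spec) are easy to get wrong by hand; as an added helper that is not part of this thread or of the keyctl_caam project, the script below derives both from the key file and the image file so the key length passed to dm-crypt always equals the size of the blob loaded with "keyctl padd logon". It assumes the key file is the caam-keygen output (e.g. /data/caam/randomkey), the image is the one attached with losetup, and the key description is the one given to keyctl (including the trailing colon).

```shell
#!/bin/sh
# Added helper, not from the original thread. Builds the dm-crypt table line
# for "dmsetup create <name> --table ..." with sizes taken from the files
# rather than typed by hand.

# Size of a file in bytes (tr strips the padding some wc builds emit).
file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Number of 512-byte sectors in an image file, rounded down.
image_sectors() {
    echo $(( $(file_bytes "$1") / 512 ))
}

# Build the table line.
#   $1 key file as written by caam-keygen (assumed path)
#   $2 key description used with "keyctl padd logon", e.g. "logkey:"
#   $3 backing image file (assumed path)
#   $4 loop device the image is attached to, e.g. /dev/loop0
# The :N: field of the capi: spec is the byte length of the key payload in
# the keyring, i.e. the whole tagged blob, not just the raw AES key length.
crypt_table() {
    keylen=$(file_bytes "$1")
    sectors=$(image_sectors "$3")
    printf '0 %s crypt capi:tk(cbc(aes))-plain :%s:logon:%s 0 %s 0 1 sector_size:512\n' \
        "$sectors" "$keylen" "$2" "$4"
}

# Example invocation with the paths from the thread:
#   dmsetup -v create encrypted --table "$(crypt_table /data/caam/randomkey logkey: encrypted.img /dev/loop0)"
```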
Discussing with the SE team.