Using CAAM for blob decapsulation in Linux (ls1012a)

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

Using CAAM for blob decapsulation in Linux (ls1012a)

1,490件の閲覧回数
joe_nunes
Contributor I

I'm trying to use the CAAM on an ls1012a for blob decapsulation.  I have the secure boot setup and working, including the OTPMK and SRK fuses burned.  In U-boot I'm able to blob encap and blob decap.  Using the caam_jr module I'm able to encap and decap successfully from Linux.

The problem is that for some reason I can't decap blobs in Linux that were encapsulated in U-boot and vice versa.  I used U-boot as a reference to build the job descriptor in Linux-land and I have verified that it is identical, except the pointer addresses to the DMA memory locations of the actual blob data, key modifier and output buffer.

I'm getting a CAAM jobring error of 0x20000c1a, which looks like an ICV check failure, but the same blob decapsulates just fine in U-boot, so I'm not sure what is different about it.  Is there anything I can look into to find out why I'm getting this error?

Thanks!

0 件の賞賛
返信
2 返答(返信)

825件の閲覧回数
bschaefer
Contributor I

@joe_nunes Hello joe, do you happen to be able to share some details on how you used caam_jr to perform blob encap / decap? We are running linux kernel version 4.19, and any of the support in kernel or userspace doesn't seem easily portable (either solutions depend on newer kernel versions that support tagged keys, or i.MX specific solutions using SNVS).


0 件の賞賛
返信

1,365件の閲覧回数
joe_nunes
Contributor I

I found the answer to my problem, which I'll document here in case anyone else runs into the same thing.

The background is that with the kernel module I'm using I had to byte swap the job descriptor commands (which I'd already figured out), but it turns out I needed to 4-byte byteswap the key modifier as well.  The blob itself did not need to be byteswapped.

Since the key modifier was being byteswapped (and as a result didn't match what the other environment had) it makes perfect sense that it was failing the ICV check.

It was the inconsistency in byteswapping one input, but not the other, that had me tripped up.  As of now I'm able to encapsulate and decapsulate across U-boot and Linux.

Cheers!

0 件の賞賛
返信