I'm trying to use the CAAM on an LS1012A for blob decapsulation. I have secure boot set up and working, including the OTPMK and SRK fuses burned. In U-Boot I'm able to blob encap and blob decap. Using the caam_jr module I'm able to encap and decap successfully from Linux.
The problem is that for some reason I can't decap blobs in Linux that were encapsulated in U-Boot and vice versa. I used U-Boot as a reference to build the job descriptor in Linux-land and I have verified that it is identical, except for the pointer addresses to the DMA memory locations of the actual blob data, key modifier and output buffer.
I'm getting a CAAM jobring error of 0x20000c1a, which looks like an ICV check failure, but the same blob decapsulates just fine in U-boot, so I'm not sure what is different about it. Is there anything I can look into to find out why I'm getting this error?
I found the answer to my problem, which I'll document here in case anyone else runs into the same thing.
The background is that with the kernel module I'm using I had to byte swap the job descriptor commands (which I'd already figured out), but it turns out I needed to 4-byte byteswap the key modifier as well. The blob itself did not need to be byteswapped.
Since the key modifier was being byteswapped (and as a result didn't match what the other environment had) it makes perfect sense that it was failing the ICV check.
It was the inconsistency in byteswapping one input, but not the other, that had me tripped up. As of now I'm able to encapsulate and decapsulate across U-Boot and Linux.
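An added example, not part of the original post or of any driver: the per-word swap described above applied to the descriptor and key modifier while the blob is left alone, plus a decode of the 0x20000c1a status. The helper names, the sample bytes and the 16-byte key modifier length are assumptions, and the status field layout is assumed from the Linux CAAM driver's error decoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reverse the byte order inside each 4-byte word of buf, in place.
 * Returns 0 on success, -1 if len is not a multiple of 4. */
int swap_words_4(uint8_t *buf, size_t len)
{
    if (len % 4 != 0)
        return -1;
    for (size_t i = 0; i < len; i += 4) {
        uint8_t b0 = buf[i], b1 = buf[i + 1];
        buf[i] = buf[i + 3];
        buf[i + 1] = buf[i + 2];
        buf[i + 2] = b1;
        buf[i + 3] = b0;
    }
    return 0;
}

/* Hypothetical helper: swap the descriptor commands and the key modifier.
 * The blob is deliberately not a parameter; its bytes are passed unchanged. */
int prepare_caam_inputs(uint8_t *desc, size_t desc_len,
                        uint8_t *key_mod, size_t key_mod_len)
{
    if (desc_len % 4 != 0 || key_mod_len % 4 != 0)
        return -1;              /* reject before touching either buffer */
    swap_words_4(desc, desc_len);
    return swap_words_4(key_mod, key_mod_len);
}

/* Status fields; layout assumed from the Linux CAAM driver's error decoding. */
unsigned jrsta_source(uint32_t s)     { return s >> 28; }         /* 0x2: CCB */
unsigned jrsta_desc_index(uint32_t s) { return (s >> 8) & 0xff; }
unsigned jrsta_cha_id(uint32_t s)     { return (s >> 4) & 0xf; }
unsigned jrsta_err_id(uint32_t s)     { return s & 0xf; }   /* 0xa: ICV check */

int main(void)
{
    /* Constructed sample bytes, not real descriptor commands or key material. */
    uint8_t desc[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    uint8_t key_mod[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
    prepare_caam_inputs(desc, sizeof desc, key_mod, sizeof key_mod);
    for (size_t i = 0; i < sizeof key_mod; i++)
        printf("%02x ", key_mod[i]);   /* key modifier after the 4-byte swap */
    printf("\nerr id of 0x20000c1a: 0x%x\n", jrsta_err_id(0x20000c1aU));
    return 0;
}
```

A key modifier that is swapped in one environment and not in the other is a different 16-byte value, so the blob's integrity check fails even though the blob bytes are identical.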