Unable to Load CAAM Trusted Key Blob After Reboot on i.MX6UL (Kernel 6.6.23) – trusted_caam Lacks Lo


481 views
marotis
Contributor I

I'm working on an i.MX6UL-based secure storage use case using dm-crypt (LUKS2) and CAAM-backed trusted keys. I successfully generate a sealed key with:

keyctl add trusted trusted_caam_key "new 32 caam sealed-key /etc/caam_keys/caam_trusted.blob" @u

I store the sealed blob (caam_trusted.blob) and use the CAAM-managed key (derived from keyctl pipe ...) to encrypt a LUKS2 volume, which works perfectly before reboot.

However, after rebooting, when I try to reload the trusted key with:

keyctl add trusted trusted_caam_key "load /etc/caam_keys/caam_trusted.blob" @u

add_key: Invalid argument

add_key: Operation not permitted

This indicates that the trusted_caam key type does not support the load operation, which is essential for persistent secure key use cases (e.g. automatically unlocking a LUKS/dm-crypt volume during boot via an initramfs).

Problem Summary:
1. CAAM trusted key can be created and sealed successfully.
2. Sealed blob is stored and persisted to disk.
3. After reboot, loading it back with keyctl add trusted ... "load ..." fails, preventing decryption.

This breaks persistent CAAM-backed key use cases such as:
- fscrypt
- dm-crypt/LUKS
- Secure boot key storage

What I'm Looking For:
1. Does NXP provide a patch or updated driver to support trusted_caam blob loading ("load ..." operation) in Linux kernel 6.6.x or upstream?
2. If not available yet, is there a recommended approach or roadmap to enable blob loading for trusted_caam in newer kernels?
3. Any official guidance or sample implementation for patching the kernel to support this?

System Information:
- Platform: i.MX6UL
- Linux Kernel: 6.6.23 (custom build)
- CAAM Support: Enabled and working
- Trusted Key Framework: Enabled
- trusted_caam driver: Present (but lacks blob load support)

0 Kudos
3 Replies

449 views
Harvey021
NXP TechSupport

Hi,

I've replied to you in your other ticket. Let's continue there for any further questions.

Regards

Harvey

0 Kudos

441 views
marotis
Contributor I
Hello NXP Community,

Thank you for the earlier suggestion on using dm-crypt + DCP + OTP key for encryption. I have successfully implemented that and verified its operation.

However, my original goal was to enable fscrypt encryption using CAAM-backed trusted keys on an i.MX6UL platform with Linux kernel 6.6.23.

My Requirements:
Use CAAM hardware for key generation and protection.
Store encryption keys as sealed trusted blobs (not raw files).
Enable per-directory encryption via fscrypt using these secure keys.
Restore and use these keys persistently after reboot (e.g., via keyctl add trusted ... "load <blob>").

Current Setup:
SoC: i.MX6UL with CAAM
Kernel: Linux 6.6.23
CAAM and trusted key support enabled (CONFIG_TRUSTED_KEYS, CONFIG_TRUSTED_CAAM)

I can create and seal CAAM-trusted keys using:

keyctl add trusted trusted_caam_key "new 32 caam sealed-key /etc/caam_keys/blob" @u

However, attempting to reload sealed key blobs fails:

keyctl add trusted trusted_caam_key "load /etc/caam_keys/blob" @u
--> add_key: Invalid argument

Questions:
Is there any official patch or plan to support the load operation for CAAM-trusted keys in recent kernels (6.6+)?

Is there a version of caam_trusted_blob.c officially maintained by NXP that enables sealed key loading?

Has this been supported in any NXP reference BSP or LTS kernel (e.g., 5.15 or earlier)?

If not, is there a recommended way to persist and reuse CAAM-sealed keys with fscrypt across reboots?

Goal:
Achieve secure and persistent fscrypt integration using CAAM as the hardware root of trust — not relying on raw key files in the filesystem, and ensuring that trusted keys survive reboots securely.

Any guidance or updated support for this feature in current NXP platforms would be extremely valuable.

Thanks in advance,
Maroti
0 Kudos
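As an added example, not code from this thread or from NXP, the script below walks the upstream kernel's documented trusted-key persistence flow (Documentation/security/keys/trusted-encrypted.rst), which covers both the dm-crypt case in the first post and the fscrypt case above: `keyctl pipe` writes the sealed blob as hex text, and `"load ..."` takes that hex text as its payload rather than a file path, so the script refuses to call `load` on anything that is not a hex blob. It assumes keyutils is installed, the kernel was booted with `trusted.source=caam`, and that the key description and blob path are placeholders; whether the 6.6.23 trusted_caam build in the thread accepts this syntax is not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread or NXP: upstream trusted-key persistence.
# Assumes keyutils, a kernel booted with trusted.source=caam, and placeholder
# values for KEY_DESC and BLOB_PATH.
KEY_DESC="${KEY_DESC:-caam_demo_key}"
BLOB_PATH="${BLOB_PATH:-/etc/caam_keys/caam_demo.blob}"

# Returns 0 when the file looks like a blob as `keyctl pipe` writes it:
# non-empty, hex digits only, even length. A path or raw binary is rejected,
# which is the payload shape the kernel answers with "Invalid argument".
blob_is_hex() {
    f="$1"
    [ -s "$f" ] || return 1
    txt=$(tr -d '\n' < "$f")          # tolerate a trailing newline
    case "$txt" in
        *[!0-9a-fA-F]*) return 1 ;;   # any non-hex character
    esac
    [ $(( ${#txt} % 2 )) -eq 0 ]      # whole bytes only
}

# First boot: create a 32-byte key sealed by the configured trusted source and
# persist only the sealed hex blob; the key material itself stays in-kernel.
seal_new_key() {
    kid=$(keyctl add trusted "$KEY_DESC" "new 32" @u) || return 1
    umask 077
    keyctl pipe "$kid" > "$BLOB_PATH" || return 1
    blob_is_hex "$BLOB_PATH"
}

# Later boots (e.g. from an initramfs): restore the same key from the blob.
# The "load" payload is the blob contents, not the blob's path.
restore_key() {
    blob_is_hex "$BLOB_PATH" || {
        echo "refusing load: $BLOB_PATH is not a hex sealed-key blob" >&2
        return 1
    }
    keyctl add trusted "$KEY_DESC" "load $(tr -d '\n' < "$BLOB_PATH")" @u
}

# Only touch the keyring when explicitly asked, so the helpers can be sourced.
if [ "${RUN_CAAM_KEY_DEMO:-0}" = 1 ]; then
    if [ -s "$BLOB_PATH" ]; then restore_key; else seal_new_key; fi
fi
```

Run with `RUN_CAAM_KEY_DEMO=1` on the target; the resulting key can then back an encrypted key or be piped into the dm-crypt or fscrypt setup the posts describe.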

417 views
Harvey021
NXP TechSupport

I replied to you in your other ticket.

Regards

Harvey

0 Kudos