crypto af_alg blackkey demo

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

crypto af_alg blackkey demo

crypto af_alg blackkey demo

Since LF_v5.10.52-2.1.0 crypto_af_alg blackkey demo “caam-decrypt” becomes default in release. You can try it with binary demo release image.

The demo is using black key to decrypt data.

This document goes more detail based on BSP release document

i.MX Linux® User's Guide, Rev. LF5.10.52_2.1.0, 15 October 2021
10.6 crypto_af_alg application support

 

HW: i.MX8MM EVK
SW: LF_v5.10.52-2.1.0_images_IMX8MMEVK binary demo image


PC side:

1. generate key and iv by openssl

echo 12345 | openssl enc -aes-256-cbc -k - -P -md sha1 -pbkdf2
salt=1982686A7BACEE4D
key=D84041EC14BB28543E8545BEB094FE643B5BC1345C31CD576BC708A1559FBD2D
iv =F950CACE80F76F0AC00D9C8762B3A5C9

2. encrption by openssl

echo "For test caam-decrypt" | openssl enc -e -aes-256-cbc -in - -out test.txt.enc -K D84041EC14BB28543E8545BEB094FE643B5BC1345C31CD576BC708A1559FBD2D -iv F950CACE80F76F0AC00D9C8762B3A5C9

3. decryption by openssl

openssl enc -d -aes-256-cbc -in test.txt.enc -out - -K D84041EC14BB28543E8545BEB094FE643B5BC1345C31CD576BC708A1559FBD2D -iv F950CACE80F76F0AC00D9C8762B3A5C9


4. convert key and iv to plian txt for caam-decrypt.
echo F950CACE80F76F0AC00D9C8762B3A5C9| xxd -r -p > fromopenssl.iv.txt
echo D84041EC14BB28543E8545BEB094FE643B5BC1345C31CD576BC708A1559FBD2D| xxd -r -p > fromopenssl.key.txt


5. prepare data for caam-decrypt
cat fromopenssl.iv.txt test.txt.enc > data.caam-decrypt.enc

note:
the format for with blackkey

AES Encrypted file format
16 Octets - Initialization Vector (IV) is an input to encryption algorithm.
nn Octets - Encrypted message (for AES-256-CBC, it must be multiple of 16)

6. send fromopenssl.key.txt and data.caam-decrypt.enc to the board

on i.MX8MM evk board

1. generate blackkey blob
caam-keygen create blackkey ecb -t $(cat fromopenssl.key.txt)

2. delete fromopenssl.key.txt

3. test decryption by caam-decrypt with blackkey

caam-decrypt /data/caam/blackkey.bb AES-256-CBC data.caam-decrypt.enc data.caam-decrypt.dec
root@imx8mmevk:/# cat data.caam-decrypt.dec
For test caam-decrypt

 

Attachments
Comments

Hi @BiyongSUN ,

I'm trying to use the crypto_af_alg with CAAM and black keys.

I followed the demo on the pdf successfully: I can encrypt the sample string on the PC with openssl and have it decrypted on the board (the only difference is the additional padding at the end, as shown in the pdf).

Then, I tried the application with a real case: a big encrypted file (about 100MB) like an update image. I encrypted it with openssl and I tried to decrypt it on the board, but the caam-decrypt hangs on the "read" contained in skcipher_crypt() function.

I supposed that the problem was the fact that the entire buffer of 100MB was sent to the kernel, that cannot handle it entirely. Then, I tried to modify the code to send the big buffer in smaller chunks (like 1kb) but without success: the file is decoded but contains some corrupted data (seems at the end or start of each data block) and then is unusable.

Could you please tell me how to fix the code (or better, fix directly the code) to allow the demo application working with big files additionally of small ones?

I'm working with a 5.10.52 kernel.

Thanks in advance, regards

1. The demo key value is how to use the black key. 

     If no using black key working but using black key not working.

    Please submit ticket to i.MX community. My colleagues will take care of the issue. 

     Here is knowledge base. 

2. 100M file is too big. It is better to DM-Crypt, which is also enhanced by caam black key. 

3. All of those already in the BSP release document. IMXLUG i.MX Linux User's Guide(IMX_LINUX_USERS_GUIDE.pdf)

Hi @BiyongSUN ,

Thank you for your answer. Just to clarify:

1. the demo is working as expected, but only on small encrypted files

2. ok, but dm-crypt needs a loop device to mount the file as a device. Anyway, I finally managed to use the tool modifying its source code.
For everyone interested, I split my file in chunks of 64KB and I do a for loop on the sendmsg()-read() part, sending for each step (except the first one) the last 16 bytes of encrypted data as IV, as requested by the AES-CBC algorithm.
It's an hack, it would be better to rely on zero-copy interface (vmsplice()/splice() functions)

 

I know what you mentioned, the problem is for big files such as your test 100M big. 

You could not split it. There is rules you should follow. 

https://www.aescrypt.com/aes_file_format.html

Try without CAAM black key, if it can work with 100M big file to narrow down this issue. 

It is Linux af alg standard programming issue or CAAM black key issue, we should know. 

Report to imx process community. My colleagues will address this issue. Here is knowledge base. 

i.mx (nxp.com)

 

 

I'm currently integrating encryption functionality into my app. I intend to encrypt a string in the Linux runtime using a secure key, then save this encrypted data to non-volatile memory. Upon the next reboot, I need to retrieve and decrypt this string within the U-Boot environment.

I've been closely following the instructions from your demo, but during my tests in the Linux environment, I've encountered an issue: the decryption isn't yielding the correct result. There are no error messages in the logs; it's just that the output isn't what's expected.

I'm starting to think there might be a compatibility issue with the caam-decrypt version I'm using, which may not be aligning with the caam-driver or the version of OpenSSL crypto_engine (1.1.1n)."

branch: lf-5.10.y_1.0.0 : repo: https://github.com/nxp-imx/keyctl_caam

branch: master : repo: https://github.com/nxp-imx/crypto_af_alg 

Can I find out if the version of keygen is compatible with the version of caam-decrypt? It's important to note that when all my applications are on the latest branch, there's an error with the socket during the setopt operation.

Test script

```bash

root@OpenWrt:/# cat test_blackkey.sh
# !/bin/bash

rm -rf data.caam-decrypt.*
rm -rf test.txt.enc

IV=2E4FFC0164837F78EEB9310DCD69B3C1
KEY=2079F76D8E3D3F78BDB656B2C290D6B8D6D07E9DD1BF6F93D5F965DEFA04FBC5

echo "HEllo For test caam-decrypt" | openssl enc -e -aes-256-cbc -in - -out test.txt.enc \
-K ${KEY}\
-iv ${IV}

echo "[INFO] test.txt.enc is"
hexdump -C test.txt.enc

cat fromopenssl.iv.txt test.txt.enc > data.caam-decrypt.enc

openssl enc -d -aes-256-cbc -in test.txt.enc -out - -K ${KEY} -iv ${IV}

echo ""

echo "[INFO] fromopenssl.key.txt"
hexdump -C fromopenssl.key.txt

echo "[INFO] fromopenssl.iv.txt"
hexdump -C fromopenssl.iv.txt

cat fromopenssl.iv.txt test.txt.enc > data.caam-decrypt.enc
echo "[INFO] the enc file is"
hexdump -C data.caam-decrypt.enc

rm -rf /data/caam/blackkey.bb
rm -rf /data/caam/blackkey

echo "[INFO] caam-keygen to gen black key from $(cat fromopenssl.key.txt)"
caam-keygen create blackkey ecb -t $(cat fromopenssl.key.txt)
echo "[INFO] the black key blob is:"
hexdump -C /data/caam/blackkey.bb
echo "[INFO] the black key is"
hexdump -C /data/caam/blackkey

echo "[INFO] try to caam-decrypt:"
caam-decrypt /data/caam/blackkey.bb AES-256-CBC data.caam-decrypt.enc data.caam-decrypt.dec

echo "[INFO] the dec file is:"
hexdump -C data.caam-decrypt.dec

echo ""

```

 


Test Log:
```

[INFO] test.txt.enc is
00000000 ee 41 45 73 28 f5 5e d5 7e 1a b2 b6 84 61 ae cb |.AEs(.^.~....a..|
00000010 b5 40 05 af c1 da ec 96 a6 1e 09 b1 e4 31 94 cc |.@...........1..|
00000020
HEllo For test caam-decrypt

[INFO] fromopenssl.key.txt
00000000 20 79 f7 6d 8e 3d 3f 78 bd b6 56 b2 c2 90 d6 b8 | y.m.=?x..V.....|
00000010 d6 d0 7e 9d d1 bf 6f 93 d5 f9 65 de fa 04 fb c5 |..~...o...e.....|
00000020
[INFO] fromopenssl.iv.txt
00000000 2e 4f fc 01 64 83 7f 78 ee b9 31 0d cd 69 b3 c1 |.O..d..x..1..i..|
00000010
[INFO] the enc file is
00000000 2e 4f fc 01 64 83 7f 78 ee b9 31 0d cd 69 b3 c1 |.O..d..x..1..i..|
00000010 ee 41 45 73 28 f5 5e d5 7e 1a b2 b6 84 61 ae cb |.AEs(.^.~....a..|
00000020 b5 40 05 af c1 da ec 96 a6 1e 09 b1 e4 31 94 cc |.@...........1..|
00000030
[INFO] caam-keygen to gen black key from y�m�=?x�����V��
[INFO] the black key blob is:
00000000 4f 67 61 54 00 00 00 00 01 00 00 00 20 00 00 00 |OgaT........ ...|
00000010 5c 00 00 00 8f 7f 20 f2 e6 d2 20 40 4d 1c 17 88 |\..... ... @M...|
00000020 eb 79 b6 81 dd 5f bd 9c d9 10 54 8a e1 88 0c 70 |.y..._....T....p|
00000030 d4 74 7a 9f ad 7f 37 29 6d eb 88 01 31 78 b5 45 |.tz...7)m...1x.E|
00000040 38 71 68 1d a1 79 c1 6e 68 c4 54 7b 71 96 a3 ef |8qh..y.nh.T{q...|
00000050 24 d3 f5 8b 08 e2 ed ca 63 ba fe 7a 7d c6 e6 61 |$.......c..z}..a|
00000060 91 53 4c c3 00 00 00 00 81 8d 00 00 00 00 00 10 |.SL.............|
00000070
[INFO] the black key is
00000000 4f 67 61 54 00 00 00 00 01 00 00 00 20 00 00 00 |OgaT........ ...|
00000010 20 00 00 00 88 46 08 6d 2c b2 9b e6 f6 d8 d5 bb | ....F.m,.......|
00000020 12 aa aa b4 86 77 8c f4 1a fd 56 0c 94 e0 a5 3d |.....w....V....=|
00000030 32 16 10 24 |2..$|
00000034
[INFO] try to caam-decrypt:
[INFO] the dec file is:
00000000 35 94 0e 83 b7 36 a7 45 8b 64 f9 44 f1 85 9a 45 |5....6.E.d.D...E|
00000010 f0 2c 14 69 5a ee 88 a5 7f dc 0c c3 fd 27 35 d1 |.,.iZ........'5.|
00000020

```

 

 

No ratings
Version history
Last update:
‎11-25-2021 08:41 PM
Updated by: