Hello,
I'm following the i.MX Linux Users Guide document and trying to implement CAAM black blob functionality. The guide refers to the caam-keygen utility, which doesn't seem to be included in the community BSP. I found this utility instead here.
If I compile and run on the processor, I get the following error:
Unable to open device /dev/caam-keygen
Otherwise, I get successful results for all the checks listed in the guide:
# grep -B1 -A2 tk /proc/crypto
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
module : kernel
priority : 1
--
name : tk(cbc(aes))
driver : tk-cbc-aes-caam
module : kernel
priority : 1
# dmsetup targets
crypt v1.19.0
striped v1.6.0
linear v1.4.0
error v1.5.0
Processor is IMX8MM. I'm using Yocto dunfell (boundary devices BSP). I have added all of the packages recommended in the guide docs and I believe all kernel configuration parameters are enabled correctly.
# zcat /proc/config.gz | grep CAAM
CONFIG_CRYPTO_DEV_FSL_CAAM_DMA=y
CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_COUNT_THLD=255
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_TIME_THLD=2048
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_JR_UIO=y
Solved! Go to Solution.
I, too, am building a boundary devices bsp, though I was on kernel 5.4.70. After some back and forth with them, they showed me how to source the latest boundary-imx (AKA linux-boundary) kernel from 5.4.80 which includes the /dev/caam-keygen node. This isn't yet included in the official dunfell release.
Here's the recipe - changes to latest dunfell release are bold.
# Adapted from linux-imx.inc, copyright (C) 2013, 2014 O.S. Systems Software LTDA
# Released under the MIT license (see COPYING.MIT for the terms)
require recipes-kernel/linux/linux-imx.inc
SUMMARY = "Linux kernel for Boundary Devices boards"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
LINUX_VERSION = "5.4.80"
SRC_URI = "git://github.com/boundarydevices/linux-imx6.git;branch=${SRCBRANCH} \
"
LOCALVERSION = "-2.2.0-ga+yocto"
SRCBRANCH = "boundary-imx_5.4.x_2.2.0"
SRCREV = "38b03360c36c606656c65d9128d3cd29ea0ce6d6"
DEPENDS += "lzop-native bc-native"
COMPATIBLE_MACHINE = "(nitrogen6x|nitrogen6x-lite|nitrogen6sx|nitrogen7|nitrogen8m|nitrogen8mm|nitrogen8mn)"
KBUILD_DEFCONFIG ?= "boundary_defconfig"
S = "${WORKDIR}/git"
"../sources/meta-freescale-3rdparty/recipes-kernel/linux/linux-boundary_5.4.bb" 24L, 780C
Hello,
I am also facing the same problem on an iMX6D platform:
~# caam-keygen create randomkey ecb -s 16
Unable to open device /dev/caam-keygen
Running the following kernel version on the target from boundaydevices:
# uname -r
4.14.98-2.0.0_ga+yocto+gde875982909f
with the following configs:
# zcat /proc/config.gz | grep -i caam
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
However, I do not have the ./dev/caam-keygen node as mentioned in the docs:
# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen
Your feedback is appreciated!
Regards,
a_1359
I, too, am building a boundary devices bsp, though I was on kernel 5.4.70. After some back and forth with them, they showed me how to source the latest boundary-imx (AKA linux-boundary) kernel from 5.4.80 which includes the /dev/caam-keygen node. This isn't yet included in the official dunfell release.
Here's the recipe - changes to latest dunfell release are bold.
# Adapted from linux-imx.inc, copyright (C) 2013, 2014 O.S. Systems Software LTDA
# Released under the MIT license (see COPYING.MIT for the terms)
require recipes-kernel/linux/linux-imx.inc
SUMMARY = "Linux kernel for Boundary Devices boards"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
LINUX_VERSION = "5.4.80"
SRC_URI = "git://github.com/boundarydevices/linux-imx6.git;branch=${SRCBRANCH} \
"
LOCALVERSION = "-2.2.0-ga+yocto"
SRCBRANCH = "boundary-imx_5.4.x_2.2.0"
SRCREV = "38b03360c36c606656c65d9128d3cd29ea0ce6d6"
DEPENDS += "lzop-native bc-native"
COMPATIBLE_MACHINE = "(nitrogen6x|nitrogen6x-lite|nitrogen6sx|nitrogen7|nitrogen8m|nitrogen8mm|nitrogen8mn)"
KBUILD_DEFCONFIG ?= "boundary_defconfig"
S = "${WORKDIR}/git"
"../sources/meta-freescale-3rdparty/recipes-kernel/linux/linux-boundary_5.4.bb" 24L, 780C
@kile964
Hello,
Use AN12714 (i.MX Encrypted Storage Using CAAM Secure Keys):
https://www.nxp.com/docs/en/application-note/AN12714.pdf
Also: AN12554 (Demo Application to Generate Red/Black Blobs Using CAAM
and Encrypt/Decrypt Data)
https://www.nxp.com/docs/en/application-note/AN12554.pdf
The recent app note - hope - will be updated soon.
Regards,
Yuri.
Hi Yuri,
Can you help me understand what provides /dev/caam-keygen ? I'm working with the same kernel version (5.4.47) as AN12714 with seemingly the same list of packages.
Thank you.
@Yuri
could you please let me know why my message is deleted in this post?
I have got it working right now! but really wondering how my post including only and only pure technical stuff should be deleted in this post.
I believe that in NXP community forum people should treat each other with mutual respect.
I am disappointed about this but happy that I have got it working on my platform without any support in just couple of hours:
Regards,
a_1359
Hi,
Which kernel version you are using on your target?
The link of the keyctl_caam that you have posted i.e. https://source.codeaurora.org/external/imx/keyctl_caam/?h=imx_5.4.47_2.2.0 is on 5.4.47 branch!
Problems can happen due to the Linux kernel API mismatches, I mean the kernel that you are running and the kernel that keyctl_caam has been written for.
If this is the case, then it would be wise to compile the keyctl_caam from a branch that matches your Linux kernel version. However, I am not sure that this can be the problem!
The other point is that there is apparently just one single branch on the keyctl_caam i.e. 5.4.47. So it seems this should not be the problem.
I am facing the same problem on i.MX6D. I am running kernel 4.14.98 from boundarydevices.
# caam-keygen create randomkey ecb -s 16
Unable to open device /dev/caam-keygen
# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen
And the doc says:
root@imx8mmevk:~# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen
./dev/caam-keygen
./sys/class/misc/caam-keygen
./sys/devices/virtual/misc/caam-keygen
Obviously, I am missing ./dev/caam-keygen node! but why ?!
Regards,
a_1359