CAAM Black Blob Implementation on i.MX8

5,558 Views
kile964
Contributor II

Hello,

I'm following the i.MX Linux Users Guide document and trying to implement CAAM black blob functionality. The guide refers to the caam-keygen utility, which doesn't seem to be included in the community BSP. I found this utility instead here

If I compile and run on the processor, I get the following error:

Unable to open device /dev/caam-keygen

Otherwise, I get successful results for all the checks listed in the guide:

# grep -B1 -A2 tk /proc/crypto
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
module : kernel
priority : 1
--

name : tk(cbc(aes))
driver : tk-cbc-aes-caam
module : kernel
priority : 1

# dmsetup targets
crypt v1.19.0
striped v1.6.0
linear v1.4.0
error v1.5.0

Processor is IMX8MM. I'm using Yocto dunfell (boundary devices BSP). I have added all of the packages recommended in the guide docs and I believe all kernel configuration parameters are enabled correctly.

# zcat /proc/config.gz | grep CAAM
CONFIG_CRYPTO_DEV_FSL_CAAM_DMA=y
CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_COUNT_THLD=255
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_TIME_THLD=2048
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_JR_UIO=y

 

0 Kudos
1 Solution
5,460 Views
kile964
Contributor II

I, too, am building a boundary devices bsp, though I was on kernel 5.4.70. After some back and forth with them, they showed me how to source the latest boundary-imx (AKA linux-boundary) kernel from 5.4.80 which includes the /dev/caam-keygen node. This isn't yet included in the official dunfell release.

Here's the recipe - changes to latest dunfell release are bold.

# Adapted from linux-imx.inc, copyright (C) 2013, 2014 O.S. Systems Software LTDA
# Released under the MIT license (see COPYING.MIT for the terms)

require recipes-kernel/linux/linux-imx.inc

SUMMARY = "Linux kernel for Boundary Devices boards"

LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"

LINUX_VERSION = "5.4.80"

SRC_URI = "git://github.com/boundarydevices/linux-imx6.git;branch=${SRCBRANCH} \
"

LOCALVERSION = "-2.2.0-ga+yocto"
SRCBRANCH = "boundary-imx_5.4.x_2.2.0"
SRCREV = "38b03360c36c606656c65d9128d3cd29ea0ce6d6"
DEPENDS += "lzop-native bc-native"
COMPATIBLE_MACHINE = "(nitrogen6x|nitrogen6x-lite|nitrogen6sx|nitrogen7|nitrogen8m|nitrogen8mm|nitrogen8mn)"

KBUILD_DEFCONFIG ?= "boundary_defconfig"

S = "${WORKDIR}/git"

"../sources/meta-freescale-3rdparty/recipes-kernel/linux/linux-boundary_5.4.bb" 24L, 780C

 

 


6 Replies
5,492 Views
a_1359
Contributor II

@Yuri 

Hello,

I am also facing the same problem on an iMX6D platform:

~# caam-keygen create randomkey ecb -s 16
Unable to open device /dev/caam-keygen

Running the following kernel version on the target from boundarydevices:

 

# uname -r
4.14.98-2.0.0_ga+yocto+gde875982909f

with the following configs:

# zcat /proc/config.gz | grep -i caam
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y

However, I do not have the ./dev/caam-keygen node as mentioned in the docs:

# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen

Your feedback is appreciated!

Regards,

a_1359

0 Kudos

5,536 Views
Yuri
NXP Employee

@kile964 
Hello,

  Use AN12714 (i.MX Encrypted Storage Using CAAM Secure Keys):

https://www.nxp.com/docs/en/application-note/AN12714.pdf

  Also: AN12554 (Demo Application to Generate Red/Black Blobs Using CAAM and Encrypt/Decrypt Data)

https://www.nxp.com/docs/en/application-note/AN12554.pdf

  The recent app note, I hope, will be updated soon.

Regards,
Yuri.

0 Kudos
5,506 Views
kile964
Contributor II

Hi Yuri,

Can you help me understand what provides /dev/caam-keygen ? I'm working with the same kernel version (5.4.47) as AN12714 with seemingly the same list of packages.

Thank you.

0 Kudos
5,519 Views
a_1359
Contributor II

@Yuri 

Could you please let me know why my message is deleted in this post?

I have got it working right now! But I am really wondering how my post, including only and only pure technical stuff, should be deleted in this post.
I believe that in the NXP community forum people should treat each other with mutual respect.
I am disappointed about this but happy that I have got it working on my platform without any support in just a couple of hours:
 

a_1359_0-1607631394185.png

 

Regards,

a_1359

0 Kudos
5,498 Views
a_1359
Contributor II

Hi,

Which kernel version are you using on your target?

The link of the keyctl_caam that you have posted i.e. https://source.codeaurora.org/external/imx/keyctl_caam/?h=imx_5.4.47_2.2.0 is on 5.4.47 branch!


Problems can happen due to the Linux kernel API mismatches, I mean the kernel that you are running and the kernel that keyctl_caam has been written for.

If this is the case, then it would be wise to compile the keyctl_caam from a branch that matches your Linux kernel version. However, I am not sure that this can be the problem!

The other point is that there is apparently just one single branch on the keyctl_caam i.e. 5.4.47. So it seems this should not be the problem.

I am facing the same problem on i.MX6D. I am running kernel 4.14.98 from boundarydevices.

# caam-keygen create randomkey ecb -s 16
Unable to open device /dev/caam-keygen

# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen

And the doc says:

root@imx8mmevk:~# cd /; find -name "caam-keygen"
./usr/bin/caam-keygen
./dev/caam-keygen
./sys/class/misc/caam-keygen
./sys/devices/virtual/misc/caam-keygen

 

Obviously, I am missing the ./dev/caam-keygen node! But why?!

 

Regards,

a_1359
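
A triage script for the "Unable to open device /dev/caam-keygen" failure discussed in this thread, added here as an example (it is not from the posters, NXP or the BSP): it checks the paths the guide's `find` output lists plus the `tk` ciphers in `/proc/crypto`, and names the first missing layer. The function name, the verdict strings and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify why caam-keygen cannot open /dev/caam-keygen.
# The optional argument is a root directory; it defaults to / on a target and
# lets the same checks run against a constructed directory tree.

caam_keygen_diagnose() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "" so the paths below stay absolute

    # 1. User-space tool (the thread finds it at /usr/bin/caam-keygen).
    [ -e "$root/usr/bin/caam-keygen" ] || { echo "tool-missing"; return 1; }

    # 2. Tagged-key ciphers registered by the CAAM driver, i.e. the
    #    tk-ecb-aes-caam / tk-cbc-aes-caam driver lines from /proc/crypto.
    if ! grep -Eq '^driver[[:space:]]*:[[:space:]]*tk-(ecb|cbc)-aes-caam' \
            "$root/proc/crypto" 2>/dev/null; then
        echo "no-tk-cipher"; return 1
    fi

    # 3. Misc device registered by the running kernel. If this sysfs entry is
    #    absent, the kernel never registered the device (driver not built,
    #    not loaded, or probe failed); this is the state both posters describe,
    #    and the accepted answer fixes it with a kernel that includes the node.
    if [ ! -e "$root/sys/class/misc/caam-keygen" ]; then
        echo "kernel-lacks-keygen-device"; return 1
    fi

    # 4. Device node. The kernel side is present but nothing created the node,
    #    which points at devtmpfs/udev rather than the kernel build.
    if [ ! -e "$root/dev/caam-keygen" ]; then
        echo "node-not-created"; return 1
    fi

    echo "ok"
}
```

On a target, call `caam_keygen_diagnose` with no argument; swapping the `-e` test on the `/dev` node for `-c` additionally confirms it is a character device.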