- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: CAAM & dmsetup:using tk(cbc(aes))-essiv:sha256
CAAM & dmsetup:using tk(cbc(aes))-essiv:sha256
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Is it possible to use cbc(aes)-essiv encryption with tagged keys?
What was I doing?
I'm working with CAAM on iMX6UL. During tests, I prepared three images on my host machine. They were encrypted with the same symmetric key but with different ciphers:
- ecb(aes)
- cbc(aes)-plain
- cbc(aes)-essiv:sha256.
Later, I created the black key from my symmetric key and mounted images on a device. ecb(aes) & cbc(aes)-plain images work well. But cbc(aes)-essiv:sha256 triggers 5-10 seconds freeze, and later mount operation fails.
Mounting the image using my symmetric key directly (without caam-keygen & keyctl) works well. So, I'm sure that the image is prepared correctly.
But I'm unsure if it is possible to use cbc(aes)-essiv with tagged keys? Is this method supported?
Examples:
1. This is how I executed dmsetup on a host during the image preparation.
dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop0 0 1 sector_size:512"
2. This is how I configured dmsetup on a device to use tagged keys:
dmsetup -v create encrypted --table "0 16384 crypt capi:tk(cbc(aes))-essiv:sha256 :52:logon:mountkey: 0 /dev/loop5 0 1 sector_size:512"
Here I added tk prefix before cbc. And specify key name from keyctl. This method causes errors on the mount.
[ 2833.734136] udevd[2649]: conflicting device node '/dev/mapper/encrypted' found, link to '/dev/dm-5' will not be created
[ 2840.665864] EXT2-fs (dm-5): error: ext2_check_descriptors: Block bitmap for group 0 not in group (block 3863103938)!
[ 2840.665889] EXT2-fs (dm-5): group descriptors corrupted
3. This is how I configured dmsetup to use symmetric key directly:
dmsetup -v create encrypted --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop5 0 1 sector_size:512
In that case, everything works fine.
Thanks
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Harvey021
Thanks for your answer
I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to modify the device mapper node (conflicting device node '/dev/mapper/encrypted' found) with another device node name?
Best regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Harvey021
Thanks for your answer
I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Did you really get tk(cbc(aes)-essiv:sha256 to work?
I couldn't get it to work. After some investigation, it seem that the sha256 is computed on the back key, which is different after every boot.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, @souellet
In my case, the cbc(aes)-essiv worked only until the next reboot. So that matches your results. I just stopped to dig deeper because aes-cbc was enough.
PS: Also, I didn't try essiv on a locked board.
