I'm looking to store some sensitive data on the i.MX 8M Mini EVK and have a question regarding usage of the CAAM and OP-TEE.
I've found the example projects here: imx_sec_apps - i.MX Security Application Examples, and have been looking at application note AN12554 (https://www.nxp.com/docs/en/application-note/AN12554.pdf) for CAAM key blobs. On the OP-TEE side I have been looking at the enhanced OpenSSL project in the repository I mentioned and application note AN12632 (https://www.nxp.com/docs/en/application-note/AN12632.pdf). After reading these and playing around with the code, it seems that I could use either of these methods to accomplish my goal of storing some sensitive data. My question is: could I do this using the CAAM key blobs or OP-TEE? The OP-TEE path seems simpler, and I could simply store the keys in the trusted application and provide an API in the client application to retrieve the data when I need it. I suppose the CAAM method might provide a little more security, perhaps?
The other implementation would be to use OP-TEE and the CAAM to perform all cryptographic functions in the secure world and only provide a minimal API on the client side to access any needed functions/data. This seems to be more similar to the enhanced OpenSSL application note.
Am I understanding this correctly? Also, are there any examples that apply to Linux kernel 5.4?
Generally, your understanding is correct. OP-TEE may be considered a software approach, but CAAM provides a hardware one. The demo examples are not fully tested, but they show how to integrate different software stacks for use with i.MX reference boards and our BSP release.