- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
Hi,
The objective is to generate digitally signed data which can be only signed and verified using CAAM ( i.e. hardware dependent, similar to HAB using OTPMK )
We are trying to explore CAAM Hardware's SIGNATURE command to digitally sign any data using CAAM's TDSK. We have following queries.
- Can we sign user data using CAAM, other than secure boot ?
- If yes, are there any specific signing mechanism available in CAAM. like RSA?
- Can We Generate Public, Private key pair from CAAM to generate signed data?
- Is it possible to use TDSK and SIGNATURE command of CAAM to sign user data.
- We tried it on both secure and non secure board.
- In secure mode, CAAM does not allow to set trusted descriptor request.
- In Non-secure mode, it allows but fails while loading signature command with invalid descriptor error.
CAAM supports many Hash hardware accelerators, Can these be used while creating/verifying digital signatures of a document?
Thanks for your support,
Regards,
Swapnil
已解决! 转到解答。
> We understand that HMAC is used to digitally signed data.
> Hence we have to run combination of operation, key and other
> commands instead of signature command for the same.
> it this correct?
[Platon] Yes.
> If yes, please suggest the correct sequence of descriptors for signing data.
>
[Platon] Refer to Linux kernel source, file drivers/crypto/caam/caamhash.c
for hash and HMAC JD build routines.
>Does it mean, the digital signing can work on both secure and non
>secure boards?
[Platon] Yes.
>HMAC uses IPAD/OPAD in its algorithm. Are these values when generated
>in different boards going to be the same?
[Platon] IPAD and OPAD values are specified in the respective HMAC
specification. They can be forced to custom values, but typically
it's not necessary.
> How do we verify the signed data on different systems ?
>
[Platon] Study the material at the link below for HMAC basics:
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
>If answer for question 4 is NO, then for verification do we need to
>pass these need IPAD/OPAD along with key and signed data to verify
>the signature across boards.
[Platon] See above.
Have a great day,
Platon
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
>Can we sign user data using CAAM, other than secure boot ?
[Platon] Yes, but you cannot use OTPMK for that. OTPMK is used _only_ to encrypt the blob key. Note that
HAB does not use it, either.
>If yes, are there any specific signing mechanism available in CAAM. like RSA?
[Platon] There are no specific mechanisms. Generic HMAC descriptors should be used. Note,
CAAM on i.MX processors has no public key accelerator. If you prefer asymmetric key signaltures
(distinguish from HMAC), you should implement it in software. Initial data hash for RSA can be accelerated
with generic CAAM hash JDs
>Can We Generate Public, Private key pair from CAAM to generate signed data?
[Platon] See above. There is no asymmetric key crypto operations accelerator.
>Is it possible to use TDSK and SIGNATURE command of CAAM to sign user data
[Platon] No. TDSK together with related commends are only used to sign Job Descriptors,
not user data.
Have a great day,
Platon
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi,
Thanks for your input.
I have some specific queries on your reply.
- We understand that HMAC is used to digitally signed data. Hence we have to run combination of operation, key and other commands instead of signature command for the same. it this correct?
- If yes, please suggest the correct sequence of descriptors for signing data.
- Does it mean, the digital signing can work on both secure and non secure boards?
- HMAC uses IPAD/OPAD in its algorithm.Are these values when generated in different boards going to be the same ?
- How do we verify the signed data on different systems ?
If answer for question 4 is NO, then for verification do we need to pass these need IPAD/OPAD along with key and signed data to verify the signature across boards.
Thanks in advance.
Regards,
Swapnil Pendhare.
> We understand that HMAC is used to digitally signed data.
> Hence we have to run combination of operation, key and other
> commands instead of signature command for the same.
> it this correct?
[Platon] Yes.
> If yes, please suggest the correct sequence of descriptors for signing data.
>
[Platon] Refer to Linux kernel source, file drivers/crypto/caam/caamhash.c
for hash and HMAC JD build routines.
>Does it mean, the digital signing can work on both secure and non
>secure boards?
[Platon] Yes.
>HMAC uses IPAD/OPAD in its algorithm. Are these values when generated
>in different boards going to be the same?
[Platon] IPAD and OPAD values are specified in the respective HMAC
specification. They can be forced to custom values, but typically
it's not necessary.
> How do we verify the signed data on different systems ?
>
[Platon] Study the material at the link below for HMAC basics:
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
>If answer for question 4 is NO, then for verification do we need to
>pass these need IPAD/OPAD along with key and signed data to verify
>the signature across boards.
[Platon] See above.
Have a great day,
Platon
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
