帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Converting a CAAM key generated with caam_tk driver into a black key/black blob

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Converting a CAAM key generated with caam_tk driver into a black key/black blob

‎11-10-2022 06:47 AM
747 次查看
BenjaminPiepiora
Contributor I

Hi all,

we are migrating our old firmware based on Linux Kernel 4.14 to 5.15. As it can be seen in the AN12714 rev 0 and AN12714 rev 2 notes, the way how to generate keys with/for the CAAM has changed.

 

The 4.14 way was something like

keyctl add caam_tk seckey "new ecb 16" @s

which generated a key in the format

:hex:85c121ef4834be7621c86fa6d3db638cee5dc4efaad8a0240f64bf8...

 

With 5.15 you are now using

caam-keygen create randomkey ecb -s 16

which generates two binary files: key + key.bb

 

As far as I tested it, you cannot load the "old" key with keyctl running on the new kernel, due to missing caam_tk drivers.

So how should this be dealt with?
Can I implement the caam_tk driver in the new firmware with kernel 5.15?
Can I convert the old key into the binary format?
Is there another way of loading the old key in the new firmware?

Any help is appreciated!
Thanks, Benjamin

0 项奖励
回复
5 回复数

‎12-04-2023 03:08 PM
509 次查看
lisandropm
Contributor II

Hi! Same problem here, and no, we can't regenerate it. We need a way to convert the old black blob to the new format

0 项奖励
回复

‎12-04-2023 05:06 PM
496 次查看
lisandropm
Contributor II

Or even "just read it". If somehow the old key can still be read into keyctl (the old method does not seems to work anymore) that would be more than enough.

0 项奖励
回复

‎12-05-2023 02:31 AM
487 次查看
BenjaminPiepiora
Contributor I

Hi @lisandropm,

we solved this issue in another way:

1. We start the old system and mount the encrypted partition with the old key (keyctl).

2. We create a encrypted container on an unencrypted partition and copy all relevant data to the container.

3. We update the device, start it and overwrite the existing encrypted partition with a new key (caam-keygen).

4. We copy all data from the container to the new encrypted partition

This process has some drawbacks, esp. when you don't have enough space. But it seems to be a save way to transition from the old keyctl to the new caam-keygen.

Best Regards

Benjamin

 

0 项奖励
回复

‎12-05-2023 05:40 AM
457 次查看
lisandropm
Contributor II

Thanks! Sadly that's what we are trying to avoid, we have a HUGE space issue.

0 项奖励
回复

‎11-18-2022 12:01 AM
716 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @BenjaminPiepiora 

It's a known issue that they are not compatible.

Can you try to generate it in new BSP?

 

Best regards

Harvey

 

0 项奖励
回复