Converting a CAAM key generated with caam_tk driver into a black key/black blob



765 views
BenjaminPiepiora
Contributor I

Hi all,

we are migrating our old firmware based on Linux Kernel 4.14 to 5.15. As can be seen in the AN12714 rev 0 and AN12714 rev 2 application notes, the way to generate keys with/for the CAAM has changed.


The 4.14 way was something like

keyctl add caam_tk seckey "new ecb 16" @s

which generated a key in the format

:hex:85c121ef4834be7621c86fa6d3db638cee5dc4efaad8a0240f64bf8...


With 5.15 you are now using

caam-keygen create randomkey ecb -s 16

which generates two binary files: key + key.bb


As far as I tested it, you cannot load the "old" key with keyctl running on the new kernel, due to missing caam_tk drivers.

So how should this be dealt with?
Can I implement the caam_tk driver in the new firmware with kernel 5.15?
Can I convert the old key into the binary format?
Is there another way of loading the old key in the new firmware?

Any help is appreciated!
Thanks, Benjamin

0 Kudos
5 Replies

527 views
lisandropm
Contributor II

Hi! Same problem here, and no, we can't regenerate it. We need a way to convert the old black blob to the new format.

0 Kudos

514 views
lisandropm
Contributor II

Or even "just read it". If somehow the old key can still be read into keyctl (the old method does not seem to work anymore), that would be more than enough.

0 Kudos

505 views
BenjaminPiepiora
Contributor I

Hi @lisandropm,

we solved this issue in another way:

1. We start the old system and mount the encrypted partition with the old key (keyctl).

2. We create an encrypted container on an unencrypted partition and copy all relevant data to the container.

3. We update the device, start it and overwrite the existing encrypted partition with a new key (caam-keygen).

4. We copy all data from the container to the new encrypted partition.

This process has some drawbacks, esp. when you don't have enough space. But it seems to be a safe way to transition from the old keyctl to the new caam-keygen.

Best Regards

Benjamin


0 Kudos

475 views
lisandropm
Contributor II

Thanks! Sadly that's what we are trying to avoid, we have a HUGE space issue.

0 Kudos

734 views
Harvey021
NXP TechSupport

Hi @BenjaminPiepiora 

It's a known issue that they are not compatible.

Can you try to generate it in the new BSP?


Best regards

Harvey


0 Kudos