Hello, I am trying to implement device mapper using CAAM.
After configuring the kernel, adding all the required config options (AN12714 appendix A), and building it with the required tools (CORE_IMAGE_EXTRA_INSTALL+="coreutils keyutils lvm2 e2fsprogs-mke2fs util-linux"), I followed the Usage section (3.2) of the AN12714.
In /proc/crypto I have the tagged key registered:
name : tk(cbc(aes))
driver : tk-cbc-aes-caam
module : kernel
priority : 3000
refcnt : 1
selftest : passed
internal : no
type : skcipher
async : yes
blocksize : 16
min keysize : 36
max keysize : 164
ivsize : 16
chunksize : 16
walksize : 16
"dmsetup targets" returns:
crypt v1.24.0
multipath v1.14.0
striped v1.6.0
linear v1.4.0
error v1.5.0
I also added the logon key into the keyring but when I try to create a new device mapper:
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
I get the "Error decoding and setting key" error:
[18500.454877] device-mapper: table: 252:0: crypt: Error decoding and setting key (-EINVAL)
[18500.463005] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on encrypted (252:0) failed: Invalid argument
Command failed.
If I don't use the tk-cbc-aes key, everything works:
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/loop0 0"
Following the i.MX User Guide pointed out by ddresser, I found that encryption with the red key works, but in order to use the black key stored in the keyring you need to have secure boot, as stated here:
10.5.3.1 DM-Crypt with Trusted keys backed by CAAM
The key de-capsulated from Red-Blob is different for different CAAM states:
• If System is booted in secure boot with Chain-of-trust established, CAAM state is secure state.
• If system is booted in non-secure (or compromised) state, CAAM state is non-secure state.
Note:
Data that was written in secure state using the trusted key is not read back from a non-trusted or compromised system.
This is the reason for the error message.
I found this section useful on this page:
10.5.3 DM-Crypt using CAAM backed keys
https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf
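The table line in the post names the cipher as capi:tk(cbc(aes))-plain and the key as a keyring reference of the form :36:logon:logkey:, where 36 has to fall inside the min/max keysize that /proc/crypto reports for the tagged-key driver. The script below is an added example, not code from this thread or from NXP: it parses /proc/crypto-style text (the PROC_CRYPTO_SAMPLE is constructed from the entry quoted above) and checks a capi: cipher field and key field before they are handed to dmsetup. It catches an unregistered algorithm or a key size outside the driver's range; it cannot see the CAAM secure/non-secure state that turned out to be the cause here, so a table that passes this check can still fail for that reason.

```shell
#!/bin/sh
# Added example, not code from the thread or from NXP: a pre-flight check for a
# dm-crypt "capi:" table entry. It confirms that the cipher named after "capi:" is
# registered in /proc/crypto-style text read from stdin and that the key size in a
# ":<size>:logon:<description>:" key spec lies inside the driver's min/max keysize.
# PROC_CRYPTO_SAMPLE is constructed from the /proc/crypto entry quoted in the post.

PROC_CRYPTO_SAMPLE='name         : tk(cbc(aes))
driver       : tk-cbc-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 36
max keysize  : 164
ivsize       : 16
chunksize    : 16
walksize     : 16
'

# Read /proc/crypto-style text on stdin; print "<min> <max>" keysize for algorithm $1.
# Returns 1 when no entry with that name is present.
crypto_keysize_range() {
    awk -F ' *: *' -v want="$1" '
        $1 == "name"                       { cur = $2 }
        $1 == "min keysize" && cur == want { mn = $2 }
        $1 == "max keysize" && cur == want { mx = $2 }
        END { if (mn == "" || mx == "") exit 1; print mn, mx }
    '
}

# $1: cipher field of the table, e.g. "capi:tk(cbc(aes))-plain"
# $2: key field of the table, e.g. ":36:logon:logkey:"
# stdin: /proc/crypto contents (or a captured copy of them)
# Returns 0 when the cipher is registered and the key size is within its bounds.
check_capi_key() {
    cipher_field=$1
    keyspec=$2

    case $cipher_field in
        capi:*) ;;
        *) echo "not a capi: cipher spec: $cipher_field" >&2; return 1 ;;
    esac
    # Strip the "capi:" prefix and the trailing "-<ivmode>" to get the algorithm name.
    algo=${cipher_field#capi:}
    algo=${algo%-*}

    range=$(crypto_keysize_range "$algo") || {
        echo "cipher $algo is not registered" >&2
        return 1
    }
    mn=${range% *}
    mx=${range#* }

    # The second colon-separated field of ":<size>:logon:<desc>:" is the key size.
    size=$(printf '%s\n' "$keyspec" | cut -d: -f2)
    case $size in
        ''|*[!0-9]*) echo "malformed key spec: $keyspec" >&2; return 1 ;;
    esac
    if [ "$size" -lt "$mn" ] || [ "$size" -gt "$mx" ]; then
        echo "key size $size is outside [$mn, $mx] for $algo" >&2
        return 1
    fi
    echo "ok: $algo accepts a $size-byte key (range $mn..$mx)"
    return 0
}

# Run against the constructed sample; on a board, use: check_capi_key ... < /proc/crypto
printf '%s' "$PROC_CRYPTO_SAMPLE" | check_capi_key 'capi:tk(cbc(aes))-plain' ':36:logon:logkey:'
```

On the target, feed the real file with check_capi_key 'capi:tk(cbc(aes))-plain' ':36:logon:logkey:' < /proc/crypto; the size argument is the one you would put in the dmsetup table, so a mismatch shows up before the reload ioctl rather than as an -EINVAL from the kernel.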
Hello,
It is correct to follow the Linux User Guide. The AN12714 is old and actually should be deprecated.
Regards
Harvey