En/Decryption of data on iMX6 board

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

En/Decryption of data on iMX6 board

跳至解决方案
8,331 次查看
rashmi
Contributor III

Hi,

How do I set up a CAAM  to en/decrypt a data on a iMX6 SABRE board? Are there any sample application available?

I have gone through Security Reference manual which gives me low level information, does not seem of too much help to me.

Thanks

1 解答
4,886 次查看
Yuri
NXP Employee
NXP Employee

The Platform SDK (after cross-compiling) provides executable images (.elf, .bin), that should be run on a target board (say, on i.MX6 SDP).

Please to run .elf on the SDP, using a JTAG debugger.

在原帖中查看解决方案

0 项奖励
回复
23 回复数
4,449 次查看
XXiao1z
Contributor III

I'm using repo with fsl-community-bsp-platform, how can I find the specific BSP release(e.g. 3.10.9-1.0.0 alpha BSP)? or am I missing something? all I saw is 1.4 release, 1.5 release at github and I did not find any tag for the BSP you mentioned. do you mean just the kernel release? I'm confused.

Thanks,

0 项奖励
回复
4,449 次查看
Yuri
NXP Employee
NXP Employee

The 3.10.9 release is not issued yet.

0 项奖励
回复
4,452 次查看
Yuri
NXP Employee
NXP Employee

You may look at the Platform SDK - it contains an example regarding blob using.

"The i.MX6 Platform SDK is located on Freescale Web.

The code can be found at sdk/drvers/caam.  Keep in mind that in order to generate a blob with the CAAM OTPMK a secure boot with HAB

in closed config [...], otherwise in open config the blob will be created using the known CAAM default master key.

The platform SDK code is useful for generating a blob for a single chip but is not useful in a production environment.

The platform SDK code:

1. Configures CAAM appropriately in order to generate a key blob

2. Writes a fixed data encryption key (DEK) to a CAAM memory partition - same partition used by HAB

3. Configures the CAAM memory partition as CAAM read only

4. Generates the blob with CAAM

5. Re-allocate CAAM memory parition - erases original DEK

6. Decapsultates the blob to obtain the original DEK in CAAM read only memory partition

7. Perform a self test with the decapsulated DEK to ensure the DEK was properly restored"

4,452 次查看
rashmi
Contributor III

Hi Yuri,

I tried building the sdk to test the caam module with the command  ./tools/build_sdk with test=caam. But found no useful information on "./output/mx6dq/sdk_unit_test/sabre_ai_rev_a" folder. can you please suggest me on how to understand the output upon testing caam driver using sdk.

Thanks,

Rashmi. 

0 项奖励
回复
4,452 次查看
Yuri
NXP Employee
NXP Employee

You wrote " found no useful information on "./output/mx6dq/sdk_unit_test/sabre_ai_rev_a" folder".

Do You mean that there are no .elf, .bin, .map files in the output directory ? 

Are there errors reported during build process ?

0 项奖励
回复
4,452 次查看
rashmi
Contributor III

Hi Yuri,

No errors, have got .elf .bin .map files in output directory. But throught this files how can I ensure whether CAAM is tested on board or not.

Thanks,

Rashmi

0 项奖励
回复
4,887 次查看
Yuri
NXP Employee
NXP Employee

The Platform SDK (after cross-compiling) provides executable images (.elf, .bin), that should be run on a target board (say, on i.MX6 SDP).

Please to run .elf on the SDP, using a JTAG debugger.

0 项奖励
回复
4,449 次查看
rashmi
Contributor III

Thanks for the reply Yuri.

Can you also brief me on how to execute those src .C files available on imx6_platform_SDk/sdk/drivers/caam. Can I use those C files to encrypt and decrypt my data.

Thanks ,

Rashmi

0 项奖励
回复
4,449 次查看
Yuri
NXP Employee
NXP Employee

Source .c files may be used as example. It is needed to analyze them, using CAAM description in the Security Reference Manual for i.MX6.

You may download the security manual from our website (link below). You will

need to login in order to do this.

https://www.freescale.com/webapp/Download?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE=Reference%20Manuals&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&Parent_nodeId=1337694700967726419044&Parent_pageType=product&Parent_nodeId=1337694700967726419044&Parent_pageType=product

0 项奖励
回复
4,449 次查看
rashmi
Contributor III

Hi Yuri,

I am using AF_ALG family for userspace interface for Kernel cryptoAPI. But when i try to test it using the command "openssl speed -evp aes-256 -cbc -engine af_alg -elapsed" i get the error as:

root@imx6qsabrelite:~# openssl speed -e aes-256-cbc -engine af_alg -elapsed
Error configuring OpenSSL
716629200:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:
716629200:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=openssl_engines, retcode=-1     
root@imx6qsabrelite:~#


Please, Can you suggest me on how to fix these error.


Thanks,

Rashmi.

0 项奖励
回复
4,449 次查看
terateller
Contributor II

Hi Rashmi,

I have the exact same error. I downloaded the af_alg code that was attached in this community website by Dipen Patel. I compiled it on my iMX6. But when I tested with the above openssl command. I get the exact same error. Could you please tell me your fix so that it can help all of us?

thanks a ton in advance!

Tera

0 项奖励
回复
4,449 次查看
rashmi
Contributor III

Hi Tera,

Link to configure AF_ALG in openssl:

http://src.carnivore.it/users/common/af_alg/about/

Regards,

Rashmi

4,452 次查看
terateller
Contributor II

Hi Rashmi,

Hello All,

Thank you for the link. I followed it. The only difference is when I replace the original openssl.cnf with the one of the af_alg as mentioned in the link above, I get the error that Rashmi had:

Error configuring OpenSSL
716629200:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:
716629200:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=openssl_engines, retcode=-1


But when I retained the original openssl.cnf but already changed the kernel config with all the flags mentioned and after copying the libaf_alg.so in the correct openssl engine directory, I see that the engine af_alg gets set. I did a quick speed test but surprisingly saw that the speed was the same as before(without af_alg). So now I am puzzled whether my CAAM is being used at all by the af_alg :smileysad:

Anyone can throw some light? How can I check if my CAAM is being called by the af_alg? I had set "caam" in my bootargs. I also see it if I type /proc/crypto:

name     : sha1
driver   : sha1-caam
module   : kernel
priority : 3000
refcnt   : 1
selftest : passed
type     : ahash
async    : yes
blocksize: 64

digestsize   : 20

name     : ecb(aes)
driver   : ecb-aes-caam
module   : kernel
priority : 3000
refcnt   : 1
selftest : passed
type     : ablkcipher
async    : yes
blocksize: 16

min keysize  : 16

max keysize  : 32

ivsize   : 16
geniv    : eseqiv

name     : cbc(aes)
driver   : cbc-aes-caam
module   : kernel
priority : 3000
refcnt   : 1
selftest : passed
type     : ablkcipher
async    : yes
blocksize: 16

min keysize  : 16

max keysize  : 32

ivsize   : 16
geniv    : eseqiv

Speed test:

openssl speed -evp aes-128-cbc

Doing aes-128-cbc for 3s on 16 size blocks: 3004381 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 64 size blocks: 849813 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 256 size blocks: 220358 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 1024 size blocks: 55605 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 8192 size blocks: 6969 aes-128-cbc's in 3.00s

OpenSSL 1.0.0e 6 Sep 2011

built on: Tue Feb 19 00:08:00 UTC 2013

options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)

compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128-cbc      16023.37k    18129.34k    18803.88k    18979.84k    19030.02k

With af_alg:

openssl speed -evp aes-128-cbc -e

engine "af_alg" set.

Doing aes-128-cbc for 3s on 16 size blocks: 2998763 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 64 size blocks: 849813 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 256 size blocks: 220357 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 1024 size blocks: 55605 aes-128-cbc's in 3.00s

Doing aes-128-cbc for 3s on 8192 size blocks: 6970 aes-128-cbc's in 3.00s

OpenSSL 1.0.0e 6 Sep 2011

built on: Tue Feb 19 00:08:00 UTC 2013

options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)

compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128-cbc      15993.40k    18129.34k    18803.80k    18979.84k    19032.75k

Thanks in advance.

Tera

0 项奖励
回复
4,449 次查看
rashmi
Contributor III

Hi Tera,

You can use cat /proc/interrupts command and look for caam_jobr row entries values getting incremented on each run (if af_alg engine is used). If the values are incremented then CAAM is used.

Regards,

Rashmi.

0 项奖励
回复
4,452 次查看
rashmi
Contributor III

Hi Yuri,

Above issue is been resolved. We have setup the CAAM and tried the AF_ALG userspace interface to implement the same.But I am seeing the output as below with openssl command.

root@imx6qsabrelite:~# openssl speed -evp aes-128-cbc -engine af_alg -elapsed
engine "af_alg" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 2892 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 64 size blocks: 2840 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2816 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2668 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e 11 Feb 2013
built on: Fri Oct 18 22:13:21 IST 2013
options:bn(64,32) rc4(ptr,int) des(idx,risc1,2,long) aes(partial) idea(int) blowfish(idx)
compiler: arm-poky-linux-gnueabi-gcc  -march=armv7-a -mthumb-interwork -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9 --sysroot=/home/developer/Y
octo-1.5/build/tmp/sysroots/imx6qsabrelite -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN     -DTERMI
O  -O2 -pipe -g -feliminate-unused-debug-types -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes 1024 bytes   8192 bytes
aes-128-cbc 15.53k       60.59k 240.30k      910.68k     5545.98k


I would like to know does the command "openssl speed -evp aes-128-cbc -engine af_alg -elapsed" has used CAAM for encryption?

How do I make sure whether CAAM is implemented?


Thanks,

Rashmi.

0 项奖励
回复
4,452 次查看
rashmi
Contributor III

Dear Yuri,

I see the above output using openssl commands. But i'm not able to understand what does "Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s" means, I have tried searching for the information but I got no information. If you could brief me on this result explains would be of great help to me.

Thanks,

Rashmi.

0 项奖励
回复
4,452 次查看
Yuri
NXP Employee
NXP Employee

The phrase "Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s" means,

that "aes-128-cbc" algorithm was used with data blocks of 8K and the speed of this operation

is 2031 ops per 3 sec. That is : ~[700 (aes-128-cbc) ops] / sec, when using 8K data blocks.

0 项奖励
回复
4,452 次查看
Yuri
NXP Employee
NXP Employee

I think it makes sense check cpu usage using command "top"; if CAAM is working, cpu usage is ~several %. 

0 项奖励
回复
4,452 次查看
LaurenPost
NXP Employee
NXP Employee

We will provide CAAM support on mx6 through openssl in our 3.10.17-1.0.0 beta release coming out early next year.      We are using cryptodev through openssl to access the CAAM support.

4,452 次查看
XXiao1z
Contributor III

what does "3.10.17-1.0.0 beta release" mean? is this LTIB release number, Yocto release number, or OpenSSL release number, or android release number? I could not make sense out of any of these numbers.

thanks,

0 项奖励
回复