Hi,
How do I set up CAAM to en/decrypt data on an iMX6 SABRE board? Are there any sample applications available?
I have gone through the Security Reference Manual, which gives me low-level information, but it does not seem of much help to me.
Thanks
I'm using repo with fsl-community-bsp-platform. How can I find the specific BSP release (e.g. 3.10.9-1.0.0 alpha BSP)? Or am I missing something? All I saw is the 1.4 release and 1.5 release at GitHub, and I did not find any tag for the BSP you mentioned. Do you mean just the kernel release? I'm confused.
Thanks,
The 3.10.9 release is not issued yet.
You may look at the Platform SDK - it contains an example of blob usage.
"The i.MX6 Platform SDK is located on Freescale Web.
The code can be found at sdk/drivers/caam. Keep in mind that in order to generate a blob with the CAAM OTPMK a secure boot with HAB
in closed config [...], otherwise in open config the blob will be created using the known CAAM default master key.
The platform SDK code is useful for generating a blob for a single chip but is not useful in a production environment.
The platform SDK code:
1. Configures CAAM appropriately in order to generate a key blob
2. Writes a fixed data encryption key (DEK) to a CAAM memory partition - same partition used by HAB
3. Configures the CAAM memory partition as CAAM read only
4. Generates the blob with CAAM
5. Re-allocates the CAAM memory partition - erases original DEK
6. Decapsulates the blob to obtain the original DEK in CAAM read only memory partition
7. Performs a self test with the decapsulated DEK to ensure the DEK was properly restored"
Hi Yuri,
I tried building the SDK to test the CAAM module with the command ./tools/build_sdk with test=caam, but found no useful information in the "./output/mx6dq/sdk_unit_test/sabre_ai_rev_a" folder. Can you please suggest how to understand the output when testing the CAAM driver using the SDK?
Thanks,
Rashmi.
You wrote "found no useful information on "./output/mx6dq/sdk_unit_test/sabre_ai_rev_a" folder".
Do you mean that there are no .elf, .bin, .map files in the output directory?
Are there errors reported during the build process?
Hi Yuri,
No errors, I have got .elf, .bin and .map files in the output directory. But through these files, how can I ensure whether CAAM is tested on the board or not?
Thanks,
Rashmi
The Platform SDK (after cross-compiling) provides executable images (.elf, .bin), that should be run on a target board (say, on i.MX6 SDP).
Please run the .elf on the SDP, using a JTAG debugger.
Thanks for the reply Yuri.
Can you also brief me on how to execute those source .c files available in imx6_platform_SDk/sdk/drivers/caam? Can I use those C files to encrypt and decrypt my data?
Thanks ,
Rashmi
The source .c files may be used as an example. They need to be analyzed using the CAAM description in the Security Reference Manual for i.MX6.
You may download the security manual from our website (link below). You will need to log in in order to do this.
https://www.freescale.com/webapp/Download?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE=Reference%20Manuals&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation&Parent_nodeId=1337694700967726419044&Parent_pageType=product&Parent_nodeId=1337694700967726419044&Parent_pageType=product
Hi Yuri,
I am using the AF_ALG family as the userspace interface to the kernel crypto API. But when I try to test it using the command "openssl speed -evp aes-256 -cbc -engine af_alg -elapsed" I get the error as:
root@imx6qsabrelite:~# openssl speed -e aes-256-cbc -engine af_alg -elapsed
Error configuring OpenSSL
716629200:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:
716629200:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=openssl_engines, retcode=-1
root@imx6qsabrelite:~#
Please, can you suggest how to fix this error?
Thanks,
Rashmi.
Hi Rashmi,
I have the exact same error. I downloaded the af_alg code that was attached in this community website by Dipen Patel. I compiled it on my iMX6. But when I tested with the above openssl command, I get the exact same error. Could you please tell me your fix so that it can help all of us?
Thanks a ton in advance!
Tera
Hi Tera,
Link to configure AF_ALG in openssl:
http://src.carnivore.it/users/common/af_alg/about/
Regards,
Rashmi
Hi Rashmi,
Hello All,
Thank you for the link. I followed it. The only difference is when I replace the original openssl.cnf with the one of the af_alg as mentioned in the link above, I get the error that Rashmi had:
Error configuring OpenSSL
716629200:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:
716629200:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=openssl_engines, retcode=-1
But when I retained the original openssl.cnf, having already changed the kernel config with all the flags mentioned, and after copying libaf_alg.so into the correct openssl engine directory, I see that the engine af_alg gets set. I did a quick speed test but surprisingly saw that the speed was the same as before (without af_alg). So now I am puzzled whether my CAAM is being used at all by the af_alg :(
Can anyone throw some light? How can I check if my CAAM is being called by the af_alg? I had set "caam" in my bootargs. I also see it if I type /proc/crypto:
name         : sha1
driver       : sha1-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 20

name         : ecb(aes)
driver       : ecb-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv

name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv

Speed test:
openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 3004381 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 849813 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 220358 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 55605 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 6969 aes-128-cbc's in 3.00s
OpenSSL 1.0.0e 6 Sep 2011
built on: Tue Feb 19 00:08:00 UTC 2013
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 16023.37k 18129.34k 18803.88k 18979.84k 19030.02k
With af_alg:
openssl speed -evp aes-128-cbc -e
engine "af_alg" set.
Doing aes-128-cbc for 3s on 16 size blocks: 2998763 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 849813 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 220357 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 55605 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 6970 aes-128-cbc's in 3.00s
OpenSSL 1.0.0e 6 Sep 2011
built on: Tue Feb 19 00:08:00 UTC 2013
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 15993.40k 18129.34k 18803.80k 18979.84k 19032.75k
Thanks in advance.
Tera
Hi Tera,
You can use the cat /proc/interrupts command and look for the caam_jobr row entry values getting incremented on each run (if the af_alg engine is used). If the values are incremented, then CAAM is used.
Regards,
Rashmi.
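
The check described in the reply above can be scripted. This is an added example, not part of the original thread: it sums the per-CPU counters on the caam_jobr rows of /proc/interrupts before and after a command and prints the difference. The INTERRUPTS override and the two sample snapshots are assumptions constructed for illustration, not captured from a board.

```shell
#!/bin/sh
# INTERRUPTS is a hypothetical override so the logic can be tried off-target.
INTERRUPTS="${INTERRUPTS:-/proc/interrupts}"

# Sum the per-CPU counters of every caam_jobr row in a snapshot file.
# The header row (CPU0 CPU1 ...) gives the number of counter columns.
caam_irq_total() {
    awk 'NR == 1 { ncpu = NF; next }
         /caam_jobr/ { for (i = 2; i <= ncpu + 1; i++) sum += $i }
         END { print sum + 0 }' "$1"
}

# Run a command and print how many CAAM job-ring interrupts fired meanwhile.
# Any other kernel user of CAAM active during the run is counted as well.
caam_irq_during() {
    before=$(caam_irq_total "$INTERRUPTS")
    "$@" >/dev/null 2>&1
    after=$(caam_irq_total "$INTERRUPTS")
    echo $((after - before))
}

# Constructed snapshots (4 cores, two job rings) for trying the parser offline.
sample_before() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
 87:       1520          0          0          0       GIC  i2c
137:        410          0          0          0       GIC  caam_jobr
138:         12          0          0          0       GIC  caam_jobr
EOF
}
sample_after() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
 87:       1533          0          0          0       GIC  i2c
137:       4472          0          0          0       GIC  caam_jobr
138:       2043          0          0          0       GIC  caam_jobr
EOF
}

# On the target: sh caam_irq.sh openssl speed -evp aes-128-cbc -engine af_alg -elapsed
if [ "$#" -gt 0 ]; then
    echo "caam_jobr interrupts during run: $(caam_irq_during "$@")"
fi
```

A result of 0 means no job-ring interrupt fired during the run, so the work was done in software; a count that grows with the number of operations means the requests reached CAAM.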
Hi Yuri,
The above issue has been resolved. We have set up the CAAM and tried the AF_ALG userspace interface to implement the same. But I am seeing the output below with the openssl command.
root@imx6qsabrelite:~# openssl speed -evp aes-128-cbc -engine af_alg -elapsed
engine "af_alg" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 2892 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 64 size blocks: 2840 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2816 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2668 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e 11 Feb 2013
built on: Fri Oct 18 22:13:21 IST 2013
options:bn(64,32) rc4(ptr,int) des(idx,risc1,2,long) aes(partial) idea(int) blowfish(idx)
compiler: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9 --sysroot=/home/developer/Yocto-1.5/build/tmp/sysroots/imx6qsabrelite -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 15.53k 60.59k 240.30k 910.68k 5545.98k
I would like to know whether the command "openssl speed -evp aes-128-cbc -engine af_alg -elapsed" has used CAAM for encryption.
How do I make sure whether CAAM is implemented?
Thanks,
Rashmi.
Dear Yuri,
I see the above output using openssl commands. But I'm not able to understand what "Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s" means. I have tried searching for the information but I got no information. If you could brief me on what this result explains, it would be of great help to me.
Thanks,
Rashmi.
The phrase "Doing aes-128-cbc for 3s on 8192 size blocks: 2031 aes-128-cbc's in 3.00s" means,
that "aes-128-cbc" algorithm was used with data blocks of 8K and the speed of this operation
is 2031 ops per 3 sec. That is : ~[700 (aes-128-cbc) ops] / sec, when using 8K data blocks.
I think it makes sense to check CPU usage using the command "top"; if CAAM is working, CPU usage is ~several %.
We will provide CAAM support on mx6 through openssl in our 3.10.17-1.0.0 beta release coming out early next year. We are using cryptodev through openssl to access the CAAM support.
What does "3.10.17-1.0.0 beta release" mean? Is this the LTIB release number, Yocto release number, OpenSSL release number, or Android release number? I could not make sense out of any of these numbers.
Thanks,