Example code on blob generation and usage on i.MX6UL platform

NXP Employee

Attached is example code on blob generation and usage on the i.MX6UL platform.
It shows how to generate a blob in secure memory, store the blob in non-volatile memory, restore the key from the blob and use it in a cryptographic algorithm. The code is based on the fsl-arm-yocto-bsp-imx-4.1.15-1.0.0_ga release.

Original Attachment has been moved to: test_caam_keyblob.zip

7 Replies

Contributor IV

Hi,

If someone is still looking for sample code to encode/decode keys using CAAM (with the Master key), just try the attached (modified) code.

This module doesn't stay in RAM, by causing an error (ENOMEM) intentionally.

Module parameter encrypt=1 means: get data from dek.txt, encrypt it and save it to blob.bin

Module parameter encrypt=0 means: get data from blob.bin, decrypt it and show it as text.

It uses 32 bytes for a key.

#insmod alg_test.ko encrypt=1
[ 7368.080346] Read password file: /data2/dek.txt
[ 7368.081182] Security module: sec-v4.0 OK
[ 7368.081697] Encrypt & write password
[ 7368.082386] Causing error to remove module
insmod: failed to load alg_test.ko: Out of memory <== It's OK


1|root@tsr2_bl12080:/data2 # insmod alg_test.ko encrypt=0
[ 7370.370662] Read encrypted password file: /data2/blob.bin
[ 7370.371568] Security module: sec-v4.0 OK
[ 7370.372083] Decrypt password
[ 7370.372579] To jest tekst do zaszyfrowania p <== decrypted content of blob.bin
[ 7370.373490] Causing error to remove module
insmod: failed to load alg_test.ko: Out of memory

0 Kudos

Contributor I

I tested the first example code; the recovered key that is used in the encryption example is empty: key:00000000000000000000000000000000

My iMX6 device is open; is it different on a closed device?

0 Kudos

NXP Employee

Eric had modified the example code to show how to generate a blob for a user space dek. The use case is:

  1. The alg_test.c is compiled to the kernel module alg_test.ko.
  2. Assume that the dek is generated in a user space application and stored to rootfs; in the example, it is a 128-bit key stored to dek.bin in rootfs/home/root.
  3. insmod alg_test.ko: it reads dek.bin from rootfs/home/root, generates the dek blob, and stores the blob to rootfs/home/root/blob. The blob is encrypted with the device-specific OTPMK.
  4. rmmod alg_test.ko
  5. From user space, dek.bin can be removed for safety.
  6. The next time the dek is needed, it can be recovered from rootfs/home/root/blob. The recovery code is not included in the attached example; the customer can implement it in a similar way according to the example code in test_caam_keyblob.zip.

0 Kudos
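A check that could sit between steps 4 and 5 of the post above, so that dek.bin is only deleted once the blob file looks sane. This is an added example, not part of the thread or of the attached module; the function names are hypothetical, and it assumes the module writes only the blob to the file and that a CAAM blob is the payload plus 48 bytes (32-byte encrypted blob key and 16-byte MAC), which the thread does not state.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a key blob file before
# the plaintext DEK is removed. Function names are hypothetical.
# Assumption: blob size = payload + 48 bytes (32-byte blob key + 16-byte MAC).
BLOB_OVERHEAD=48

file_size() { wc -c < "$1" | tr -d ' '; }

# check_blob DEK BLOB
# Returns 0 if BLOB plausibly wraps DEK, otherwise:
#   2 = DEK missing/empty, 3 = blob missing/empty,
#   4 = unexpected blob length, 5 = plaintext DEK bytes present in blob.
check_blob() {
    dek=$1; blob=$2
    [ -s "$dek" ]  || { echo "missing or empty DEK: $dek" >&2; return 2; }
    [ -s "$blob" ] || { echo "missing or empty blob: $blob" >&2; return 3; }
    want=$(( $(file_size "$dek") + $BLOB_OVERHEAD ))
    got=$(file_size "$blob")
    [ "$got" -eq "$want" ] || { echo "blob is $got bytes, expected $want" >&2; return 4; }
    # A correctly generated blob must not contain the key in the clear.
    dek_hex=$(od -An -v -tx1 "$dek" | tr -d ' \n')
    blob_hex=$(od -An -v -tx1 "$blob" | tr -d ' \n')
    case $blob_hex in
        *"$dek_hex"*) echo "plaintext DEK found inside blob" >&2; return 5 ;;
    esac
    return 0
}

# retire_dek DEK BLOB
# Deletes DEK only when check_blob passes; otherwise leaves it in place
# and returns check_blob's status.
retire_dek() {
    check_blob "$1" "$2" || return $?
    rm -f -- "$1" && sync
}

# Typical use on the target, with the paths from the post:
#   retire_dek /home/root/dek.bin /home/root/blob
```

On a flash-backed rootfs, deleting dek.bin does not guarantee that the blocks that held it are erased.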

Contributor II

Hello, Xiaodong,

Can you give me an example of how I can recover the dek from the /home/root/blob file?

I cannot recover the key using these functions when I reboot the SoC:

sm_keystore_slot_export()

sm_keystore_slot_import()

sm_keystore_slot_read()

0 Kudos

NXP Employee

drivers\crypto\caam\sm_test.c in the BSP release only includes blob export and import.

The example code includes blob export and import, storing the blob to rootfs, restoring the key from the blob and using it in a cryptographic algorithm.

It also shows how to call the CAAM AES algorithm in the Linux kernel.

0 Kudos

NXP Employee

Thanks a lot for your explanation.

0 Kudos

NXP Employee

What is the difference against the sm_test in drivers\crypto\caam\sm_test.c from the BSP release?

0 Kudos