Example code on blob generation and usage on i.MX6UL platform

hongdong_chu
NXP Employee

Attached is example code on blob generation and usage on the i.MX6UL platform.
It shows how to generate a blob in secure memory, store the blob in non-volatile memory, restore the key from the blob and use it in a cryptographic algorithm. The code is based on the fsl-arm-yocto-bsp-imx-4.1.15-1.0.0_ga release.

Original Attachment has been moved to: test_caam_keyblob.zip

7 Replies

tadeuszgozdek
Contributor IV

Hi,

If someone is still looking for sample code to encode/decode keys using CAAM (with the master key), just try the attached (modified) code.

This module doesn't stay in RAM, because it causes an error (ENOMEM) intentionally.

Module parameter encrypt=1 means: get data from dek.txt, encrypt it and save it to blob.bin.

Module parameter encrypt=0 means: get data from blob.bin, decrypt it and show it as text.

It uses 32 bytes for a key.

#insmod alg_test.ko encrypt=1
[ 7368.080346] Read password file: /data2/dek.txt
[ 7368.081182] Security module: sec-v4.0 OK
[ 7368.081697] Encrypt & write password
[ 7368.082386] Causing error to remove module
insmod: failed to load alg_test.ko: Out of memory <== It's OK


1|root@tsr2_bl12080:/data2 # insmod alg_test.ko encrypt=0
[ 7370.370662] Read encrypted password file: /data2/blob.bin
[ 7370.371568] Security module: sec-v4.0 OK
[ 7370.372083] Decrypt password
[ 7370.372579] To jest tekst do zaszyfrowania p <== decrypted content of blob.bin
[ 7370.373490] Causing error to remove module
insmod: failed to load alg_test.ko: Out of memory

0 Kudos

ayoubzaki
Contributor I

I tested the first example code; the recovered key that is used in the encryption example is empty: key:00000000000000000000000000000000

My iMX6 device is open. Is it different on a closed device?

0 Kudos

xiaodong_zhang
NXP Employee

Eric modified the example code to show how to generate a blob for a user-space dek. The use case is:

  1. alg_test.c is compiled to the kernel module alg_test.ko.
  2. Assume that the dek is generated in a user-space application and stored to the rootfs. In the example, it is a 128-bit key stored to dek.bin in rootfs/home/root.
  3. insmod alg_test.ko: it reads dek.bin from rootfs/home/root, generates the dek blob, and stores the blob to rootfs/home/root/blob. The blob is encrypted with the device-specific OTPMK.
  4. rmmod alg_test.ko
  5. From user space, dek.bin can be removed for safety.
  6. The next time the dek is needed, it can be recovered from rootfs/home/root/blob. The recovery code is not included in the attached example; the customer can implement it in a similar way, following the example code in test_caam_keyblob.zip.

0 Kudos

jason_rsmgnu
Contributor II

Hello, Xiaodong,

Can you give me an example of how I can recover the dek from the /home/root/blob file?

I cannot recover the key using these functions when I reboot the SoC:

sm_keystore_slot_export()

sm_keystore_slot_import()

sm_keystore_slot_read()

0 Kudos

hongdong_chu
NXP Employee

drivers\crypto\caam\sm_test.c in BSP release only includes blob export and import.

Example code includes blob export and import, store blob to rootfs, restore key from blob and use in cryptographic algorithm.

It also shows how to call the CAAM AES algorithm in the Linux kernel.

0 Kudos

BiyongSUN
NXP Employee

Thanks a lot for your explanation.

0 Kudos

BiyongSUN
NXP Employee

What is the difference against the sm_test in drivers\crypto\caam\sm_test.c in the BSP release?

0 Kudos