- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: HABv4 CST size of encripted data
HABv4 CST size of encripted data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HABv4 CST size of encripted data
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am trying to sign and encrypt imx6`s linux + initramfs image by cst. cst crashes during data encryption.
I also tried to play with len of encrypted data, it worked till some kind of limit:
cfs script which does not work:
# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM[Install SRK]
File = "./SRK_table.bin"
Source index = 0[Install CSFK]
File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate Data]
Verification index = 2
Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"[Authenticate Data]
Verification index = 2
Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"[Authenticate Data]
Verification index = 2
Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"[Install Secret Key]
Verification index = 0
Target index = 0
Key = "./security/dek.bin"
Key Length = 256
Blob address = 301989632[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
301990176 288 10854112 "zImage.initramfs.signed"
csf script which still works:
# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM[Install SRK]
File = "./SRK_table.bin"
Source index = 0[Install CSFK]
File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate Data]
Verification index = 2
Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"[Authenticate Data]
Verification index = 2
Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"[Authenticate Data]
Verification index = 2
Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"[Install Secret Key]
Verification index = 0
Target index = 0
Key = "./security/dek.bin"
Key Length = 256
Blob address = 301989632[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
301990176 288 8300000 "zImage.initramfs.signed"
cst version is :
~/work/mel11-imx6/workspace/build/tmp/work/nitrogen6x_mel-mel-linux-gnueabi/linux-mel/4.14.78-nitrogen6x-mel+gitAUTOINC+b87a171d5c-r0/recipe-sysroot-native/usr/bin/cst -v
Code Signing Tool release version 3.1.0
Could you please guide how to fix the issue?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
It is recommended to use DM-Crypt for filesystem:
"AN12714 i.MX Encrypted Storage Using CAAM Secure Keys"
https://www.nxp.com/docs/en/application-note/AN12714.pdf
Have a great day,
Yuri
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yuri.
Thank you for your comment regarding DM-Crypt. However Valentin was asking about signing and encrypting the kernel and initramfs, rather than rootfs. According to our tests, Code Signing Tool starts crashing depending on the size of zImage.
Regarding an application note you've linked. I have checked the source code. Two obvious problems from the first glance. It seems the 5 year old bug with DM-Crypt and CAAM still is not fixed. Instead DM-crypt is changed to be broken for all other crypto drivers. Next, the 0001-full-disk-encryption-using-caam-secure-key.patch patch makes dm-crypt accept keys with different key types, however later the code assumes that it can use user_key_payload for each and every key it got (which is far from being true). It works for a demo, but I would not use this code in the production software.
--
With best wishes
Dmtiry
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, dmitry_eremin-solenikov@mentor.com
Customers can apply to the Proservice to adapt DM-crypt for their requirements.
Regards,
Yuri.
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
the following Community discussion may help:
https://community.nxp.com/message/1086197
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yuri,
is ulimit -S -s the only solution or there is fixed version of CST?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
CST sources are provided in the package. Customers can recompile it as needed.
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yuri,
Thanks a lot, you are right but we have requirements from our customer:
1 Linux image should be signed and encrypted.
2 Rootfs should be encrypted and IMA/EVM should be used to check integrity
To satisfy 2 we need have small initramfs which setups DM-crypt/Luks and IMA/EVM.
More over it seems like issue depending on size of encrypted data. So nobody say that kernel image should be less than some limit.
Anyway have you ever tried encrypted rootfs with CAAM and CAAM`s secure key ? It would be nice if you can share your experience. From our current project it looks like not such straight forward as expected.
