HABv4 CST size of encrypted data


valentinsitdiko
Contributor II

Hello, I am trying to sign and encrypt an i.MX6 Linux + initramfs image with cst. cst crashes during data encryption.

I also tried to play with the length of the encrypted data; it worked up to some kind of limit.

csf script which does not work:

# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    Engine = CAAM

[Install SRK]
    File = "./SRK_table.bin"
    Source index = 0

[Install CSFK]
    File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    Verification index = 0
    Target index = 2
    File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
    Verification index = 2
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"

[Authenticate Data]
    Verification index = 2
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"

[Authenticate Data]
    Verification index = 2
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"

[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "./security/dek.bin"
    Key Length = 256
    Blob address = 301989632

[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
             301990176 288 10854112 "zImage.initramfs.signed"

csf script which still works:

# The syntax for this file is documented in the HAB Code-Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    Engine = CAAM

[Install SRK]
    File = "./SRK_table.bin"
    Source index = 0

[Install CSFK]
    File = "./security/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    Verification index = 0
    Target index = 2
    File = "./security/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
    Verification index = 2
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"

[Authenticate Data]
    Verification index = 2
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"

[Authenticate Data]
    Verification index = 2
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"

[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "./security/dek.bin"
    Key Length = 256
    Blob address = 301989632

[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \
             301990176 288 8300000 "zImage.initramfs.signed"

cst version is:

~/work/mel11-imx6/workspace/build/tmp/work/nitrogen6x_mel-mel-linux-gnueabi/linux-mel/4.14.78-nitrogen6x-mel+gitAUTOINC+b87a171d5c-r0/recipe-sysroot-native/usr/bin/cst -v
Code Signing Tool release version 3.1.0

Could you please guide how to fix the issue?

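A small checker for the block layout in the CSF above, added here as an example and not part of the original post or of NXP's CST: it parses the Authenticate Data / Decrypt Data "Blocks" entries (assumed format: address, file offset, length, file), confirms that all blocks share one load base, reports gaps or overlaps between the signed and the encrypted regions, and totals the encrypted bytes, which is the quantity that differs between the failing and the working script.

```python
import re

# Blocks entries copied from the non-working CSF in the question above.
CSF_FAILING = """\
[Authenticate Data]
    Blocks = 312844288 10854400 0x20 "zImage.initramfs.signed"
[Authenticate Data]
    Blocks = 301990144 0x100 0x20 "zImage.initramfs.signed"
[Authenticate Data]
    Blocks = 0x12000000 0x0 0x40 "zImage.initramfs.signed"
[Decrypt Data]
    Blocks = 301989952 0x40 192 "zImage.initramfs.signed", \\
             301990176 288 10854112 "zImage.initramfs.signed"
"""

NUM = r"(0x[0-9a-fA-F]+|\d+)"                      # CST accepts hex or decimal
BLOCK_RE = re.compile(rf'{NUM}\s+{NUM}\s+{NUM}\s+"([^"]+)"')

def parse_blocks(csf_text):
    """Return {'auth': [...], 'dec': [...]} of (address, offset, length, file)."""
    text = csf_text.replace("\\\n", " ")            # join "\" continuation lines
    blocks, kind = {"auth": [], "dec": []}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):                       # new CSF command starts
            kind = {"[Authenticate Data]": "auth", "[Decrypt Data]": "dec"}.get(s)
        elif kind and s.startswith("Blocks"):
            for a, o, n, f in BLOCK_RE.findall(s):
                blocks[kind].append((int(a, 0), int(o, 0), int(n, 0), f))
    return blocks

def check_layout(blocks):
    """Return (total encrypted bytes, list of layout problems found)."""
    problems = []
    # Every block of one image must map offset -> address with a single load base.
    bases = {a - o for k in blocks for a, o, _, _ in blocks[k]}
    if len(bases) != 1:
        problems.append("inconsistent load base: %s" % sorted(map(hex, bases)))
    # Walk regions in file order: no overlap, and no bytes left neither signed nor decrypted.
    regions = sorted((o, o + n, k) for k in blocks for _, o, n, _ in blocks[k])
    for (_, e1, k1), (s2, _, k2) in zip(regions, regions[1:]):
        if s2 < e1:
            problems.append("overlap at 0x%x between %s and %s" % (s2, k1, k2))
        elif s2 > e1:
            problems.append("uncovered bytes 0x%x-0x%x" % (e1, s2))
    return sum(n for _, _, n, _ in blocks["dec"]), problems
```

Run against the working script from the question, the same functions give 8300192 encrypted bytes with the same contiguous layout, so the only difference between the two CSFs is the amount of data handed to the encryption step.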

Yuri
NXP Employee

Hello,

It is recommended to use DM-Crypt for the filesystem:

"AN12714 i.MX Encrypted Storage Using CAAM Secure Keys"

https://www.nxp.com/docs/en/application-note/AN12714.pdf 


Have a great day,
Yuri

dmitry_eremin-s
Contributor I

Hello Yuri.

Thank you for your comment regarding DM-Crypt. However, Valentin was asking about signing and encrypting the kernel and initramfs, rather than the rootfs. According to our tests, the Code Signing Tool starts crashing depending on the size of the zImage.

Regarding the application note you've linked: I have checked the source code. Two obvious problems at first glance. It seems the 5-year-old bug with DM-Crypt and CAAM is still not fixed. Instead, DM-crypt is changed to be broken for all other crypto drivers. Next, the 0001-full-disk-encryption-using-caam-secure-key.patch patch makes dm-crypt accept keys of different key types; however, later the code assumes that it can use user_key_payload for each and every key it got (which is far from true). It works for a demo, but I would not use this code in production software.

-- 

With best wishes

Dmitry

Yuri
NXP Employee

Hello, dmitry_eremin-solenikov@mentor.com 

Customers can apply to the Proservice to adapt DM-crypt for their requirements.

Regards,

Yuri.

Yuri
NXP Employee

Hello,

The following Community discussion may help:

https://community.nxp.com/message/1086197 

Regards,

Yuri.

valentinsitdiko
Contributor II

Hello Yuri,

Is ulimit -S -s the only solution, or is there a fixed version of CST?

Yuri
NXP Employee

Hello,

CST sources are provided in the package. Customers can recompile it as needed.

Regards,

Yuri.

valentinsitdiko
Contributor II

Hello Yuri,

Thanks a lot, you are right, but we have requirements from our customer:

1. The Linux image should be signed and encrypted.

2. The rootfs should be encrypted, and IMA/EVM should be used to check integrity.

To satisfy 2 we need to have a small initramfs which sets up DM-crypt/LUKS and IMA/EVM.

Moreover, it seems like the issue depends on the size of the encrypted data, and nobody says that the kernel image should be smaller than some limit.

Anyway, have you ever tried an encrypted rootfs with CAAM and CAAM's secure key? It would be nice if you could share your experience. From our current project it looks not as straightforward as expected.
