Hi,
I am using a Nitrogen6X running kernel 3.10.17. I have got the secure memory module of CAAM working by applying the patches discussed in this previous thread: Re: i.MX6 CAAM : sm_test.c in 3.0.35 kernel broken
Note that with the current SM module, we can transform a black key (BK1) into a black blob which can be stored in non-volatile memory. Then, at SoC reboot for example, we can recover a black key from the black blob. The recovered black key (BK2) is different from the initial BK1 because black keys are session keys (SK) which are encrypted with the temporary session JDKEK or TDKEK key. In fact, the following relations are true:
1) BK1= encryption-with-JDKEK1(SK)
2) Transform BK1 into a black blob
3) Reboot the SoC
4) Decapsulate the black blob to get BK2= encryption-with-JDKEK2(SK)
Now, I would like to verify that the session key in BK2 is equal to the one encrypted in BK1. I have 2 choices:
1) Decrypt BK2 in order to get the SK value. However, I will have to recover JDKEK or TDKEK and I do not know where they are stored.
2) Encrypt a message M with SK before creating BK1 and the black blob. Then, encrypt the same message M with BK2 and compare the obtained ciphers. Normally, they must be equal.
However, I do not know how to encrypt messages using black keys and CAAM. Is there any example of encryption with black keys in CAAM?
Thanks for helping,
Best regards,
Aymen
Hi again,
I solved the problem by setting the ENC bit to 1 in the KEY Command in my job descriptor:
#define BLACK_KEY_ENC_FLAG 0x00400000
desc[1] = CMD_KEY | CLASS_1 | (keysz & KEY_LENGTH_MASK) | BLACK_KEY_ENC_FLAG;
Setting the ENC bit to 1 means setting bit number 22 in the CMD_KEY to 1. That explains the value of the BLACK_KEY_ENC_FLAG.
Now, I am able to encrypt data using black keys.
Regards,
Aymen
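The fix described in the post above, as an added example that is not part of the original thread or of NXP's code: it builds the KEY command word with the ENC bit and checks a word before a job is submitted, so a black key loaded without ENC is caught instead of silently producing wrong ciphertext. BLACK_KEY_ENC_FLAG is the value from the post; the other constants are assumed to match the Linux CAAM header drivers/crypto/caam/desc.h, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to match drivers/crypto/caam/desc.h; verify against your BSP. */
#define CMD_SHIFT          27
#define CMD_MASK           0xf8000000u
#define CMD_KEY            (0x00u << CMD_SHIFT)
#define CLASS_SHIFT        25
#define CLASS_MASK         (0x03u << CLASS_SHIFT)
#define CLASS_1            (0x01u << CLASS_SHIFT)
#define KEY_LENGTH_MASK    0x000003ffu
/* From the post: ENC is bit 22 of the KEY command. */
#define BLACK_KEY_ENC_FLAG 0x00400000u

enum key_check { KEY_OK = 0, KEY_NOT_KEY_CMD, KEY_BAD_LEN, KEY_ENC_MISMATCH };

/* Build the KEY command word (hypothetical helper).
 * Returns 0 when keysz does not fit the 10-bit length field. */
uint32_t build_key_cmd(uint32_t class_bits, uint32_t keysz, int is_black)
{
    if (keysz == 0 || keysz > KEY_LENGTH_MASK)
        return 0;
    uint32_t w = CMD_KEY | (class_bits & CLASS_MASK) | keysz;
    return is_black ? (w | BLACK_KEY_ENC_FLAG) : w;
}

/* Check a KEY command word against what the caller knows about the key. */
enum key_check check_key_cmd(uint32_t w, uint32_t expect_len, int key_is_black)
{
    if ((w & CMD_MASK) != CMD_KEY)
        return KEY_NOT_KEY_CMD;
    if ((w & KEY_LENGTH_MASK) != expect_len)
        return KEY_BAD_LEN;
    /* A black key needs ENC set; a plaintext key needs it clear. */
    if (!!(w & BLACK_KEY_ENC_FLAG) != !!key_is_black)
        return KEY_ENC_MISMATCH;
    return KEY_OK;
}

int main(void)
{
    uint32_t good = build_key_cmd(CLASS_1, 16, 1);   /* black 16-byte key */
    uint32_t bad  = build_key_cmd(CLASS_1, 16, 0);   /* ENC forgotten */
    printf("good=0x%08x check=%d\n", (unsigned)good, check_key_cmd(good, 16, 1));
    printf("bad =0x%08x check=%d\n", (unsigned)bad, check_key_cmd(bad, 16, 1));
    return 0;
}
```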
Hello, Aymen
Can you list your code? I want to know how to use the secure RAM, and I find that when the SoC reboots, I cannot read the key from the secure RAM slot.
Hello Jan Gang,
Sorry for the late answer.
Here is the document which summarizes what I did. I used the sm_encapsulate.c and sm_decapsulate.c provided as examples for secure memory usage. I have just modified them a little bit. That is it. The document where I describe what I did is provided by the following link.
I hope that it will help you.
Best regards,
Aymen