How to encrypt data in CAAM with black keys?

Aymen_IRT · ‎07-15-2015

Hi,

I am using a Nitrogen6X running kernel 3.10.17. I have made the secure memory module of CAAM working by applying the patches discussed in this previous thread: Re: i.MX6 CAAM : sm_test.c in 3.0.35 kernel broken

Note that with the current SM module, we can transform a black key (BK1) into a black blob which can be stored in non-volatile memory. Then, at SoC reboot for example, we can recover a black key from the black blob. The recovered black key (BK2) is different from the initial BK1 because black keys are session keys (SK) which are encrypted with the temporary session JDKEK or TDKEK key. In fact, the following relations are true:

1) BK1= encryption-with-JDKEK1(SK)

2) Transform BK1 into a black blob

3) Reboot the SoC

4) Decapsulate the black blob to get BK2= encryption-with-JDKEK2(SK)

Now, I would like to verify that the session key in BK2 is equal to the one encrypted in BK1. I have 2 choices:

1) Decrypt BK2 in order to get the SK value. However, I will have to recover JDKEK or TDKEK and I do not know where they are stored?

2) Encrypt a message M with SK before creating BK1 and the black blob. Then, encrypt the same message M with BK2 and compare the obtained ciphers. Normally, they must be equal.

However, I do not know how to encrypt messages using black keys and CAAM? Is there any example of encryption with black keys in CAAM?

Thanks for helping,

Best regards,

Aymen

Aymen_IRT · ‎07-16-2015

Hi again,

I solved the problem by setting the ENC bit to 1 in the KEY Command in my job descriptor:

#define BLACK_KEY_ENC_FLAG 0x00400000

desc[1] = CMD_KEY | CLASS_1 | (keysz & KEY_LENGTH_MASK) | BLACK_KEY_ENC_FLAG

Setting ENC bit to 1 means setting the bit number 22 in the CMD_KEY to 1. That explains the the value of the BLACK_KEY_ENC_FLAG.

Now, I am able to encrypt data using black keys.

Regards,

Aymen

元の投稿で解決策を見る

jason_rsmgnu · ‎06-22-2017

Hello,Aymen

Can you list your code? I want to know how to use the secure RAM, and I find when the Soc reboot ,I can not read the key from the secure RAM slot.

aymenboudguiga · ‎03-23-2018

Hello Jan Gang,

Sorry for the late answer.

Here is the document which summarizes what I did. I used the sm_encapsulate.c and sm_decapsulate.c provided as examples for secure memory usage. I have just modified them a little bit. That is it. The document where I describe what I did is provided by the following link.

caam_ss.pdf - Google Drive

I wish that it will help you.

Best regards,

Aymen

Aymen_IRT · ‎07-16-2015

Hi again,

I solved the problem by setting the ENC bit to 1 in the KEY Command in my job descriptor:

#define BLACK_KEY_ENC_FLAG 0x00400000

desc[1] = CMD_KEY | CLASS_1 | (keysz & KEY_LENGTH_MASK) | BLACK_KEY_ENC_FLAG

Setting ENC bit to 1 means setting the bit number 22 in the CMD_KEY to 1. That explains the the value of the BLACK_KEY_ENC_FLAG.

Now, I am able to encrypt data using black keys.

Regards,

Aymen