How to encrypt data in CAAM with black keys?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to encrypt data in CAAM with black keys?

Jump to solution
2,585 Views
Aymen_IRT
Contributor III

Hi,

I am using a Nitrogen6X running kernel 3.10.17. I have made the secure memory module of CAAM working by applying the patches discussed in this previous thread: Re: i.MX6 CAAM : sm_test.c in 3.0.35 kernel broken

Note that with the current SM module, we can transform a black key (BK1) into a black blob which can be stored in non-volatile memory. Then, at SoC reboot for example, we can recover a black key from the black blob. The recovered black key (BK2) is different from the initial BK1 because black keys are session keys (SK) which are encrypted with the temporary session JDKEK or TDKEK key. In fact, the following relations are true:

1)  BK1= encryption-with-JDKEK1(SK)

2) Transform BK1 into a black blob

3) Reboot the SoC

4) Decapsulate the black blob to get BK2= encryption-with-JDKEK2(SK)

Now, I would like to verify that the session key in BK2 is equal to the one encrypted in BK1. I have 2 choices:

1) Decrypt BK2 in order to get the SK value. However, I will have to recover JDKEK or TDKEK and I do not know where they are stored?

2) Encrypt a message M with SK before creating BK1 and the black blob. Then, encrypt the same message M with BK2 and compare the obtained ciphers. Normally, they must be equal.

However, I do not know how to encrypt messages using black keys and CAAM? Is there any example of encryption with black keys in CAAM?

Thanks for helping,

Best regards,

Aymen

1 Solution
1,729 Views
Aymen_IRT
Contributor III

Hi again,

I solved the problem by setting the ENC bit to 1 in the KEY Command in my job descriptor:

#define BLACK_KEY_ENC_FLAG 0x00400000

desc[1] = CMD_KEY | CLASS_1 | (keysz & KEY_LENGTH_MASK) | BLACK_KEY_ENC_FLAG

Setting ENC bit to 1 means setting the bit number 22 in the CMD_KEY to 1. That explains the the value of the BLACK_KEY_ENC_FLAG.

Now, I am able to encrypt data using black keys.

Regards,

Aymen

View solution in original post

0 Kudos
3 Replies
1,729 Views
jason_rsmgnu
Contributor II

Hello,Aymen

Can you list your code?  I want to know how to use the secure RAM,  and I find when the Soc reboot ,I  can not read  the key from the secure RAM  slot.

1,729 Views
aymenboudguiga
Contributor I

Hello Jan Gang,

Sorry for the late answer.

Here is the document which summarizes what I did. I used the sm_encapsulate.c and sm_decapsulate.c provided as examples for secure memory usage. I have just modified them a little bit. That is it. The document where I describe what I did is provided by the following link.

caam_ss.pdf - Google Drive 

I wish that it will help you.

Best regards,

Aymen

1,730 Views
Aymen_IRT
Contributor III

Hi again,

I solved the problem by setting the ENC bit to 1 in the KEY Command in my job descriptor:

#define BLACK_KEY_ENC_FLAG 0x00400000

desc[1] = CMD_KEY | CLASS_1 | (keysz & KEY_LENGTH_MASK) | BLACK_KEY_ENC_FLAG

Setting ENC bit to 1 means setting the bit number 22 in the CMD_KEY to 1. That explains the the value of the BLACK_KEY_ENC_FLAG.

Now, I am able to encrypt data using black keys.

Regards,

Aymen

0 Kudos