I want to implement an authentication protocol with the i.MX6 where the SoC is challenged and needs to respond with a piece of data that it alone knows. Ideally I would like to have the CAAM module fetch the secret piece of data, hash it with some input, and send the resulting value back out of the chip for use by high level software. To make the system secure, I don't want to store the secret in plain text in main memory, FLASH, or on a hard drive.
Does anyone know of a good way to do this and where the data can be kept?
I considered using the General Purpose Fuse Registers (GP1 & GP2), but these are easily readable through /sys/fsl_otp.
I considered the One Time Programmable Master Key (OTPMK), but this is burned by Freescale rather than being customizable by the end user.
Supposedly one can burn up to 4 keys for use with the High Assurance Boot process, but it's not clear to me whether those keys can be used outside of the boot process. If they can be used this might be the best way to go.
I thought about using a red blob to encrypt the private data so that it could be stored outside the chip, but from what I read on the message boards, people don't seem to have had much luck with writing firmware to do this (see post 352462).
I guess another way to phrase the question is: can an i.MX6 emulate an authenticator chip such as the Atmel ATSHA204, which has some secure memory and a SHA-256 engine? The issue for the design is not cost; the Atmel chips are cheap and I could use one, but I think it would be more secure to authenticate that the Freescale chip is on the PCB.
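The challenge-response exchange the question describes, as an added example that is not part of the original post and not Freescale or NXP code. It models both sides in Python: the host (verifier) issues a random challenge, the device (prover) returns HMAC-SHA256 over its secret and the challenge, and the host checks the result in constant time and rejects replays. The secret bytes, the device identifier and the in-memory table of outstanding challenges are constructed assumptions for the example. Note that this host-side model deliberately does not address the hard part of the question, keeping the secret out of readable memory on the device; it only shows what the protocol around that secret should look like.

```python
import hashlib
import hmac
import secrets

# Constructed 32-byte device secret for the example. In the design discussed on the page this
# value would never sit in plain memory; here it is a plain constant so the exchange can run.
DEVICE_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)
# Assumed identifier, mixed into the MAC so a response is bound to one specific board.
DEVICE_ID = b"board-0001"


def device_respond(secret: bytes, device_id: bytes, challenge: bytes) -> bytes:
    """Prover side: what the SoC would compute from its secret and the host's challenge.

    HMAC-SHA256 is the standard keyed-hash construction for this. A raw SHA-256 over
    secret||challenge is not a MAC and should not be used in its place.
    """
    return hmac.new(secret, device_id + challenge, hashlib.sha256).digest()


class Verifier:
    """Host side: issues fresh challenges and checks responses against the expected secret."""

    def __init__(self, expected_secret: bytes, device_id: bytes) -> None:
        self._secret = expected_secret
        self._device_id = device_id
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        # 32 random bytes from the OS CSPRNG; a predictable or fixed challenge would let an
        # attacker precompute or replay responses.
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Accept only a challenge we issued, and only once: a replayed (challenge, response)
        # pair fails even though the MAC value itself is still valid.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, self._device_id + challenge, hashlib.sha256).digest()
        # Constant-time comparison so a byte-by-byte timing leak cannot guide a forgery.
        return hmac.compare_digest(expected, response)


def authenticate(verifier: Verifier, device_secret: bytes):
    """One full exchange; returns (challenge, response, accepted)."""
    challenge = verifier.new_challenge()
    response = device_respond(device_secret, DEVICE_ID, challenge)
    return challenge, response, verifier.check(challenge, response)


if __name__ == "__main__":
    v = Verifier(DEVICE_SECRET, DEVICE_ID)
    c, r, ok = authenticate(v, DEVICE_SECRET)
    print("genuine device accepted:", ok)
    print("replay of the same response accepted:", v.check(c, r))
    _, _, ok_fake = authenticate(v, secrets.token_bytes(32))
    print("device with a different secret accepted:", ok_fake)
```

The verifier is the only party that needs to be trusted with the reference secret; on a real deployment it would hold a per-device key derived from a master, so that one compromised board does not reveal the key of another.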
Hello,
Sorry, but the information you are requesting is treated as confidential at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway; this needs to be handled as a Service Request (SR). Be aware that to give you remote support through an SR, we will still need confirmation from a Freescale employee that the NDA is in place. If you want to go this route, the next steps are: if you have already signed an NDA for this product, please contact the person who assisted you, or create an SR and name a Freescale person who can confirm this. If you have not signed an agreement, please contact your local Freescale Distributor Salesperson or FAE for assistance. For a listing of our distributors, refer to: http://www.freescale.com/webapp/sps/site/overview.jsp?code=DISTRIBUTORS
Have a great day,
Jaime
Thanks Jaime. I'll start the process of a service request with my local FAE and see where it leads.