The I.MX6 is described as offering cryptographic acceleration in the CAAM. However, as far as I can see, there is no documentation available to support this. Does anybody know what the capabilities are, and how we can access them?
Cheers
Hi John,
As Yuri has mentioned above the i.MX 6 Security reference manual contains all the information on CAAM and its capabilities. This is a moderated document but should not require an NDA. Please contact your local Freescale FAE to obtain access to this document.
At a high level the CAAM is a DMA master supporting the following capabilities:
* Secure memory feature with HW enforced access control
* Cryptographic authentication
  * Hashing algorithms
    * MD5
    * SHA-1
    * SHA-224
    * SHA-256
  * Message authentication codes (MAC)
    * HMAC-all hashing algorithms
    * AES-CMAC
    * AES-XCBC-MAC
  * Auto padding
  * ICV checking
* Authenticated encryption algorithms
  * AES-CCM (counter with CBC-MAC)
* Symmetric key block ciphers
  * AES (128-bit, 192-bit or 256-bit keys)
  * DES (64-bit keys, including key parity)
  * 3DES (128-bit or 192-bit keys, including key parity)
* Cipher modes
  * ECB, CBC, CFB, OFB for all block ciphers
  * CTR for AES
* Symmetric key stream ciphers
  * ArcFour (alleged RC4 with 40 - 128 bit keys)
* Random-number generation
  * Entropy is generated via an independent free running ring oscillator
  * Oscillator is off when not generating entropy; for lower-power consumption
  * NIST-compliant, pseudo random-number generator seeded using hardware generated entropy
The Freescale Linux BSP contains a CAAM driver to make use of the above features. The use of CAAM is via the Linux CryptoAPI. The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.
Regards,
-Rod
Should there be aes-ccm support in the caam driver? At least for the public linux-imx git repos and mainline linux kernel I can see support for most algorithms but no ccm(aes) support. For example the nx driver registers support for ccm(aes) but the caam does not.
Support for CCM and other capabilities will be added in future releases of the CAAM driver.
-Rod
When I include the 'caam' argument in the bootargs I see that the caam driver gets registered with the kernel on startup. But I'm still unable to use it with 'openssl speed -engine cryptodev'. Also the 'openssl engine' shows no caam/cryptodev engine installed. I'm using L3.0.35_1.1.0 version. Any idea?
Thanks,
-Ben
As for current BSP CAAM support:
The driver is integrated to the standard Linux cryptographic services interface
known as the Linux Crypto API (or Linux Scatterlist API). All current features
of CAAM, that the driver supports, are via the Linux Crypto API.
Basically, OpenSSL is able to use crypto hardware through the NetKey API,
which in turn can use the Linux scatterlist crypto API. As for the cryptodev, /dev/crypto
today does not use hardware features of the CAAM, it is just a software implementation.
Yura,
are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?
And for openssl to take advantage of CAAM, do I need to rebuild it? I'm using rootfs from Freescale i.MX6 BSP L3.0.35_1.1.0. Any idea how to configure openssl for it?
Thanks,
-Ben
> ... are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?
Yes, assuming the kernel is configured properly.
    Network support --->
        Network option --->
            <*> PF_KEY sockets
            <*> IP: AH transformation
            <*> IP: ESP transformation
            <*> IP: IPComp transformation
            <*> IP: IPsec transport mode
            <*> IP: IPsec tunnel mode
> And for openssl to take advantage of CAAM do I need to rebuild it?
> Any idea how to configure openssl for it?
While not officially supported in the BSP, there are userspace interface implementations
that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the
CAAM h/w via its respective driver. While the kernel officially supports the AF_ALG socket
interface, various third-party cryptodev implementations are also available.
Here are some links to a couple of starting points:
http://carnivore.it/2011/04/23/openssl_-_af_alg
http://home.gna.org/cryptodev-linux/
http://ocf-linux.sourceforge.net/
What do you mean by bootargs? Where do you put caam?
my kernel command line, populated via uboot bootargs:
console=ttymxc0,115200 video=mxcfb1:dev=ldb,LDB-XGA,if=RGB666 ldb=dul1 root=/dev/mmcblk1p1 rootwait rw caam
I had no idea this was possible, thanks for the tip!!
Linux kernel contains various users of the Scatterlist CryptoAPI, including its IPSec implementation, sometimes referred to as the NETKEY stack.
Where can I find the latest CAAM patches that address the issue reported by the callstack above?
Looks like IPSEC with i.MX6 CAAM was not tested yet. IPSEC + CAAM is working for QorIQ.
not tested?! It was included in the Linux kernel BSP, so better be tested. How do you guys expect to sell this to customers? Is there some other protocol besides IPSec that it was perhaps tested with?
OK, let's create a special SR to check it more carefully.
Yuri, can you advise us when we should expect Freescale to resolve the issue with the CAAM driver for i.MX6 Linux BSP?
Thanks
So there is a problem with the driver? I've created a SR too but I have not had an answer yet.
I've tried the af_alg way but without success.
> I've created a SR ...
What is the SR number?
SR# 1-1025928941
I have an answer now, thanks.
While not officially supported in the SDK, there are userspace interface implementations,
that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the CAAM
h/w via its respective driver. As known, the AF_ALG family provides the user-space interface
for the kernel crypto API. While a kernel (2.6.38 and later) supports the AF_ALG socket interface,
various third-party cryptodev implementations are also available.
Here are some links to a couple of starting points:
http://carnivore.it/2011/04/23/openssl_-_af_alg
http://home.gna.org/cryptodev-linux/
http://ocf-linux.sourceforge.net/
The enclosed is implementation from Dipen Patel.
https://community.freescale.com/message/342822#342822
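An added example, not code from this thread or from the Freescale BSP: a check of which implementation the kernel Crypto API would hand to an AF_ALG or IPsec caller. It parses /proc/crypto and picks the highest-priority driver for an algorithm name, which is how the kernel chooses between several registrations of the same algorithm. The sample text is constructed and trimmed to three fields, the driver names in it are illustrative, and kernel_hash assumes a kernel built with AF_ALG hash support.

```python
import socket

# Constructed sample in /proc/crypto layout (not captured from a real board).
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-caam
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100

name         : ccm(aes)
driver       : ccm_base(ctr(aes-generic),aes-generic)
priority     : 100
"""


def parse_proc_crypto(text):
    """Return one dict per registered implementation (blank-line separated)."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            entries.append(fields)
    return entries


def selected_driver(entries, alg):
    """Driver with the highest priority for alg, or None if none is registered."""
    candidates = [e for e in entries if e["name"] == alg]
    if not candidates:
        return None
    return max(candidates, key=lambda e: int(e.get("priority", 0)))["driver"]


def kernel_hash(alg, data):
    """Hash data through AF_ALG; the kernel's selected driver does the work."""
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
        tfm.bind(("hash", alg))
        op, _ = tfm.accept()
        with op:
            op.sendall(data)
            return op.recv(64)
```

On a target, pass the contents of /proc/crypto to parse_proc_crypto; an algorithm whose selected driver is a software one (as with ccm(aes) in the sample) is not being offloaded, whatever the boot arguments say.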