I'm trying to follow AN12714.
I have built a firmware image for my DART-MX8M-MINI.
Alas, I get the following:
keyctl add caam_tk seckey "new ecb 16" @s
add_key: No such device
I've used these configuration options:
# Enable DM-Crypt and its dependencies
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
# Enable CAAM black key/blob driver and its dependencies
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_UTIL_BLACK_KEY=y
CONFIG_CRYPTO_DEV_FSL_CAAM_UTIL_BLOB=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_KEY_BLOB=y
CONFIG_CAAM_KEYS=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_ARM64_CRYPTO=y
CONFIG_CRYPTO_SHA512_ARM64=m
CONFIG_CRYPTO_SHA1_ARM64_CE=y
What causes me to get this error and what should I do to make this work?
Some more progress:
I used origin/5.15-2.0.x-imx_var01 kernel and I now have in my config:
This gives me the caam-keygen device. And this gives me:
./caam-keygen create randomkeyfordiskenc ecb -s 16
root@imx8mm-var-dart:~# ls -l /data/caam
total 8
-rw-r--r-- 1 root root 36 Sep 12 13:33 randomkeyfordiskenc
-rw-r--r-- 1 root root 96 Sep 12 13:33 randomkeyfordiskenc.bb
So, that seems to work. But... I have no crypt module for the dm.
root@imx8mm-var-dart:~# dmsetup targets
[ 328.304579] device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
striped v1.6.0
linear v1.4.0
error v1.5.0
With the above config I would expect it to be here just as the application note AN12714 states in step 2 of the usage.
Hopefully you can guide me to the complete solution as I am almost there.
Any help appreciated.
(P.S. Should I create a new thread for this? The original problem is solved. This is just the next one.)
Hello,
The kernel configurations match the AN, so this should be ok. You can also add CONFIG_DM_MULTIPATH=y to make sure.
You can also have a look at AN12714 from the NXP website, which uses caam-keygen.
If you would like to use keyctl specifically, there is an example in i.MX Linux User's Guide, section 10.5 Disk encryption acceleration. Section 10.5.3.1 example uses keyctl.
Best wishes
What I really want is to be able to follow the application note AN12714. It seems out of date. There are multiple steps that require codeaurora, which is down. And even when using the mentioned Ubuntu, the repo tool is not version locked and is now different, causing it to no longer work.
So I cannot follow the steps at all. I made a journey on my own. I used the kernel from here https://github.com/varigit/linux-imx
Tag I used is origin/imx_5.4.47_2.2.0_var01. Then I applied the patch I found in https://github.com/nxp-imx-support/imx_sec_apps/blob/master/demo-caam-blobs/kernel/0001-support-for-...
And I get to generate a key. So far this is nice and all. But this implies I'm stuck with this kernel version forever (or until another patch is made).
Isn't there a more generic way to enable support for this?
I'm currently looking at the kernel 5.15-2.0.x-imx_var01.
What must be done to get the same behavior but without the patch using this kernel?
Thanks for all the help so far.
Thanks. That actually makes the crypt appear.
How could I get that loaded by default?
I was under the impression that this would:
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_DM_CRYPT=y
CONFIG_TRUSTED_KEYS=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
But still, only using your commands the crypt appears.
Thanks.
The strange thing is that when I don't load them manually but execute the command to create the encrypted device, it gets loaded automatically at that moment.
So, I guess it is all good.
Kind regards,
Erno
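An added example, not part of the thread or of NXP's tooling: a shell check that combines a kernel .config with captured `dmsetup targets` output to say why the crypt target is or is not listed. The .config fragment is a constructed sample (not the poster's build), the target list is the one quoted in the thread, and the function names and verdict strings are made up for this illustration.

```shell
#!/bin/sh
# Added example: explain why the dm-crypt target is or is not listed, from a
# kernel .config and captured `dmsetup targets` output.

# opt_state CONFIG_FILE OPTION -> prints y, m or missing
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-missing}"
}

# has_target TARGETS_FILE NAME -> exit status 0 if NAME is a listed target
has_target() {
    awk -v t="$2" '$1 == t { found = 1 } END { exit !found }' "$1"
}

# diagnose_crypt CONFIG_FILE TARGETS_FILE -> prints a one-word verdict
diagnose_crypt() {
    if has_target "$2" crypt; then echo available; return 0; fi
    case $(opt_state "$1" CONFIG_DM_CRYPT) in
        m) echo module-not-loaded ;;      # loads when a crypt mapping is created
        y) echo config-kernel-mismatch ;; # running kernel is not this build
        *) echo not-enabled ;;
    esac
}

# Constructed sample inputs: a .config fragment and the target list
# quoted in the thread (without the kernel log line).
write_samples() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_DM_MULTIPATH is not set
EOF
    cat > "$2" <<'EOF'
striped v1.6.0
linear v1.4.0
error v1.5.0
EOF
}

dir=$(mktemp -d)
write_samples "$dir/config" "$dir/targets"
echo "dm-crypt: $(diagnose_crypt "$dir/config" "$dir/targets")"
rm -rf "$dir"
```

On a target, the inputs can come from `zcat /proc/config.gz` (available only when the kernel was built with CONFIG_IKCONFIG_PROC) and from `dmsetup targets` redirected to a file.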
Hello,
It looks like a bad installation of the tool.
You can find the source from the link: GitHub - nxp-imx/keyctl_caam: Keyctl CAAM Security
Regards