Imx8 keygen caam_tk error

997 Views
Erno
Contributor II

I'm trying to follow AN12714.

I have built a firmware image for my DART-MX8M-MINI.

Alas, I get the following:

keyctl add caam_tk seckey "new ecb 16" @s
add_key: No such device

What causes me to get this error and what should I do to make this work?

I've used these configuration options:

# Enable DM-Crypt and its dependencies
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
# Enable CAAM black key/blob driver and its dependencies
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_UTIL_BLACK_KEY=y
CONFIG_CRYPTO_DEV_FSL_CAAM_UTIL_BLOB=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_KEY_BLOB=y
CONFIG_CAAM_KEYS=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_ARM64_CRYPTO=y
CONFIG_CRYPTO_SHA512_ARM64=m
CONFIG_CRYPTO_SHA1_ARM64_CE=y

1 Solution
810 Views
Erno
Contributor II

Some more progress:

I used origin/5.15-2.0.x-imx_var01 kernel and I now have in my config:

CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y
CONFIG_CRYPTO_DEV_FSL_DPAA2_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_BLOB_GEN=y
CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR_UIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM_KEYBLOB_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PRNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API_TEST=y
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_DM_CRYPT=y

 

This gives me the caam-keygen device. And this gives me:

./caam-keygen create randomkeyfordiskenc ecb -s 16
root@imx8mm-var-dart:~# ls -l /data/caam
total 8
-rw-r--r-- 1 root root 36 Sep 12 13:33 randomkeyfordiskenc
-rw-r--r-- 1 root root 96 Sep 12 13:33 randomkeyfordiskenc.bb

 

So, that seems to work. But... I have no crypt module for the dm.
root@imx8mm-var-dart:~# dmsetup targets
[ 328.304579] device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
striped v1.6.0
linear v1.4.0
error v1.5.0

With the above config I would expect it to be here just as the application note AN12714 states in step 2 of the usage.

Hopefully you can guide me to the complete solution as I am almost there. 

Any help appreciated.
(P.S. Should I create a new thread for this? The original problem is solved. This is just the next one.)

 

 


0 Kudos
9 Replies
845 Views
andreea_miu
NXP Employee

Hello,

The kernel configurations match the AN, so this should be OK. You can also add CONFIG_DM_MULTIPATH=y to make sure.

You can also have a look at AN12714 from the NXP website, which uses caam-keygen.

If you would like to use keyctl specifically, there is an example in i.MX Linux User's Guide, section 10.5 Disk encryption acceleration. Section 10.5.3.1 example uses keyctl.

Best wishes

0 Kudos
818 Views
Erno
Contributor II

What I really want is to be able to follow the application note AN12714. It seems out of date. There are multiple steps that require codeaurora, which is down. And even when using the mentioned Ubuntu, the repo tool is not version locked and is now different causing it to no longer work.

So I cannot follow the steps at all. I made a journey on my own. I used the kernel from here https://github.com/varigit/linux-imx
Tag I used is origin/imx_5.4.47_2.2.0_var01. Then I applied the patch I found in https://github.com/nxp-imx-support/imx_sec_apps/blob/master/demo-caam-blobs/kernel/0001-support-for-...

And I get to generate a key. So far this is nice and all. But this implies I'm stuck with this kernel version forever (or until another patch is made).

Isn't there a more generic way to enable support for this?
I'm currently looking at the kernel 5.15-2.0.x-imx_var01.

What must be done to get the same behavior but without the patch using this kernel?

 

Thanks for all the help so far.

0 Kudos
780 Views
andreea_miu
NXP Employee
Hello,
If the crypt module does not appear, you can also try inserting the modules manually, for example:

root@imx8mmevk:/# modprobe dm-mod
[ 266.982638] device-mapper: ioctl: 4.41.0-ioctl (2019-09-16) initialised: dm-devel@redhat.com
root@imx8mmevk:/# modprobe dm-crypt
root@imx8mmevk:/# dmsetup targets
crypt v1.19.0
striped v1.6.0
linear v1.4.0
error v1.5.0

Best wishes
0 Kudos
778 Views
Erno
Contributor II

Thanks. That actually makes the crypt appear.

How could I get that loaded by default?

I was under the impression that this would:

CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_DM_CRYPT=y
CONFIG_TRUSTED_KEYS=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y

But still, only using your commands the crypt appears.

723 Views
andreea_miu
NXP Employee
Hello,

The configurations above should enable the crypt module automatically. If you find it is not enabled automatically, there is also this option of enabling the crypt module manually, which should work at any time.

Best wishes
0 Kudos
718 Views
Erno
Contributor II

Thanks.

The strange thing is, that when I don't load them manually but execute the command to create the encrypted device, it gets loaded automatically at that moment.

So, I guess it is all good.

Kind regards,

Erno
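
Added example, not part of the thread and not NXP's code: a small shell check that tells apart the cases discussed above, where the `crypt` target is missing from `dmsetup targets` until `modprobe dm-crypt` or first use. It compares the effective kernel config with the registered targets; the function names and the sample inputs are constructed for illustration and do not describe the poster's actual build.

```shell
#!/bin/sh
# Added example. Real inputs would come from the running kernel, e.g.
#   zcat /proc/config.gz   (needs CONFIG_IKCONFIG_PROC)   and   dmsetup targets

# kconfig_state <config-file> <OPTION>  ->  prints y, m or unset
kconfig_state() {
    cfg=$1; opt=$2
    # A built config holds "CONFIG_X=y|m" or "# CONFIG_X is not set".
    val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg" | tail -n 1)
    echo "${val:-unset}"
}

# dm_crypt_diagnosis <config-file> <dmsetup-targets-output-file>
dm_crypt_diagnosis() {
    state=$(kconfig_state "$1" CONFIG_DM_CRYPT)
    if grep -q '^crypt[[:space:]]' "$2"; then
        echo "registered"            # target is usable right now
    elif [ "$state" = m ]; then
        echo "module-not-loaded"     # shows up after modprobe dm-crypt or first use
    elif [ "$state" = y ]; then
        echo "builtin-but-missing"   # config file may not match the running kernel
    else
        echo "not-built"             # option never reached the final .config
    fi
}

# Constructed sample inputs (hypothetical, for demonstration only).
SAMPLE_CFG=$(mktemp)
SAMPLE_TARGETS=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_DM_VERITY is not set
EOF
cat > "$SAMPLE_TARGETS" <<'EOF'
striped          v1.6.0
linear           v1.4.0
error            v1.5.0
EOF

dm_crypt_diagnosis "$SAMPLE_CFG" "$SAMPLE_TARGETS"
```

If the result is `module-not-loaded` and the image uses systemd (an assumption about the image), a file under `/etc/modules-load.d/` that lists `dm-crypt` loads the module at boot.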

960 Views
Bio_TICFSL
NXP TechSupport

Hello,

It looks like a bad installation of the tool.

You can find the source from the link: GitHub - nxp-imx/keyctl_caam: Keyctl CAAM Security

 

Regards

0 Kudos
920 Views
Erno
Contributor II
./caam-keygen create randomkeyfordiskenc ecb -s 16
Unable to open device /dev/caam-keygen

There seems to be another issue then.
Besides that, the app note uses keyctl and not this tool.
0 Kudos