Keys creation with CAAM and OP-TEE

M_J
Contributor I
We want to perform authentication with CAAM and OP-TEE without revealing the private key (just keep it in CAAM). We are using i.MX8MM and branch 5.4.70_2.3.0 with the corresponding kernel and u-boot.
This is the typical scenario:
  • generate the public key for the corresponding private key (without revealing it at any step; the best is to use the secure world) and send it to the backend
  • pass data to the TA (trusted application), decrypt data encrypted by the public key, solve the challenge, encrypt it and send it back to the backend
We have trouble understanding some details:
  • Is the proposed scenario possible? We considered options like creating black key blobs (AN12838) in OP-TEE or using manufacturing protection (AN13222) - are we on the right track?
  • We have seen a repository https://source.codeaurora.org/external/imxsupport/imx_sec_apps/; however, it is hard to figure out whether our idea is possible or not. Do you have more detailed examples or documentation?
  • Is it possible to simultaneously use CAAM from OP-TEE and from the kernel?
  • We have seen support mostly for 4.14; is 5.4 supported as well?
We would appreciate any feedback and/or suggestions. It would be extremely helpful to receive relevant documentation and/or examples.

Moreover, we would like to have access to the document https://community.nxp.com/docs/DOC-343388; however, access is denied from my account. We have signed an NDA with NXP; could you grant me access to the mentioned document?
2 Replies

M_J
Contributor I

Hi @jimmychan 
I have created a ticket as you requested.
Is it enough to proceed with the issue?

jimmychan
NXP TechSupport

We need to verify your NDA and then send you the information. It is better to create a ticket for this.

https://support.nxp.com/s/

Thanks.
