Linux caam_blob driver support.

noorahmadshinwa · ‎09-20-2020

Hi everyone!

I am interested in using the CAAM blob mechanism in my i.MX6 device to create general purpose BLOBs (not related to encrypted boot images).

I have been studying these documents:

1. AN12554: https://www.nxp.com/docs/en/application-note/AN12554.pdf

This references (in the source code kb_test.c) the /dev/kb device.

2. AN12838: https://www.nxp.com/docs/en/application-note/AN12838.pdf

This references /dev/caam_blob.

I got some demo files and openembedded layers from: https://source.codeaurora.org/external/imxsupport/imx_sec_apps/

I have a few questions:

1. What is the difference between /dev/kb and /dev/caam_blob? don't they both provide an interface to generate BLOBs using CAAM?

2. In the files that I got (imx_sec_apps), I can see that there is a patch to add CAAM BLOBs to the kernel. However this patch seems to be for the 4.19.35 kernel. I am building 5.4.39. My kernel does not seem to have the needed caam_blob driver files (no /drivers/crypto/caam/caam_keyblob.c, for example). what would be the best way to add caam blob support to my version of the kernel? do i need to manually do it and generate my own patch?

3. In the repo mentioned above, what is the difference between the two layers: meta-caam-pkc-sec and meta-imx-ecdsa-sec?

Any information that will help me explore caam blobs further would be appreciated!

Thank you!

noorahmadshinwa · ‎10-11-2020

If it helps, I am building branch 5.4.x+fslc from the community repository "https://github.com/Freescale/linux-fslc"

I noticed that someone updated the imx_sec_apps repo the other day. Fausto Chiatante added patches for BSP 5.4.24-2.1.0. I am aware that his patches are for the official BSP. but i thought I'd try applying them manually to my kernel and seeing what happens. (I also had to add the sm.h file to get it to compile). I am able to see the /dev/caam_blob.

I proceeded to build eckey.c manually (the test file tool in the same repository). and i created a keypair to test the blob mechanism (without cryptodev engine). and I attempted to use eckey to encapsulate my private key in a blob. the kernel crashed.

I am not surprised that this didn't work properly. but I am in need of some guidance here. How does one go about adding blob support to a version of the kernel that doesn't support it? What other drivers are needed (if any)?

Where should I look for patches for my version of the kernel to support this?

Thank you.

danielberhe · ‎03-10-2021

Hi Noorahmadshinwa,

Have you had much luck with this?

I'm also interested in this, and I'm also running on 5.4.x+fslc. I'm struggling to get the /dev/caam_blob. caam_blob_init in caamblob.c doesn't finish initialising because priv = dev_get_drvdata(ctrldev) is returning null. Do you remember seeing this issue?

Daniel

noorahmadshinwa · ‎03-17-2021

Hi @danielberhe .

Sorry for the late reply, I missed the email notification.

Unfortunately I was not successful in porting the drivers to the community version. I did not try any further and ended up using an older official kernel version (4.19.someting) that some of the available imx_sec_apps drivers were compatible with.

Regarding that specific function return value I'm sorry but I don't remember dealing with it.

I don't now why the community kernel, or even the official one, do not have these drivers available by default.

I will get back to this issue again soon. If I am successful in porting the driver to the community branch, I will make a pull request to update it and will update this thread.

If you are ever successful with this, please update me here also.

danielberhe · ‎03-17-2021

No worries @noorahmadshinwa.

I ended up porting this driver to my 5.4.x+fslc kernel and it is working fine.