Dear NXP engineers,
I am from China Hirain company, now i am working on security features on IMX8 with android auto P OS.
I am trying to check RPMB key in trusty trustzone OS, however, it is failed in geting kbox via API "caam_get_keybox()".
struct keyslot_package* kbox = caam_get_keybox(); if (strncmp(kbox->magic, KEYPACK_MAGIC, 4)) {TLOGE("Invalid magic\n"); return; } the kbox->magic is null, so rpmb_keyblob cannot be get from caam keybox. could you help check the reason why the kbox-> magic is null? it seems there is something wrong with caam features on IMX8 android auto chipset. However, i still want to know the common RPMB key concept on IMX7 or earlier chipset with CAAM featus. for example, how is the RPMB key stored in the CAAM Keybox?
Actually i.MX8 series is not launched yet and are not supported by our team (web support).
Sorry for the inconvenience.
Dear Victor,
Thanks for your reply.
I know you cannot give us support on I.MX8 series.
However, our company already make a NDA with nxp,
we need check the security architecture in advance, and to design the android security as well in advance.
So could you give me some support for I.MX common concept?
Could you tell me which part will store the RPMB secure key to CAAM Secure RAM KeyBox?
Thanks a lot.
You need to fuse the RPMB key to your emmc with fastboot cmds. You can find the instructions to do that in our release user guide. Once you have fused, you cannot change it. So be careful to do that
Two ways are provided to set the RPMB key.
Firstly, a file contains the key need to be generated. In the default key file “rpmb_key_test.bin”, all 256 bits are zero. It can be generated with below commands:
$ touch rpmb_key.bin
$ echo –n “RPMB” > rpmb_key.bin
$ echo –n -e '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' >> rpmb_key.bin
The '\xHH' means eight-bit character whose value is the hexadecimal value 'HH'. You can replace above "00" with the key you want to set.
Then, program the key with the file just generated
Make the board enter fastboot mode, then execute below commands on host side:
$ fastboot stage rpmb_key.bin
$ fastboot oem set-rpmb-key
Make the board enter fastboot mode, execute below commands on host side:
$ fastboot oem set-rpmb-random-key
After RPMB key programed with either of the two ways, reboot the board, the RPMB service in Trusty OS will be initialized successfully.
The preceding two ways will program the key to eMMC fuse, a key blob will be generated base on the key value and the blob will be saved for TEE to use. In default condition, this key blob is saved in the 16383rd block of BOOT1 partition in eMMC for i.MX8QuadMax and i.MX8QuadXPlus. The BOOT1 partition size of eMMC on i.MX8QuadMax and i.MX8QuadXPlus is 8MB, we can find that the key blob is in the last block in BOOT1 partition. To prevent key blob from been tampered when the system is running, BOO1 partition will be set with power-on write protection when the board boot up.