Would like to use i.MX6ULL DCP with linux-fslc-imx 5.15-2.2.x-imx

JohnKlug · ‎02-19-2024

I saw this similar posting:
https://community.nxp.com/t5/i-MX-Processors/IMX28-use-DCP-engine-to-encrypt-data-using-AES/m-p/1173...

However, when I try to load the driver I see:

bash# modprobe tcrypt mode=10
[ 112.629041] alg: skcipher: failed to allocate transform for lrw(aes): -2

What does "mode=10" mean, which is in the other posting. Is there documentation for this driver that explains?

What we would like to do is to use the DCP and the key that is burned into the OTP by NXP to encrypt and decrypt data from Linux user space.

JohnKlug · ‎02-27-2024

I found the solution through these two item I found.

First is the NXP change to the Linux-FSLC kernel:

Using OTP keys to Encrypt/Decrypt Blobs using the DCP and AES

For help writing the user-space application I found this article by Herbert Xu:

Crypto API User-interface

Between the two sources, I found it possible to write code that uses the i.MX6ULL DCP to encrypt data.

View solution in original post

JohnKlug · ‎02-20-2024

If the driver will not load, then:

https://github.com/cryptodev-linux/cryptodev-linux

will not be useful.

The first problem that must be solved is how to load the Linux driver to use the DCP.

JohnKlug · ‎02-20-2024

My interest was in encrypting data or a file, not secure boot.

Your application note does not explain how to do the encryption from Linux.

In Kernel Configuration, you need exclude below option (default <Y>):
Cryptographic API ---> Disable run-time self tests

I already did disable the "Disable run-time self tests"

And the result I got was:

bash# modprobe tcrypt mode=10
[ 112.629041] alg: skcipher: failed to allocate transform for lrw(aes): -2

Do you have a guide for how to do the encryption from Linux?

Is there documentation for tcrypt.ko and how to use it with the i.MX6ULL?

Bio_TICFSL · ‎02-20-2024

Hi,

Use of these services through the API is exemplified in the common conformance/performance testing module
in the kernel's crypto subsystem, known as tcrypt, visible in the kernel source tree at crypto/tcrypt.c.
The caamhashmodule provides a connection through the Scatterlist Crypto API both for common
asynchronous hashes.

This can be seeing in the Linux reference manual chapter 8.1.

regards

JohnKlug · ‎02-20-2024

Chapter 8
LVDS Display Bridge(LDB) Driver
8.1 Introduction
This section describes the LVDS Display Bridge(LDB) driver which controls LDB
module to connect with external display devices with LVDS interface.

This is from:
i.MX Linux® Reference Manual, Rev. 0, 07/2016

So exactly which document do you refer?

Bio_TICFSL · ‎02-20-2024

I refer this:

https://www.nxp.com/docs/en/reference-manual/IMX_REFERENCE_MANUAL.pdf

Bio_TICFSL · ‎02-20-2024

Hello,

The DCP allows to perform HAB for authentication although it does not support encrypted boot.

one can consider cryptodev-linux/test:

https://github.com/cryptodev-linux/cryptodev-linux

Some customers tested on i.MX6ULL board, which has the same DCP module.

In Kernel Configuration, you need exclude below option (default <Y>):

Cryptographic API ---> Disable run-time self tests

The result is shown below when insert the tcrypt.ko module:

# insmod tcrypt.ko mode=10

But this is not in the NXP BSP. Please check:

https://www.nxp.com/docs/en/application-note/AN12901.pdf

regards

JohnKlug · ‎02-21-2024

I think a possible solution to my problem is described in the prologue to this change to the NXP Linux BSP:

Using OTP keys to Encrypt/Decrypt Blobs using the DCP and AES

I will see if it works for me.

Unfortunately this feature is only documented in the change, and not in the Documentation directory of the kernel.

JohnKlug · ‎02-27-2024

I found the solution through these two item I found.

First is the NXP change to the Linux-FSLC kernel:

Using OTP keys to Encrypt/Decrypt Blobs using the DCP and AES

For help writing the user-space application I found this article by Herbert Xu:

Crypto API User-interface

Between the two sources, I found it possible to write code that uses the i.MX6ULL DCP to encrypt data.

JohnKlug · ‎02-20-2024

Is it possible to use the DCP with tcrypt driver?

Using this setting it appears to pass the test, but the driver still will not load because it claims the resource is temporarily unavailable:

bash# modprobe tcrypt sec=2 mode=404 dyndbg 
[ 3219.925261] 
[ 3219.925261] testing speed of async sha256 (sha256-dcp)
[ 3219.932464] tcrypt: test  0 (   16 byte blocks,   16 bytes per update,   1 updates): 
[ 3221.925646]  29932 opers/sec,    478912 bytes/sec
[ 3221.938307] tcrypt: test  1 (   64 byte blocks,   16 bytes per update,   4 updates):  74192 opers/sec,   4748288 bytes/sec
[ 3223.946755] tcrypt: test  2 (   64 byte blocks,   64 bytes per update,   1 updates): 
[ 3225.945641]  29919 opers/sec,   1914816 bytes/sec
[ 3225.958263] tcrypt: test  3 (  256 byte blocks,   16 bytes per update,  16 updates):  67453 opers/sec,  17267968 bytes/sec
[ 3227.966760] tcrypt: test  4 (  256 byte blocks,   64 bytes per update,   4 updates):  75977 opers/sec,  19450240 bytes/sec
[ 3229.976746] tcrypt: test  5 (  256 byte blocks,  256 bytes per update,   1 updates): 
[ 3231.975629]  27294 opers/sec,   6987392 bytes/sec
[ 3231.988251] tcrypt: test  6 ( 1024 byte blocks,   16 bytes per update,  64 updates):  65168 opers/sec,  66732544 bytes/sec
[ 3233.996737] tcrypt: test  7 ( 1024 byte blocks,  256 bytes per update,   4 updates):  76009 opers/sec,  77833216 bytes/sec
[ 3236.006749] tcrypt: test  8 ( 1024 byte blocks, 1024 bytes per update,   1 updates): 
[ 3238.005637]  20238 opers/sec,  20723712 bytes/sec
[ 3238.018397] tcrypt: test  9 ( 2048 byte blocks,   16 bytes per update, 128 updates):  53336 opers/sec, 109233152 bytes/sec
[ 3240.026767] tcrypt: test 10 ( 2048 byte blocks,  256 bytes per update,   8 updates):  73109 opers/sec, 149727232 bytes/sec
[ 3242.036755] tcrypt: test 11 ( 2048 byte blocks, 1024 bytes per update,   2 updates):  78156 opers/sec, 160064512 bytes/sec
[ 3244.046780] tcrypt: test 12 ( 2048 byte blocks, 2048 bytes per update,   1 updates): 
[ 3246.045667]  14053 opers/sec,  28781568 bytes/sec
[ 3246.058311] tcrypt: test 13 ( 4096 byte blocks,   16 bytes per update, 256 updates):  38731 opers/sec, 158644224 bytes/sec
[ 3248.066851] tcrypt: test 14 ( 4096 byte blocks,  256 bytes per update,  16 updates):  67951 opers/sec, 278327296 bytes/sec
[ 3250.076741] tcrypt: test 15 ( 4096 byte blocks, 1024 bytes per update,   4 updates):  74208 opers/sec, 303955968 bytes/sec
[ 3252.086740] tcrypt: test 16 ( 4096 byte blocks, 4096 bytes per update,   1 updates): 
[ 3254.085665]  10614 opers/sec,  43474944 bytes/sec
[ 3254.098305] tcrypt: test 17 ( 8192 byte blocks,   16 bytes per update, 512 updates):  25365 opers/sec, 207794176 bytes/sec
[ 3256.106760] tcrypt: test 18 ( 8192 byte blocks,  256 bytes per update,  32 updates):  60040 opers/sec, 491847680 bytes/sec
[ 3258.116769] tcrypt: test 19 ( 8192 byte blocks, 1024 bytes per update,   8 updates):  73124 opers/sec, 599035904 bytes/sec
[ 3260.126859] tcrypt: test 20 ( 8192 byte blocks, 4096 bytes per update,   2 updates):  76350 opers/sec, 625463296 bytes/sec
[ 3262.136774] tcrypt: test 21 ( 8192 byte blocks, 8192 bytes per update,   1 updates): 
[ 3264.135641]   5792 opers/sec,  47448064 bytes/sec
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable

JohnKlug · ‎02-20-2024

What exactly is meant by:

Cryptographic API ---> Disable run-time self tests

If I have in the kernel configuration:

CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y

Then I see:

bash# modprobe tcrypt mode=10
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable

If I remove it:

# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
# CONFIG_CRYPTO_MANAGER_EXTRA_TESTS is not set

Then I see:

[  219.357209] WARNING: CPU: 0 PID: 648 at crypto/testmgr.c:5904 alg_test.part.0+0x15c/0x488
[  219.365462] alg: self-tests for lrw(aes) (lrw(aes)) failed (rc=-2)
  ...
[  219.849357] tcrypt: one or more tests failed!