Would like to use i.MX6ULL DCP with linux-fslc-imx 5.15-2.2.x-imx

Solved

JohnKlug
Senior Contributor I

I saw this similar posting:
https://community.nxp.com/t5/i-MX-Processors/IMX28-use-DCP-engine-to-encrypt-data-using-AES/m-p/1173... 

However, when I try to load the driver I see:

bash# modprobe tcrypt mode=10
[ 112.629041] alg: skcipher: failed to allocate transform for lrw(aes): -2

What does "mode=10" mean, which is in the other posting? Is there documentation for this driver that explains it?

What we would like to do is to use the DCP and the key that is burned into the OTP by NXP to encrypt and decrypt data from Linux user space.

 

 

1 Solution
JohnKlug
Senior Contributor I

I found the solution through these two items I found.

First is the NXP change to the Linux-FSLC kernel:

Using OTP keys to Encrypt/Decrypt Blobs using the DCP and AES

For help writing the user-space application I found this article by Herbert Xu:


Crypto API User-interface  

Between the two sources, I found it possible to write code that uses the i.MX6ULL DCP to encrypt data.

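The approach the accepted answer describes, as an added example that is not JohnKlug's code or NXP's: a C function (the name `afalg_cbc_aes_encrypt` is hypothetical) that encrypts with `cbc(aes)` through the kernel crypto API's AF_ALG socket interface, which is what Herbert Xu's article covers. The key is supplied by the caller; how the NXP change selects the OTP key is defined by that change and is not shown in this thread, so it is not reproduced here.

```c
#include <errno.h>
#include <linux/if_alg.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Encrypt len bytes (a multiple of 16) with the highest-priority cbc(aes)
 * driver listed in /proc/crypto. Returns 0 on success, -errno on failure. */
int afalg_cbc_aes_encrypt(const uint8_t *key, size_t keylen, const uint8_t iv[16],
                          const uint8_t *in, uint8_t *out, size_t len)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "skcipher",
                               .salg_name = "cbc(aes)" };
    char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 16)] = { 0 };
    struct iovec iov = { .iov_base = (void *)in, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    struct af_alg_iv *aiv;
    uint32_t op = ALG_OP_ENCRYPT;
    int rc = 0, opfd = -1, tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);

    if (tfm < 0) return -errno;           /* AF_ALG missing or not permitted */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||      /* algorithm */
        setsockopt(tfm, SOL_ALG, ALG_SET_KEY, key, keylen) < 0 || /* key */
        (opfd = accept(tfm, NULL, NULL)) < 0) {                   /* request fd */
        rc = -errno;
        goto out;
    }
    c->cmsg_level = SOL_ALG;              /* control message 1: direction */
    c->cmsg_type = ALG_SET_OP;
    c->cmsg_len = CMSG_LEN(4);
    memcpy(CMSG_DATA(c), &op, 4);
    c = CMSG_NXTHDR(&msg, c);             /* control message 2: IV */
    c->cmsg_level = SOL_ALG;
    c->cmsg_type = ALG_SET_IV;
    c->cmsg_len = CMSG_LEN(sizeof(*aiv) + 16);
    aiv = (struct af_alg_iv *)CMSG_DATA(c);
    aiv->ivlen = 16;
    memcpy(aiv->iv, iv, 16);
    errno = 0;
    if (sendmsg(opfd, &msg, 0) != (ssize_t)len || read(opfd, out, len) != (ssize_t)len)
        rc = errno ? -errno : -EIO;       /* short transfer without errno: -EIO */
out:
    if (opfd >= 0) close(opfd);
    close(tfm);
    return rc;
}
```

AF_ALG resolves `cbc(aes)` to whichever registered implementation has the highest priority, so compare the `driver` and `priority` fields in `/proc/crypto` on the target to confirm that requests reach the DCP rather than a software cipher.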
10 Replies
JohnKlug
Senior Contributor I

If the driver will not load, then:

https://github.com/cryptodev-linux/cryptodev-linux

will not be useful.

The first problem that must be solved is how to load the Linux driver to use the DCP.

JohnKlug
Senior Contributor I

My interest was in encrypting data or a file, not secure boot.

 

Your application note does not explain how to do the encryption from Linux.

In Kernel Configuration, you need to exclude the option below (default <Y>):

Cryptographic API ---> Disable run-time self tests

I already did disable the "Disable run-time self tests"

And the result I got was:

bash# modprobe tcrypt mode=10
[ 112.629041] alg: skcipher: failed to allocate transform for lrw(aes): -2


Do you have a guide for how to do the encryption from Linux?

Is there documentation for tcrypt.ko and how to use it with the i.MX6ULL?

Bio_TICFSL
NXP TechSupport

Hi,

Use of these services through the API is exemplified in the common conformance/performance testing module
in the kernel's crypto subsystem, known as tcrypt, visible in the kernel source tree at crypto/tcrypt.c.
The caamhash module provides a connection through the Scatterlist Crypto API both for common
asynchronous hashes.

This can be seen in the Linux reference manual chapter 8.1.

 

regards

JohnKlug
Senior Contributor I

 

Chapter 8
LVDS Display Bridge(LDB) Driver
8.1 Introduction
This section describes the LVDS Display Bridge(LDB) driver which controls LDB
module to connect with external display devices with LVDS interface.

 


This is from:
i.MX Linux® Reference Manual, Rev. 0, 07/2016

So exactly which document do you refer to?

Bio_TICFSL
NXP TechSupport

Hello,

The DCP allows performing HAB for authentication, although it does not support encrypted boot.

One can consider cryptodev-linux/test:

https://github.com/cryptodev-linux/cryptodev-linux

Some customers tested on i.MX6ULL board, which has the same DCP module.

In Kernel Configuration, you need to exclude the option below (default <Y>):

Cryptographic API ---> Disable run-time self tests

The result is shown below when inserting the tcrypt.ko module:

# insmod tcrypt.ko mode=10

But this is not in the NXP BSP. Please check:

https://www.nxp.com/docs/en/application-note/AN12901.pdf

 

regards

JohnKlug
Senior Contributor I

I think a possible solution to my problem is described in the prologue to this change to the NXP Linux BSP:

Using OTP keys to Encrypt/Decrypt Blobs using the DCP and AES

I will see if it works for me.

 

Unfortunately this feature is only documented in the change, and not in the Documentation directory of the kernel.

JohnKlug
Senior Contributor I

Is it possible to use the DCP with tcrypt driver?

Using this setting it appears to pass the test, but the driver still will not load because it claims the resource is temporarily unavailable:

bash# modprobe tcrypt sec=2 mode=404 dyndbg 
[ 3219.925261] 
[ 3219.925261] testing speed of async sha256 (sha256-dcp)
[ 3219.932464] tcrypt: test  0 (   16 byte blocks,   16 bytes per update,   1 updates): 
[ 3221.925646]  29932 opers/sec,    478912 bytes/sec
[ 3221.938307] tcrypt: test  1 (   64 byte blocks,   16 bytes per update,   4 updates):  74192 opers/sec,   4748288 bytes/sec
[ 3223.946755] tcrypt: test  2 (   64 byte blocks,   64 bytes per update,   1 updates): 
[ 3225.945641]  29919 opers/sec,   1914816 bytes/sec
[ 3225.958263] tcrypt: test  3 (  256 byte blocks,   16 bytes per update,  16 updates):  67453 opers/sec,  17267968 bytes/sec
[ 3227.966760] tcrypt: test  4 (  256 byte blocks,   64 bytes per update,   4 updates):  75977 opers/sec,  19450240 bytes/sec
[ 3229.976746] tcrypt: test  5 (  256 byte blocks,  256 bytes per update,   1 updates): 
[ 3231.975629]  27294 opers/sec,   6987392 bytes/sec
[ 3231.988251] tcrypt: test  6 ( 1024 byte blocks,   16 bytes per update,  64 updates):  65168 opers/sec,  66732544 bytes/sec
[ 3233.996737] tcrypt: test  7 ( 1024 byte blocks,  256 bytes per update,   4 updates):  76009 opers/sec,  77833216 bytes/sec
[ 3236.006749] tcrypt: test  8 ( 1024 byte blocks, 1024 bytes per update,   1 updates): 
[ 3238.005637]  20238 opers/sec,  20723712 bytes/sec
[ 3238.018397] tcrypt: test  9 ( 2048 byte blocks,   16 bytes per update, 128 updates):  53336 opers/sec, 109233152 bytes/sec
[ 3240.026767] tcrypt: test 10 ( 2048 byte blocks,  256 bytes per update,   8 updates):  73109 opers/sec, 149727232 bytes/sec
[ 3242.036755] tcrypt: test 11 ( 2048 byte blocks, 1024 bytes per update,   2 updates):  78156 opers/sec, 160064512 bytes/sec
[ 3244.046780] tcrypt: test 12 ( 2048 byte blocks, 2048 bytes per update,   1 updates): 
[ 3246.045667]  14053 opers/sec,  28781568 bytes/sec
[ 3246.058311] tcrypt: test 13 ( 4096 byte blocks,   16 bytes per update, 256 updates):  38731 opers/sec, 158644224 bytes/sec
[ 3248.066851] tcrypt: test 14 ( 4096 byte blocks,  256 bytes per update,  16 updates):  67951 opers/sec, 278327296 bytes/sec
[ 3250.076741] tcrypt: test 15 ( 4096 byte blocks, 1024 bytes per update,   4 updates):  74208 opers/sec, 303955968 bytes/sec
[ 3252.086740] tcrypt: test 16 ( 4096 byte blocks, 4096 bytes per update,   1 updates): 
[ 3254.085665]  10614 opers/sec,  43474944 bytes/sec
[ 3254.098305] tcrypt: test 17 ( 8192 byte blocks,   16 bytes per update, 512 updates):  25365 opers/sec, 207794176 bytes/sec
[ 3256.106760] tcrypt: test 18 ( 8192 byte blocks,  256 bytes per update,  32 updates):  60040 opers/sec, 491847680 bytes/sec
[ 3258.116769] tcrypt: test 19 ( 8192 byte blocks, 1024 bytes per update,   8 updates):  73124 opers/sec, 599035904 bytes/sec
[ 3260.126859] tcrypt: test 20 ( 8192 byte blocks, 4096 bytes per update,   2 updates):  76350 opers/sec, 625463296 bytes/sec
[ 3262.136774] tcrypt: test 21 ( 8192 byte blocks, 8192 bytes per update,   1 updates): 
[ 3264.135641]   5792 opers/sec,  47448064 bytes/sec
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable

 

JohnKlug
Senior Contributor I

What exactly is meant by:

Cryptographic API ---> Disable run-time self tests


If I have in the kernel configuration:

CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y

 

Then I see:

bash# modprobe tcrypt mode=10
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable


If I remove it:

# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
# CONFIG_CRYPTO_MANAGER_EXTRA_TESTS is not set

 

Then I see:

[  219.357209] WARNING: CPU: 0 PID: 648 at crypto/testmgr.c:5904 alg_test.part.0+0x15c/0x488
[  219.365462] alg: self-tests for lrw(aes) (lrw(aes)) failed (rc=-2)
  ...
[  219.849357] tcrypt: one or more tests failed!