- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: caam-keygen: using black key from a plaintext
caam-keygen: using black key from a plaintext
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
caam-keygen supports generating a black key from plaintext. Is it possible to:
1. decrypting data from one device on another if the keys were generated with the same plaintext? (OTPMKs are different)
2. using this plaintext as a key for dmsetup and preparing an image, for example, on a host machine, and later mounting the image on a device using a black key generated with the same plaintext?
In other words, is plaintext interpreted as a symmetric key and used for encryption/decryption? Or is it just some modifier that allows generating black keys similarly on the same/different devices?
Thanks
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer. My question was mostly about using a key for encrypting something on one host/board and decrypting it on another, which has that key as a black key.
Some experiments showed it's possible. I just put some notes here. It could be helpful in the future.
Preparing key & encrypted partition on a host
#!/bin/bash
LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt
# Create raw file
dd if=/dev/zero of=./data.img bs=1M count=16
# Mount the raw file and create FS on it
sudo losetup $LOOPDEV ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 $DMPART
sync
mkdir -p $MNTDIR
sudo mount $DMPART $MNTDIR
# Mark
sudo touch $MNTDIR/crypto-shripto
# Sync & unmount
sync
sudo umount $DMPART
sudo dmsetup remove encrypted-tmp
sudo losetup -d $LOOPDEV
# Export key in caam-keygen format
echo $KEY | xxd -r -p > caam.key.txt
# data.img & caam.key.txt are ready for export on a board
Creating BB key from the key & mounting encrypted partition on a device
#!/bin/bash
# it's differs from default caam-keygen
KEYSTORAGE=/run/caam/keys/
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt/
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# create black key
caam-keygen create $KEYNAME ecb -t $(cat caam.key.txt)
# import black key to keyctl
cat $KEYSTORAGE/$KEYNAME | keyctl padd logon $KEYNAME: @s
mkdir -p /tmp/mnt
losetup $LOOPDEV data.img
dmsetup -v create encrypted --table "0 $(blockdev --getsz $LOOPDEV) crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount $DMDEV $MNTDIR
ls -l $MNTDIR
Sanket_Parekh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Alexander_iv ,
I hope you are doing well.
Q)is plaintext interpreted as a symmetric key and used for encryption/decryption?
->It makes an encryption key out of plain text or data.
$ ./caam-keygen
create <key_name> <key_enc> <key_mode> <key_val>
Where using key mode we can generate a black key from a plaintext given in the next argument or generate a black key from random with the size given in the next argument.
I have mentioned the example for the reference as well.
->To generate a random black key encrypted with CCM from a plaintext of 24 bytes:
./caam-keygen create randomkeyCCM ccm -s 24
Please refer to this doc for in-depth details.
https://community.nxp.com/
I hope this information helps you.
Thanks & Regards,
Sanket Parekh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer. My question was mostly about using a key for encrypting something on one host/board and decrypting it on another, which has that key as a black key.
Some experiments showed it's possible. I just put some notes here. It could be helpful in the future.
Preparing key & encrypted partition on a host
#!/bin/bash
LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt
# Create raw file
dd if=/dev/zero of=./data.img bs=1M count=16
# Mount the raw file and create FS on it
sudo losetup $LOOPDEV ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 $DMPART
sync
mkdir -p $MNTDIR
sudo mount $DMPART $MNTDIR
# Mark
sudo touch $MNTDIR/crypto-shripto
# Sync & unmount
sync
sudo umount $DMPART
sudo dmsetup remove encrypted-tmp
sudo losetup -d $LOOPDEV
# Export key in caam-keygen format
echo $KEY | xxd -r -p > caam.key.txt
# data.img & caam.key.txt are ready for export on a board
Creating BB key from the key & mounting encrypted partition on a device
#!/bin/bash
# it's differs from default caam-keygen
KEYSTORAGE=/run/caam/keys/
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt/
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# create black key
caam-keygen create $KEYNAME ecb -t $(cat caam.key.txt)
# import black key to keyctl
cat $KEYSTORAGE/$KEYNAME | keyctl padd logon $KEYNAME: @s
mkdir -p /tmp/mnt
losetup $LOOPDEV data.img
dmsetup -v create encrypted --table "0 $(blockdev --getsz $LOOPDEV) crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount $DMDEV $MNTDIR
ls -l $MNTDIR- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Alexander_iv ,
Thanks for sharing it.
It'd be really helpful for the others to get a reference from it.
Thanks & Regards,
Sanket Parekh
