caam-keygen: using black key from a plaintext

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

caam-keygen: using black key from a plaintext

跳至解决方案
1,699 次查看
Alexander_iv
Contributor II

caam-keygen supports generating a black key from plaintext. Is it possible to:


1. decrypting data from one device on another if the keys were generated with the same plaintext? (OTPMKs are different)


2. using this plaintext as a key for dmsetup and preparing an image, for example, on a host machine, and later mounting the image on a device using a black key generated with the same plaintext?

In other words, is plaintext interpreted as a symmetric key and used for encryption/decryption? Or is it just some modifier that allows generating black keys similarly on the same/different devices?

Thanks

 

0 项奖励
回复
1 解答
1,673 次查看
Alexander_iv
Contributor II

Thank you for your answer. My question was mostly about using a key for encrypting something on one host/board and decrypting it on another, which has that key as a black key.

Some experiments showed it's possible. I just put some notes here. It could be helpful in the future.

Preparing key & encrypted partition on a host

#!/bin/bash

LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt

# Create raw file
dd if=/dev/zero of=./data.img bs=1M count=16

# Mount the raw file and create FS on it
sudo losetup $LOOPDEV ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 $DMPART
sync

mkdir -p $MNTDIR
sudo mount $DMPART $MNTDIR

# Mark
sudo touch $MNTDIR/crypto-shripto

# Sync & unmount
sync
sudo umount $DMPART
sudo dmsetup remove encrypted-tmp
sudo losetup -d $LOOPDEV

# Export key in caam-keygen format
echo $KEY | xxd -r -p > caam.key.txt

# data.img & caam.key.txt are ready for export on a board

 

Creating BB key from the key & mounting encrypted partition on a device

#!/bin/bash

# it's differs from default caam-keygen
KEYSTORAGE=/run/caam/keys/
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt/
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# create black key
caam-keygen create $KEYNAME ecb -t $(cat caam.key.txt)

# import black key to keyctl
cat $KEYSTORAGE/$KEYNAME | keyctl padd logon $KEYNAME: @s

mkdir -p /tmp/mnt

losetup $LOOPDEV data.img
dmsetup -v create encrypted --table "0 $(blockdev --getsz $LOOPDEV) crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount $DMDEV $MNTDIR
ls -l $MNTDIR

在原帖中查看解决方案

0 项奖励
回复
3 回复数
1,682 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hello @Alexander_iv ,

I hope you are doing well.

Q)is plaintext interpreted as a symmetric key and used for encryption/decryption?
->It makes an encryption key out of plain text or data.

$ ./caam-keygen
create <key_name> <key_enc> <key_mode> <key_val>
Where using key mode we can generate a black key from a plaintext given in the next argument or generate a black key from random with the size given in the next argument.

I have mentioned the example for the reference as well.

->To generate a random black key encrypted with CCM from a plaintext of 24 bytes:
./caam-keygen create randomkeyCCM ccm -s 24

Please refer to this doc for in-depth details.
https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/172311/1/AN12714_iMX%20En...

I hope this information helps you.

Thanks & Regards,

Sanket Parekh

0 项奖励
回复
1,674 次查看
Alexander_iv
Contributor II

Thank you for your answer. My question was mostly about using a key for encrypting something on one host/board and decrypting it on another, which has that key as a black key.

Some experiments showed it's possible. I just put some notes here. It could be helpful in the future.

Preparing key & encrypted partition on a host

#!/bin/bash

LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt

# Create raw file
dd if=/dev/zero of=./data.img bs=1M count=16

# Mount the raw file and create FS on it
sudo losetup $LOOPDEV ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 $DMPART
sync

mkdir -p $MNTDIR
sudo mount $DMPART $MNTDIR

# Mark
sudo touch $MNTDIR/crypto-shripto

# Sync & unmount
sync
sudo umount $DMPART
sudo dmsetup remove encrypted-tmp
sudo losetup -d $LOOPDEV

# Export key in caam-keygen format
echo $KEY | xxd -r -p > caam.key.txt

# data.img & caam.key.txt are ready for export on a board

 

Creating BB key from the key & mounting encrypted partition on a device

#!/bin/bash

# it's differs from default caam-keygen
KEYSTORAGE=/run/caam/keys/
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt/
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# create black key
caam-keygen create $KEYNAME ecb -t $(cat caam.key.txt)

# import black key to keyctl
cat $KEYSTORAGE/$KEYNAME | keyctl padd logon $KEYNAME: @s

mkdir -p /tmp/mnt

losetup $LOOPDEV data.img
dmsetup -v create encrypted --table "0 $(blockdev --getsz $LOOPDEV) crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount $DMDEV $MNTDIR
ls -l $MNTDIR
0 项奖励
回复
1,652 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hello @Alexander_iv ,

Thanks for sharing it.

It'd be really helpful for the others to get a reference from it.

Thanks & Regards,

Sanket Parekh

0 项奖励
回复