i.MX device specific black key blob

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

i.MX device specific black key blob

跳至解决方案
2,951 次查看
TomJ
Contributor I

Hi All,

I am experimenting with the CAAM module of the imx8mm evk.

I am able to generate black key blobs (AES128 ECB). From this I can generate the black key and use it successfully for encryption. I understand that the black key needs to be regenerated on each boot from the black key blob, so the blob is what needs to be stored on the device.

I would expect that this blob is device specific, but If I copy it to another EVK I am able to generate a black key from this blob on this second EVK, which I can use to do the same encryption as on EVK 1. To my feeling this should not be allowed. Which key is used to generate the black key blob? Is there something like a "ROOT KEY" that needs to be configured in the fuses before the blob will be device specific ?

I have searched through a lot of documentation (RM, HAB, app notes, ... ) but nowhere I found any indication of such a 'ROOT KEY' or how to configure it.

In the kernel CAAM module, i find references like JDKEK, TDKEK & TDSK, (no clue what they are), but to my feeling they should be derived from some (device specific) root key ???

Hopefully somebody can help me with this

Regards

Tom

0 项奖励
回复
1 解答
2,934 次查看
BiyongSUN
NXP Employee
NXP Employee

Have you closed the device/chip?

Each one of  device/chip uses the same test key till it is closed. 

After closed, the device/chip device uses the unique master key.  

 

page 9

crypto af_alg blackkey demo

crypto af_alg blackkey demo - NXP Community

 

在原帖中查看解决方案

3 回复数
2,922 次查看
TomJ
Contributor I

Thanks, I already felt that it would be the case but I was not able to find any explicit mentioning of this in the References manual.

Currently we only have two EVKs and I am not going to hab close them ;).  So I will just continue and trust your comment on this (we are going to implement HAB for our production devices)

For me my question is solved, but I want to give a big warning about your example for other users. We are currently on branch "imx_5.4.70_2.3.0" (tag rel_imx_5.4.70_2.3.2) and both the caam-keygen kernel module as the caam-keygen user space tool contain an issue for the keys. As indicated in your example the tool (&kernel module) expect a "plain text" key in binary form. However both the tool & kernel module use strlen() at some point so if your key contains 0x00 the "string" will be terminated to early and it will not work ...

 

0 项奖励
回复
2,899 次查看
BiyongSUN
NXP Employee
NXP Employee

I do agree with you and I treat as a bug to report and fix. 

0 项奖励
回复
2,935 次查看
BiyongSUN
NXP Employee
NXP Employee

Have you closed the device/chip?

Each one of  device/chip uses the same test key till it is closed. 

After closed, the device/chip device uses the unique master key.  

 

page 9

crypto af_alg blackkey demo

crypto af_alg blackkey demo - NXP Community