Hi All,
I am experimenting with the CAAM module of the imx8mm evk.
I am able to generate black key blobs (AES128 ECB). From this I can generate the black key and use it successfully for encryption. I understand that the black key needs to be regenerated on each boot from the black key blob, so the blob is what needs to be stored on the device.
I would expect that this blob is device specific, but if I copy it to another EVK I am able to generate a black key from this blob on this second EVK, which I can use to do the same encryption as on EVK 1. To my feeling this should not be allowed. Which key is used to generate the black key blob? Is there something like a "ROOT KEY" that needs to be configured in the fuses before the blob will be device specific?
I have searched through a lot of documentation (RM, HAB, app notes, ...) but nowhere did I find any indication of such a 'ROOT KEY' or how to configure it.
In the kernel CAAM module, I find references like JDKEK, TDKEK & TDSK (no clue what they are), but to my feeling they should be derived from some (device specific) root key?
Hopefully somebody can help me with this.
Regards
Tom
Have you closed the device/chip?
Each device/chip uses the same test key until it is closed.
After it is closed, the device/chip uses its unique master key.
See page 9 of "crypto af_alg blackkey demo" (NXP Community).
Thanks, I already felt that it would be the case, but I was not able to find any explicit mention of this in the Reference Manual.
Currently we only have two EVKs and I am not going to HAB-close them ;). So I will just continue and trust your comment on this (we are going to implement HAB for our production devices).
For me my question is solved, but I want to give a big warning about your example for other users. We are currently on branch "imx_5.4.70_2.3.0" (tag rel_imx_5.4.70_2.3.2) and both the caam-keygen kernel module and the caam-keygen user space tool contain an issue for the keys. As indicated in your example, the tool (and kernel module) expect a "plain text" key in binary form. However, both the tool and kernel module use strlen() at some point, so if your key contains 0x00 the "string" will be terminated too early and it will not work ...
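Added illustration of the strlen() issue described in the post above; this is not code from the thread or from NXP's caam-keygen tool or kernel module. It uses a constructed AES-128 key containing a 0x00 byte, shows the string-length pattern that silently truncates it, and the explicit-length handling that avoids the problem.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AES128_KEY_BYTES 16

/* Constructed example key (not a real key): 16 bytes with a 0x00 at
 * offset 5. Binary key material can legitimately contain zero bytes. */
static const uint8_t demo_key[AES128_KEY_BYTES] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0x00, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
};

/* Buggy pattern described in the thread: the binary key is treated as a
 * C string, so strlen() stops at the first 0x00 and the key is cut short.
 * (A key with no zero byte at all would make strlen() read past the
 * buffer, which is the other way this pattern fails.) */
size_t key_len_strlen(const uint8_t *key)
{
    return strlen((const char *)key);
}

/* Returns 1 if the strlen-based path would shorten this key. */
int key_truncated_by_strlen(const uint8_t *key, size_t key_len)
{
    return memchr(key, 0x00, key_len) != NULL;
}

/* Correct pattern: the caller passes the key length explicitly and the
 * code validates it against what the algorithm requires. Returns the
 * number of bytes copied, or 0 if the length is not acceptable. */
size_t copy_key_explicit(const uint8_t *key, size_t key_len,
                         uint8_t *out, size_t out_len)
{
    if (key_len != AES128_KEY_BYTES || out_len < key_len)
        return 0;
    memcpy(out, key, key_len);
    return key_len;
}

int main(void)
{
    uint8_t buf[AES128_KEY_BYTES];
    printf("strlen() sees %zu of %d key bytes\n",
           key_len_strlen(demo_key), AES128_KEY_BYTES);
    printf("explicit length copies %zu bytes\n",
           copy_key_explicit(demo_key, sizeof demo_key, buf, sizeof buf));
    return 0;
}
```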
I do agree with you and I treat as a bug to report and fix.