i.MX device specific black key blob

TomJ
Contributor I

Hi All,

I am experimenting with the CAAM module of the imx8mm evk.

I am able to generate black key blobs (AES128 ECB). From this I can generate the black key and use it successfully for encryption. I understand that the black key needs to be regenerated on each boot from the black key blob, so the blob is what needs to be stored on the device.

I would expect that this blob is device specific, but if I copy it to another EVK I am able to generate a black key from this blob on this second EVK, which I can use to do the same encryption as on EVK 1. To my feeling this should not be allowed. Which key is used to generate the black key blob? Is there something like a "ROOT KEY" that needs to be configured in the fuses before the blob will be device specific?

I have searched through a lot of documentation (RM, HAB, app notes, ...) but nowhere did I find any indication of such a 'ROOT KEY' or how to configure it.

In the kernel CAAM module, I find references like JDKEK, TDKEK & TDSK (no clue what they are), but to my feeling they should be derived from some (device specific) root key?

Hopefully somebody can help me with this.

Regards

Tom

1 Solution
BiyongSUN
NXP Employee

Have you closed the device/chip?

Each device/chip uses the same test key until it is closed.

After it is closed, the device/chip uses the unique master key.

page 9

crypto af_alg blackkey demo


3 Replies
TomJ
Contributor I

Thanks, I already felt that it would be the case, but I was not able to find any explicit mention of this in the Reference Manual.

Currently we only have two EVKs and I am not going to HAB-close them ;). So I will just continue and trust your comment on this (we are going to implement HAB for our production devices).

For me my question is solved, but I want to give a big warning about your example for other users. We are currently on branch "imx_5.4.70_2.3.0" (tag rel_imx_5.4.70_2.3.2) and both the caam-keygen kernel module and the caam-keygen user space tool contain an issue for the keys. As indicated in your example, the tool (& kernel module) expects a "plain text" key in binary form. However, both the tool & kernel module use strlen() at some point, so if your key contains 0x00 the "string" will be terminated too early and it will not work ...

BiyongSUN
NXP Employee

I do agree with you and I treat it as a bug to report and fix.
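The strlen() problem reported in the replies above, shown as an added example that is not part of the thread and is not the caam-keygen source. The function names `import_key_strlen` and `import_key_checked` are hypothetical and the key bytes are constructed; the block contrasts a length inferred with strlen() against a length passed explicitly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AES128_KEY_LEN 16

/* Constructed sample key (not from the thread). Byte 5 is 0x00; the extra
 * 17th byte is a terminator so that strlen() below stays well-defined. */
static const uint8_t sample_key[AES128_KEY_LEN + 1] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0x00, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, 0x00
};

/* Pattern described in the thread: length inferred with strlen(), which
 * stops at the first 0x00 inside the binary key. Returns bytes copied. */
int import_key_strlen(const char *key, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(key);
    if (n > out_cap)
        return -1;
    memcpy(out, key, n);
    return (int)n;
}

/* Length-explicit variant: the caller states how many bytes the key has,
 * and only valid AES key sizes (16, 24 or 32 bytes) are accepted. */
int import_key_checked(const uint8_t *key, size_t key_len,
                       uint8_t *out, size_t out_cap)
{
    if (key_len != 16 && key_len != 24 && key_len != 32)
        return -1;
    if (key_len > out_cap)
        return -1;
    memcpy(out, key, key_len);
    return (int)key_len;
}

int main(void)
{
    uint8_t out[32];
    printf("strlen-based import copied %d of %d key bytes\n",
           import_key_strlen((const char *)sample_key, out, sizeof out),
           AES128_KEY_LEN);
    printf("length-explicit import copied %d of %d key bytes\n",
           import_key_checked(sample_key, AES128_KEY_LEN, out, sizeof out),
           AES128_KEY_LEN);
    return 0;
}
```

With randomly generated keys, a zero byte somewhere in the key is common enough that the failure looks intermittent, so a test key containing 0x00 belongs in any check of a key-import path.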
