i.MX device specific black key blob

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

i.MX device specific black key blob

ソリューションへジャンプ
2,953件の閲覧回数
TomJ
Contributor I

Hi All,

I am experimenting with the CAAM module of the imx8mm evk.

I am able to generate black key blobs (AES128 ECB). From this I can generate the black key and use it successfully for encryption. I understand that the black key needs to be regenerated on each boot from the black key blob, so the blob is what needs to be stored on the device.

I would expect that this blob is device specific, but If I copy it to another EVK I am able to generate a black key from this blob on this second EVK, which I can use to do the same encryption as on EVK 1. To my feeling this should not be allowed. Which key is used to generate the black key blob? Is there something like a "ROOT KEY" that needs to be configured in the fuses before the blob will be device specific ?

I have searched through a lot of documentation (RM, HAB, app notes, ... ) but nowhere I found any indication of such a 'ROOT KEY' or how to configure it.

In the kernel CAAM module, i find references like JDKEK, TDKEK & TDSK, (no clue what they are), but to my feeling they should be derived from some (device specific) root key ???

Hopefully somebody can help me with this

Regards

Tom

ラベル(2)
0 件の賞賛
返信
1 解決策
2,936件の閲覧回数
BiyongSUN
NXP Employee
NXP Employee

Have you closed the device/chip?

Each one of  device/chip uses the same test key till it is closed. 

After closed, the device/chip device uses the unique master key.  

 

page 9

crypto af_alg blackkey demo

crypto af_alg blackkey demo - NXP Community

 

元の投稿で解決策を見る

3 返答(返信)
2,924件の閲覧回数
TomJ
Contributor I

Thanks, I already felt that it would be the case but I was not able to find any explicit mentioning of this in the References manual.

Currently we only have two EVKs and I am not going to hab close them ;).  So I will just continue and trust your comment on this (we are going to implement HAB for our production devices)

For me my question is solved, but I want to give a big warning about your example for other users. We are currently on branch "imx_5.4.70_2.3.0" (tag rel_imx_5.4.70_2.3.2) and both the caam-keygen kernel module as the caam-keygen user space tool contain an issue for the keys. As indicated in your example the tool (&kernel module) expect a "plain text" key in binary form. However both the tool & kernel module use strlen() at some point so if your key contains 0x00 the "string" will be terminated to early and it will not work ...

 

0 件の賞賛
返信
2,901件の閲覧回数
BiyongSUN
NXP Employee
NXP Employee

I do agree with you and I treat as a bug to report and fix. 

0 件の賞賛
返信
2,937件の閲覧回数
BiyongSUN
NXP Employee
NXP Employee

Have you closed the device/chip?

Each one of  device/chip uses the same test key till it is closed. 

After closed, the device/chip device uses the unique master key.  

 

page 9

crypto af_alg blackkey demo

crypto af_alg blackkey demo - NXP Community