i.MX6 CAAM - keyblob decryption fails after kernel upgrade

nreis · ‎11-21-2024

Hi,

We are currently upgrading a custom board from Kernel 4.1 to 5.15.

We are using NXP's CAAM driver to securely store a keyblob.

After updating on a security-enabled device, decryption fails.

Adding some debug prints in sm_store.c yields that the job returns with JRSTA_CCBERR_ERRID_ICVCHKL

If I print the status instead of just returning -EBADMSG, I get the following output:

[   30.153764] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.
[   30.161259] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.

The raw return value is 0x2000 081A<u+202c>, in case there is more information there.

nbsp;w

Any help is highly welcome. I can of course provide more information if needed.

Thanks in advance and best regards

Niklas Reisser

nreis · ‎12-15-2024

Hi,

thanks for the replies. We were able to find the solution in the updated kernel module which extracts the key.

Kind regards,

Niklas

在原帖中查看解决方案

nreis · ‎12-15-2024

Hi,

thanks for the replies. We were able to find the solution in the updated kernel module which extracts the key.

Kind regards,

Niklas

harold07douglas · ‎11-25-2024

The transition between kernels can introduce subtle changes in cryptographic APIs or hardware interactions that aren’t immediately apparent but have far-reaching implications, like in this case with keyblob handling and AES operations. Debugging such issues not only requires a deep understanding of the kernel internals but also a meticulous review of descriptor handling and parameter consistency. It’s impressive to see how tightly coupled cryptographic integrity checks are to kernel upgrades—almost like a puzzle where one misplaced piece can disrupt the entire system.

Harvey021 · ‎11-25-2024

Hi,

Did you use caam_keygen to generate the keyblob in bsp5.15? If not, it is recommended to use caam_keygen.

Regards

Harvey