Hi,
I'm trying to enable security-related functions on the i.MX8DXP platform (based on Linux kernel 4.14), but I don't understand how to enable them even after studying the doc.
Security Reference Manual for i.MX8DualX/8DualXPlus/8QuadXPlus Application Processors - Document Number: IMX8QXPSRM
My questions are:
1. How do I enable the SNVS and CAAM features on the board? Is there quick-enable documentation for this?
2. Once I enable it, how can I test it?
Thanks.
Hi @Yuri
But it seems caam-keygen is not enabled on my system.
The dmesg log "Device caam-keygen registered" didn't show up either.
Here are my steps. Is there anything I missed?
==== Step1 ====
According to the document: [AN12714 - i.MX Encrypted Storage Using CAAM Secure Keys]
I downloaded the caam-keygen source from codeaurora, built it, and put caam-keygen onto my device.
https://source.codeaurora.org/external/imx/keyctl_caam/tree/?h=imx_5.4.47_2.2.0
==== Step2 ====
According to caam-keygen_priv.h, key generation accesses the node named /dev/caam-keygen.
But I don't find this node on my device.
(Note: /bin/caam-keygen is the standalone tool I built in Step 1.)
root@imx8dxptbox:/# find . -name caam-keygen
./bin/caam-keygen
==== Step3 ====
Reviewing my kernel config, it seems to be the same as the document says. Everything is fine.
root@imx8dxptbox:/# zcat /proc/config.gz | grep CAAM
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
root@imx8dxptbox:/# zcat /proc/config.gz | grep DM
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_MQ_DEFAULT is not set
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=y
# CONFIG_DM_SNAPSHOT is not set
# CONFIG_DM_THIN_PROVISIONING is not set
# CONFIG_DM_CACHE is not set
# CONFIG_DM_ERA is not set
# CONFIG_DM_MIRROR is not set
# CONFIG_DM_RAID is not set
# CONFIG_DM_ZERO is not set
CONFIG_DM_MULTIPATH=y
# CONFIG_DM_MULTIPATH_QL is not set
# CONFIG_DM_MULTIPATH_ST is not set
# CONFIG_DM_DELAY is not set
CONFIG_DM_UEVENT=y
# CONFIG_DM_FLAKEY is not set
# CONFIG_DM_VERITY is not set
# CONFIG_DM_SWITCH is not set
# CONFIG_DM_LOG_WRITES is not set
# CONFIG_DM_INTEGRITY is not set
Build environment:
kernel version: Linux-4.14.98_2.3.3 (Build by Yocto)
Thanks,
Syuan
Ping.
As far as I know, the CAAM is a hardware crypto engine supported on the i.MX8DXP platform.
In the boot log, I got some messages as below, but they don't match what the doc says. (IMX_LINUX_USERS_GUIDE.pdf)
Is this expected? Or do I need to patch something into the Linux codebase?
====
[ 3.560986] caam 31400000.caam: ERA source: device tree
[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed
@syuanyang
Hello,
Please use Chapter 8 (Security) in "i.MX_Reference_Manual.pdf" and
Chapter 9 (Security) in "i.MX_Linux_User's_Guide.pdf".
https://www.nxp.com/webapp/Download?colCode=imx-yocto-L4.14.98_2.0.0_ga
It may be recommended to use the recent NXP Linux BSP
https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf
https://www.nxp.com/docs/en/reference-manual/IMX_REFERENCE_MANUAL.pdf
Regards,
Yuri.
Hello Yuri,
Thanks for your reply.
I'm trying to enable CAAM (hardware crypto engine) by referring to IMX_LINUX_USERS_GUIDE.pdf
https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf
Regarding "Chapter-10.1.4", the IMX8DXP's default device tree in Linux-4.14.98 is configured as follows:
+========================================+
fsl-imx8dx.dtsi
+========================================+
crypto: caam@0x31400000 {
	compatible = "fsl,sec-v4.0";
	reg = <0 0x31400000 0 0x400000>;
	interrupts = <GIC_SPI 148 IRQ_TYPE_LEVEL_HIGH>;
	#address-cells = <1>;
	#size-cells = <1>;
	ranges = <0 0 0x31400000 0x400000>;
	fsl,sec-era = <9>;
	sec_jr1: jr1@0x20000 {
		compatible = "fsl,sec-v4.0-job-ring";
		reg = <0x20000 0x1000>;
		interrupts = <GIC_SPI 452 IRQ_TYPE_LEVEL_HIGH>;
		power-domains = <&pd_caam_jr1>;
		status = "disabled";
	};
	...
+========================================+
That's somewhat different from IMX6.
Do I need to modify it to enable CAAM on IMX8DXP? If so, how?
My other question is about "Chapter-10.3.1 Verifying driver operation and correctness", which I'm reading.
The expected dmesg should show the "device ID" and "job ring info". But I don't see them after enabling the CAAM feature config.
Is it caused by the device tree problem above?
====
Expected dmesg
====
[ 1.830397] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[ 1.837113] caam 30900000.crypto: job rings = 2, qi = 0
[ 1.849949] caam algorithms registered in /proc/crypto
[ 1.855972] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[ 1.865564] caam_jr 30901000.jr: registering rng-caam
[ 1.870766] Device caam-keygen registered
====
The dmesg I got
====
[ 3.560986] caam 31400000.caam: ERA source: device tree
[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed
Thanks.
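The comparison the post above makes by eye, written as a script. This is an added example, not part of the original thread and not NXP code; the function names and temporary file names are assumptions, and the log lines are copied from the two dmesg excerpts quoted in the post.

```shell
#!/bin/sh
# Added example: diff two CAAM boot logs on message text only.

# Reduce a dmesg line to its message: drop the timestamp and the
# "<driver> <address>.<node>:" prefix, then mask hex and decimal numbers,
# so logs from SoCs with different CAAM base addresses can be compared.
normalize() {
    sed -e 's/^\[ *[0-9.]*\] *//' \
        -e 's/^[a-z_]* [0-9a-f][0-9a-f]*\.[a-z0-9]*: *//' \
        -e 's/0x[0-9a-f]*/HEX/g' \
        -e 's/[0-9][0-9]*/N/g'
}

# Print every message of log $1 that has no counterpart in log $2.
only_in_first() {
    second=$(normalize < "$2")
    normalize < "$1" | while IFS= read -r msg; do
        printf '%s\n' "$second" | grep -Fqx -- "$msg" || printf '%s\n' "$msg"
    done
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
expected="$workdir/expected.log"   # sample from the user's guide, as quoted
observed="$workdir/observed.log"   # boot log from the i.MX8DXP board, as quoted

cat > "$expected" <<'EOF'
[ 1.830397] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[ 1.837113] caam 30900000.crypto: job rings = 2, qi = 0
[ 1.849949] caam algorithms registered in /proc/crypto
[ 1.855972] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[ 1.865564] caam_jr 30901000.jr: registering rng-caam
[ 1.870766] Device caam-keygen registered
EOF
cat > "$observed" <<'EOF'
[ 3.560986] caam 31400000.caam: ERA source: device tree
[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed
EOF

echo "In the guide's sample but absent on the board:"
only_in_first "$expected" "$observed"
echo "On the board but not in the guide's sample:"
only_in_first "$observed" "$expected"
```

On the target, the observed file can be captured with `dmesg | grep -i caam > observed.log` and passed to `only_in_first` in place of the embedded sample.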
@syuanyang
Hello,
Use Chapter 8 (Security) of "i.MX_Reference_Manual.pdf" for L4.14.
Also, Chapter 9 (Security) of "i.MX_Linux_User's_Guide.pdf"
https://www.nxp.com/webapp/Download?colCode=imx-yocto-L4.14.98_2.0.0_ga
Regards,
Yuri.