[i.Mx8] How to enable SNVS and CAAM feature


3,856 Views
syuanyang
Contributor II

Hi,

I'm trying to enable security-related functions on the i.Mx8dxp platform (based on Linux kernel 4.14), but I don't understand how to enable them even after studying the doc.

Security Reference Manual for i.MX8DualX/8DualXPlus/8QuadXPlus Application Processors - Document Number: IMX8QXPSRM

 

My questions are:

1. How do I enable the SNVS and CAAM features on the board? Is there quick-enable documentation about this?

2. Once I enable it, how can I test it?

 

Thanks.

0 Kudos
6 Replies

3,774 Views
syuanyang
Contributor II

Hi @Yuri 

But it seems caam-keygen is not enabled on my system.

The dmesg log "Device caam-keygen registered" didn't show up either.

 

 

Here are my steps. Is there anything missing?

==== Step1 ====

According to the document: [AN12714 - i.MX Encrypted Storage Using CAAM Secure Keys]

I downloaded the caam-keygen source from codeaurora, built it, and put caam-keygen onto my device.

https://source.codeaurora.org/external/imx/keyctl_caam/tree/?h=imx_5.4.47_2.2.0

 

==== Step2 ====

According to caam-keygen_priv.h, key generation accesses the node named /dev/caam-keygen.

But I don't find this node on my device.

(Note: /bin/caam-keygen is the standalone tool I built from Step1.)

 

root@imx8dxptbox:/# find . -name caam-keygen
./bin/caam-keygen 

 

==== Step3 ====

Reviewing my kernel config, it seems to be the same as the document says. Everything is fine.

root@imx8dxptbox:/# zcat /proc/config.gz | grep CAAM
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y

 

root@imx8dxptbox:/# zcat /proc/config.gz | grep DM

CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_MQ_DEFAULT is not set
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=y
# CONFIG_DM_SNAPSHOT is not set
# CONFIG_DM_THIN_PROVISIONING is not set
# CONFIG_DM_CACHE is not set
# CONFIG_DM_ERA is not set
# CONFIG_DM_MIRROR is not set
# CONFIG_DM_RAID is not set
# CONFIG_DM_ZERO is not set
CONFIG_DM_MULTIPATH=y
# CONFIG_DM_MULTIPATH_QL is not set
# CONFIG_DM_MULTIPATH_ST is not set
# CONFIG_DM_DELAY is not set
CONFIG_DM_UEVENT=y
# CONFIG_DM_FLAKEY is not set
# CONFIG_DM_VERITY is not set
# CONFIG_DM_SWITCH is not set
# CONFIG_DM_LOG_WRITES is not set
# CONFIG_DM_INTEGRITY is not set

 

Build environment:

kernel version: Linux-4.14.98_2.3.3 (Build by Yocto)

 

Thanks,

Syuan

0 Kudos

3,806 Views
syuanyang
Contributor II

Ping.

 

As far as I know, CAAM is a hardware crypto engine supported on the iMx8dxp platform.

In the boot log, I got the messages below, but they don't match what the doc says (IMX_LINUX_USERS_GUIDE.pdf).

Is this expected, or do I need to patch something into the Linux codebase?

====

[ 3.560986] caam 31400000.caam: ERA source: device tree

[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed

 

0 Kudos

3,846 Views
Yuri
NXP Employee

@syuanyang 
Hello,

Please use Chapter 8 (Security) in "i.MX_Reference_Manual.pdf" and
Chapter 9 (Security) in "i.MX_Linux_User's_Guide.pdf".

 https://www.nxp.com/webapp/Download?colCode=imx-yocto-L4.14.98_2.0.0_ga

 

It may be recommended to use the recent NXP Linux BSP

https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

https://www.nxp.com/docs/en/reference-manual/IMX_REFERENCE_MANUAL.pdf

Summary Page:

https://www.nxp.com/design/software/embedded-software/i-mx-software/embedded-linux-for-i-mx-applicat...

 

Regards,
Yuri.

0 Kudos

3,821 Views
syuanyang
Contributor II

Hello Yuri,

Thanks for your reply.

 

I'm trying to enable CAAM (hardware crypto engine) by referring to IMX_LINUX_USERS_GUIDE.pdf

https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

 

Regarding "Chapter-10.1.4", the IMX8DXP's default device tree in Linux-4.14.98 is configured as follows:

+========================================+

fsl-imx8dx.dtsi

+========================================+

crypto: caam@0x31400000 {
    compatible = "fsl,sec-v4.0";
    reg = <0 0x31400000 0 0x400000>;
    interrupts = <GIC_SPI 148 IRQ_TYPE_LEVEL_HIGH>;
    #address-cells = <1>;
    #size-cells = <1>;
    ranges = <0 0 0x31400000 0x400000>;
    fsl,sec-era = <9>;

    sec_jr1: jr1@0x20000 {
        compatible = "fsl,sec-v4.0-job-ring";
        reg = <0x20000 0x1000>;
        interrupts = <GIC_SPI 452 IRQ_TYPE_LEVEL_HIGH>;
        power-domains = <&pd_caam_jr1>;
        status = "disabled";
    };

    ...

+========================================+

That's different from IMX6.

Do I need to modify it to enable CAAM on IMX8DXP? How?

 

My other question: I'm reading "Chapter-10.3.1 Verifying driver operation and correctness".

The expected dmesg will show the "device ID" and "job ring info", but I don't see them after enabling the CAAM feature config.

Is it caused by a problem in the device tree above?

====

Expected dmesg

==== 

[ 1.830397] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[ 1.837113] caam 30900000.crypto: job rings = 2, qi = 0
[ 1.849949] caam algorithms registered in /proc/crypto
[ 1.855972] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[ 1.865564] caam_jr 30901000.jr: registering rng-caam
[ 1.870766] Device caam-keygen registered

 

====

The dmesg I got
====

[ 3.560986] caam 31400000.caam: ERA source: device tree

[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed

 

Thanks.

0 Kudos
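
The comparison between the expected and the observed boot log in the post above can be scripted. This is an added example, not code from the thread or from NXP: the function names `caam_report` and `caam_drivers` are hypothetical, the marker strings are the boot messages quoted in this thread, and the embedded log is the "dmesg I got" text from the post.

```shell
#!/bin/sh
# Added example (not from the thread): helper names are hypothetical.
# Boot log copied from the "dmesg I got" section of the post above.
THREAD_LOG='[ 3.560986] caam 31400000.caam: ERA source: device tree
[ 4.010968] caam algorithms registered in /proc/crypto
[ 4.032308] caam_jr 31430000.jr2: registering rng-caam
[ 4.080826] caam 31400000.caam: caam pkc algorithms registered in /proc/crypto
[ 4.090580] platform caam_sm: blkkey_ex: 16 keystore units available
[ 4.097262] caam 31400000.caam: SM test passed'

# caam_report: read a kernel log on stdin and print "<feature>=present|missing"
# for each boot message quoted in this thread.
caam_report() {
    log=$(cat)
    while IFS='|' read -r feature marker; do
        if printf '%s\n' "$log" | grep -qF -- "$marker"; then
            echo "$feature=present"
        else
            echo "$feature=missing"
        fi
    done <<'EOF'
crypto_api|caam algorithms registered in /proc/crypto
pkc_api|caam pkc algorithms registered in /proc/crypto
rng|registering rng-caam
secure_memory|SM test passed
keygen|Device caam-keygen registered
EOF
}

# caam_drivers: read /proc/crypto-format text on stdin and list the driver
# names that contain "caam" (CAAM-backed algorithms carry it in their name).
caam_drivers() {
    awk -F': *' '$1 ~ /^driver/ && $2 ~ /caam/ { print $2 }'
}

# Offline run against the thread's log.
printf '%s\n' "$THREAD_LOG" | caam_report
# On the target: dmesg | caam_report; caam_drivers < /proc/crypto;
# [ -c /dev/caam-keygen ] && echo "keygen node present"
```

On the log from this thread the report marks everything present except `keygen`, which matches the missing /dev/caam-keygen node described in the Step2 post.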

3,750 Views
Yuri
NXP Employee

@syuanyang 
Hello,

  Use Chapter 8 (Security) of "i.MX_Reference_Manual.pdf" for L4.14.
Also, Chapter 9 (Security) of "i.MX_Linux_User's_Guide.pdf"

https://www.nxp.com/webapp/Download?colCode=imx-yocto-L4.14.98_2.0.0_ga

Regards,
Yuri.

0 Kudos

3,798 Views
Yuri
NXP Employee

@syuanyang 
Hello,

According to your log, CAAM is working in your system.

Regards,
Yuri.

 

0 Kudos