Hi,
This is iMX8MM built with yocto scarthgap.
I am mainly following this doc-stm in conjunction with this doc.
optee-os, optee-test and optee are all in the build.
The Kernel config looks like:
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_AES=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_DM=y
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=y
CONFIG_TRUSTED_KEYS_TEE=y
The drivers look okay
[root@imx:~$ dmesg | grep optee
[ 1.530781] optee: probing for conduit method.
[ 1.530800] optee: revision 4.2 (c6be5b57)
[ 1.532316] optee: dynamic shared memory is enabled
[ 1.559229] optee: initialized driver
The xtest passes
+-----------------------------------------------------
43430 subtests of which 0 failed
155 test cases of which 0 failed
0 test cases were skipped
TEE test application done!
But
[root@imx:~$ keyctl add trusted kmk "new 32" @s
add_key: No such device
[root@Dekoda:~$
fails with "No such device"; dmesg shows nothing.
Hello,
On the MX8MM, the DEK blob must be created by software running in the Arm TrustZone Secure World. The CAAM block takes the TrustZone configuration into consideration when encapsulating the DEK, and the resulting blob can only be decapsulated by software running in the same configuration. As the ROM code is running in the Arm TrustZone secure world, we must encapsulate the blobs using OP-TEE.
Please check this thread:
https://community.nxp.com/t5/i-MX-Processors/Enabling-OP-TEE-in-i-MX8MM-EVK-FIT-image/m-p/1160604
Regards
I do this, we have all HAB TC enabled.
I found the problem.
I was using the 5.15.60 kernel due to custom drivers.
As the results did not make any sense, I replaced it for the time being with 6.6.23 and all is good.
I can add a trusted key to the KR session and
use dm to encrypt a partition using the key blob.
RESOLVED
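
The flow the last post describes (a trusted key in the session keyring, then a dm-crypt mapping keyed from it), written out as an added example that is not code from the thread or from NXP. The device path, mapping name, blob file and the aes-xts-plain64 cipher are assumptions, and it assumes a kernel whose dm-crypt accepts keyring keys of type trusted.

```shell
#!/bin/sh
# Added example. kmk matches the key description used in the thread; the
# device, mapping name and blob path passed to these functions are placeholders.

# Build a dm-crypt table line that names a keyring key instead of raw key bytes.
# Key field format: :<key_size_bytes>:<key_type>:<description>
crypt_table() {   # $1 = size in 512-byte sectors, $2 = device, $3 = description
    sectors=$1 dev=$2 desc=$3 keybytes=${4:-32}
    case $sectors in ''|*[!0-9]*) echo "bad sector count" >&2; return 1 ;; esac
    # The description is embedded in a space-separated table, so restrict it.
    case $desc in ''|*[!A-Za-z0-9_.-]*) echo "bad key description" >&2; return 1 ;; esac
    case $keybytes in 32|64) ;; *) echo "aes-xts needs a 32 or 64 byte key" >&2; return 1 ;; esac
    printf '0 %s crypt aes-xts-plain64 :%s:trusted:%s 0 %s 0\n' \
        "$sectors" "$keybytes" "$desc" "$dev"
}

# First boot: the trust source generates and seals a 32-byte key.
# Only the sealed blob is written to storage, never the plaintext key.
create_key() {    # $1 = description, $2 = blob file
    id=$(keyctl add trusted "$1" "new 32" @s) || return 1
    keyctl pipe "$id" > "$2"
}

# Later boots: hand the sealed blob back; unsealing happens inside the kernel.
load_key() {      # $1 = description, $2 = blob file
    keyctl add trusted "$1" "load $(cat "$2")" @s
}

# Map the partition; dm-crypt looks the key up in the caller's keyrings.
map_device() {    # $1 = block device, $2 = mapping name, $3 = description
    table=$(crypt_table "$(blockdev --getsz "$1")" "$1" "$3") || return 1
    dmsetup create "$2" --table "$table"
}
```

Run `create_key` once, store the blob, then call `load_key` followed by `map_device` in the same session on each boot so the key is visible to dm-crypt.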