iMX8MM keyctl add trusted, add_key: No such device

mariusoctavian
Contributor IV

Hi,
This is iMX8MM built with yocto scarthgap.

I am following mainly this doc-stm (https://wiki.st.com/stm32mpu/index.php?title=How_to_encrypt_a_disk_with_dm-crypt&oldid=101931) in conjunction with this doc (https://www.thegoodpenguin.co.uk/blog/secure-storage-with-i-mx-95-verdin-evk-using-trusted-keys-with-op-tee/).

All of optee-os, optee-test and optee are in the build.

The Kernel config looks like:

CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_AES=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_DM=y
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=y
CONFIG_TRUSTED_KEYS_TEE=y

The drivers look okay:

[root@imx:~$ dmesg | grep optee
[    1.530781] optee: probing for conduit method.
[    1.530800] optee: revision 4.2 (c6be5b57)
[    1.532316] optee: dynamic shared memory is enabled
[    1.559229] optee: initialized driver
The xtest passes

+-----------------------------------------------------
43430 subtests of which 0 failed
155 test cases of which 0 failed
0 test cases were skipped
TEE test application done!
But

[root@imx:~$ keyctl add trusted kmk "new 32" @s
add_key: No such device
[root@Dekoda:~$ 

fails with "No such device", and dmesg shows nothing.

Bio_TICFSL
NXP TechSupport

Hello,

On the MX8MM the DEK blob must be created by software running in the Arm TrustZone Secure World; the CAAM block takes the TrustZone configuration into account when encapsulating the DEK, and the resulting blob can only be decapsulated by software running in the same configuration. As the ROM code runs in the ARM TrustZone secure world, we must encapsulate the blobs using OP-TEE.

Please check this thread:

https://community.nxp.com/t5/i-MX-Processors/Enabling-OP-TEE-in-i-MX8MM-EVK-FIT-image/m-p/1160604
Regards

mariusoctavian
Contributor IV

I do this; we have all HAB TC enabled.
I found the problem.
I was using the 5.15.60 kernel due to custom drivers.
As the results did not make any sense, I replaced it for the time being with 6.6.23 and all is good.

I can add a trusted key to the KR session and
use dm to encrypt a partition using the key blob.

RESOLVED
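The prerequisite check a practitioner would run on the board before the keyctl step that failed in the question, written here as an added example (not code from the thread or from NXP). It assumes the kernel config is readable from /proc/config.gz, that OP-TEE is exposed to Linux as /dev/tee0, that CONFIG_TEE and CONFIG_OPTEE are needed alongside the options listed in the question, and that dm-crypt accepts a keyring key reference of the form :32:trusted:kmk.

```shell
#!/bin/sh
# Preflight for TEE-backed trusted keys on i.MX8MM (added example, not code
# from the thread). Assumes /proc/config.gz is readable, OP-TEE is exposed as
# /dev/tee0, and CONFIG_TEE/CONFIG_OPTEE are needed alongside the options the
# question lists.

REQUIRED_OPTS="CONFIG_KEYS CONFIG_TRUSTED_KEYS CONFIG_TRUSTED_KEYS_TEE \
CONFIG_TEE CONFIG_OPTEE CONFIG_ENCRYPTED_KEYS CONFIG_DM_CRYPT"

# check_kconfig FILE: print each required option that is not =y or =m and
# return 1 if any is missing. Trailing blanks ("CONFIG_MD=y ") are tolerated.
check_kconfig() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^$opt=[ym][[:space:]]*$" "$1" || { echo "missing: $opt"; rc=1; }
    done
    return $rc
}

# optee_ready FILE: true when a dmesg capture contains the line that marks the
# OP-TEE driver as probed (the healthy line shown in the question).
optee_ready() { grep -q 'optee: initialized driver' "$1"; }

# trusted_is_module FILE: true when the config builds the trusted key type as
# a module, which then has to be loaded before keyctl can use it.
trusted_is_module() { grep -q '^CONFIG_TRUSTED_KEYS=m' "$1"; }

# preflight: run the checks on the live board, then create, export and reload
# a trusted key the same way the question does.
preflight() {
    tmp=$(mktemp -d) || return 1
    zcat /proc/config.gz > "$tmp/config" || return 1
    dmesg > "$tmp/dmesg" 2>/dev/null
    check_kconfig "$tmp/config" || return 1
    optee_ready "$tmp/dmesg" || { echo "OP-TEE driver not initialized"; return 1; }
    [ -c /dev/tee0 ] || { echo "/dev/tee0 missing"; return 1; }
    # With CONFIG_TRUSTED_KEYS=m the key type only exists once the module is
    # loaded; source=tee selects the TEE backend instead of a TPM.
    if trusted_is_module "$tmp/config"; then modprobe trusted source=tee || return 1; fi
    id=$(keyctl add trusted kmk "new 32" @s) || return 1    # the step that failed
    keyctl pipe "$id" > "$tmp/kmk.blob"     # sealed blob: safe to persist, plaintext stays in the kernel
    # Reload from the blob: only a TEE in the same TrustZone configuration can unseal it.
    keyctl add trusted kmk2 "load $(cat "$tmp/kmk.blob")" @s > /dev/null || return 1
    echo "trusted key $id usable; reference it from dm-crypt as :32:trusted:kmk"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the board; the first check that fails names the missing piece instead of leaving only the bare "No such device" from add_key.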
