imx8ulp caam encryption suspend state error


1,597 Views
GiacomoE
Contributor I

Platform: iMX8ULP
We are using the CAAM module to encrypt the home partition of our device as described in [AN12714](https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/172311/1/AN12714_iMX%20En...). We create an encryption key the first time we encrypt the partition and we store the black key blob. On each reboot we extract the black key and we load it into the kernel. The key we load in the kernel is a black key, that is, a session key becoming invalid between power cycles.
When we put the system in suspend state and we resume it, we get errors from dm-crypt.
I think power to the CAAM module is disabled in suspend state, so the encryption black key becomes invalid.
This seems a common scenario. What is the suggested way to overcome this issue?

/home/root# ls /home/
/home/root# [ 120.036770] Aborting journal on device dm-3-8.
[ 120.041402] Buffer I/O error on dev dm-3, logical block 65536, lost sync page write
[ 120.049250] JBD2: I/O error when updating journal superblock for dm-3-8.
l
[ 123.246075] EXT4-fs error (device dm-3): ext4_journal_check_start:84: comm sh: Detected aborted journal
[ 123.255851] Buffer I/O error on dev dm-3, logical block 0, lost sync page write
[ 123.263340] EXT4-fs (dm-3): I/O error while writing superblock
[ 123.269292] EXT4-fs (dm-3): Remounting filesystem read-only

 

0 Kudos
Reply
6 Replies

937 Views
luca_cornacchia
Contributor III

Hello @joanxie ,

Thank you for your answer. What's the BSP/kernel version that fixes the issue?

We are currently using kernel 6.6.23 from Scarthgap release.

 

thank you,

Gianluca

0 Kudos
Reply

1,417 Views
joanxie
NXP TechSupport

Yes, this is an existing issue on the old BSP, so what BSP version do you use? If you can, please upgrade it.

0 Kudos
Reply

929 Views
luca_cornacchia
Contributor III

Hello @joanxie

Thank you for your answer. What's the BSP or kernel version that fixes the issue?
We are currently using kernel 6.6.23 from Scarthgap release.

thank you,
Gianluca

0 Kudos
Reply

754 Views
joanxie
NXP TechSupport

As far as I know, 6.6.23 has already fixed this, but let me remind you: when you test according to the AN, in step 5 of chapter 3.2 (usage), the command is like

dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :32:caam_tk:seckey 0 /dev/loop0 0 1 sector_size:512"

You need to change capi:tk to capi:tb.

 

0 Kudos
Reply
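The check below is an added example, not part of the thread and not NXP code: it parses a dm-crypt table line in the layout used by the command above and flags the `capi:tk` prefix that the reply says to replace with `capi:tb`. The function name, the sample lines and the sector count are assumptions; the second sample is the thread's command with only that one change applied.

```shell
#!/bin/sh
# Added example: audit a dm-crypt table line for the CAAM transform prefix.
# dm-crypt target layout:
#   <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> [<n> <opts...>]

# Constructed sample lines modelled on the command quoted in the thread
# (the sector count 204800 is made up).
TABLE_TK='0 204800 crypt capi:tk(cbc(aes))-plain :32:caam_tk:seckey 0 /dev/loop0 0 1 sector_size:512'
TABLE_TB='0 204800 crypt capi:tb(cbc(aes))-plain :32:caam_tk:seckey 0 /dev/loop0 0 1 sector_size:512'

# Prints "<verdict> wrapper=<w> keytype=<t> keysize=<n>".
# Exit status: 0 = OK, 1 = needs attention, 2 = not a crypt target.
audit_crypt_table() {
    # Split the table line into positional parameters without globbing.
    set -f; set -- $1; set +f
    [ "$#" -ge 8 ] && [ "$3" = "crypt" ] || { echo "not-crypt"; return 2; }
    cipher=$4 key=$5

    # capi:<wrapper>(<inner cipher>)-<iv mode>  ->  <wrapper>
    case $cipher in
        capi:*\(*) wrapper=${cipher#capi:}; wrapper=${wrapper%%\(*} ;;
        *)         wrapper=none ;;
    esac

    # Kernel keyring reference: :<key_size>:<key_type>:<key_description>
    case $key in
        :*:*:*) rest=${key#:}
                keysize=${rest%%:*}; rest=${rest#*:}
                keytype=${rest%%:*} ;;
        *)      keysize=inline keytype=inline ;;
    esac

    # Rule taken from the support reply in this thread: tk -> tb.
    case $wrapper in
        tk) verdict=CHANGE ;;
        tb) verdict=OK ;;
        *)  verdict=UNKNOWN ;;
    esac
    echo "$verdict wrapper=$wrapper keytype=$keytype keysize=$keysize"
    [ "$verdict" = OK ]
}
```

On a target, the line to audit would come from the table of the mapping created above; the key description is only a keyring reference, so no key material appears in it.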

608 Views
GiacomoE
Contributor I
Hi Joanxie, thank you.
What is the purpose of using capi:tb instead of capi:tk?
About the BSP update: can you point out which patch is fixing the issue, so maybe we can pull only that change?
0 Kudos
Reply

524 Views
joanxie
NXP TechSupport

For this security information, I have emailed you; please check.

0 Kudos
Reply