imx93 dm-crypt options


1,129 views
electro1
Contributor II

Hi,

We are setting up dm-crypt on imx93 and have been having stability issues with the cbc-aes-tee driver, which we still hope NXP are looking at.

When looking at the keytypes and encryption algorithms, I tried understanding the different options. As I understand it:

1. Using user key and cbc-aes-ce. Key is completely unprotected and available in plain text in user space. Encryption is handled in kernel. Not a viable option.

2. Using TEE-backed trusted key and cbc-aes-ce. Key is protected and only available encrypted in user space. Key is unsealed in kernel by calling OP-TEE. Encryption is handled in kernel. Key is open to DRAM bus sniffing and kernel attacks.

3. Using user key and cbc-aes-tee. Key in keyring is completely unprotected and available in plain text in user space. However, this key is only used as a salt for the actual key derived in OP-TEE so it does not matter(?). Derived key is only ever stored in OCRAM. Encryption is handled in OP-TEE.

4. Using TEE-backed trusted key and cbc-aes-tee. Key is protected and only available encrypted in user space. Key is unsealed in kernel by calling OP-TEE. However, this key is still only used as a salt for the actual key derived in OP-TEE so now it is unnecessarily protected in keyring as well(?). Derived key is only ever stored in OCRAM. Encryption is handled in OP-TEE.

In Rev. LF6.12.3_1.0.0 of the Linux User Guide a user key is used, and in Rev. LF6.12.20_2.0.0 a trusted key is used (chapter 10.5.5); that's why I started thinking about the difference. Is my understanding of the options listed above correct?

Thinking about the security implications of option 2 versus 3 or 4, it seems the main difference is that the key might be open to DRAM sniffing attacks or kernel attacks? The on-disk storage of the key is still encrypted and secure?
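The four combinations above correspond to different dm-crypt mapping tables. As an added illustration (not code from the original post or from NXP's user guide), the POSIX shell script below composes the table line for each option using the kernel-keyring key reference syntax from the kernel's dm-crypt documentation, and shows how the option 4 key would be provisioned. The device path /dev/mmcblk0p3, key description dmcrypt_key, mapping name secure_part, blob path and sector count are constructed placeholders. It makes visible the point behind option 1 versus the others: with a keyring reference the table never carries key bytes, but for a `user` type key `keyctl print` still returns them, whereas for a `trusted` key user space only ever holds the sealed blob.

```shell
#!/bin/sh
# Added example, not from the thread or NXP's guide. Builds the dm-crypt
# mapping table for the four key-source/cipher combinations listed above.
# Device path, key description, blob path and sector count are placeholders.

# dm-crypt target line (kernel Documentation/admin-guide/device-mapper/dm-crypt.rst):
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
# A kernel-keyring key is referenced as ":<key_size_bytes>:<key_type>:<description>",
# so the key bytes themselves never appear in the table or in `dmsetup table`.
keyring_key_field() {
  # $1 key type (user or trusted), $2 key size in bytes, $3 key description
  printf ':%s:%s:%s' "$2" "$1" "$3"
}

dm_crypt_table() {
  # $1 cipher spec (cbc-aes-ce or cbc-aes-tee), $2 key field,
  # $3 backing device, $4 length in 512-byte sectors
  printf '0 %s crypt %s %s 0 %s 0' "$4" "$1" "$2" "$3"
}

# Table for option 1..4 as numbered in the question. Options 1 and 3 use a
# "user" key, whose payload `keyctl print` returns in the clear; options 2 and 4
# use a "trusted" key, for which user space only ever sees the sealed blob.
option_table() {
  # $1 option number, $2 backing device, $3 length in sectors
  case "$1" in
    1) dm_crypt_table cbc-aes-ce  "$(keyring_key_field user    32 dmcrypt_key)" "$2" "$3" ;;
    2) dm_crypt_table cbc-aes-ce  "$(keyring_key_field trusted 32 dmcrypt_key)" "$2" "$3" ;;
    3) dm_crypt_table cbc-aes-tee "$(keyring_key_field user    32 dmcrypt_key)" "$2" "$3" ;;
    4) dm_crypt_table cbc-aes-tee "$(keyring_key_field trusted 32 dmcrypt_key)" "$2" "$3" ;;
    *) return 1 ;;
  esac
}

# Provisioning for option 4. Not executed by this script: it needs keyutils,
# root, and a kernel booted with TEE-backed trusted keys.
provision_option4() {
  # Generate a 32-byte trusted key sealed by the TEE; the user-space copy is a blob.
  keyctl add trusted dmcrypt_key "new 32" @u
  # Export the sealed blob so the same key can be reloaded after reboot.
  keyctl pipe "$(keyctl search @u trusted dmcrypt_key)" > /etc/dmcrypt_key.blob
  # Create the mapping; dmsetup reads the table from stdin.
  option_table 4 /dev/mmcblk0p3 2048 | dmsetup create secure_part
}

# Print the option 4 table so the script does something useful stand-alone.
option_table 4 /dev/mmcblk0p3 2048; echo
```

On the next boot the blob is reloaded with `keyctl add trusted dmcrypt_key "load $(cat /etc/dmcrypt_key.blob)" @u` before `dmsetup create` runs, and the kernel must be booted with `trusted.source=tee` for the trusted-key subsystem to seal through OP-TEE rather than a TPM or CAAM.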


1 Reply

1,058 views
Harvey021
NXP TechSupport

Hi, 

Please refer to our latest BSP release, 6.12.34_2.1.0, to see if there are any issues. First, the salt is encapsulated in a trusted blob. Second, the key is exported from the ELE to OCRAM with the salt, and is only used within the TEE.


Regards

Harvey
