openssl cryptodev engine on imx8mp

greeran · ‎12-13-2023

hi all

i am working on the imx8mp. i would like to secure my private keys and be able to use openssl without exposing the private key to userspace. i read that its possible with cryptodev openssl engine. i built the BSP with yocto and added the cryptodev-linux cryptodev-module.

i am able to modprobe cryptodev

but when i test for engines (openssl engine) i do not see the cryptodev engine.

those the imx8mp support cryptodev openssl engine and if it does then how to i add it to my openssl.

i am building yocto krikstone 5.15.71

thanks

greeran · ‎12-14-2023

hi
i found my mistake. i needed to add the openssl-engines to the image-install
thanks

View solution in original post

Harvey021 · ‎12-14-2023

Hi @greeran

You need to follow up the Linux User guide as the chapter 10 security where you will find how to deploy it into rootfs using Yocto.

https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

Regards

Harvey

greeran · ‎12-14-2023

thanks for the reply
i did what the user guide recommended but with not success.
i had to add the packageconfig =" cryptodev-linux" (something that was missing in the guide.
i added cryptodev-module openssl-bin to the image install.
i see the cryptodev module in my bsp but i do not see the engines-3 directory from the openssl. i see it in the sysroot-destdir but its not installed in the image rootfs.
could you point me what i am missing
thansk

htplus

Should be this with in https://git.yoctoproject.org/poky/tree/meta/recipes-connectivity/openssl/openssl_3.0.15.bb?h=kirksto... like following

PACKAGECONFIG ?= "cryptodev-linux"
PACKAGECONFIG:class-native = ""
PACKAGECONFIG:class-nativesdk = ""

PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"

And how the local.conf should be?

htplus

Like in Guide? Is there openssl-engine maybe missing?

CORE_IMAGE_EXTRA_INSTALL+="cryptodev-module openssl-bin"

htplus

There is no answer? Should I ask a new question?

htplus

**Enabling the cryptodev engine in OpenSSL**

* The `PACKAGECONFIG` variable is used to customize package configurations.
* In the case of OpenSSL, setting `PACKAGECONFIG ?= "cryptodev-linux"` enables the `devcrypto` engine and `cryptography` module.
* Conversely, setting `PACKAGECONFIG ?= ""` disables the `devcrypto` engine.

**Verifying the changes**

* Running `bitbake -e openssl | grep ^PACKAGECONFIG_CONFARGS=` shows the current configuration settings for OpenSSL.
* The presence or absence of certain files and directories can be used to verify whether the `devcrypto` engine is enabled or disabled.

**Example output**

* When disabling the `devcrypto` engine, you'll see a list of files without the `devcrypto` prefix:
```bash
ls /home/cidocker/gitlab-project/project/tmp/work/armv7at2hf-neon-poky-linux-gnueabi/openssl/3.0.14-r0/build/engines/
afalg-... capi-... dasync-... loader_... ossltest-... padlock-...
```
* When enabling the `devcrypto` engine, you'll see files with the `devcrypto` prefix:
```bash
ls /home/cidocker/gitlab-project/project/tmp/work/armv7at2hf-neon-poky-linux-gnueabi/openssl/3.0.14-r0/build/engines/
afalg-... capi-... dasync-... devcrypto-... loader_... ossltest-... padlock-...
```
**Conclusion**

By modifying the `PACKAGECONFIG` variable, you can control whether the `devcrypto` engine is enabled or disabled in OpenSSL. This can be useful for customizing your build environment to meet specific requirements.

greeran · ‎12-14-2023

hi
i found my mistake. i needed to add the openssl-engines to the image-install
thanks