Hi,
I am looking into the CAAM of the RT1165 and want to use the Blob protocol, but I can't find a sample in the RT116x SDK. Could you help by providing a sample that uses the Blob protocol of the CAAM?
Best Regards,
Kyle
Hi Kerry, @kerryzhou
We want to use the CAAM to generate a blob stored in our external NOR flash; we do this because we want to protect our secret key in external flash. According to the application note of IMXRT1170SRM, the CAAM supports Blob PROTOCOL OPERATION commands. But how do we use them? No sample or details can be found in IMXRT1170SRM.pdf. For example, the template commands below, written by me, cause an error, and I am not sure how to get the right ones.
static const uint32_t templateBlobEncapsule[] = {
/* 00 */ 0xB0800000u, /* HEADER */
/* 01 */ 0x22130000u, /* FIFO LOAD Message */
/* 02 */ 0x00000000u, /* place: source address */
/* 03 */ 0x60300000u, /* FIFO STORE Message */
/* 04 */ 0x00000000u, /* place: destination address */
/* 05 */ 0x870D0000u, /* OPERATION: blob encapsule protocol */
};
static const uint32_t templateBlobDecapsule[] = {
/* 00 */ 0xB0800000u, /* HEADER */
/* 01 */ 0x22130000u, /* FIFO LOAD Message */
/* 02 */ 0x00000000u, /* place: source address */
/* 03 */ 0x60300000u, /* FIFO STORE Message */
/* 04 */ 0x00000000u, /* place: destination address */
/* 05 */ 0x860D0000u, /* OPERATION: blob decapsule protocol */
};
Please help to look deeper into my problem; it will be much appreciated. Thanks.
Best Regards,
Kyle
Hi @kyle81
Do you mean you want to generate the DEK blob and then save it in the external flash, right?
This one:
If yes, as I remember, you can use the tool to generate it.
You can check my RT1050 post:
https://community.nxp.com/docs/DOC-344919
Fig2. and chapter 2.4 APP Encrypted Image
When you use the related encrypted.bd, the cst and elftosb tools will help to generate the DEK blob. For the RT1170, you can refer to AN13250. In fact, the process is similar.
Normally, when I do the HAB encrypted boot, I use the cst tool together with elftosb, or MCUBootUtility, or SPT (secure provisional tool) to do it. So the tool will help to generate the related files.
Wish it helps you!
If you still have questions about it, please kindly let me know.
Best Regards,
Kerry
Hi Kerry @kerryzhou ,
I am afraid you misunderstood my question. According to the security guide of the RT1170, the CAAM has a built-in blob protocol and it can encapsulate and decapsulate blobs. We need to call the APIs (these should be provided in the driver fsl_caam.c of the RT1170/RT1165 SDK, but they don't exist) to generate the Red blobs (for general data) in our bootloader. But the method you told me about is used to encrypt/decrypt the boot image by using PC tools. Instead, I want the methods (APIs) to generate blobs at boot run time.
In fsl_caam.c, it has APIs like CAAM_AES_EncryptTagCcm(), but we want the APIs like CAAM_Blob_Encapsulate().
We want to add the blob API in fsl_caam.c ourselves, but it does not seem to be simple. The API we added is like the picture below, but it doesn't work, so we need NXP's help to provide sample APIs to encapsulate/decapsulate blobs which can be called at custom code run time.
I hope that I have clearly presented my questions.
Best Regards,
Kyle
Hi @kyle81
Thanks a lot for your detailed information and your effort.
I understand your request now.
It seems we still don't have the related API, but I am already double-checking it internally with our expert.
If there is any updated information, I will let you know.
Please be patient, thanks a lot for your understanding.
Best Regards,
Kerry
Hi Kerry @kerryzhou ,
Thanks for your help with double-checking. I am wondering whether NXP will add these APIs to the SDK, and what the plan is. Our projects really do need these APIs.
Best Regards,
Kyle
Hi @kyle81
Some good news for you.
Please check the following valuable information from our secure expert:
Please check the SDK code:
SDK_2_10_1_MIMXRT1170-EVK\boards\evkmimxrt1170\bootloader_examples\flashloader\cm7
Source is:
SDK_2_10_1_MIMXRT1170-EVK\middleware\mcu-boot\src\security\keyblob\src
You can see that the flashloader project is used to match the ROM code, so it only has the blob encapsulation operation. The blob decapsulation operation requires some development, combining the example code and the demonstration in the SRM.
You can try it. We may implement such reference code (based on the flashloader's example) after the new year holiday, or you may wait for the official release from the SDK team; we submit such a requirement to request extending the CAAM driver to support more built-in protocols. But it still relies on the resources of the SDK team, and there is no schedule currently.
Wish it helps you!
Best Regards,
Kerry
Thank you @kerryzhou ,
I really appreciate that you responded so quickly. I have tried the code in keyblob and it does work for encapsulating. Based on that, I also tried decapsulating (only changing the last job descriptor from 0x870D0000 to 0x860D0000) and it unexpectedly works. But I am not sure whether my modification is correct, even though the result is correct. So please help to figure out the reference code for decapsulating when you come back after the new year holiday.
And happy new year.
Kyle
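Added example, not part of the original posts or of the NXP SDK: a small decoder for the command words quoted in this thread. It shows that 0x870D0000 and 0x860D0000 are both OPERATION commands for the blob protocol and differ only in the OPTYPE field. The field positions and names are assumptions taken from the public CAAM descriptor layout in the Linux kernel (drivers/crypto/caam/desc.h), and the sample descriptors are built from the words posted above with address words left as zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Field positions assumed from the public CAAM descriptor definitions
 * (Linux drivers/crypto/caam/desc.h), not from the RT1170 SDK or SRM. */
#define CMD_CTYPE(w) ((uint32_t)(w) >> 27)           /* bits 31..27 */
#define OP_OPTYPE(w) (((uint32_t)(w) >> 24) & 0x7u)  /* bits 26..24 */
#define OP_PROTID(w) (((uint32_t)(w) >> 16) & 0xFFu) /* bits 23..16 */

enum { CTYPE_FIFO_LOAD = 0x04, CTYPE_FIFO_STORE = 0x0C, CTYPE_OPERATION = 0x10,
       CTYPE_JOB_HDR = 0x16, CTYPE_SEQ_IN_PTR = 0x1E, CTYPE_SEQ_OUT_PTR = 0x1F };
enum { OPTYPE_DECAP = 0x6, OPTYPE_ENCAP = 0x7, PROTID_BLOB = 0x0D };
enum blob_dir { NOT_BLOB_OP, BLOB_ENCAP, BLOB_DECAP };

/* Constructed from the words quoted in the thread; addresses are 0 placeholders. */
static const uint32_t sample_encap[] = { 0xB0800000u, 0x22130000u, 0u, 0x60300000u, 0u, 0x870D0000u };
static const uint32_t sample_decap[] = { 0xB0800000u, 0x22130000u, 0u, 0x60300000u, 0u, 0x860D0000u };

/* Classify one command word as a blob-protocol OPERATION and its direction. */
enum blob_dir blob_op_direction(uint32_t w)
{
    if (CMD_CTYPE(w) != CTYPE_OPERATION || OP_PROTID(w) != PROTID_BLOB)
        return NOT_BLOB_OP;
    return OP_OPTYPE(w) == OPTYPE_ENCAP ? BLOB_ENCAP
         : OP_OPTYPE(w) == OPTYPE_DECAP ? BLOB_DECAP : NOT_BLOB_OP;
}

/* Walk a job descriptor and report which blob operation it requests.
 * Simplification: each FIFO/SEQ pointer command has one 32-bit pointer word. */
enum blob_dir descriptor_blob_dir(const uint32_t *d, size_t n)
{
    if (n == 0 || CMD_CTYPE(d[0]) != CTYPE_JOB_HDR) return NOT_BLOB_OP;
    for (size_t i = 1; i < n; i++) {
        uint32_t c = CMD_CTYPE(d[i]);
        enum blob_dir dir = blob_op_direction(d[i]);
        if (dir != NOT_BLOB_OP) return dir;
        if (c == CTYPE_FIFO_LOAD || c == CTYPE_FIFO_STORE ||
            c == CTYPE_SEQ_IN_PTR || c == CTYPE_SEQ_OUT_PTR)
            i++; /* skip the pointer word so it is not decoded as a command */
    }
    return NOT_BLOB_OP;
}

int main(void)
{
    printf("encap=%d decap=%d\n", descriptor_blob_dir(sample_encap, 6),
           descriptor_blob_dir(sample_decap, 6));
    return 0;
}
```

The decoder only confirms what the OPERATION word requests; it does not validate the source, destination or length words that surround it.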
Hi Kyle,
Do you have any code snapshot that shows how you were able to decapsulate the blob?
I have tried to decapsulate using the same job descriptor you used, but the test fails with the code "DMA error".
Best regards
Vico Lupoir
Hi @kyle81 ,
Thanks for your updated information.
I am glad to hear you already made the encapsulate blob work.
After the new year, I will help you to check it internally again.
But as it may need to share the code, I suggest you create a private case directly for the decapsulate blobs after the new year.
You can follow this post to create the case:
1. Open the SUPPORT site below and click the blue "Go to Tickets" in the middle.
http://www.nxp.com/support/support:SUPPORTHOME
2. Then you will be requested to log in; if you do not have an account, please first register with your business email.
3. After login, please click the "Create New Cases" button in the middle, then you can submit your question.
Then we will support you with email directly.
Thanks a lot for your understanding.
Best Regards,
Kerry
Hi @kyle81
About the CAAM and the blob, you can find some information from this application note:
https://www.nxp.com/webapp/Download?colCode=AN13250&location=null
For more details about the CAAM, please refer to this application note:
https://www.nxp.com/webapp/Download?colCode=AN12056&location=null
Wish it helps you!
Best Regards,
Kerry