how to use Blob protocol of CAAM with RT1165

Hi  @kyle81 

 Do you mean you want to generate the DEK blob and then save it in the external flash, right?

This one:

If yes, in my memory, it can use the tool to generate it.

You can check my RT1050 post:

https://community.nxp.com/docs/DOC-344919

Fig2. and chapter 2.4 APP Encrypted Image

When you use the related encrypted.bd, the cst and elftosb tool will help to generate the dek blob, to the RT1170, you can refer to the AN13250. In fact, the process is similar.

Normally, I do the HAB encrypted boot, I use the cst tool associated with elftosb, or MCUBootUtility, or SPT(secure provisional tool) to do it. So the tool will help to generated the related files.

Wish it helps you!

If you still have questions about it, please kindly let me know.

Best Regards,

Kerry

Kerry

Hi Kerry @kerryzhou ,

I am afraid you misunderstand my question. As the security guide of RT1170, CAAM has built-in blob protocol and it can encapsulate and decapsulate blobs. We need to call the APIs (these should be provided in driver fsl_caam.c of RT1170/RT1165 SDK, but it doesn't exist) to generate the Red blobs(for general data) in our bootloader. But the method you told me is used to encrypt/decrypt boot by using PC tools. Instead I want the methods (APIs) to generate blob during the boot running time.

In fsl_caam.c, it has APIs like CAAM_AES_EncryptTagCcm(), but we want the APIs like CAAM_Blob_Encapsulate().

We want to add the blob API in fsl_caam.c ourself, but it seems not to be simple, the API wevadded like below picture, but it doesn't work, so we need NXP's help to give the sample of APIs to encapsulate/decapsulate blobs which can be called during custom code running time.

Hope that I have clearly represented my quesions.

Best Regards,

Kyle

Hi @kyle81 

  Thanks a lot for your detail information and your effort.

  I understand your request now.

  Seems we still don't have the related API, but I already double check it internally with our expert.

  Any updated information, I will let you know.

  Please keep patient, thanks a lot for your understanding.

Best Regards,

Kerry

Hi Kerry @kerryzhou ,

Thanks for your help of double checking. And I am wondering if NXP will add these APIs into SDK and how about its plan? And really our projects do need these APIs.

Best Regards,

Kyle

Hi @kyle81 

   Some good news to you.

   Please check the following valuable information from our secure expert:

  Please check the SDK code:

SDK_2_10_1_MIMXRT1170-EVK\boards\evkmimxrt1170\bootloader_examples\flashloader\cm7

Source is:

SDK_2_10_1_MIMXRT1170-EVK\middleware\mcu-boot\src\security\keyblob\src

You can find flashloader project is used to match with ROM code, so there just have the operation of the blob encapsulation. About the operation of the blob decapsulation, there request some development according to combine the example code and the demonstration in SRM. 

You can try it, we may implement such reference code (based on flashloader's example) after the new year holiday, or may wait for the official release from SDK team, we submit such requirement to request extend the CAAM driver for supporting more built-in protocols. But it still rely on the resource of SDK team, no schedule currently.

Wish it helps you!

Best Regards,

Kerry

Thank you @kerryzhou ,

Really appreciated that you can response so quickly and I have tried the code in keyblob and it does work for encapsulating. According to that, I also tried decapsulating (only change the last job descriptor from 0x870D0000 to 0x860D0000) and it unexpectedly works. But I am not sure my modification is correct or not even though the result is correct. So please help to figure out the reference code of decapsulating when you come back after new year holiday.

And happy new year.

Kyle

Hi Kile,

Do you have any code snapshot that shows how were able to decapsulating the blob ?

I have tried to decapsulated using the same job descriptor you used but the test fails with the code "DMA error"

Best regards 

Vico Lupoir 

Hi Vico,

You can have a reference to codes below

Regards,

Kyle

Hi Kyle,

Your help was very useful.

Thank 

Vico

Hi @kyle81 ,

  Thanks for your updated information.

   And I glad to hear you already make the encapsulate blob works.

   After the new year, I will help you to check it internally again.

   But as it may need to share the code, so, I suggest you create the private case directly for the decapsulate blobs after the new year.

  You can follow this post to create the case:

1. Open below SUPPORT site, click blue "Go to Tickets" in the middle.
http://www.nxp.com/support/support:SUPPORTHOME

2.Then you will be requested to Login, if you have no an account, please first Register with your business email.

3.After login, please "Create New Cases" button in the middle, then you can submit your question.

  Then we will support you with email directly.

  Thanks a lot for your understanding.

Best Regards,

Kerry