CAAM black keys and public key cryptography in latest BSPs

msalvinik
Contributor III

Hi all,

As per AN12838 "Strengthening Public Key Cryptography using CAAM Secure Key" application note, it is possible to use the CAAM black keys with ECDSA (and RSA) algorithms.

As stated by the AN12838 this functionality is added by the patches contained in "meta-imx-ecdsa-sec" layer, that is in "imx_sec_apps" repository (https://github.com/nxp-imx-support/imx_sec_apps).

But this meta-layer supports only kernels up to 5.4 (warrior and zeus Yocto releases), there are no patches for newer kernel versions/Yocto releases.

I searched the source of newer kernel versions, supposing that the patches introduced by the "meta-imx-ecdsa-sec" layer had been merged upstream, but I didn't find anything.

Has development on the "meta-imx-ecdsa-sec" layer stopped?

How can public key cryptography with CAAM black keys be implemented in the latest BSP releases?

Thanks in advance, regards

Mauro

AldoG
NXP TechSupport

Hello,

Please accept my apologies for the delayed response. It is actually part of the standard release; I don't know which version of the BSP you have looked at or where you have looked, or whether this is already enabled or not.

Please note that some names are not the same, and even the file directories of some drivers tend to change, especially between major releases, so this may lead to some confusion.

For example, please refer to section 10.6, "crypto_af_alg application support", of the i.MX Linux User's Guide.
https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

If you have any other questions please do let me know!

Best regards/Saludos,
Aldo.

william-degisi
Contributor I

Hello

Thanks for the answer

Actually we are using Kirkstone BSP

Is it already implemented?

Thanks, William 

AldoG
NXP TechSupport

Hello,

Yes, for the Kirkstone release (L5.15.71_2.2.0) it does apply; please refer to the document for this Linux version:
https://www.nxp.com/docs/en/supporting-information/L5.15.71_2.2.0_LINUX_DOCS.zip

Best regards/Saludos,
Aldo.

msalvinik
Contributor III

Hi @AldoG,

thank you for your answer.

I know that CAAM black keys are supported in NXP latest BSPs, using caam-keygen through crypto_af_alg as you stated: this is for encryption and decryption using symmetric keys, and we already use it.

But my question was about using CAAM black keys with public key cryptography (asymmetric keys) in your recent BSPs: I'm referring to examples shown in AN12838, where openssl is used to generate the keys and the private key is placed automatically in a black blob. In this AN, the "meta-imx-ecdsa-sec" layer is used: this layer applies patches to the kernel, but the layer development stopped at kernel 5.4.24 and the code added by those patches seems not to be in NXP kernels after 5.4.

Then, how can we have CAAM black keys with public key cryptography (asymmetric keys) in our Kirkstone BSP?


Thank you

Mauro

AldoG
NXP TechSupport

Hello,

Please accept my apologies for the delayed response; I wanted to give an answer that is as clear as possible.

The solution that was previously offered via imx_sec_app is not suitable for upstream and as such we will not integrate that as part of the BSP enablement.

In the BSP, ECDSA operation is supported through OP-TEE and the PKCS11 interface on all devices (and accelerated with CAAM when available).

Please refer to the Linux Users Guide chapter 10.4.7 Running OpenSSL asymmetric tests with PKCS#11 based engine.

Hope this helps,
Best regards/Saludos,
Aldo.

msalvinik
Contributor III

Hi @AldoG,

thank you, now it's all clear.

Regards

msalvinik
Contributor III

Hi,

kind ping: does anybody in NXP know the current development status of this topic?

Thanks, regards

Mauro
