Hi all,
As per AN12838 "Strengthening Public Key Cryptography using CAAM Secure Key" application note, it is possible to use the CAAM black keys with ECDSA (and RSA) algorithms.
As stated by the AN12838 this functionality is added by the patches contained in "meta-imx-ecdsa-sec" layer, that is in "imx_sec_apps" repository (https://github.com/nxp-imx-support/imx_sec_apps).
But this meta-layer supports only kernels up to 5.4 (warrior and zeus Yocto releases), there are no patches for newer kernel versions/Yocto releases.
I searched in newer kernel versions source supposing that patches introduced by "meta-imx-ecdsa-sec" layer were merged upstream, but I didn't find anything.
Is the develop on "meta-imx-ecdsa-sec" layer stopped?
How to implement the public key cryptography with CAAM black keys in latest BSP releases?
Thanks in advance, regards
Mauro
Hello,
Please accept my apologize for the delayed response, it is actually part of the standard release, I don't know which version of BSP you have looked at or at where have you looked, if this is already enabled or not.
Please note that some names are not the same or even file directories of some drivers tend to change specially between major releases, so this may lead to some confusions,
For example, please refer to the section 10.6 crypto_af_alg application support, of the i.MX Linux User's Guide.
https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf
If you have any other questions please do let me know!
Best regards/Saludos,
Aldo.
Hello
Thanks for the answer
Actually we are using Kirkstone BSP
Is it already implemented?
Thanks, William
Hello,
Yes, for the kirskstone release (L5.15.71_2.2.0) it does apply, please refer to the document for this Linux version:
https://www.nxp.com/docs/en/supporting-information/L5.15.71_2.2.0_LINUX_DOCS.zip
Best regards/Saludos,
Aldo.
Hi @AldoG ,
thank you for your answer.
I know that CAAM black keys are supported in NXP latest BSPs, using caam-keygen through crypto_af_alg as you stated: this is for encryption and decryption using symmetric keys, and we already use it.
But my question was about using CAAM black keys with public key cryptography (asymmetric keys) in your recent BSPs: I'm referring to examples shown in AN12838, where openssl is used to generate the keys and the private key is placed automatically in a black blob. In this AN, the "meta-imx-ecdsa-sec" layer is used: this layer applies patches to the kernel, but the layer development stopped at kernel 5.4.24 and the code added by those patches seems not to be in NXP kernels after 5.4.
Then, how can we have CAAM black keys with public key cryptography (asymmetric keys) in our Kirkstone BSP?
Thank you
Mauro
Hello,
Please accept my apologize for the delayed response, I wanted to give an answer as clear as possible.
The solution that was previously offered via imx_sec_app is not suitable for upstream and as such we will not integrate that as part of the BSP enablement.
In BSP ECDSA operation is supported through OP-TEE and PKCS11 interface on all devices (and accelerated with CAAM when available).
Please refer to the Linux Users Guide chapter 10.4.7 Running OpenSSL asymmetric tests with PKCS#11 based engine.
Hope this helps,
Best regards/Saludos,
Aldo.
Hi,
kind ping: anybody in NXP knows the current development status of this topic?
Thanks, regards
Mauro