CAAM secure (tagged) keys with openssl

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CAAM secure (tagged) keys with openssl

3,525 Views
tmayr
Contributor I

Hello,

we set up an iMX6 board with secure boot and CAAM support enabled, and also configured file-system encryption using CAAM and secure keys (tagged keys).

Now we'd like to use tagged keys with openssl (AES) as well. We managed to configure CAAM as engine for openssl, using cryptodev. However, only non-tagged-key algorithms (e.g. aes-256-cbc) are available in openssl.

How can we tell openssl about the tagged key algorithms?
I found this document about how to use black keys with openssl for asymmetric crypto operations, but has anything similar already been done for AES (e.g. aes-256-cbc-tk)?

Thanks,
Tobias

0 Kudos
Reply
6 Replies

2,274 Views
Fabien_M
Contributor I

Hello @igorpadykov ,
I would also like to use AES openssl with black keys.

May I also get the procedure and patch please ?

Note : I use 5.15.52 BSP on iMX8mp.

Best regards,
Fabien

0 Kudos
Reply

3,386 Views
igorpadykov
NXP Employee
NXP Employee

Hi Tobias

 

from team:

----------------------

Please tell me your BSP version. I think this need to be done by adding some custom code to link the tagged key transform. It can't be selected autonomously. Please share test code or patch to reproduce on our side.

----------------------

Best regards
igor

0 Kudos
Reply

3,369 Views
tmayr
Contributor I

Hi Igor,

This is the BSP we are using: https://github.com/varigit/variscite-bsp-platform/tree/dunfell

I'm not sure what the team means by "code or patch to reproduce on our side", but I would like to do something like

openssl enc -e -engine cryptodev -in plainfile -out cryptofile aes-256-cbc-tk -K blackkey

to encrypt a plainfile using the provided blackkey (note the -tk in the cipher, which obviously openssl doesn't know about), through the CAAM (e.g. with cryptodev).

This doesn't work out of the box, and it would be cool to know what's missing.

Tobias

0 Kudos
Reply

3,252 Views
igorpadykov
NXP Employee
NXP Employee

procedure and verification patch were sent via mail.

-----------------------

Best regards
igor

0 Kudos
Reply

349 Views
jborregos
Contributor I

Can i get the path for the -tk solution?

Thanks!!!

0 Kudos
Reply

2,083 Views
ahightower
Contributor I

Has this been mainlined in the past year?  What was the resolution of this?

0 Kudos
Reply