AnsweredAssumed Answered

How to encrypt data in CAAM with black keys?

Question asked by Aymen Boudguiga on Jul 15, 2015
Latest reply on Mar 23, 2018 by aymen boudguiga



I am using a Nitrogen6X running kernel 3.10.17. I have made the secure memory module of CAAM working by applying the patches discussed in this previous thread: Re: i.MX6 CAAM : sm_test.c in 3.0.35 kernel broken

Note that with the current SM module, we can transform a black key (BK1) into a black blob which can be stored in non-volatile memory. Then, at SoC reboot for example, we can recover a black key from the black blob. The recovered black key (BK2) is different from the initial BK1 because black keys are session keys (SK) which are encrypted with the temporary session JDKEK or TDKEK key. In fact, the following relations are true:

1)  BK1= encryption-with-JDKEK1(SK)

2) Transform BK1 into a black blob

3) Reboot the SoC

4) Decapsulate the black blob to get BK2= encryption-with-JDKEK2(SK)


Now, I would like to verify that the session key in BK2 is equal to the one encrypted in BK1. I have 2 choices:

1) Decrypt BK2 in order to get the SK value. However, I will have to recover JDKEK or TDKEK and I do not know where they are stored?

2) Encrypt a message M with SK before creating BK1 and the black blob. Then, encrypt the same message M with BK2 and compare the obtained ciphers. Normally, they must be equal.

However, I do not know how to encrypt messages using black keys and CAAM? Is there any example of encryption with black keys in CAAM?


Thanks for helping,


Best regards,