Hi,
The objective is to generate digitally signed data which can be only signed and verified using CAAM ( i.e. hardware dependent, similar to HAB using OTPMK )
We are trying to explore CAAM Hardware's SIGNATURE command to digitally sign any data using CAAM's TDSK. We have the following queries.
CAAM supports many hash hardware accelerators. Can these be used while creating/verifying digital signatures of a document?
Thanks for your support,
Regards,
Swapnil
> We understand that HMAC is used to digitally sign data.
> Hence we have to run a combination of operation, key and other
> commands instead of the signature command for the same.
> Is this correct?
[Platon] Yes.
> If yes, please suggest the correct sequence of descriptors for signing data.
>
[Platon] Refer to Linux kernel source, file drivers/crypto/caam/caamhash.c
for hash and HMAC JD build routines.
>Does it mean, the digital signing can work on both secure and non
>secure boards?
[Platon] Yes.
>HMAC uses IPAD/OPAD in its algorithm. Are these values when generated
>in different boards going to be the same?
[Platon] IPAD and OPAD values are specified in the respective HMAC
specification. They can be forced to custom values, but typically
it's not necessary.
> How do we verify the signed data on different systems ?
>
[Platon] Study the material at the link below for HMAC basics:
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
>If the answer for question 4 is NO, then for verification do we need to
>pass these IPAD/OPAD along with key and signed data to verify
>the signature across boards.
[Platon] See above.
Have a great day,
Platon
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
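An added example, not part of the original thread and not CAAM job descriptor code: a software-only HMAC-SHA256 built from a plain hash, showing that the ipad/opad bytes are constants of the HMAC specification, so a second system needs only the shared secret key, the message and the tag to verify. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64    # SHA-256 input block size in bytes
IPAD_BYTE = 0x36   # inner pad constant from the HMAC specification (RFC 2104)
OPAD_BYTE = 0x5C   # outer pad constant from the HMAC specification (RFC 2104)

# Constructed sample values; a real key would be provisioned securely.
SHARED_KEY = bytes(range(32))
MESSAGE = b"firmware-config v1 (constructed sample)"


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 spelled out: H((K ^ opad) || H((K ^ ipad) || m))."""
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ IPAD_BYTE for b in key)
    outer_key = bytes(b ^ OPAD_BYTE for b in key)
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def board_a_sign(key: bytes, message: bytes) -> bytes:
    """Signer side (hypothetical 'board A'): uses the library HMAC."""
    return hmac.new(key, message, hashlib.sha256).digest()


def board_b_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Verifier side (hypothetical 'board B'): independent implementation.

    Only key, message and tag are inputs; the pads are never transmitted.
    compare_digest avoids leaking the mismatch position through timing.
    """
    return hmac.compare_digest(hmac_sha256_manual(key, message), tag)


if __name__ == "__main__":
    tag = board_a_sign(SHARED_KEY, MESSAGE)
    print("tag:", tag.hex())
    print("verifies on second system:", board_b_verify(SHARED_KEY, MESSAGE, tag))
    print("tampered message accepted:", board_b_verify(SHARED_KEY, MESSAGE + b"!", tag))
```

Because HMAC is symmetric, any system able to verify a tag holds the same key and can also produce valid tags.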
>Can we sign user data using CAAM, other than secure boot ?
[Platon] Yes, but you cannot use OTPMK for that. OTPMK is used _only_ to encrypt the blob key. Note that
HAB does not use it, either.
>If yes, are there any specific signing mechanism available in CAAM. like RSA?
[Platon] There are no specific mechanisms. Generic HMAC descriptors should be used. Note,
CAAM on i.MX processors has no public key accelerator. If you prefer asymmetric key signatures
(distinguish from HMAC), you should implement it in software. Initial data hash for RSA can be accelerated
with generic CAAM hash JDs.
>Can We Generate Public, Private key pair from CAAM to generate signed data?
[Platon] See above. There is no asymmetric key crypto operations accelerator.
>Is it possible to use TDSK and SIGNATURE command of CAAM to sign user data
[Platon] No. TDSK together with related commands are only used to sign Job Descriptors,
not user data.
Have a great day,
Platon
Hi,
Thanks for your input.
I have some specific queries on your reply.
If the answer for question 4 is NO, then for verification do we need to pass these IPAD/OPAD along with key and signed data to verify the signature across boards.
Thanks in advance.
Regards,
Swapnil Pendhare.