Hi, I'm looking to port a security feature from SCCv2 (i.MX53) to CAAM (i.MX6). SCCv2 made it easy to encrypt data using a device-specific non-extractable key when the device was in the closed security mode. I feel certain this is possible with CAAM, but it's not so clear to me how to do this. Can someone point me in the right direction? I have looked at caam_blob_gen, but it seems more intended for boot encryption. Is it possible to use it for the security feature I'm describing, more of an ad hoc key encryption?
Thanks!
Hello,
Generally the boot ROM (implementing HAB) and U-Boot are oriented toward a signed / encrypted boot approach,
where CAAM may not be used. Therefore U-Boot may not contain proper examples for CAAM.
Nevertheless, it makes sense to look at the blob commands supported in recent U-Boot releases:
[U-Boot] [PATCH 1/3][v2] crypto/fsl: Add command for encapsulating/decapsulating blobs
I am afraid we do not have examples with detailed explanation of corresponding CAAM descriptors.
Please refer to section 5.8.4.3 (Blob conformance considerations) of Security Reference Manual for i.MX 6Dual, 6Quad, 6Solo, and 6DualLite Families of Applications Processors, Rev. 0, 03/2013, available on the Web for some details.
You may look at the following (a similar approach, implemented under Linux).
https://community.nxp.com/message/856589
Have a great day,
Yuri
Reading a little further, it looks like basically I can create a CAAM blob, and decapsulate it to encrypt/decrypt with it, and it doesn't need to be related to boot encryption at all. The only thing I'm unsure of is how to actually encrypt/decrypt with a decapsulated DEK.
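The following is an added worked example, not code from this thread, from NXP or from U-Boot. It models the flow the thread describes: a random blob key is wrapped under a key derived from the device's fused master key and a 16-byte key modifier, the payload (here an application DEK) is encrypted under that blob key, and the resulting blob (payload length + 48 bytes, the layout U-Boot's blob command documents: 32-byte encrypted blob key in front, 16-byte MAC at the end) can sit in ordinary flash. It then shows the last step asked about above, using the decapsulated DEK to encrypt and decrypt application data. The cryptographic primitives are stand-ins so that the model runs on any machine: an HMAC-SHA256 key derivation and a SHA-256 counter-mode stream with an HMAC tag replace CAAM's hardware key derivation and AES-CCM, and the two device master keys are constructed with os.urandom (a real OTPMK is fused and unreadable). The class and function names are this example's own.

```python
import hashlib
import hmac
import os

# Blob layout reproduced from the U-Boot blob command documentation:
# [32-byte encrypted blob key][payload ciphertext][16-byte MAC] = len + 48.
MAC_LEN = 16
BLOB_OVERHEAD = 32 + MAC_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); CAAM uses AES-CCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class CaamBlobModel:
    """Software model of one device's blob unit; the master key stands in for
    the fused OTPMK and never leaves this object."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def _bkek(self, key_modifier: bytes) -> bytes:
        # Blob key encryption key: bound to this device AND to the caller's
        # 16-byte key modifier, so a blob is tied to both.
        if len(key_modifier) != 16:
            raise ValueError("key modifier must be 16 bytes")
        return hmac.new(self._master_key, b"BKEK" + key_modifier, hashlib.sha256).digest()

    def encapsulate(self, payload: bytes, key_modifier: bytes) -> bytes:
        bkek = self._bkek(key_modifier)
        blob_key = os.urandom(32)  # fresh random key per blob
        enc_blob_key = _xor(blob_key, _keystream(bkek, b"blobkey", 32))
        ciphertext = _xor(payload, _keystream(blob_key, key_modifier, len(payload)))
        return enc_blob_key + ciphertext + _mac(blob_key, key_modifier + ciphertext)

    def decapsulate(self, blob: bytes, key_modifier: bytes) -> bytes:
        if len(blob) < BLOB_OVERHEAD:
            raise ValueError("blob too short")
        bkek = self._bkek(key_modifier)
        enc_blob_key, ciphertext, mac = blob[:32], blob[32:-MAC_LEN], blob[-MAC_LEN:]
        blob_key = _xor(enc_blob_key, _keystream(bkek, b"blobkey", 32))
        # A blob from another device, or made with another modifier, unwraps
        # to a wrong blob key and therefore fails the MAC check.
        if not hmac.compare_digest(mac, _mac(blob_key, key_modifier + ciphertext)):
            raise ValueError("blob authentication failed (wrong device or key modifier)")
        return _xor(ciphertext, _keystream(blob_key, key_modifier, len(ciphertext)))


def encrypt_with_dek(dek: bytes, plaintext: bytes) -> bytes:
    """Application-layer use of a decapsulated DEK: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ciphertext = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    return nonce + ciphertext + _mac(dek, nonce + ciphertext)


def decrypt_with_dek(dek: bytes, box: bytes) -> bytes:
    nonce, ciphertext, tag = box[:12], box[12:-MAC_LEN], box[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(dek, nonce + ciphertext)):
        raise ValueError("data authentication failed")
    return _xor(ciphertext, _keystream(dek, nonce, len(ciphertext)))


def demo() -> dict:
    """Ad hoc key wrapping end to end; returns the outcome of each check."""
    device_a = CaamBlobModel(os.urandom(32))  # constructed stand-in master keys
    device_b = CaamBlobModel(os.urandom(32))
    key_mod = b"app-dek-v1".ljust(16, b"\0")  # purpose label for this blob
    dek = os.urandom(32)                      # the DEK we want to protect
    blob = device_a.encapsulate(dek, key_mod)  # safe to store in plain flash
    results = {
        "blob_size_ok": len(blob) == len(dek) + BLOB_OVERHEAD,
        "same_device_ok": device_a.decapsulate(blob, key_mod) == dek,
    }
    try:
        device_b.decapsulate(blob, key_mod)
        results["other_device_rejected"] = False
    except ValueError:
        results["other_device_rejected"] = True
    try:
        device_a.decapsulate(blob, b"other-purpose".ljust(16, b"\0"))
        results["other_modifier_rejected"] = False
    except ValueError:
        results["other_modifier_rejected"] = True
    # Use the DEK recovered from the blob on application data (constructed).
    secret = b"constructed application secret"
    box = encrypt_with_dek(dek, secret)
    results["data_roundtrip"] = decrypt_with_dek(device_a.decapsulate(blob, key_mod), box) == secret
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The key modifier does double duty: on real hardware it is part of the key derivation, so the same blob refuses to open under a different modifier, which lets one device keep separate blobs for separate purposes (boot material versus an application DEK) that cannot be swapped for each other. Only the decapsulated DEK is ever held in RAM; the blob itself needs no confidentiality, only the device's master key does.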