
How to decrypt and use a black key?

Question asked by Robert Lubas on Jun 27, 2017
Latest reply on Jun 29, 2017 by Yuri Muhin

imx 6ul caam cryptography secure memory black key

Hello,

Suppose that we have the following scenario:

  1. Generate a random 256-bit key and treat it as the red key.
  2. Create an encrypted device-mapper volume (e.g. the root file system) with the red key.
  3. Encapsulate this red key into a red blob and store it in non-volatile memory.
  4. Decapsulate the red blob to obtain the red key and store it in secure memory.
  5. Cover the red key into a black key and store it in secure memory.
  6. Use the covered key to decrypt something, in particular pass this key as a keyfile to plain dm-crypt (a volume with an encrypted root file system).

We are using an i.MX6 UL, Linux version 4.1.15-6UL (with CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y), CAAM ready to use. We know how to accomplish the first 5 points. Point 6 in the scenario is the blocker. I am trying to uncover the blackened key.

As a starting point I modified the sm_test.c and sm_store.c from drivers/crypto/caam:

  1. Focused only on the 256-bit case.
  2. Covered (blackened/encrypted) the loaded clear key and obtained the black key.
  3. Allocated a 256-bit key slot in secure memory for the uncovering process.
  4. Uncovered (whitened) the black key and stored it in the key slot (based on the blacken_key_jobdesc function).
  5. Read, displayed and compared the clear key with the uncovered key.

The output:

[ 2.078030] platform caam_sm: blkkey_ex: 8 keystore units available
[ 2.084656] platform caam_sm: 256-bit clear key:
[ 2.089487] platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
[ 2.095196] platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
[ 2.101254] platform caam_sm: [0016] 10 11 12 13 14 15 16 17
[ 2.107062] platform caam_sm: [0024] 18 19 1a 1b 1c 1d 1e 1f
[ 2.140432] platform caam_sm: 256-bit black key:
[ 2.145091] platform caam_sm: [0000] f7 7f ef d3 dd 15 45 34
[ 2.150823] platform caam_sm: [0008] 84 8d 39 3d 85 fe e7 69
[ 2.156556] platform caam_sm: [0016] 5c 54 c5 27 1c 36 86 49
[ 2.162255] platform caam_sm: [0024] d0 6d 34 c2 35 6f 6a a7
[ 2.195698] platform caam_sm: 256-bit uncover black key:
[ 2.201050] platform caam_sm: [0000] f7 7f ef d3 dd 15 45 34
[ 2.206781] platform caam_sm: [0008] 84 8d 39 3d 85 fe e7 69
[ 2.212479] platform caam_sm: [0016] 5c 54 c5 27 1c 36 86 49
[ 2.218210] platform caam_sm: [0024] d0 6d 34 c2 35 6f 6a a7
...

The uncovering procedure works badly...

General questions are:

Is my thinking process correct?

Is it possible to read and display the uncovered key?

Does anybody have a working CAAM job descriptor for this uncovering process?

Thank you,
Robert Lubaś
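Added as an editorial example, not code from the post, the i.MX kernel driver or NXP: a small Go model of the cover/uncover pipeline the post describes, so that the check in step 5 of the experiment (the slot must hold the red key, and must not merely hold the black key bytes) can be seen against a reference. The model assumes an ECB-type black key (the red key encrypted block by block under a device-held key-encryption key, which the JDKEK provides on the real part), an AES-256 KEK generated in software as a stand-in, a dm-crypt plain64-style sector IV for the volume in step 2, and a handle/slot API that is the model's own. The engine only ever hands back a handle and a yes/no comparison; the red key is used inside DecryptSector and never returned, which is the property a black-key design exists to preserve.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyHandle names a key slot inside the modelled engine; callers get the handle, never the red bytes.
type KeyHandle int

// Engine models what the post's steps 3-6 rely on: a device-held KEK that software never reads
// (the role the JDKEK plays for ECB black keys) and key slots only engine operations fill and use.
type Engine struct {
	kek   []byte
	slots [][]byte
}

// NewEngine creates an engine with a random, non-exportable KEK (software stand-in for the JDKEK).
func NewEngine() (*Engine, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Engine{kek: kek}, nil
}

// ecbApply encrypts or decrypts a key image block by block under kek; an ECB-type black key is exactly this.
func ecbApply(kek, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("key image must be a non-zero multiple of 16 bytes")
	}
	apply := c.Encrypt
	if decrypt {
		apply = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		apply(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// Cover turns a red key into a black key (step 5): safe in ordinary memory because it is useless without the KEK.
func (e *Engine) Cover(red []byte) ([]byte, error) { return ecbApply(e.kek, red, false) }

// Uncover decrypts a black key into a fresh slot and returns only its handle; a correct
// uncover leaves the red key in the slot, not a copy of the black key.
func (e *Engine) Uncover(black []byte) (KeyHandle, error) {
	red, err := ecbApply(e.kek, black, true)
	if err != nil {
		return -1, err
	}
	e.slots = append(e.slots, red)
	return KeyHandle(len(e.slots) - 1), nil
}

// SlotEquals is the step-5 comparison and the only view of slot contents from outside: yes/no, never bytes.
func (e *Engine) SlotEquals(h KeyHandle, want []byte) bool {
	return int(h) >= 0 && int(h) < len(e.slots) && bytes.Equal(e.slots[h], want)
}

// CBCSector runs AES-CBC over one sector with a plain64-style IV (64-bit little-endian sector number,
// zero-padded to a block): the assumed volume format of step 2, where the red key is still used directly.
func CBCSector(key []byte, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("sector must be a non-zero multiple of 16 bytes")
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	mode := cipher.NewCBCEncrypter(c, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(c, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}

// DecryptSector is step 6 as an engine would offer it: the caller names a slot and the
// engine applies the red key it holds; the key itself is never handed back.
func (e *Engine) DecryptSector(h KeyHandle, sector uint64, ct []byte) ([]byte, error) {
	if int(h) < 0 || int(h) >= len(e.slots) {
		return nil, errors.New("unknown key handle")
	}
	return CBCSector(e.slots[h], sector, ct, true)
}

func main() {
	e, _ := NewEngine()
	red := bytes.Repeat([]byte{0xaa}, 32) // constructed 256-bit red key
	black, _ := e.Cover(red)
	h, _ := e.Uncover(black)
	fmt.Printf("black %x\nslot==red %v slot==black %v\n", black, e.SlotEquals(h, red), e.SlotEquals(h, black))
}
```

Two things the model makes visible: a black key is bound to the KEK of the engine that covered it, so the same black key uncovered on a second engine does not yield the same red key; and a volume written under the red key in step 2 decrypts through the slot handle in step 6 without the red key ever crossing back to the caller.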
