Want to store private key on OCRAM and use it for signing operation on i.mx6q


935 Views
manojbasarikatt
Contributor I

Hi,

   We want to store our private key in OCRAM from a Linux user space application and use it in the signing operation. How can we map the OCRAM memory in the Linux user space application?

Also, how can we check the portion of OCRAM memory already used by the kernel?

Thanks

Manoj

0 Kudos
6 Replies

718 Views
Yuri
NXP Employee

Hello,

      It is not recommended to use OCRAM in user apps, since the OCRAM may be used in Linux; please search for the terms OCRAM or IRAM in “i.MX_Linux_Reference_Manual.pdf”.


Have a great day,
Yuri


0 Kudos

718 Views
manojbasarikatt
Contributor I

As per the i.MX_Linux_Reference_Manual.pdf manual, Linux might be using it for the MLB or power management drivers. We haven't used the MLB modules and our device will always be powered. So if we disable the power management option, will we be able to use the OCRAM from 0x00907000 - 0x00938000 on Linux 3.10.17?

Thanks

Manoj

0 Kudos

718 Views
Yuri
NXP Employee

Hello,

  Looks like it is possible; at least, you may try it.

Regards,

Yuri.

0 Kudos

718 Views
manojbasarikatt
Contributor I

Hi Yuri,

    We tried to use the OCRAM region for storing the keys using the linker script, but we are not able to read/write the OCRAM region. The value we are fetching doesn't match the OCRAM content dumped using the mmap call. Please suggest how to program the OCRAM memory properly.

Linker script:

1. Default  linker script from the toolchain attached.

2. Our modification for the linker script is below (also attached)

3. The C program used to place the key in the OCRAM and output dumps also attached.

4. Map file for c program also attached, where "caterpillar_privkey" looks to be placed at right place.

#2, Modified sections of linker scripts (armelf_linux_eabi.x)

===========================================

/* Default linker script, for normal executables */
/* Copyright (C) 2014 Free Software Foundation, Inc.
   Copying and distribution of this script, with or without modification,
   are permitted in any medium without royalty provided the copyright
   notice and this notice are preserved.  */
OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm",
          "elf32-littlearm")
OUTPUT_ARCH(arm)
ENTRY(_start)
SEARCH_DIR("=/opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/lib"); SEARCH_DIR("=/usr/local/lib"); SEARCH_DIR("=/lib"); SEARCH_DIR("=/usr/lib");

/*MEMORY
{
    pseudo_ocram  (rw) : ORIGIN = 0x910000, LENGTH = 0x800
}
*/

SECTIONS
{
   .bss 0x910000  :
   {
       KEEP (*(.pseudo_seg))
   }
}

INSERT AFTER .data;

MAP files

=========

.bss            0x00910000       0x70
 *(.pseudo_seg)
 .pseudo_seg    0x00910000       0x64 bin/ocram.o
                0x00910000                caterpillar_privkey
 *(.dynbss)
 *fill*         0x00910064        0x4
 .dynbss        0x00910068        0x4 /opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/sysroot/usr/lib/crt1.o
                0x00910068                stderr@@GLIBC_2.4
 *(.bss .bss.* .gnu.linkonce.b.*)
 .bss           0x0091006c        0x0 /opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/sysroot/usr/lib/crt1.o
 .bss           0x0091006c        0x0 /opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/sysroot/usr/lib/crti.o
 .bss           0x0091006c        0x1 /opt/arada/arm-arada-linux-gnueabihf/lib/gcc/arm-arada-linux-gnueabihf/4.9.3/crtbegin.o
 .bss           0x0091006d        0x0 bin/ocram.o
 .bss           0x0091006d        0x0 /opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/sysroot/usr/lib/libc_nonshared.a(elf-init.oS)
 .bss           0x0091006d        0x0 /opt/arada/arm-arada-linux-gnueabihf/lib/gcc/arm-arada-linux-gnueabihf/4.9.3/crtend.o
 .bss           0x0091006d        0x0 /opt/arada/arm-arada-linux-gnueabihf/arm-arada-linux-gnueabihf/sysroot/usr/lib/crtn.o
 *(COMMON)
                0x00910070                . = ALIGN ((. != 0x0)?0x4:0x1)
 *fill*         0x0091006d        0x3

#3, C program

===============

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>     /* close() */
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define CODE_BASE_ADDR_START 0x910000

/* Placed in .pseudo_seg, which the modified linker script puts at 0x910000 */
uint8_t __attribute__((section (".pseudo_seg"))) caterpillar_privkey[100];

/* Map `size` bytes of physical memory at `address` through /dev/mem */
void * MapMemory(unsigned int address, int size)
{
    int32_t fd;
    void *ret_addr;

    fd = open("/dev/mem", O_RDWR | O_SYNC);

    if (fd == -1) {
        perror("open");
        return NULL;
    }

    ret_addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, address);
    if (ret_addr == MAP_FAILED) {
        perror("mmap");
        ret_addr = NULL;
    }

    if (close(fd) == -1) {
        perror("close");
    }
    return ret_addr;
}

int main(void)
{
    size_t k;
    void *mem = MapMemory(CODE_BASE_ADDR_START, 4096);

    if (mem == NULL) {
        return 1;   /* MapMemory() already reported the error */
    }

    fprintf(stderr, "*********************caterpillar key base=%p value=0x%0x, \n", (void *) caterpillar_privkey, caterpillar_privkey[0]);
#if 0
    memset(caterpillar_privkey, 0xa, sizeof(caterpillar_privkey));
#endif

    /* Dump the array through the address assigned by the linker script */
    fprintf(stderr, "\nDump caterpillar_privkey on iram mem at %p len=%zu [linker script region]\n\n", (void *) caterpillar_privkey, sizeof(caterpillar_privkey));
    for (k = 0; k < sizeof(caterpillar_privkey); k++) {
        fprintf(stderr, "0x%02x ", caterpillar_privkey[k]);
    }
    fprintf(stderr, "\nDump caterpillar_privkey on iram mem at %p len=%zu [linker script region] Endddddddddddd\n\n", (void *) caterpillar_privkey, sizeof(caterpillar_privkey));


#if 1
    /* Dump the same number of bytes through the /dev/mem mapping */
    fprintf(stderr, "Dump mem at %p len=%zu using mmap to cross check \n\n", mem, sizeof(caterpillar_privkey));
    for (k = 0; k < sizeof(caterpillar_privkey); k++) {
        fprintf(stderr, "0x%02x ", ((uint8_t *) mem) [k]);
    }
    fprintf(stderr, "\nDump mem using mmap endddddddddddddddddddddddd\n\n");
#endif

    return 0;
}

Execution output:

==============

# /var/ocram_test
*********************caterpillar key base=0x910000 value=0x0,

Dump caterpillar_privkey on iram mem at 0x910000 len=100 [linker script region]

0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Dump caterpillar_privkey on iram mem at 0x910000 len=100 [linker script region] Endddddddddddd

Dump mem at 0x76f5f000 len=100 using mmap to cross check

0xec 0x1a 0x42 0x4d 0xb3 0x62 0x55 0xe2 0x49 0xe6 0xba 0x77 0x96 0x77 0xa4 0x84 0x7b 0x76 0xf0 0x33 0xe2 0x42 0x17 0x88 0xe6 0xbd 0x53 0x5a 0xe5 0x31 0x57 0xaf 0x3d 0xbe 0x8b 0x1a 0x0f 0xba 0x9c 0x17 0x2e
0x31 0xe5 0x39 0xf7 0x65 0x27 0xfa 0x7f 0xc9 0xe2 0x65 0xfb 0xf2 0x13 0xbb 0x0f 0xd2 0x91 0x4f 0xa9 0x84 0x1b 0x2a 0xd2 0x6e 0x86 0xb2 0x29 0xc8 0xd6 0x2c 0x15 0x2b 0xff 0x4d 0xdf 0xbc 0x73 0xbf 0x09 0x61
0xd8 0x73 0x3a 0x89 0xaa 0x7a 0xb3 0x6a 0xcd 0xf0 0x9a 0xa8 0x97 0x3a 0x29 0x31 0xb2 0x32
Dump mem using mmap endddddddddddddddddddddddd

/* Dumping memory at U-Boot to make sure the same content exists in OCRAM */
U-Boot 2016.03 (Dec 06 2017 - 11:54:13 +0530)

CPU:   Freescale i.MX6Q rev1.5 at 792 MHz
Reset cause: WDOG
Board: SABRE Lite
I2C:   ready
DRAM:  1 GiB
MMC:   FSL_SDHC: 0, FSL_SDHC: 1
SF: Detected SST25VF016B with page size 256 Bytes, erase size 4 KiB, total 2 MiB
Display: hdmi:1280x720M@60 (1280x720)
In:    serial
Out:   serial
Err:   serial
Net:   Micrel ksz9021 at 7
FEC [PRIME], usb_ether
Hit any key to stop autoboot:  0
Enter passphrase to stop autoboot:
LC3_HAB => md 0x910000
00910000: 4d421aec e25562b3 77bae649 84a47796    ..BM.bU.I..w.w..
00910010: 33f0767b 881742e2 5a53bde6 af5731e5    {v.3.B....SZ.1W.
00910020: 1a8bbe3d 179cba0f 39e5312e fa2765f7    =........1.9.e'.
00910030: 65e2c97f bb13f2fb 4f91d20f 2a1b84a9    ...e.......O...*
00910040: b2866ed2 2cd6c829 4dff2b15 bf73bcdf    .n..)..,.+.M..s.
00910050: 73d86109 7aaa893a f0cd6ab3 3a97a89a    .a.s:..z.j.....:
00910060: 32b23129 724ea2b0 02cc1510 564da177    )1.2..Nr....w.MV
00910070: 7b646936 4dd721ad 4b80692f 22ecdc98    6id{.!.M/i.K..."
00910080: 682e525f 5c0bed9a 1218fa32 9ef66eb6    _R.h...\2....n..
00910090: 728c29d8 1197b647 997247c0 37ab36a2    .).rG....Gr..6.7
009100a0: 72c571e1 4c6b3bda 49f2639f c719b88e    .q.r.;kL.c.I....
009100b0: 9dca08b3 3a9140cc 2d3baf94 93875366    .....@.:..;-fS..
009100c0: a465e61b 2c6bb79e ce61f195 75e89607    ..e...k,..a....u
009100d0: e53cc9af 4953b4db a497ca23 206f5f87    ..<...SI#...._o
009100e0: ab309c04 03ae7f91 cf2c65cf 017420b4    ..0......e,.. t.
009100f0: b09f5053 5104ac83 ea898c88 3e737bc2    SP.....Q.....{s>

The attachments are available at the link below

https://ufile.io/qatu7 

0 Kudos
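
Why the two dumps in the post above differ, as an added example (not code from the thread or from NXP): a symbol the linker places at 0x910000 is only a virtual address inside the process, while the physical range is reached through the pointer that mmap() returns. The `phys_win_*` helpers and `stand_in_fd()` are hypothetical names; on the board the fd would be `/dev/mem` opened as root, and here a sparse temp file stands in for it so the block runs offline.

```c
/* Added example: map a physical range through a /dev/mem-style fd. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

struct phys_win {              /* hypothetical helper type */
    void *map;                 /* page-aligned base returned by mmap() */
    size_t map_len;            /* bytes requested from mmap() */
    volatile uint8_t *p;       /* view of the requested physical address */
};

/* mmap offsets must be page-aligned: round down, keep the in-page delta. */
int phys_win_open(int fd, off_t phys, size_t len, struct phys_win *w)
{
    off_t page = (off_t)sysconf(_SC_PAGESIZE);
    off_t base = phys & ~(page - 1);
    size_t delta = (size_t)(phys - base);

    w->map_len = delta + len;
    w->map = mmap(NULL, w->map_len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, base);
    if (w->map == MAP_FAILED)
        return -1;
    w->p = (volatile uint8_t *)w->map + delta;
    return 0;
}

/* Volatile byte stores reach the mapping and cannot be optimised away. */
void phys_win_fill(struct phys_win *w, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        w->p[i] = src ? src[i] : 0;     /* src == NULL wipes the range */
}

int phys_win_close(struct phys_win *w) { return munmap(w->map, w->map_len); }

/* Offline stand-in for /dev/mem: sparse temp file covering `size` bytes. */
int stand_in_fd(off_t size)
{
    char path[] = "/tmp/ocram_standinXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, size) != 0) { close(fd); return -1; }
    return fd;
}
```

Two windows opened on the same offset see each other's writes, which is the behaviour the `/dev/mem` dump and the U-Boot `md` dump show; a plain array in `.bss` is backed by the process's own zero-filled pages regardless of the address the linker script assigns.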

718 Views
Yuri
NXP Employee

Hello,

 

  As for the general approach of how to protect user keys and sensitive data with black key and blob: you may create a request / ticket.

Support|NXP 

Regards,

Yuri.

0 Kudos

718 Views
manojbasarikatt
Contributor I

Hi Yuri,

     We want to keep some data in OCRAM. Can you please look at the above method and let us know what's going wrong? For key storage we will raise the support request.

Cheers

Manoj

0 Kudos