AnsweredAssumed Answered

CAAM issue with AES CCM: tag verification fails

Question asked by Mathieu Briand on Jul 31, 2018
Latest reply on Aug 6, 2018 by Mathieu Briand



I am currently trying to use the CAAM to encrypt/decrypt buffers with AES CCM algorithm. I can successfully encrypt and decrypt some buffers, but sometimes (about 1% of the samples), the TAG verification fails during decryption, despite the TAG being valid.


Here is an example of CAAM job I am using:

- AES key is 128 bits, all 0.

- Encrypted buffer is 4 bytes: 0x37, 0xee, 0xf4, 0xa3.

- Tag is 16 bytes: 0xa2, 0x18, 0x45, 0xe6, 0x93, 0x8b, 0x03, 0x0d, 0x67, 0xdc, 0xc6, 0xcc, 0xdc, 0xaa, 0x3e, 0x38.

- Corresponding decrypted buffer is: 0x0, 0x0, 0x0, 0x0.


b0800011 # Header   
02800010 # Load class 1 key (AES 128, all 0)
8210080e # Operation: AES CCM, decrypt and check tag
12200038 # Load context from 4e08d220
22530000 # Fifo load 4 bytes of data from 4e08f5c0
60700000 # Fifo store 4 bytes of data to 4e08f580
223b0010 # Fifo load tag from 4e08f54


If I run the same job several times, the test will fail once in a while. CAAM error is 20000f1a: CCB error with AES ICV check, command 15 (fifo load tag).

Between each iterations:

- The job is not modified (I always use the same job).

- Referenced memory areas are not modified (caches are flushed before the first iteration).

- Only one core of the CPU is used to ensure no other core is modifying memory or interacting with the CAAM.


Only some CCM parameters seem to trigger the issue:

- TAG length of 14 or 16 bytes.

- Data length up to 16 bytes.


I have never had any issue regarding other tag lengths or with longer data buffers. There isn't any issue with AES CCM encryption.


Is there something I am doing wrong here ? Is there any external cause that may trigger this issue ?