I'm looking to store some sensitive data on the i.MX 8M Mini EVK and have a question regarding usage of the CAAM and OP-TEE.
I've found the example projects here: imx_sec_apps - i.MX Security Application Examples and have been looking at application note AN12554 (https://www.nxp.com/docs/en/application-note/AN12554.pdf) for CAAM key blobs and on the OP-TEE side I have been looking at the enhanced OpenSSL project in the repository I mentioned and application note AN12632 (https://www.nxp.com/docs/en/application-note/AN12632.pdf). After reading these and playing around with the code, it seems that I could use either of these methods to accomplish my goal of storing some sensitive data. My question is could I do this using the CAAM key blobs or OP-TEE? The OP-TEE path is simpler it seems and I could simply store the keys in the trusted application and provide an API in the client application to retrieve the data when I need it. I suppose the CAAM method might provide a little more security perhaps?
The other implementation would be to use OP-TEE and the CAAM to perform all cryptographic functions in the secure world and only provide a minimal API on the client side to access any needed functions/data. This seems to be more similar to the enhanced OpenSSL application note.
Am I understanding this correctly? Also, are there any examples that apply to Linux kernel 5.4?