CAAM or OP-TEE

Question asked by Mark Saenger on Jul 27, 2020
Latest reply on Jul 28, 2020 by Yuri Muhin

Hello,

I'm looking to store some sensitive data on the i.MX 8M Mini EVK and have a question regarding usage of the CAAM and OP-TEE.

I've found the example projects here: imx_sec_apps - i.MX Security Application Examples, and have been looking at application note AN12554 (https://www.nxp.com/docs/en/application-note/AN12554.pdf) for CAAM key blobs. On the OP-TEE side, I have been looking at the enhanced OpenSSL project in the repository I mentioned and application note AN12632 (https://www.nxp.com/docs/en/application-note/AN12632.pdf). After reading these and playing around with the code, it seems that I could use either of these methods to accomplish my goal of storing some sensitive data. My question is: could I do this using the CAAM key blobs or OP-TEE? The OP-TEE path is simpler, it seems, and I could simply store the keys in the trusted application and provide an API in the client application to retrieve the data when I need it. I suppose the CAAM method might provide a little more security perhaps?

The other implementation would be to use OP-TEE and the CAAM to perform all cryptographic functions in the secure world and only provide a minimal API on the client side to access any needed functions/data. This seems to be more similar to the enhanced OpenSSL application note.

Am I understanding this correctly? Also, are there any examples that apply to Linux kernel 5.4?
