Using CAAM for blob decapsulation in Linux (ls1012a)

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Using CAAM for blob decapsulation in Linux (ls1012a)

1,256 次查看
joe_nunes
Contributor I

I'm trying to use the CAAM on an ls1012a for blob decapsulation.  I have the secure boot setup and working, including the OTPMK and SRK fuses burned.  In U-boot I'm able to blob encap and blob decap.  Using the caam_jr module I'm able to encap and decap successfully from Linux.

The problem is that for some reason I can't decap blobs in Linux that were encapsulated in U-boot and vice versa.  I used U-boot as a reference to build the job descriptor in Linux-land and I have verified that it is identical, except the pointer addresses to the DMA memory locations of the actual blob data, key modifier and output buffer.

I'm getting a CAAM jobring error of 0x20000c1a, which looks like an ICV check failure, but the same blob decapsulates just fine in U-boot, so I'm not sure what is different about it.  Is there anything I can look into to find out why I'm getting this error?

Thanks!

0 项奖励
回复
2 回复数

591 次查看
bschaefer
Contributor I

@joe_nunes Hello joe, do you happen to be able to share some details on how you used caam_jr to perform blob encap / decap? We are running linux kernel version 4.19, and any of the support in kernel or userspace doesn't seem easily portable (either solutions depend on newer kernel versions that support tagged keys, or i.MX specific solutions using SNVS).


0 项奖励
回复

1,131 次查看
joe_nunes
Contributor I

I found the answer to my problem, which I'll document here in case anyone else runs into the same thing.

The background is that with the kernel module I'm using I had to byte swap the job descriptor commands (which I'd already figured out), but it turns out I needed to 4-byte byteswap the key modifier as well.  The blob itself did not need to be byteswapped.

Since the key modifier was being byteswapped (and as a result didn't match what the other environment had) it makes perfect sense that it was failing the ICV check.

It was the inconsistency in byteswapping one input, but not the other, that had me tripped up.  As of now I'm able to encapsulate and decapsulate across U-boot and Linux.

Cheers!

0 项奖励
回复