I.MX6 Cryptographic Acceleration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

I.MX6 Cryptographic Acceleration

Jump to solution
33,870 Views
johnlangworthy
Contributor I

The I.MX6 is described as offering cryptographic acceleration in the CAAM. However, as far as I can see, there is no documentation avaialble to support this. Does anybody know what the capabilities are, and how we can access them?

Cheers

Labels (1)
1 Solution
5,866 Views
rodz
Contributor III

Hi John,

As Yuri has mentioned above the i.MX 6 Security reference manual contains all the information on CAAM and it's capabilities.  This is a moderated document but should not require an NDA.  Please contact your local Freescale FAE to obtain access to this document.

At a high level the CAAM is a DMA master supporting the following capabilities:

Secure memory feature with HW enforced access control

Cryptographic authentication

  * Hashing algorithms

     * MD5

     * SHA-1

     * SHA-224

     * SHA-256

  * Message authentication codes (MAC)

     * HMAC-all hashing algorithms

     * AES-CMAC

     * AES-XCBC-MAC

  * Auto padding

  * ICV checking

Authenticated encryption algorithms

  * AES-CCM (counter with CBC-MAC)

Symmetric key block ciphers

  * AES (128-bit, 192-bit or 256-bit keys)

  * DES (64-bit keys, including key parity)

  * 3DES (128-bit or 192-bit keys, including key parity)

Cipher modes

  * ECB, CBC, CFB, OFB for all block ciphers

  * CTR for AES

Symmetric key stream ciphers

* ArcFour (alleged RC4 with 40 - 128 bit keys)

* Random-number generation

  * Entropy is generated via an independent free running ring oscillator

  * Oscillator is off when not generating entropy; for lower-power consumption

  * NIST-compliant, pseudo random-number generator seeded using hardware generated entropy

The Freescale Linux BSP contains a CAAM driver to make use of the above features.  The use of CAAM is via the Linux CryptoAPI.  The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.

Regards,

-Rod

View solution in original post

35 Replies
5,867 Views
rodz
Contributor III

Hi John,

As Yuri has mentioned above the i.MX 6 Security reference manual contains all the information on CAAM and it's capabilities.  This is a moderated document but should not require an NDA.  Please contact your local Freescale FAE to obtain access to this document.

At a high level the CAAM is a DMA master supporting the following capabilities:

Secure memory feature with HW enforced access control

Cryptographic authentication

  * Hashing algorithms

     * MD5

     * SHA-1

     * SHA-224

     * SHA-256

  * Message authentication codes (MAC)

     * HMAC-all hashing algorithms

     * AES-CMAC

     * AES-XCBC-MAC

  * Auto padding

  * ICV checking

Authenticated encryption algorithms

  * AES-CCM (counter with CBC-MAC)

Symmetric key block ciphers

  * AES (128-bit, 192-bit or 256-bit keys)

  * DES (64-bit keys, including key parity)

  * 3DES (128-bit or 192-bit keys, including key parity)

Cipher modes

  * ECB, CBC, CFB, OFB for all block ciphers

  * CTR for AES

Symmetric key stream ciphers

* ArcFour (alleged RC4 with 40 - 128 bit keys)

* Random-number generation

  * Entropy is generated via an independent free running ring oscillator

  * Oscillator is off when not generating entropy; for lower-power consumption

  * NIST-compliant, pseudo random-number generator seeded using hardware generated entropy

The Freescale Linux BSP contains a CAAM driver to make use of the above features.  The use of CAAM is via the Linux CryptoAPI.  The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.

Regards,

-Rod

4,135 Views
markoh
Contributor I

Should there be aes-ccm support in the caam driver? At least for the public  linux-imx git repos and mainline linux kernel I can see support for most algorithms but no ccm(aes) support. For example the nx driver registers support for ccm(aes) but he caam does not.

0 Kudos
4,135 Views
rodz
Contributor III

Support for CCM other capabilities will be added in future releases of the CAAM driver.

-Rod

0 Kudos
4,135 Views
_benjamindubb
Contributor II

When I include the 'caam' argument in the bootargs I see that the caam driver gets registered with the kernel on startup. But I'm still unable to use it with 'openssl speed -engine cryptodev'. Also the 'openssl engine' shows no caam/cryptodev engine installed. I'm using L3.0.35_1.1.0 version. Any idea?

Thanks,

-Ben

0 Kudos
4,135 Views
Yuri
NXP Employee
NXP Employee

  As for current BSP CAAM support :

The driver is integrated to the standard Linux cryptographic services interface

known as the Linux Crypto API (or Linux Scatterlist API). All current features

of CAAM, that the driver supports, are via the Linux Crypto API.

   Basically Open SSL is able to use a crypto hardware though NetKey API ,
which in turn can
use Linux scatterlist crypto API. As for the cryptodev,   /dev/crypto
today does not use hardware features of the CAAM,  it is
just a software implementation.

0 Kudos
4,135 Views
_benjamindubb
Contributor II

Yura,


are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?


And for openssl to take advantage of CAAM, do I need to rebuild it? I'm using rootfs from Freescale i.MX6 BSP L3.0.35_1.1.0. Any idea how to configure openssl for it?


Thanks,


-Ben

0 Kudos
4,107 Views
Yuri
NXP Employee
NXP Employee

> ... are you saying that IPSec will use CAAM driver as long as I include 'caam' in the bootargs?

Yes, assuming the kernel is configured properly.

Network support --->

  Network option --->

    <*> PF_KEY sockets

    <*>   IP: AH transformation

    <*>   IP: ESP transformation

    <*>   IP: IPComp transformation

    <*>   IP: IPsec transport mode

    <*>   IP: IPsec tunnel mode

> And for openssl to take advantage of CAAM do I need to rebuild it?

> Any idea how to configure openssl for it?

While not officially supported in the BSP, there are userspace interface implementations

that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the

CAAM h/w via its respective driver. While the kernel officially supports the AF_ALG socket

interface, various third-party cryptodev implementations are also available.

Here are some links to a couple of starting points:

http://carnivore.it/2011/04/23/openssl_-_af_alg

http://home.gna.org/cryptodev-linux/

http://ocf-linux.sourceforge.net/

0 Kudos
4,107 Views
AlbertT
Contributor V

What do you mean by bootargs ? Where do you put caam ?

0 Kudos
4,107 Views
_benjamindubb
Contributor II

my kernel command line, populated via uboot bootargs:

console=ttymxc0,115200 video=mxcfb1:dev=ldb,LDB-XGA,if=RGB666 ldb=dul1 root=/dev/mmcblk1p1 rootwait rw caam

0 Kudos
4,107 Views
AlbertT
Contributor V

I had no idea this was possible, thanks for the tip !!

0 Kudos
4,107 Views
Yuri
NXP Employee
NXP Employee

Linux kernel contains various users of the Scatterlist CryptoAPI, including its IPSec implementation, sometimes referred to as the NETKEY stack.

0 Kudos
4,107 Views
_benjamindubb
Contributor II

Where can I find the latest CAAM patches that address the issue reported by the callstack above?

0 Kudos
4,107 Views
Yuri
NXP Employee
NXP Employee

Looks like IPSEC with i.MX6 CAAM was not tested yet. IPSEC + CAAM is working for QorIQ.
 

0 Kudos
4,107 Views
_benjamindubb
Contributor II

not tested?! It was included in the Linux kernel BSP, so better be tested. How do you guys expect to sell this to customers? Is there some other protocol besides IPSec that it was perhaps tested with?

0 Kudos
4,107 Views
Yuri
NXP Employee
NXP Employee

OK, let's create special SR to check it more carefully

0 Kudos
4,107 Views
_benjamindubb
Contributor II

Yuri, can you advice us when we should expect Freescale to resolve the issue with the CAAM driver for i.MX6 Linux BSP.

Thanks

0 Kudos
4,107 Views
AlbertT
Contributor V

So there is a problem with the driver ? I've created a SR too but I have not had an answer yet.

I've tried the af_alg way but without success.

0 Kudos
4,108 Views
Yuri
NXP Employee
NXP Employee

> I've created a SR ...


What is SR number ?



0 Kudos
4,108 Views
AlbertT
Contributor V

SR# 1-1025928941

I have an answer now, thanks.

0 Kudos
4,121 Views
Yuri
NXP Employee
NXP Employee

  While not officially supported in the SDK, there are userspace interface implementations,

that enable offloading OpenSSL requests to the built-in kernel crypto API, and thus the CAAM

h/w via its respective driver. As known, the AF_ALG family provides the user-space interface

for the kernel crypto API. While a kernel (2.6.38 and later) supports the AF_ALG socket interface,

various third-party cryptodev implementations are also available.

Here are some links to a couple of starting points:

http://carnivore.it/2011/04/23/openssl_-_af_alg

http://home.gna.org/cryptodev-linux/

http://ocf-linux.sourceforge.net/

The enclosed is implementaion from Dipen Patel.


https://community.freescale.com/message/342822#342822