I am following the application note AN12714 (i.MX Encrypted Storage Using CAAM Secure Keys Rev. 0 — 25 February 2020). When I create a secure key, I get:
[root@IoT-A6G2C /jffs/dm_crypto]# ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
keyctl_read_alloc: Permission denied
[root@IoT-A6G2C /jffs/dm_crypto]#
I don't know how to solve it, so I used this command instead: ./keyctl add caam_tk seckey "new ecb 16" @u | xargs ./keyctl print > blob
Success!
But when I execute the following command:
[root@IoT-A6G2C /jffs/dm_crypto]# mount -t ext4 /dev/mapper/encrypted /jffs/dm_crypto/mnt/encrypted/
I find the files in /jffs/dm_crypto/mnt/encrypted/ unencrypted. I don't know how to solve it, I need help. Thanks
[root@IoT-A6G2C /jffs/dm_crypto/mnt/encrypted]# cat readme.txt
This is a test of full disk encryption on i.MX
[root@IoT-A6G2C /jffs/dm_crypto]# uname -a
Linux IoT-A6G2C 4.14.98-g586ed8b06-dirty #1 SMP Wed Mar 8 08:48:46 UTC 2023 armv7l GNU/Linux
imx6ul
Hi @Harvey021
When I execute the following command:
# fdisk -l
Disk /dev/mmcblk0: 7580 MB, 7948206080 bytes, 15523840 sectors
966 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type
/dev/mmcblk0p1 * 0,32,33 965,254,63 2048 15518789 15516742 7576M c Win95 FAT32 (LBA)
Disk /dev/dm-0: 8 MB, 8388608 bytes, 16384 sectors
1 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-0 doesn't contain a valid partition table
Is this the reason, that there is no partition in dm-0? What partition method should I use?
Thanks
Hi @haichao
Both session keyring and ext4 filesystem could be done without issue with the BSP that we provided.
Please share how you've tested that the data is unencrypted, and ensure that every step has completed successfully. For example, how did the mount operation go?
Best regards
Harvey
Hi @Harvey021
Thanks for your reply!
I followed the note AN12714 Rev. 0 — 25 February 2020 step by step. The difference is my kernel version (imx-4.14.98). I downloaded meta-imx-fde-demo, inserted the patch file from recipes-kernel into my kernel, and modified the config file.
Part of the kernel startup information:
sdhci-esdhc-imx 2194000.usdhc: assigned as wifi host
mmc1: SDHCI controller on 2194000.usdhc [2194000.usdhc] using ADMA
caam 2140000.caam: ERA source: CCBVID.
caam 2140000.caam: device ID = 0x0a16030000000000 (Era
caam 2140000.caam: job rings = 3, qi = 0, dpaa2 = no
caam_jr 2141000.jr0: Entropy delay = 3200
caam_jr 2141000.jr0: Instantiated RNG4 SH0.
caam_jr 2141000.jr0: Instantiated RNG4 SH1.
caam algorithms registered in /proc/crypto
caam_jr 2141000.jr0: registering rng-caam
caam 2140000.caam: caam pkc algorithms registered in /proc/crypto
platform caam_sm: blkkey_ex: 8 keystore units available
caam_jr 2143000.jr2: caam_black_key input: [key: 00101000(8) black_key: 00101000(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101000(8) black_key: 00101000(8)
caam_jr 2143000.jr2: req:16, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101080(16) black_key: 00101080(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101080(16) black_key: 00101080(16)
caam_jr 2143000.jr2: req:16, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101100(24) black_key: 00101100(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101100(24) black_key: 00101100(24)
caam_jr 2143000.jr2: req:32, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101180(32) black_key: 00101180(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101180(32) black_key: 00101180(32)
caam_jr 2143000.jr2: req:32, auth: 0x0]
caam-snvs 20cc000.caam-snvs: can't get snvs clock
caam-snvs 20cc000.caam-snvs: violation handlers armed - trusted state
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
vf610-adc 2198000.adc: 2198000.adc supply vref not found, using dummy regulator
NET: Registered protocol family 26
nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
xt_time: kernel timezone is -0000
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 10
Segment Routing with IPv6
NET: Registered protocol family 17
can: controller area network core (rev 20170425 abi 9)
NET: Registered protocol family 29
can: raw protocol (rev 20170425)
can: broadcast manager protocol (rev 20170425 t)
can: netlink gateway (rev 20170425) max_hops=1
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bluetooth: BNEP socket layer initialized
Bluetooth: HIDP (Human Interface Emulation) ver 1.2
Bluetooth: HIDP socket layer initialized
Key type dns_resolver registered
mmc0: new high speed SDHC card at address aaaa
mmcblk0: mmc0:aaaa SA08G 7.40 GiB
mmcblk0: p1
imx_thermal 2000000.aips-bus:tempmon: Automotive CPU temperature grade - max:125C critical:120C passive:115C
snvs_rtc 20cc000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01 22:06:52 UTC (79612)
Key type caam_tk registered
wlreg_on: disabling
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
..................
Referring to Section 3.2, the results of each step are as follows:
1. Make sure that cryptographic transformations using Tagged Key are registered.
# grep -B1 -A2 tk- /proc/crypto|grep -v kernel
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
priority : 1
--
name : tk(cbc(aes))
driver : tk-cbc-aes-caam
priority : 1
2. Make sure dm-crypt is enabled
# ./dmsetup targets
crypt v1.18.1
striped v1.6.0
linear v1.4.0
error v1.5.0
3. Provide the device with its key
# ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
keyctl_read_alloc: Permission denied
# ./keyctl list @s
1 key in keyring:
228517484: --alswrv 0 65534 keyring: _uid.0
# ./keyctl session
Joined session keyring: 1066486877
# ./keyctl list @s
keyring is empty
# ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
# ./keyctl list @s
1 key in keyring:
972125402: --als-rv 0 0 caam_tk: seckey
# cat blob
:hex:9926ac021bdba1a40875778dd9aed6a560673ea8fcad7554456ab8826d67743af1304086076f7a5b9fc88ba6a1f5741243f4637fbc15d284f417166b4354d867
4. Create a secure volume
# ./dd if=/dev/zero of=encrypted.img bs=1M count=8
8+0 records in
8+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 1.74919 s, 4.8 MB/s
# ./losetup /dev/loop0 encrypted.img
5. Create a new device-mapper device named encrypted
# ./dmsetup -v create encrypted --table "0 $(./blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :32:caam_tk:secke
Name: encrypted
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 0
Number of targets: 1
# ./dmsetup table --showkey encrypted
0 16384 crypt capi:tk(cbc(aes))-plain :32:caam_tk:seckey 0 7:0 0
# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jan 1 1970 control
brw------- 1 root root 253, 0 Mar 9 21:37 encrypted
6, 7, 8. Set the mount point and mount
# ./mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 8192 1k blocks and 2048 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
# mkdir -p ./mnt/encrypted
# mount -t ext4 /dev/mapper/encrypted ./mnt/encrypted/
# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 18.3M 18.3M 0 100% /
..............
/dev/mmcblk0p1 7.4G 58.1M 7.3G 1% /media/mmcblk0p1
tmpfs 58.0M 584.0K 57.4M 1% /root/.ssh
/dev/mapper/encrypted
6.4M 46.0K 5.8M 1% /jffs/dm_crypt/mnt/encrypted
When I execute the mount command, the serial port prints the following message. I'm not sure whether this is abnormal:
EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
9. Write to the device
# echo "hello,world" > ./mnt/encrypted/readme.txt
# cat ./mnt/encrypted/readme.txt
hello,world
According to step 8: "At this level, everything you write to /mnt/encrypted is encrypted on the real block device /dev/loop0".
I think the readme.txt file should be encrypted, but it is unencrypted.
I don't know why, or how to solve it.
Best regards
haichao
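The check behind this exchange: dm-crypt sits below the filesystem, so `cat` through the mount point always returns plaintext, and the only place where ciphertext can be observed is the backing store (here encrypted.img behind /dev/loop0). The following Python is an added example, not code from AN12714 or from the thread; it inspects a copy of the backing image and reports whether the ext4 superblock magic or the written string are visible in the clear. The sample images built in demo() are constructed stand-ins, and the 7.0 bits/byte threshold is an assumption.

```python
import math
import os
import random
import tempfile

SECTOR = 512
EXT4_MAGIC_OFFSET = 0x438        # superblock starts at byte 1024, s_magic sits at +56
EXT4_MAGIC = b"\x53\xef"         # 0xEF53 stored little-endian
MARKER = b"hello,world"          # the string the thread writes to readme.txt

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext is close to 8.0, text and zero padding far below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([v])) for v in set(data)))

def inspect_backing_image(path: str, marker: bytes = MARKER) -> dict:
    """Examine the raw bytes under the dm-crypt mapping, never the mounted view."""
    with open(path, "rb") as f:
        raw = f.read()
    # Sectors never written through the mapping stay zero on the backing store,
    # so only sectors that carry data say whether the crypt target encrypted them.
    written = [raw[i:i + SECTOR] for i in range(0, len(raw), SECTOR) if any(raw[i:i + SECTOR])]
    mean_ent = sum(map(shannon_entropy, written)) / len(written) if written else 0.0
    return {
        "ext4_magic_in_clear": raw[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] == EXT4_MAGIC,
        "marker_in_clear": marker in raw,
        "mean_written_sector_entropy": round(mean_ent, 2),
    }

def looks_encrypted(report: dict) -> bool:
    # 7.0 bits/byte is an assumed threshold; 512-byte ciphertext sectors score about 7.6
    return (not report["ext4_magic_in_clear"] and not report["marker_in_clear"]
            and report["mean_written_sector_entropy"] > 7.0)

def demo() -> dict:
    """Constructed 64 KiB stand-ins for encrypted.img; no dm-crypt is involved here."""
    plain = bytearray(64 * 1024)                 # backing file when the target is not encrypting
    plain[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] = EXT4_MAGIC
    plain[8192:8192 + len(MARKER)] = MARKER
    cipher = bytearray(64 * 1024)                # backing file when the target is encrypting
    cipher[:16384] = random.Random(1).randbytes(16384)  # seeded so the demo is repeatable
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, img in (("plain", plain), ("encrypted", cipher)):
            p = os.path.join(d, name + ".img")
            with open(p, "wb") as f:
                f.write(img)
            out[name] = inspect_backing_image(p)
    return out
```

On a real board, copy encrypted.img to the host after writing readme.txt through the mount and call inspect_backing_image() on that copy; seeing the marker or the ext4 magic in the clear means the crypt target is not in the write path.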
[root@IoT-A6G2C /jffs/dm_crypto]# ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
keyctl_read_alloc: Permission denied
About that problem, the link below gave me the answer:
Unable to store keys in key ring using keyctl - NXP Community
yes
Use this command: keyctl session before ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
But I followed AN12714 (i.MX Encrypted Storage Using CAAM Secure Keys Rev. 0 — 25 February 2020), and when I put a file into mnt/encrypted, the file is unencrypted. I don't know why, please help me, many thanks!
Regards
Hi @Harvey021
I already know why. It's explained in the document: "NAND flash is an MTD device, hence, DM-Crypt cannot be used with". My flash is NAND flash; I made a big joke.