Hi,
We are currently upgrading a custom board from Kernel 4.1 to 5.15.
We are using NXP's CAAM driver to securely store a keyblob.
After updating on a security-enabled device, decryption fails.
Adding some debug prints in sm_store.c yields that the job returns with JRSTA_CCBERR_ERRID_ICVCHKL.
If I print the status instead of just returning -EBADMSG, I get the following output:
[ 30.153764] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.
[ 30.161259] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.
The raw return value is 0x2000 081A, in case there is more information there.
Any help is highly welcome. I can of course provide more information if needed.
Thanks in advance and best regards
Niklas Reisser
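The status word quoted in the post above, split into its bit fields, as an added example that is not part of the original post or of NXP's driver. The masks follow the JRSTA_* layout in the mainline Linux CAAM driver; the struct and function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a CAAM job ring status word reported by the CCB.
 * Names here are hypothetical; only the bit positions come from the driver. */
struct ccb_status {
    unsigned source;   /* bits 31:28, 0x2 = CCB */
    unsigned jump;     /* bit 27, set when the index is a jump target */
    unsigned desc_idx; /* bits 15:8, descriptor word being executed */
    unsigned cha_id;   /* bits 7:4, 0x1 = AES */
    unsigned err_id;   /* bits 3:0, 0xa = ICV check failed */
};

static const char *const cha_names[] = {
    "", "AES", "DES", "ARC4", "MDHA", "RNG", "SNOW f8", "Kasumi f8/9",
    "PKHA", "CRCA", "SNOW f9", "ZUCE", "ZUCA",
};

static struct ccb_status decode_ccb_status(uint32_t status)
{
    struct ccb_status s;
    s.source   = status >> 28;
    s.jump     = (status >> 27) & 0x1;
    s.desc_idx = (status >> 8) & 0xff;
    s.cha_id   = (status >> 4) & 0xf;
    s.err_id   = status & 0xf;
    return s;
}

static const char *cha_name(unsigned cha_id)
{
    size_t n = sizeof(cha_names) / sizeof(cha_names[0]);
    return cha_id < n ? cha_names[cha_id] : "unknown";
}

/* True when the CCB reports an integrity (ICV) mismatch. */
static int is_icv_failure(uint32_t status)
{
    struct ccb_status s = decode_ccb_status(status);
    return s.source == 0x2 && s.err_id == 0xa;
}

int main(void)
{
    struct ccb_status s = decode_ccb_status(0x2000081aU); /* value from the post */
    printf("source=%#x jump=%u desc_idx=%u cha=%s err_id=%#x icv_fail=%d\n",
           s.source, s.jump, s.desc_idx, cha_name(s.cha_id), s.err_id,
           is_icv_failure(0x2000081aU));
    return 0;
}
```

Every field of 0x2000081a is already reflected in the kernel message (CCB, desc idx 8, AES, ICV check failed), so the raw value carries no further detail.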
Hi,
thanks for the replies. We were able to find the solution in the updated kernel module which extracts the key.
Kind regards,
Niklas
The transition between kernels can introduce subtle changes in cryptographic APIs or hardware interactions that aren’t immediately apparent but have far-reaching implications, like in this case with keyblob handling and AES operations. Debugging such issues not only requires a deep understanding of the kernel internals but also a meticulous review of descriptor handling and parameter consistency. It’s impressive to see how tightly coupled cryptographic integrity checks are to kernel upgrades—almost like a puzzle where one misplaced piece can disrupt the entire system.
Hi,
Did you use caam_keygen to generate the keyblob in bsp5.15? If not, it is recommended to use caam_keygen.
Regards
Harvey