CAAM secure (tagged) keys with openssl

2,949 Views
tmayr
Contributor I

Hello,

We set up an iMX6 board with secure boot and CAAM support enabled, and also configured file-system encryption using CAAM and secure keys (tagged keys).

Now we'd like to use tagged keys with openssl (AES) as well. We managed to configure CAAM as engine for openssl, using cryptodev. However, only non-tagged-key algorithms (e.g. aes-256-cbc) are available in openssl.

How can we tell openssl about the tagged key algorithms?
I found this document about how to use black keys with openssl for asymmetric crypto operations, but has anything similar already been done for AES (e.g. aes-256-cbc-tk)?

Thanks,
Tobias

0 Kudos
5 Replies

1,698 Views
Fabien_M
Contributor I

Hello @igorpadykov,
I would also like to use AES openssl with black keys.

May I also get the procedure and patch, please?

Note: I use 5.15.52 BSP on iMX8mp.

Best regards,
Fabien

0 Kudos

2,810 Views
igorpadykov
NXP Employee

Hi Tobias

from team:

----------------------

Please tell me your BSP version. I think this needs to be done by adding some custom code to link the tagged key transform. It can't be selected autonomously. Please share test code or patch to reproduce on our side.

----------------------

Best regards
igor

0 Kudos

2,793 Views
tmayr
Contributor I

Hi Igor,

This is the BSP we are using: https://github.com/varigit/variscite-bsp-platform/tree/dunfell

I'm not sure what the team means by "code or patch to reproduce on our side", but I would like to do something like

openssl enc -e -engine cryptodev -in plainfile -out cryptofile aes-256-cbc-tk -K blackkey

to encrypt a plainfile using the provided blackkey (note the -tk in the cipher, which obviously openssl doesn't know about), through the CAAM (e.g. with cryptodev).

This doesn't work out of the box, and it would be cool to know what's missing.

Tobias

0 Kudos

2,676 Views
igorpadykov
NXP Employee

Procedure and verification patch were sent via mail.

-----------------------

Best regards
igor

0 Kudos

1,507 Views
ahightower
Contributor I

Has this been mainlined in the past year? What was the resolution of this?

0 Kudos