Adding Breno on Cc in case he can help.
On Sun, Dec 17, 2017 at 6:18 PM, Clemens Gruber <[email protected]> wrote:
> Hi,
>
> I am experimenting with the BLOB feature of the CAAM on an i.MX6Q.
> However, CAAM does not accept the KEY Command, necessary for the
> blob OPERATION.
> I want to encapsulate data within U-Boot as a "red blob" to allow
> storing it in an insecure location and ensure that it can only be
> decapsulated on the same system and only if it is in HAB secure state.
>
> Here is what I did in my board code:
> hab_caam_clock_enable(1);
> sec_init();
>
> uint8_t *km = malloc(16);
> strncpy((char*)km, "My Key Modifier", 16);
> uint8_t *plaintext = malloc(64);
> strncpy((char*)plaintext, "My Test Plaintext", 64);
> uint8_t *blob = malloc(32+64+16);
>
> blob_encap(km, plaintext, blob, 64);
>
> When enabling DEBUG, I see the following:
>
> 01: operation
> 02: jump
> 03: load_imm_u32
> 05: operation
> 00000000: No error:
> SEC0: RNG instantiated
>
> Encapsulating data to form blob
> 01: key
> 03: seq_in_ptr
> 03: seq_in_ptr_extlen
> 06: seq_out_ptr
> 06: seq_out_ptr_extlen
> 09: operation
> Descriptor dump:
> Word[0]: b080000a
> Word[1]: 04000010
> Word[2]: 4fd7ab20
> Word[3]: f0400000
> Word[4]: 4fd7a9f8
> Word[5]: 00000040
> Word[6]: f8400000
> Word[7]: 4fd7ab38
> Word[8]: 00000070
> Word[9]: 870d0000
> Word[10]: 206d6574
> Word[11]: 65736572
> Word[12]: 2e2e2074
> Word[13]: 72203b20
> 40000006: DECO: desc idx 0: Invalid KEY Command
> Error 40000006
> Error in Encapsulation 1073741830
>
> --
>
> I read through the i.MX6DQ Security Reference Manual [1], but could not
> find out why this Invalid KEY Command error occurs.
> The KEY command (Word[1..2]) looks OK: CTYPE = 0b0000 (KEY), CLASS =
> 0b10 (Class 2), No SGF, No IMM, No ENC, LENGTH=0b10000 (16 bytes)
>
> Any ideas what's causing this?
> Are blob_encap/blob_decap (or CMD_BLOB from CLI) working for you?
>
> (Not sure if it's important, but I am successfully using HAB on this
> system and get_hab_status does not report any errors/events, so the chip
> comes up in secure mode and should - if it were working - use the OTPMK
> + the key modifier for the BKEK)
>
> Best regards,
> Clemens
>
> --
>
> [1]
> https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE
> _______________________________________________
> U-Boot mailing list
> [email protected]
> https://lists.denx.de/listinfo/u-boot
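For readers following the by-hand decoding of the descriptor dump in Clemens's mail, here is a small walker that decodes the same ten words field by field. This is an added example, not code from the mail, from U-Boot or from NXP; the bit positions (CTYPE in bits 31:27, KEY CLASS in 26:25, SGF/IMM/ENC in 24/23/22, LENGTH in 9:0, OPERATION OPTYPE/PROTID in 26:24/23:16, SEQ_IN/OUT_PTR EXT in bit 22, HEADER descriptor length in 6:0) are taken from the CAAM descriptor command encoding as used by U-Boot's drivers/crypto/fsl/desc.h and should be checked against the SRM for your part. The walker confirms the posted reading of Word[1] (Class 2 KEY, no SGF/IMM/ENC, 16 bytes) and that Word[9] is an encapsulation-protocol OPERATION with the blob protocol ID; it does not explain the "Invalid KEY Command" error, which the mail leaves open.

```c
/* Added example: decode the CAAM job descriptor words posted in the mail.
 * Bit positions are assumed from the CAAM descriptor command encoding
 * (U-Boot desc.h); verify against the Security Reference Manual. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* CTYPE lives in bits 31:27 of every command word. */
#define CAAM_CTYPE(w) (((w) >> 27) & 0x1f)

enum caam_ctype {
	CT_KEY         = 0x00,
	CT_OPERATION   = 0x10,
	CT_HEADER      = 0x16,
	CT_SEQ_IN_PTR  = 0x1e,
	CT_SEQ_OUT_PTR = 0x1f,
};

/* KEY command word: CLASS bits 26:25, SGF 24, IMM 23, ENC 22, LENGTH 9:0. */
struct caam_key_cmd { unsigned cls, sgf, imm, enc, len; };

struct caam_key_cmd caam_decode_key(uint32_t w)
{
	struct caam_key_cmd k = {
		.cls = (w >> 25) & 0x3, .sgf = (w >> 24) & 0x1,
		.imm = (w >> 23) & 0x1, .enc = (w >> 22) & 0x1,
		.len = w & 0x3ff,
	};
	return k;
}

/* OPERATION word: OPTYPE bits 26:24 (7 = encapsulation protocol),
 * PROTID bits 23:16 (0x0d = blob protocol), PROTINFO bits 15:0. */
struct caam_op_cmd { unsigned optype, protid, protinfo; };

struct caam_op_cmd caam_decode_operation(uint32_t w)
{
	struct caam_op_cmd o = {
		.optype = (w >> 24) & 0x7, .protid = (w >> 16) & 0xff,
		.protinfo = w & 0xffff,
	};
	return o;
}

/* Job descriptor HEADER: descriptor length (in words) in bits 6:0. */
unsigned caam_header_desclen(uint32_t w) { return w & 0x7f; }

/* SEQ_IN_PTR / SEQ_OUT_PTR occupy two words, or three when EXT (bit 22)
 * says the length follows in its own word instead of bits 15:0. */
unsigned caam_seqptr_words(uint32_t w) { return ((w >> 22) & 1) ? 3 : 2; }

/* Walk a descriptor and print each command; returns the number of commands
 * after the header, or -1 on an unknown command or a length mismatch. */
int caam_walk_descriptor(const uint32_t *d, size_t nwords)
{
	if (nwords == 0 || CAAM_CTYPE(d[0]) != CT_HEADER)
		return -1;
	size_t len = caam_header_desclen(d[0]);
	if (len > nwords)
		return -1;
	printf("[0] HEADER desclen=%zu\n", len);

	int ncmds = 0;
	for (size_t i = 1; i < len; ncmds++) {
		uint32_t w = d[i];
		size_t step;
		switch (CAAM_CTYPE(w)) {
		case CT_KEY: {
			struct caam_key_cmd k = caam_decode_key(w);
			/* Non-immediate keys are followed by one pointer word;
			 * immediate keys carry the key bytes inline instead. */
			step = k.imm ? 1 + (k.len + 3) / 4 : 2;
			printf("[%zu] KEY class=%u sgf=%u imm=%u enc=%u len=%u\n",
			       i, k.cls, k.sgf, k.imm, k.enc, k.len);
			break;
		}
		case CT_SEQ_IN_PTR:
		case CT_SEQ_OUT_PTR: {
			step = caam_seqptr_words(w);
			if (i + step > len)
				return -1;
			uint32_t l = step == 3 ? d[i + 2] : (w & 0xffff);
			printf("[%zu] %s ptr=%08x len=%u\n", i,
			       CAAM_CTYPE(w) == CT_SEQ_IN_PTR ? "SEQ_IN_PTR" : "SEQ_OUT_PTR",
			       d[i + 1], l);
			break;
		}
		case CT_OPERATION: {
			struct caam_op_cmd o = caam_decode_operation(w);
			step = 1;
			printf("[%zu] OPERATION optype=%u protid=0x%02x protinfo=0x%04x\n",
			       i, o.optype, o.protid, o.protinfo);
			break;
		}
		default:
			printf("[%zu] unknown CTYPE 0x%02x\n", i, CAAM_CTYPE(w));
			return -1;
		}
		if (i + step > len)
			return -1;
		i += step;
	}
	return ncmds;
}

/* The dump from the mail. Words 10..13 lie past the 10-word descriptor
 * length in Word[0] and are residual memory, so they are left out. */
static const uint32_t posted_desc[] = {
	0xb080000a, 0x04000010, 0x4fd7ab20, 0xf0400000, 0x4fd7a9f8,
	0x00000040, 0xf8400000, 0x4fd7ab38, 0x00000070, 0x870d0000,
};
const size_t posted_desc_words = sizeof(posted_desc) / sizeof(posted_desc[0]);

int main(void)
{
	return caam_walk_descriptor(posted_desc, posted_desc_words) == 4 ? 0 : 1;
}
```

Running it over the posted words lists the HEADER, the KEY command with its pointer, the two extended-length sequence pointers (64 bytes in, 112 bytes out) and the blob OPERATION, which is exactly the sequence the DEBUG trace in the mail reports at indices 01, 03, 06 and 09.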

