[U-Boot] i.MX6 CAAM BLOB problem: Invalid KEY Command

Clemens Gruber clemens.gruber at pqgruber.com
Sun Dec 17 20:18:15 UTC 2017


Hi,

I am experimenting with the BLOB feature of the CAAM on an i.MX6Q.
However, CAAM does not accept the KEY Command, necessary for the
blob OPERATION.
I want to encapsulate data within U-Boot as a "red blob" to allow
storing it in an insecure location and ensure that it can only be
decapsulated on the same system and only if it is in HAB secure state.

Here is what I did in my board code:
/* enable the CAAM clock and initialise the job ring / RNG */
hab_caam_clock_enable(1);
sec_init();

/* 16-byte key modifier (combined with the OTPMK for the BKEK in secure state) */
uint8_t *km = malloc(16);
strncpy((char*)km, "My Key Modifier", 16);
/* 64 bytes of plaintext to wrap */
uint8_t *plaintext = malloc(64);
strncpy((char*)plaintext, "My Test Plaintext", 64);
/* output: 32-byte wrapped blob key + 64 bytes of data + 16-byte MAC */
uint8_t *blob = malloc(32+64+16);

blob_encap(km, plaintext, blob, 64);

When enabling DEBUG, I see the following:

01: operation
02: jump
03: load_imm_u32
05: operation
00000000: No error:
SEC0: RNG instantiated

Encapsulating data to form blob
01: key
03: seq_in_ptr
03: seq_in_ptr_extlen
06: seq_out_ptr
06: seq_out_ptr_extlen
09: operation
Descriptor dump:
Word[0]: b080000a
Word[1]: 04000010
Word[2]: 4fd7ab20
Word[3]: f0400000
Word[4]: 4fd7a9f8
Word[5]: 00000040
Word[6]: f8400000
Word[7]: 4fd7ab38
Word[8]: 00000070
Word[9]: 870d0000
Word[10]: 206d6574
Word[11]: 65736572
Word[12]: 2e2e2074
Word[13]: 72203b20
40000006: DECO: desc idx 0: Invalid KEY Command
Error 40000006
Error in Encapsulation 1073741830

--

I read through the i.MX6DQ Security Reference Manual [1], but could not
find out why this Invalid KEY Command error occurs.
The KEY command (Word[1..2]) looks OK: CTYPE = 0b0000 (KEY), CLASS =
0b10 (Class 2), No SGF, No IMM, No ENC, LENGTH=0b10000 (16 bytes).

Any ideas what's causing this?
Are blob_encap/blob_decap (or CMD_BLOB from CLI) working for you?

(Not sure if it's important, but I am successfully using HAB on this
system and get_hab_status does not report any errors/events, so the chip
comes up in secure mode and should - if it were working - use the OTPMK
+ the key modifier for the BKEK)

Best regards,
Clemens

--

[1] https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE
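As an added example (not from the mail above or from U-Boot), a small decoder for the descriptor dump: it walks the command words using the CAAM command bit layout the mail cites (CTYPE, CLASS, SGF/IMM/ENC, LENGTH), bounded by the header's DESCLEN, so each field can be checked mechanically rather than by hand. The function and field names are my own, only the command types present in this dump are handled, and pointers are assumed to occupy a single 32-bit word (i.MX6).

```python
# Added example, not from the original post or from U-Boot: decode the 32-bit
# CAAM job descriptor words from the dump. Bit layouts used: CTYPE bits 31:27,
# CLASS 26:25, KEY SGF/IMM/ENC at bits 24/23/22, KEY LENGTH 9:0, SEQ ptr EXT
# at bit 22, OPERATION OPTYPE 26:24 and PROTID 23:16; pointers are one word.

# Constructed input: the "Descriptor dump" words from the mail, in order.
DESC_DUMP = [0xb080000a, 0x04000010, 0x4fd7ab20, 0xf0400000, 0x4fd7a9f8,
             0x00000040, 0xf8400000, 0x4fd7ab38, 0x00000070, 0x870d0000,
             0x206d6574, 0x65736572, 0x2e2e2074, 0x72203b20]

CTYPE = {0x00: "KEY", 0x10: "OPERATION", 0x16: "HEADER",
         0x1e: "SEQ_IN_PTR", 0x1f: "SEQ_OUT_PTR"}

def bit(w, n):
    return bool(w & (1 << n))

def decode_descriptor(words):
    """Walk the descriptor command by command; returns (commands, trailing).
    DESCLEN (header bits 6:0) bounds the walk, so extra dumped words are split off."""
    hdr = words[0]
    if (hdr >> 27) != 0x16:
        raise ValueError("word 0 is not a job descriptor header")
    desclen = hdr & 0x7f
    cmds = [{"cmd": "HEADER", "one": bit(hdr, 23),
             "start_idx": (hdr >> 16) & 0x3f, "desclen": desclen}]
    i = 1
    while i < desclen:
        w = words[i]
        name = CTYPE.get(w >> 27, "UNKNOWN(0x%02x)" % (w >> 27))
        if name == "KEY":
            imm, length = bit(w, 23), w & 0x3ff
            # IMM: key bytes follow inline (padded to words); else one pointer
            nkey = (length + 3) // 4 if imm else 1
            cmds.append({"cmd": name, "class": (w >> 25) & 3, "sgf": bit(w, 24),
                         "imm": imm, "enc": bit(w, 22), "length": length,
                         "data": words[i + 1:i + 1 + nkey]})
            i += 1 + nkey
        elif name in ("SEQ_IN_PTR", "SEQ_OUT_PTR"):
            ext = bit(w, 22)  # EXT: length sits in its own word after the pointer
            length = words[i + 2] if ext else w & 0xffff
            cmds.append({"cmd": name, "ext": ext, "ptr": words[i + 1], "length": length})
            i += 3 if ext else 2
        elif name == "OPERATION":
            cmds.append({"cmd": name, "optype": (w >> 24) & 7,
                         "protid": (w >> 16) & 0xff, "protinfo": w & 0xffff})
            i += 1
        else:
            raise ValueError("unhandled command 0x%08x at word %d" % (w, i))
    return cmds, words[desclen:]
```

Running it on DESC_DUMP confirms the mail's reading of Word[1] (class 2, 16-byte key by pointer) and shows that Word[10..13] lie beyond DESCLEN = 10, i.e. they are not part of the descriptor at all.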
