[U-Boot] i.MX6 CAAM BLOB problem: Invalid KEY Command

Fabio Estevam festevam at gmail.com
Sun Dec 17 20:20:46 UTC 2017 

Adding Breno on Cc in case he can help.

On Sun, Dec 17, 2017 at 6:18 PM, Clemens Gruber
<clemens.gruber at pqgruber.com> wrote:
> Hi,
>
> I am experimenting with the BLOB feature of the CAAM on an i.MX6Q.
> However, CAAM does not accept the KEY Command, necessary for the
> blob OPERATION.
> I want to encapsulate data within U-Boot as a "red blob" to allow
> storing it in an unsecure location and ensure that it can only be
> decapsulated on the same system and only if it is in HAB secure state.
>
> Here is what I did in my board code:
> hab_caam_clock_enable(1);
> sec_init();
>
> uint8_t *km = malloc(16);
> strncpy((char*)km, "My Key Modifier", 16);
> uint8_t *plaintext = malloc(64);
> strncpy((char*)plaintext, "My Test Plaintext", 64);
> uint8_t *blob = malloc(32+64+16);
>
> blob_encap(km, plaintext, blob, 64);
>
> When enabling DEBUG, I see the following:
>
> 01: operation
> 02: jump
> 03: load_imm_u32
> 05: operation
> 00000000: No error:
> SEC0: RNG instantiated
>
> Encapsulating data to form blob
> 01: key
> 03: seq_in_ptr
> 03: seq_in_ptr_extlen
> 06: seq_out_ptr
> 06: seq_out_ptr_extlen
> 09: operation
> Descriptor dump:
> Word[0]: b080000a
> Word[1]: 04000010
> Word[2]: 4fd7ab20
> Word[3]: f0400000
> Word[4]: 4fd7a9f8
> Word[5]: 00000040
> Word[6]: f8400000
> Word[7]: 4fd7ab38
> Word[8]: 00000070
> Word[9]: 870d0000
> Word[10]: 206d6574
> Word[11]: 65736572
> Word[12]: 2e2e2074
> Word[13]: 72203b20
> 40000006: DECO: desc idx 0: Invalid KEY Command
> Error 40000006
> Error in Encapsulation 1073741830
>
> --
>
> I read through the i.MX6DQ Security Reference Manual [1], but could not
> find out why this Invalid KEY Command error occurs.
> The KEY command (Word[1..2]) looks OK: CTYPE = 0b0000 (KEY), CLASS =
> 0b10 (Class 2), No SGF, No IMM, No ENC, LENGTH=0b10000 (16 bytes)
>
> Any ideas what's causing this?
> Are blob_encap/blob_decap (or CMD_BLOB from CLI) working for you?
>
> (Not sure if it's important, but I am successfully using HAB on this
> system and get_hab_status does not report any errors/events, so the chip
> comes up in secure mode and should - if it were working - use the OTPMK
> + the key modifier for the BKEK)
>
> Best regards,
> Clemens
>
> --
>
> [1] https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot

More information about the U-Boot mailing list