Hi, I am experimenting with the BLOB feature of the CAAM on an i.MX6Q. However, CAAM does not accept the KEY Command, necessary for the blob OPERATION. I want to encapsulate data within U-Boot as a "red blob" to allow storing it in an unsecure location and ensure that it can only be decapsulated on the same system and only if it is in HAB secure state.
Here is what I did in my board code:

hab_caam_clock_enable(1);
sec_init();
uint8_t *km = malloc(16);
strncpy((char*)km, "My Key Modifier", 16);
uint8_t *plaintext = malloc(64);
strncpy((char*)plaintext, "My Test Plaintext", 64);
uint8_t *blob = malloc(32+64+16);
blob_encap(km, plaintext, blob, 64);

When enabling DEBUG, I see the following:

01: operation
02: jump
03: load_imm_u32
05: operation
00000000: No error:
SEC0: RNG instantiated
Encapsulating data to form blob
01: key
03: seq_in_ptr
03: seq_in_ptr_extlen
06: seq_out_ptr
06: seq_out_ptr_extlen
09: operation
Descriptor dump:
Word[0]: b080000a
Word[1]: 04000010
Word[2]: 4fd7ab20
Word[3]: f0400000
Word[4]: 4fd7a9f8
Word[5]: 00000040
Word[6]: f8400000
Word[7]: 4fd7ab38
Word[8]: 00000070
Word[9]: 870d0000
Word[10]: 206d6574
Word[11]: 65736572
Word[12]: 2e2e2074
Word[13]: 72203b20
40000006: DECO: desc idx 0: Invalid KEY Command
Error 40000006
Error in Encapsulation 1073741830

--

I read through the i.MX6DQ Security Reference Manual [1], but could not find out why this Invalid KEY Command error occurs. The KEY command (Word[1..2]) looks OK:

CTYPE = 0b0000 (KEY), CLASS = 0b10 (Class 2), No SGF, No IMM, No ENC, LENGTH=0b10000 (16 bytes)

Any ideas what's causing this? Are blob_encap/blob_decap (or CMD_BLOB from CLI) working for you?

(Not sure if it's important, but I am successfully using HAB on this system and get_hab_status does not report any errors/events, so the chip comes up in secure mode and should - if it were working - use the OTPMK + the key modifier for the BKEK)

Best regards,
Clemens

--
[1] https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE
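The manual decode of Word[1] in the post can be repeated mechanically for the whole dump. The following is an added example, not part of the original post and not U-Boot code: it walks Word[0]..Word[9] and splits them into commands. The function names are illustrative; the field positions are the ones in the CAAM desc.h header shipped with U-Boot and Linux, and 32-bit pointers are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: Word[0]..Word[9] of the descriptor dump in the post. */
static const uint32_t dump[] = {
    0xb080000a, 0x04000010, 0x4fd7ab20, 0xf0400000, 0x4fd7a9f8,
    0x00000040, 0xf8400000, 0x4fd7ab38, 0x00000070, 0x870d0000,
};

/* Field positions as in the CAAM desc.h header shipped with U-Boot and Linux. */
enum { C_KEY = 0x00, C_OP = 0x10, C_HDR = 0x16, C_SEQ_IN = 0x1e, C_SEQ_OUT = 0x1f };
static unsigned fld(uint32_t w, unsigned sh, unsigned m) { return (w >> sh) & m; }
static unsigned ctype(uint32_t w)    { return fld(w, 27, 0x1f); }  /* command type */
static unsigned cclass(uint32_t w)   { return fld(w, 25, 0x3); }   /* class 1 or 2 */
static unsigned key_len(uint32_t w)  { return fld(w, 0, 0x3ff); }  /* KEY: bytes */
static unsigned desc_len(uint32_t w) { return fld(w, 0, 0x7f); }   /* header: words */

/* Words occupied by the command starting with w (0 = type not handled here). */
static unsigned cmd_words(uint32_t w)
{
    switch (ctype(w)) {
    case C_HDR: case C_OP: return 1;
    case C_KEY: return fld(w, 23, 1) ? 1 + (key_len(w) + 3) / 4 : 2; /* IMM: inline */
    case C_SEQ_IN: case C_SEQ_OUT: return fld(w, 22, 1) ? 3 : 2;     /* EXT: +length */
    }
    return 0;
}

/* Print each command up to DESCLEN; return the count, or -1 if unhandled/truncated. */
static int walk(const uint32_t *d, unsigned avail)
{
    unsigned n, i = 0, step;
    int count = 0;
    if (!avail || ctype(d[0]) != C_HDR || (n = desc_len(d[0])) > avail) return -1;
    for (; i < n; i += step, count++) {
        step = cmd_words(d[i]);
        if (!step || i + step > n) return -1;
        printf("%02u: ctype=0x%02x words=%u", i, ctype(d[i]), step);
        if (ctype(d[i]) == C_KEY)
            printf(" class=%u sgf=%u imm=%u enc=%u len=%u", cclass(d[i]),
                   fld(d[i], 24, 1), fld(d[i], 23, 1), fld(d[i], 22, 1), key_len(d[i]));
        if (ctype(d[i]) == C_OP)
            printf(" optype=%u protid=0x%02x", fld(d[i], 24, 7), fld(d[i], 16, 0xff));
        putchar('\n');
    }
    return count;
}

int main(void) { return walk(dump, sizeof dump / sizeof dump[0]) == 5 ? 0 : 1; }
```

The header's DESCLEN field is 10 words, so Word[10]..Word[13] of the dump lie outside the descriptor and are not decoded.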