Changes between Initial Version and Version 1 of venice/encryption


Timestamp:
03/11/2021 10:18:19 PM (3 years ago)
Author:
Tim Harvey
Comment:

initial page

  • venice/encryption

    v1 v1  
     1[[PageOutline]]
     2
     3= i.MX8M Mini Encryption
     4The i.MX8M Mini SoC offer hardware encryption through Freescale's Cryptographic Accelerator and Assurance Module (CAAM). It offers the following support:
     5 * Widevine ciper text stealing (AES-CBC-CTS mode)
     6 * !PlayReady content protection
     7 * Public Key Cryptography (PKHA) with RSA 4096 and Elliptic Curve (ECC) algorithms
     8 * Real-time integrity checker (RTIC)
     9 * DRM support for RSA, AES, 3DES, DES with Side channel attach resistance
     10 * Side channel attack resistance
     11 * True random number generation (RNG)
     12 * Manufacturing protection support
     13
     14The above features are usable via the CAAM driver which is available in the mainline Linux kernel. In order to make use of some of these features, the Linux CryptoAPI must be used. The driver itself is integrated with the Crypto API kernel service in which the algorithms supported by CAAM can replace the native SW implementations.
     15
     16== i.MX8M Mini Security Reference Manual
     17Detailed information is available in a Security Reference Manual available under NDA from NXP.
     18
     19== Linux Drivers
     20The Cryptographic Accelerator and Assurance Module (CAAM) is the driver for Freescale's hardware crypto. It configures hw to operate as a DPAA component, as well as creates job ring devices. Please see [https://www.kernel.org/doc/menuconfig/drivers-crypto-caam-Kconfig.html here] for more detail.
     21
     22In order to enable the CAAM driver from within the kernel, the {{{CONFIG_CRYPTO_DEV_FSL_CAAM}}} must be set:
     23 * {{{make menuconfig}}}
     24  * Kernel Cryptographic API → Hardware crypto devices → Freescale CAAM-Multicore driver backend
     25   * You can either build as a module via {{{M}}} or statically via {{{Y}}}
     26
     27Once enabled, {{{/proc/crypto}}} will list out that system's cipher support and where that support comes from. For example:
     28{{{#!bash
     29root@focal-venice:~# cat /proc/crypto
     30name         : rsa
     31driver       : rsa-caam
     32module       : caam_jr
     33priority     : 3000
     34refcnt       : 1
     35selftest     : passed
     36internal     : no
     37type         : akcipher
     38
     39name         : cmac(aes)
     40driver       : cmac-aes-caam
     41module       : caam_jr
     42priority     : 3000
     43refcnt       : 1
     44selftest     : passed
     45internal     : no
     46type         : ahash
     47async        : yes
     48blocksize    : 16
     49digestsize   : 16
     50
     51...
     52}}}
     53
     54The CAAM driver will also grant the ability to directly access the hardware random number generator via {{{/dev/hwrng}}}. This tremendously speeds up generation of random data.
     55
     56For information on how to use the Linux Kernel Crypto API consult the kernel documentation:
     57- https://www.kernel.org/doc/html/latest/crypto/index.html
     58
     59For more information on Linux Kernel Crypto API and how to use in Userspace see:
     60- [wiki:linux/encryption]
     61
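Review bot: the feature list at lines 5-10 has text errors to fix before this page is relied on: line 5 reads "ciper text stealing" (should be "ciphertext stealing"), and line 9 ends "with Side channel attach resistance", which misspells "attack" and duplicates the separate bullet on line 10; "offer" on line 4 should also be "offers". Line 20 calls CAAM "the driver", while line 4 defines it as the hardware module, so suggest wording such as "The CAAM driver supports Freescale's hardware crypto". The /proc/crypto example (lines 27-52) needs one sentence saying what to look for: a "driver" name ending in "-caam" with "selftest : passed" shows the hardware implementation is registered, and the Crypto API selects the highest "priority" implementation for a given algorithm name, which is how the CAAM versions "replace the native SW implementations" as line 14 puts it. The output also lists "module : caam_jr", but line 22 names only CONFIG_CRYPTO_DEV_FSL_CAAM, so the menuconfig steps should state which job ring options must be enabled as well. Line 54's "tremendously speeds up" has no measurement behind it; give a figure or drop the adverb.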