[[PageOutline]]

= Venice Security

This page is about the i.MX8M security modules.

To read more about Trusted Execution Environment (TEE) on Venice, visit [wiki:venice/tee]

To read more about Venice Secure Boot, visit [wiki:venice/secure_boot]

= i.MX8M Mini Encryption

The i.MX8M Mini SoC offers hardware encryption through Freescale's Cryptographic Accelerator and Assurance Module (CAAM). It offers the following support:
 * Widevine ciphertext stealing (AES-CBC-CTS mode)
 * !PlayReady content protection
 * Public Key Cryptography (PKHA) with RSA 4096 and Elliptic Curve (ECC) algorithms
 * Real-time integrity checker (RTIC)
 * DRM support for RSA, AES, 3DES, DES with side-channel attack resistance
 * Side-channel attack resistance
 * True random number generation (RNG)
 * Manufacturing protection support

The above features are usable via the CAAM driver, which is available in the mainline Linux kernel. To make use of some of these features, the Linux Crypto API must be used. The driver is integrated with the kernel Crypto API service, so the algorithms supported by CAAM can replace the native software implementations.

== i.MX8M Mini Security Reference Manual

Detailed information is available in a Security Reference Manual available under NDA from NXP.

== Linux Drivers

The Cryptographic Accelerator and Assurance Module (CAAM) driver is the driver for Freescale's hardware crypto. It configures the hardware to operate as a DPAA component and creates job ring devices. Please see [https://www.kernel.org/doc/menuconfig/drivers-crypto-caam-Kconfig.html here] for more detail.

To enable the CAAM driver in the kernel, {{{CONFIG_CRYPTO_DEV_FSL_CAAM}}} must be set:
 * {{{make menuconfig}}}
 * Kernel Cryptographic API → Hardware crypto devices → Freescale CAAM-Multicore driver backend
 * You can either build as a module via {{{M}}} or statically via {{{Y}}}

Once enabled, {{{/proc/crypto}}} will list that system's cipher support and where that support comes from.
For example:
{{{#!bash
root@focal-venice:~# cat /proc/crypto
name         : rsa
driver       : rsa-caam
module       : caam_jr
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : akcipher

name         : cmac(aes)
driver       : cmac-aes-caam
module       : caam_jr
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 16
digestsize   : 16
...
}}}

The CAAM driver will also grant the ability to directly access the hardware random number generator via {{{/dev/hwrng}}}. This tremendously speeds up generation of random data.

For information on how to use the Linux Kernel Crypto API, consult the kernel documentation:
 - https://www.kernel.org/doc/html/latest/crypto/index.html

For more information on the Linux Kernel Crypto API and how to use it in userspace, see:
 - [wiki:linux/encryption]
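
The check below is an added example, not part of the original page: it parses `/proc/crypto` text to report which driver the Crypto API will prefer for an algorithm (the highest-priority registration) and whether any CAAM-backed driver has a selftest other than `passed`. The function names and the `rsa-generic` sample record are assumptions made for illustration.

```shell
# Added example (not from the original page). Every function reads
# /proc/crypto-formatted text on stdin, e.g.: preferred_driver rsa < /proc/crypto

# crypto_impls: one line per record: name driver module priority selftest
crypto_impls() {
    awk '
        function emit() {
            if ("name" in rec)
                print rec["name"], rec["driver"], rec["module"], rec["priority"], rec["selftest"]
            split("", rec)                    # clear for the next record
        }
        {
            i = index($0, ":")
            if (i == 0) { emit(); next }      # blank line ends a record
            key = substr($0, 1, i - 1); gsub(/[ \t]+$/, "", key)
            val = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "name") emit()         # tolerate a missing blank line
            rec[key] = val
        }
        END { emit() }'
}

# preferred_driver ALG: highest-priority driver registered for ALG, the one
# the Crypto API selects when a caller asks for ALG by its generic name.
preferred_driver() {
    crypto_impls | awk -v alg="$1" '
        $1 == alg && (drv == "" || $4 + 0 > best) { best = $4 + 0; drv = $2 }
        END { if (drv == "") exit 1; print drv }'
}

# caam_selftest_failures: CAAM-backed drivers whose selftest is not "passed"
caam_selftest_failures() {
    crypto_impls | awk '$3 ~ /^caam/ && $5 != "passed" { print $2 }'
}

# Constructed sample: the two CAAM entries from the listing above (trimmed)
# plus a constructed software rsa entry (rsa-generic, priority 100).
sample_proc_crypto() {
    printf '%s\n' \
        'name : rsa' 'driver : rsa-generic' 'module : kernel' \
        'priority : 100' 'selftest : passed' '' \
        'name : rsa' 'driver : rsa-caam' 'module : caam_jr' \
        'priority : 3000' 'selftest : passed' '' \
        'name : cmac(aes)' 'driver : cmac-aes-caam' 'module : caam_jr' \
        'priority : 3000' 'selftest : passed'
}
```

If `preferred_driver` prints a software driver for an algorithm you expected CAAM to serve, the CAAM module is not loaded or did not register that algorithm.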