| 1 | [[PageOutline]] |
| 2 | |
| 3 | = i.MX8M Mini Encryption |
| 4 | The i.MX8M Mini SoC offers hardware encryption through Freescale's Cryptographic Accelerator and Assurance Module (CAAM). It offers the following support: |
| 5 | * Widevine ciphertext stealing (AES-CBC-CTS mode) |
| 6 | * !PlayReady content protection |
| 7 | * Public Key Cryptography (PKHA) with RSA 4096 and Elliptic Curve (ECC) algorithms |
| 8 | * Real-time integrity checker (RTIC) |
| 9 | * DRM support for RSA, AES, 3DES, DES with side-channel attack resistance |
| 10 | * Side channel attack resistance |
| 11 | * True random number generation (RNG) |
| 12 | * Manufacturing protection support |
| 13 | |
| 14 | The above features are usable via the CAAM driver, which is available in the mainline Linux kernel. To make use of some of these features, the Linux Crypto API must be used. The driver is integrated with the Crypto API kernel service, so the algorithms supported by CAAM can replace the native software implementations. |
| 15 | |
| 16 | == i.MX8M Mini Security Reference Manual |
| 17 | Detailed information is available in a Security Reference Manual available under NDA from NXP. |
| 18 | |
| 19 | == Linux Drivers |
| 20 | The Cryptographic Accelerator and Assurance Module (CAAM) driver supports Freescale's hardware crypto. It configures the hardware to operate as a DPAA component and creates job ring devices. Please see [https://www.kernel.org/doc/menuconfig/drivers-crypto-caam-Kconfig.html here] for more detail. |
| 21 | |
| 22 | To enable the CAAM driver in the kernel, the {{{CONFIG_CRYPTO_DEV_FSL_CAAM}}} option must be set: |
| 23 | * {{{make menuconfig}}} |
| 24 | * Kernel Cryptographic API → Hardware crypto devices → Freescale CAAM-Multicore driver backend |
| 25 | * You can either build as a module via {{{M}}} or statically via {{{Y}}} |
| 26 | |
| 27 | Once enabled, {{{/proc/crypto}}} lists the algorithms the system supports and which driver and module provide each one. For example: |
| 28 | {{{#!bash |
| 29 | root@focal-venice:~# cat /proc/crypto |
| 30 | name : rsa |
| 31 | driver : rsa-caam |
| 32 | module : caam_jr |
| 33 | priority : 3000 |
| 34 | refcnt : 1 |
| 35 | selftest : passed |
| 36 | internal : no |
| 37 | type : akcipher |
| 38 | |
| 39 | name : cmac(aes) |
| 40 | driver : cmac-aes-caam |
| 41 | module : caam_jr |
| 42 | priority : 3000 |
| 43 | refcnt : 1 |
| 44 | selftest : passed |
| 45 | internal : no |
| 46 | type : ahash |
| 47 | async : yes |
| 48 | blocksize : 16 |
| 49 | digestsize : 16 |
| 50 | |
| 51 | ... |
| 52 | }}} |
| 53 | |
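One way to check that the Crypto API will actually pick the CAAM implementation (an added example, not part of the original page or of the CAAM driver): the script parses {{{/proc/crypto}}} and, for each algorithm a CAAM module registers, reports the highest-priority implementation whose self-test passed, which is the one a lookup by algorithm name selects. Assumptions: CAAM records are recognised by a module name starting with {{{caam}}}, as in the output above, and the non-CAAM sample rows are constructed.

```python
# Added example, not from the original page: audit /proc/crypto for CAAM offload.
import sys
from collections import defaultdict

def record(name, driver, module, priority, selftest="passed"):
    """Build one record in /proc/crypto layout (only the fields used here)."""
    return (f"name : {name}\ndriver : {driver}\nmodule : {module}\n"
            f"priority : {priority}\nselftest : {selftest}\n")

# Constructed sample. The caam_jr rows mirror the output shown above; the
# software rows (rsa-generic's priority, the example_sw driver) are made up.
SAMPLE = "\n".join(record(*row) for row in [
    ("rsa", "rsa-caam", "caam_jr", 3000),
    ("rsa", "rsa-generic", "kernel", 100),
    ("cmac(aes)", "cmac-aes-caam", "caam_jr", 3000),
    ("cmac(aes)", "cmac-aes-example-sw", "example_sw", 4000),
])

def parse(text):
    """Split /proc/crypto text into one dict per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, v in fields})
    return records

def caam_audit(text):
    """Map each algorithm CAAM implements to (winning driver, served by CAAM?)."""
    by_name = defaultdict(list)
    for rec in parse(text):
        if rec.get("selftest") == "passed":  # skip implementations not self-tested
            by_name[rec["name"]].append(rec)
    result = {}
    for name, impls in by_name.items():
        # Assumption: CAAM-backed records carry a module name starting with "caam".
        if any(r.get("module", "").startswith("caam") for r in impls):
            best = max(impls, key=lambda r: int(r["priority"]))
            result[name] = (best["driver"], best.get("module", "").startswith("caam"))
    return result

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, (driver, hw) in sorted(caam_audit(text).items()):
        print(f"{name:12} -> {driver:22} {'CAAM' if hw else 'NOT CAAM'}")
```

Run it on the target with {{{/proc/crypto}}} as the argument; a line marked NOT CAAM means a higher-priority implementation from another module would be chosen for that algorithm name.
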
| 54 | The CAAM driver also provides direct access to the hardware random number generator via {{{/dev/hwrng}}}. This tremendously speeds up generation of random data. |
| 55 | |
| 56 | For information on how to use the Linux Kernel Crypto API, consult the kernel documentation: |
| 57 | - https://www.kernel.org/doc/html/latest/crypto/index.html |
| 58 | |
| 59 | For more information on the Linux Kernel Crypto API and how to use it from userspace, see: |
| 60 | - [wiki:linux/encryption] |
| 61 | |