Other Resources
To read more about Trusted Execution Environment (TEE) on Venice, visit venice/tee
To read more about Venice Secure Boot, visit venice/secure_boot
i.MX8M Mini Encryption
The i.MX8M Mini SoC offers hardware encryption through Freescale's Cryptographic Accelerator and Assurance Module (CAAM). It offers the following support:
- Widevine ciphertext stealing (AES-CBC-CTS mode)
- PlayReady content protection
- Public Key Cryptography (PKHA) with RSA 4096 and Elliptic Curve (ECC) algorithms
- Real-time integrity checker (RTIC)
- DRM support for RSA, AES, 3DES, DES with side channel attack resistance
- Side channel attack resistance
- True random number generation (RNG)
- Manufacturing protection support
The above features are usable via the CAAM driver, which is available in the mainline Linux kernel. To make use of some of these features, the Linux Crypto API must be used. The driver is integrated with the kernel's Crypto API service, so the algorithms supported by CAAM can replace the native software implementations.
i.MX8M Mini Security Reference Manual
Detailed information is available in a Security Reference Manual available under NDA from NXP.
Linux Drivers
The Cryptographic Accelerator and Assurance Module (CAAM) driver is the Linux driver for Freescale's hardware crypto. It configures the hardware to operate as a DPAA component and creates job ring devices. Please see here for more detail.
In order to enable the CAAM driver from within the kernel, CONFIG_CRYPTO_DEV_FSL_CAAM must be set:
make menuconfig
- Kernel Cryptographic API → Hardware crypto devices → Freescale CAAM-Multicore driver backend
  - You can either build as a module via M or statically via Y
Once enabled, /proc/crypto will list that system's cipher support and where that support comes from. For example:

    root@focal-venice:~# cat /proc/crypto
    name         : rsa
    driver       : rsa-caam
    module       : caam_jr
    priority     : 3000
    refcnt       : 1
    selftest     : passed
    internal     : no
    type         : akcipher

    name         : cmac(aes)
    driver       : cmac-aes-caam
    module       : caam_jr
    priority     : 3000
    refcnt       : 1
    selftest     : passed
    internal     : no
    type         : ahash
    async        : yes
    blocksize    : 16
    digestsize   : 16
    ...
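To confirm that CAAM, rather than a software fallback, is what the Crypto API will actually select for an algorithm, the /proc/crypto listing above can be audited by priority. The following is an added example, not code from this wiki or the CAAM driver; the sample data is constructed and the software driver name in it is a placeholder.

```python
import sys

# Constructed sample in /proc/crypto format. The first two entries mirror the
# listing above; the software cmac(aes) entry is invented for illustration.
SAMPLE = """\
name         : rsa
driver       : rsa-caam
module       : caam_jr
priority     : 3000
selftest     : passed

name         : cmac(aes)
driver       : cmac-aes-caam
module       : caam_jr
priority     : 3000
selftest     : passed

name         : cmac(aes)
driver       : cmac-aes-software-example
module       : kernel
priority     : 100
selftest     : passed
"""

def parse_proc_crypto(text):
    """Return one dict per blank-line-separated /proc/crypto entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "name" in fields:
            entries.append(fields)
    return entries

def selected_drivers(entries):
    """Map each algorithm name to (driver, is_caam, selftest_ok) for its
    highest-priority entry, the one the Crypto API returns for that name.
    CAAM is matched on the driver name: 'module' reads 'kernel' if built in."""
    best = {}
    for e in entries:
        cur = best.get(e["name"])
        if cur is None or int(e.get("priority", 0)) > int(cur.get("priority", 0)):
            best[e["name"]] = e
    return {n: (e["driver"], "caam" in e["driver"], e.get("selftest") == "passed")
            for n, e in best.items()}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, (drv, hw, ok) in sorted(selected_drivers(parse_proc_crypto(text)).items()):
        print(f"{name:20} {drv:28} caam={hw} selftest_ok={ok}")
```

On a target, pass /proc/crypto as the first argument; any algorithm reported with caam=False is being served by a software implementation.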
The CAAM driver will also grant the ability to directly access the hardware random number generator via /dev/hwrng. This tremendously speeds up generation of random data.
For information on how to use the Linux Kernel Crypto API consult the kernel documentation:
For more information on the Linux Kernel Crypto API and how to use it from userspace, see: