wiki:venice/encryption

Version 5 (modified by Tim Harvey, 17 months ago)

removed link to trusted boot (it's now merged into secure boot)

Venice Security

This page is about the security modules of the i.MX8M Mini SoC used on Venice boards, in particular its hardware crypto engine (CAAM).

To read more about Trusted Execution Environment (TEE) on Venice, visit venice/secure_boot

To read more about Venice Secure Boot, visit venice/secure_boot

i.MX8M Mini Encryption

The i.MX8M Mini SoC offers hardware cryptography through NXP's (formerly Freescale's) Cryptographic Accelerator and Assurance Module (CAAM). NXP lists the following support:

  • Widevine ciphertext stealing (AES-CBC-CTS mode)
  • PlayReady content protection
  • Public key cryptography via the Public Key Hardware Accelerator (PKHA), with RSA up to 4096 bits and Elliptic Curve (ECC) algorithms
  • Run-Time Integrity Checker (RTIC)
  • DRM support for RSA, AES, 3DES and DES
  • Side channel attack resistance
  • True random number generator (TRNG)
  • Manufacturing protection support

These features are reached through the CAAM driver in the mainline Linux kernel. The driver registers CAAM's algorithms with the kernel Crypto API at a higher priority than the generic software implementations, so any in-kernel user that asks for an algorithm by name (dm-crypt, IPsec, fscrypt and so on) gets the hardware implementation transparently. Code that wants CAAM has to go through the Crypto API, either in-kernel or from user space over the AF_ALG socket interface; a user-space library such as OpenSSL computes everything in software unless it is configured to route through AF_ALG.

i.MX8M Mini Security Reference Manual

Detailed information is available in a Security Reference Manual available under NDA from NXP.

Linux Drivers

The CAAM driver (drivers/crypto/caam in the kernel tree) drives NXP's (formerly Freescale's) hardware crypto. It creates the job ring devices through which descriptors are submitted to the hardware, and configures the hardware to operate as a DPAA component where that feature is present. See the driver's Kconfig help text for more detail.

In order to enable the CAAM driver from within the kernel, CONFIG_CRYPTO_DEV_FSL_CAAM must be set:

  • make menuconfig
    • Kernel Cryptographic API → Hardware crypto devices → Freescale CAAM-Multicore driver backend
      • You can either build as a module via M or statically via Y

The algorithms themselves are provided by the Job Ring backend beneath that option (CONFIG_CRYPTO_DEV_FSL_CAAM_JR, which is the caam_jr module seen in the listing below) and its sub-options: CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API for ciphers and AEADs, CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API for hashes, CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API for RSA and CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API for the hardware RNG. Make sure the ones you need are enabled as well.

Once enabled, /proc/crypto lists every algorithm registered with the Crypto API, the driver that implements it and the priority the kernel uses to choose between implementations of the same name. CAAM's entries register at priority 3000, well above the generic software implementations (priority 100), so they are selected whenever that algorithm is requested; confirm that selftest reads passed for each. For example:

root@focal-venice:~# cat /proc/crypto 
name         : rsa
driver       : rsa-caam
module       : caam_jr
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : akcipher

name         : cmac(aes)
driver       : cmac-aes-caam
module       : caam_jr
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 16
digestsize   : 16

...
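The listing above answers "is CAAM present?" but not "which implementation will actually serve my request?", since several drivers usually register the same name. The following is an added example, not code from Gateworks or the kernel: it parses /proc/crypto text, applies the kernel's selection rule (highest priority among non-internal entries) and reports which requested algorithms would not land on a given module. The sample records are constructed in /proc/crypto format; on a board, run it against the real file.

```python
"""Which driver will the kernel use for each algorithm in /proc/crypto?

Added example for this page, not Gateworks or kernel code. The crypto API
resolves a request by name ("cbc(aes)") to the registered implementation
with the highest priority, so that entry is the one that actually runs.
CAAM registers at 3000; the generic C implementations at 100.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AlgEntry:
    name: str        # algorithm as requested by callers, e.g. "cbc(aes)"
    driver: str      # concrete implementation, e.g. "cbc-aes-caam"
    module: str      # providing module, "kernel" when built in
    priority: int
    selftest: str    # "passed", or "unknown" when the tests were disabled
    internal: bool   # internal building blocks are not selectable by name


# Constructed sample in /proc/crypto format (abridged records; a real file has
# more fields and hundreds of entries). Read the real one from "/proc/crypto".
SAMPLE = """\
name         : xts(aes)
driver       : xts(aes)
module       : kernel
priority     : 0
selftest     : unknown
internal     : no
type         : larval

name         : cbc(aes)
driver       : cbc-aes-caam
module       : caam_jr
priority     : 3000
selftest     : passed
internal     : no
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
selftest     : passed
internal     : no
type         : skcipher

name         : __cbc(aes)
driver       : __cbc-aes-ce
module       : kernel
priority     : 300
selftest     : passed
internal     : yes
type         : skcipher

name         : sha256
driver       : sha256-caam
module       : caam_jr
priority     : 3000
selftest     : passed
internal     : no
type         : ahash

name         : ecb(aes)
driver       : ecb(aes-generic)
module       : kernel
priority     : 100
selftest     : passed
internal     : no
type         : skcipher
"""


def parse_proc_crypto(text: str) -> list[AlgEntry]:
    """Parse /proc/crypto records (blank-line separated "key : value" lines)."""
    entries = []
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        # larvals are transient placeholders for in-progress lookups, not drivers
        if "driver" not in fields or fields.get("type") == "larval":
            continue
        entries.append(AlgEntry(fields["name"], fields["driver"],
                                fields.get("module", "kernel"),
                                int(fields.get("priority", 0)),
                                fields.get("selftest", "unknown"),
                                fields.get("internal") == "yes"))
    return entries


def winners(text: str) -> dict[str, AlgEntry]:
    """The entry the kernel selects for each requestable algorithm name."""
    best: dict[str, AlgEntry] = {}
    for e in parse_proc_crypto(text):
        if e.internal:
            continue
        if e.name not in best or e.priority > best[e.name].priority:
            best[e.name] = e
    return best


def not_offloaded(text: str, wanted, module: str = "caam_jr") -> list[str]:
    """Requested algorithms that will NOT run on `module` (absent or outranked)."""
    best = winners(text)
    return [a for a in wanted if a not in best or best[a].module != module]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/crypto"
    with open(path) as f:
        src = f.read()
    for name, e in sorted(winners(src).items()):
        print(f"{name:24} {e.driver:28} prio={e.priority:<5} selftest={e.selftest}")
```

Run it with no argument on the board to see the real selection table, or pass a saved copy of /proc/crypto. A name in the not_offloaded list means a software fallback (or nothing at all) will serve that algorithm, which is what you want to know before relying on CAAM for throughput or key isolation.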

The CAAM driver also registers the TRNG with the kernel's hw_random framework, which exposes it as /dev/hwrng and (through rngd, or the hw_random core itself depending on kernel version) uses it to seed the kernel entropy pool. This greatly speeds up entropy gathering, especially early in boot on a headless board with few other entropy sources. Applications should still use /dev/urandom or getrandom(), which benefit from that seeding, rather than consuming raw /dev/hwrng output directly.

For information on the Linux kernel Crypto API consult the kernel's own documentation under Documentation/crypto/ in the source tree; the user-space interface, which goes through AF_ALG sockets, is described in Documentation/crypto/userspace-if.rst.
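Using the kernel Crypto API from user space over AF_ALG, as an added example that is not Gateworks or kernel code. It assumes Linux with CONFIG_CRYPTO_USER_API_HASH and CONFIG_CRYPTO_USER_API_SKCIPHER and Python 3.6 or later. The kernel resolves the requested name to its highest-priority implementation, so on a Venice board with the CAAM driver loaded "sha256" and "cbc(aes)" run on CAAM without any change to this code; on a development PC they run in software. The test message is constructed.

```python
"""Use the kernel Crypto API from userspace through AF_ALG sockets.

Added example for this page, not Gateworks or kernel code. Assumes Linux
with CONFIG_CRYPTO_USER_API_HASH and CONFIG_CRYPTO_USER_API_SKCIPHER and
Python 3.6+. Which driver serves "sha256" / "cbc(aes)" is decided by the
kernel by priority; check /proc/crypto to see whether it is CAAM.
"""
import hashlib
import os
import socket


def kernel_hash(alg: str, data: bytes) -> bytes:
    """Digest `data` with the kernel's implementation of `alg` (e.g. "sha256")."""
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
        tfm.bind(("hash", alg))      # transform socket: selects the algorithm
        op, _ = tfm.accept()         # operation socket: one hashing context
        with op:
            op.sendall(data)
            return op.recv(64)       # the kernel returns exactly the digest size


def valid_cbc_input(key: bytes, iv: bytes, data: bytes) -> bool:
    """Raw cbc(aes) takes whole blocks only; padding/authentication is the caller's job."""
    return (len(key) in (16, 24, 32) and len(iv) == 16
            and len(data) > 0 and len(data) % 16 == 0)


def kernel_cbc_aes(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    """Encrypt or decrypt `data` with cbc(aes) in the kernel."""
    if not valid_cbc_input(key, iv, data):
        raise ValueError("cbc(aes): key must be 16/24/32 bytes, IV 16, data a non-empty multiple of 16")
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
        tfm.bind(("skcipher", "cbc(aes)"))
        tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
        op, _ = tfm.accept()
        with op:
            direction = socket.ALG_OP_ENCRYPT if encrypt else socket.ALG_OP_DECRYPT
            op.sendmsg_afalg([data], op=direction, iv=iv)
            return op.recv(len(data))


def selftest():
    """True if the kernel hash matches hashlib and CBC round-trips; None if AF_ALG is unusable here."""
    msg = b"Venice CAAM userspace crypto check"   # constructed test message
    try:
        digest = kernel_hash("sha256", msg)
        key, iv, pt = os.urandom(16), os.urandom(16), os.urandom(64)
        ct = kernel_cbc_aes(key, iv, pt, True)
        back = kernel_cbc_aes(key, iv, ct, False)
    except (AttributeError, OSError):
        # no AF_ALG in this Python or kernel, algorithm not built, or socket blocked (seccomp)
        return None
    return digest == hashlib.sha256(msg).digest() and ct != pt and back == pt


if __name__ == "__main__":
    print("kernel sha256:", kernel_hash("sha256", b"abc").hex())
    print("selftest:", selftest())
```

A bind() failing with ENOENT means the kernel has no implementation of that name (or the user-space API for that algorithm type is not built); EAFNOSUPPORT means AF_ALG itself is absent. Note that the key passed via ALG_SET_KEY still lives in kernel memory and is set by user space, so this path gives you hardware speed, not key isolation; that requires CAAM's black-key or secure-key mechanisms, which are outside the scope of this page.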
