Cryptographic App' exploiting the Freescale iMX6 CAAM

the CAAM is a protected module.

fresscale faes can share those to you. check this and this

no sure if NDA is required or check with your board vendor .

Fabien,

     As I am a programmer of many years and have done crypto work for a few of them, This subject is very vast. Here are some of the high level details:

1. The keys must be created using two large prime numbers to create asymmetrical pairs usually RSA.
2. One being the private and is store in protected tamper proof storage over the DMA channel.
3. The other public key is shared with whoever will encrypt the message.
4. The reverse is needed for two way communications.
5. A signature is created in a similar  way to authenticate senders. with a exchange.
6. These are done with PKI interface.
7. Now plaintext is broken done into blocks and encrypted using AES 128 maybe. There are various flavors depending on usage. ECB is one type. The cipher is added to the RSA of the AES block and sent together.

I could go on, but the explanation would be long. Therefore the documentation to the low level is seldom divulge due to details like this. I would encourage you to read about enigma machine used by German in WWII to get a taste. BTW, I plan on writing code to emulate the real machine used back then in near future, if you wish to learn more. Follow me if you wish.

Cheers,

Clem

Hi Clem,

I think there are a misunderstanding ...

My question is more about "How to implement an AES - ECB" rather than " what is an ECB mode..."

I understand cryptography theory. But I don't understand How implement through the CAAM accelerator.

So if you have a code C example using CAAM it could be helpful .

Cheers,

Fabien.

Hi Kyle,

I've already contact Freescale about this topic

and they gave me this link : https://community.freescale.com/thread/338204

So I'll test this answer.

Cheers,

Fabien.

Hi Fabien

I don't know the OS you are working with

I don't have specific experience on iMX6, but I implemented a crypto accelerator in an Altera CycloneV FPGA. In that case, the OS was Linux and the interface to the software was done by writing an OpenSSL engine. It's not a difficult task to write and load a new engine... just google and you will find wealth of information about the topic.

In case you need some extra help, just ask!

Hi Ambrogio,

Thank you for your answer.

I've 3 board :

- Riotboard running with linaro-ubuntu-desktop (Ubuntu 11.10) )/ Linux 3.0.35-02871-ga35ffe3

- RIoTboard running with Android 4.3 / Linux 3.0.35-06429-g55e239f

- Sabrelite board running with Android 4.4 / Linux 3.13.0-44 generic

I have already read some articles about OpenSSL cryptographic acceleration using CAAM ( secure hardward module in iMX6).

The main difficulty that I've seen is how to know if the OpenSSL cryptographic library use the hardware accelerator module or a software module.

Because in Linux you have  into /proc/crypto you have some software implementation of AES, RSA and others...

My problem is that I want to be sure that my program use CAAM of the iMX6.

See you .

Fabien.

.

Hi Fabien

When you register your own cryptoengine for a specific algorithm (RSA; AES, etc) that engine will be used in place of the default one. I had a look at the source code and, when you dynamically load a cryptoengine, it is added in front of a queue of engines. OpenSSL then scans the queue from begin to end looking for an engine that can process a given algorithm. Hence, the last engine you register for a specific algortihm will be for sure used for that algorithm

Ok Ambrogio, thank you for these precisions.

For the moment I trying others trick about CAAM handling.

If I succeed I'll write here.

After that I'll try OpenSSL.

Thank you for your help.

Fabien.