This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

J721EXSOMXEVM: A driver of crypto hardware accelerator for J721E DRA829 supports AES-GCM or not

Part Number: J721EXSOMXEVM
Other Parts Discussed in Thread: DRA829

Tool/software:

Hello!

We have some questions about crypto hardware accelerator for J721E DRA829.


1) Crypto API Driver for Linux SDK
Does the following crypto API driver for Linux SDK support AES-GCM ?
We would like to ask this driver can work AES-GCM correctly or not.

https://software-dl.ti.com/jacinto7/esd/processor-sdk-linux-jacinto7/08_01_00_07/exports/docs/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto.html

Note: I have gotten cryptodev source code by following steps.
https://software-dl.ti.com/jacinto7/esd/processor-sdk-linux-jacinto7/08_06_01_02/exports/docs/linux/Overview_Building_the_SDK.html#build-options


2) A driver in J721E SDK
Does a drive in following J721E SDK support AES-GCM ?

SDK file name:
ti-processor-sdk-rtos-j721e-evm-08_05_00_11.tar.gz

Driver directory Name:
ti-processor-sdk-rtos-j721e-evm-08_05_00_11/pdk_jacinto_08_05_00_36/packages/ti/drv/sa

We would like to ask this driver can work AES-GCM correctly or not.

Thank you very much in advance.

Regards, S.Saito

  • Hi,

    https://elixir.bootlin.com/linux/latest/source/drivers/crypto/sa2ul.c

    The Linux driver doesn't support aes-gcm.

    The same is true with rtos. 

    Best Regards,

    Keerthy

  • Hi Keerthy san

    Thank you for your quick response.

    We have just implemented sa2ul driver for hardware acceleration. This driver owns APIs in below URL.
    https://software-dl.ti.com/mcu-plus-sdk/esd/AM64X/09_00_00_35/exports/docs/api_guide_am64x/SECURITY_SA2UL_MODULE_PAGE.html#autotoc_md1912

    Since this driver does not support AES-GCM, we tried to customize it based on SPRUIL3B.pdf, section[3.2.3 GCM Encryption].
    But it looks AES-GCM encryption and decryption does not work as expected.

    Could you answer below questions and let me know ?

    [Questions]
    1) About transfer data to hardware:
    What is correct data our driver must transfer to hardware in AES-GCM case ?

    2) About authentication tag:
    Our driver cannot receive the authentication tag produced by AES-GCM from hardware.
    What do we need to receive it ?


    Details is as below:

    [Steps]
    1)Encrypt input data using AES-GCM
    2)Decrypt ciphertext using AES-GCM
    3)Compare input data with decryption data

    [Result]
    Input data and decryption data do mismatch.

    [ENC]result[0]:53
    [ENC]result[1]:0f
    [ENC]result[2]:8a
    [ENC]result[3]:fb
    [ENC]result[4]:c7
    [ENC]result[5]:45
    [ENC]result[6]:36
    [ENC]result[7]:b9
    [ENC]result[8]:a9
    [ENC]result[9]:63
    [ENC]result[10]:b4
    [ENC]result[11]:f1
    [ENC]result[12]:c4
    [ENC]result[13]:cb
    [ENC]result[14]:73
    [ENC]result[15]:8b

    [Security context data using DMA transfer]

    The following data is transferred from our driver to hardware.

    - start of encryption context
    our driver :0x14610044
    SPRUIL3B.pdf :0x0c610044
    Note:
    Difference!!. When we set 0x0c610044 to this field based on SPRUIL3B.pdf, our driver cannot receive ciphertext from hardware.


    - MCE instructions for GCM
    [0]:88a9fe83
    [1]:997e582e
    [2]:8a907141
    [3]:839d63aa
    [4]:0b7e9a78
    [5]:3aa38b1e
    => same as "Addr N+64B" in section[3.2.3 GCM Encryption] in [SPRUIL3B.pdf]

    - encryption key
    [0]:00000000
    [1]:00000000
    [2]:00000000
    [3]:00000000
    [4]:00000000
    [5]:00000000
    [6]:00000000
    [7]:00000000
    => same as "Addr N+96B:" in above section

    - Aux1
    [0]:dc95c078
    [1]:a2408989
    [2]:ad48a214
    [3]:92842087
    [4]:00000000
    [5]:00000080
    [6]:00000000
    [7]:00000080
    => same as "Addr N+128B:" in above section


    [TX descriptor data]
    The following data is transferred from our driver to hardware.
    Could you please confirm if below data correct or not ?

    [PS Info]
    ps1:02e90000
    ps2:14300010
    ps3:00596272

    [SW info]
    word 0:45000000
    word 1:c048f240
    word 2:10000000

    option[0]:00000000
    option[1]:00000000
    option[2]:00000000
    option[3]:00000080
    option[4]:00000000
    option[5]:00000000
    option[6]:00000000
    option[7]:00000000
    option[8]:00000000
    option[9]:00000000
    option[10]:00000000
    option[11]:00000001

    Thank you very much in advance.
    Regards, S.Saito

  • Hi Saito-san,

    I checked with our team and unfortunately, we do not have the bandwidth from our experts to support addition of new encryption modes, so support will be very limited from TI-side. 

    Looking through our Linux driver, I see the following algorithms supported:

    enum sa_algo_id {
    SA_ALG_CBC_AES = 0,
    SA_ALG_EBC_AES,
    SA_ALG_CBC_DES3,
    SA_ALG_ECB_DES3,
    SA_ALG_SHA1,
    SA_ALG_SHA256,
    SA_ALG_SHA512,
    SA_ALG_AUTHENC_SHA1_AES,
    SA_ALG_AUTHENC_SHA256_AES,
    };
    Is it possible to use any of these other encryption methods for your purpose?
    Regards,
    Takuma