AM625: Unique per-device encryption on AM625 from Linux userland

Hi Ben 

Our crypto HW is also exposed in Linux userspace through the standard kernel crypto APIs

https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/11_00_09_04/exports/docs/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.html

 You would find some online references of simple examples for using that API manually from C code. 

Quick google , very first result looks good, https://blog.cloudflare.com/the-linux-crypto-api-for-user-applications/

Our key Linux expert on this topic is out of office for next couple of weeks, so for follow up queries responses maybe delayed but hope this helps.

Regards

Mukul 

Hello,

Ben said:

We need to be able to encrypt some data on our AM625 platform uniquely per-device,

If you want unique per device encryption, you have to use some sort of unique identity tied to the SoC. For this purpose, it would be the DKEK which can be used for symmetric key:

https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/dkek_management.html

Regards,

Prashant

Hello Mukul, Prashant,

Thank you for your responses.

For retrieving the DKEK, is there a more general guide for how to use the TISCI interface from Linux userspace? e.g. how would I retrieve the DKEK to use for symmetric encryption (actually performing the encryption isn't a problem as I already use OpenSSL for these operations).

I've had a look through the ti_sci.c kernel module, but it's not immediately clear to me how I should interact with it from userspace, so hoping there's a guide?

Kind regards,
Ben 

Hi Ben,

It may not be possible to get the DKEK from the Linux as the Linux is a non-secure host while the TISCI_MSG_CRYPTO_GET_DKEK can only be requested from a secure host like ATF/OPTEE.

So, you would have to route the request through the OPTEE

https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/plat-k3/drivers/ti_sci.c#L308-L308

The same is used for deriving the HUK:

https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/plat-k3/main.c#L95-L95

Regards,

Prashant

Hi Prashant,

Thanks for clarifying.

So how would I route the request via OP-TEE? Would I need to implement custom OP-TEE software to achieve this? Could you point me to a code example please?

Kind regards,
Ben

Hello,

This would involves writing an OPTEE userpace application like the followings:

https://github.com/linaro-swg/optee_examples

I will check once internally if there is any reference code available.

Regards,

Prashant

Hello,

After discussing internally, it is not recommended to expose the DKEK in a non-secure world. Is it possible for you to leverage the Secure Storage from the OPTEE for your use case?

Thanks!

Hello Prashant,

Yes, I think OP-TEE Secure Storage would work for us. Can you provide a usage example please, ideally from a C userspace application?

Kind regards,
Ben

Hi Ben,

Have you tried the publicly available secure storage example?

https://github.com/linaro-swg/optee_examples/tree/master/secure_storage

Regards,

Prashant