i.MX6 CAAM - keyblob decryption fails after kernel upgrade

  • Hi,


    We are currently upgrading a custom board from Kernel 4.1 to 5.15.


    We are using NXP's CAAM driver to securely store a keyblob.


    After updating on a security-enabled device, decryption fails.


    Adding some debug prints in sm_store.c yields that the job returns with JRSTA_CCBERR_ERRID_ICVCHKL


    If I print the status instead of just returning -EBADMSG, I get the following output:


    Code
    1. [ 30.153764] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.
    2. [ 30.161259] caam_jr 2101000.jr: 2000081a: CCB: desc idx 8: AES: ICV check failed.


    The raw return value is 0x2000 081A, in case there is more information there.


    Any help is highly welcome. I can of course provide more information if needed.




    Thanks in advance and best regards


    FaBier

  • Hello FaBier,


    thank you for reaching out. We will take a look at this. If we need more Information, we will message you in this thread.


    Your F&S support Team

    F&S Elektronik Systeme GmbH
    As this is an international forum, please try to post in English.
    Da dies ein internationales Forum ist, bitten wir darum, Beiträge möglichst in Englisch zu verfassen.

  • Hello FaBier,


    I have used the CAAM module for partition encryption in fsimx6-Y2024.04. I did not get the error messages you wrote. Do you get the error messages at boot or while working with the keys? I used caam-keygen to generate the keys, and managed them with keyctl. Do you use the same tools?


    Your F&S support Team

    F&S Elektronik Systeme GmbH
    As this is an international forum, please try to post in English.
    Da dies ein internationales Forum ist, bitten wir darum, Beiträge möglichst in Englisch zu verfassen.