CAAM (Cryptographic Accelerator and Assurance Module)

Note: This topic contains Android-specific commands for the CAAM drivers. For information on other drivers and interfaces available on the ConnectCore 6, see Linux Board Support Package v3.14.

The i.MX6 processors offer hardware encryption through NXP's Cryptographic Accelerator and Assurance Module (CAAM, also known as SEC4). The CAAM combines functions to create a modular and scalable acceleration and assurance engine.

Features

The CAAM supports:

Kernel configuration

You can manage the CAAM support through the following kernel configuration options:

Cryptographic API (CRYPTO) → Hardware crypto devices (CRYPTO_HW) → Freescale CAAM-Multicore driver backend (CRYPTO_DEV_FSL_CAAM)

This option is enabled as built-in in the default kernel_imx/arch/arm/configs/ccimx6sbc_android_defconfig.

Platform driver mapping

The CAAM drivers are located at drivers/crypto/caam:

File              Description
ctrl.c            CAAM control-plane driver backend
jr.c              CAAM/SEC 4.x functions for handling key-generation jobs
caamalg.c         NXP FSL CAAM support for crypto API
caamhash.c        NXP FSL CAAM support for hash functions of crypto API
caam_keyblob.c    NXP FSL CAAM support for general memory keyblob encryption and decryption
caamrng.c         NXP FSL CAAM support for hw_random
sm_store.c        CAAM secure memory storage interface
secvio.c          SNVS security violation handler
key_gen.c         CAAM/SEC 4.x functions for handling key-generation jobs

Device tree bindings and customization

The CAAM device tree binding is documented at Documentation/devicetree/bindings/crypto/fsl-sec4.txt.

User space usage

True Random Number Generator (TRNG)

Digi Embedded for Android uses the hardware TRNG to feed both /dev/random and /dev/urandom. Applications should use /dev/random and /dev/urandom as normal.

Cryptographic authentication

At runtime, /proc/crypto lists the ciphers the system supports and the driver that provides each one.

root@ccimx6sbc:~# cat /proc/crypto
...
name : cbc(aes)
driver : cbc-aes-caam
module : kernel
priority : 3000
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : eseqiv
...
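
The following is an added example, not part of the original documentation or of Digi's code. It parses /proc/crypto output and reports, for each algorithm name, which driver has the highest priority, whether that driver is CAAM-backed, and whether its self-test passed. It assumes CAAM drivers can be recognized by the "-caam" suffix seen in the listing above; the sample input is constructed and the software driver names in it are made up.

```python
import sys

# Constructed sample in /proc/crypto format. The first record reuses the
# cbc-aes-caam entry from the listing above; the other drivers are made up.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc-aes-caam
priority     : 3000
selftest     : passed

name         : cbc(aes)
driver       : cbc-aes-sw-example
priority     : 100
selftest     : passed

name         : sha256
driver       : sha256-sw-example
priority     : 100
selftest     : passed
"""

def parse_proc_crypto(text):
    """Split blank-line-separated records into {field: value} dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            records.append(fields)
    return records

def caam_report(text, suffix="-caam"):
    """Map algorithm -> (selected driver, is CAAM?, selftest passed?)."""
    best = {}
    for rec in parse_proc_crypto(text):
        cur = best.get(rec["name"])
        # The crypto API hands out the highest-priority driver for a name.
        if cur is None or int(rec["priority"]) > int(cur["priority"]):
            best[rec["name"]] = rec
    return {n: (r["driver"], r["driver"].endswith(suffix), r.get("selftest") == "passed")
            for n, r in best.items()}

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, (driver, hw, ok) in sorted(caam_report(text).items()):
        print(f"{name:12} {driver:22} {'CAAM' if hw else 'software'} selftest={'ok' if ok else 'FAILED'}")
```

Run without input, the script uses the constructed sample; piping a saved copy of the device's /proc/crypto into it reports on the real system. An algorithm that shows up as "software" is not being offloaded to the CAAM.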

The caam_keyblob driver creates a char device under /dev/caam_kb that can be used to perform encryption and decryption of data blobs.