CAAM (Cryptographic Accelerator and Assurance Module)
The i.MX6 Cortex-A9 processor offers hardware encryption through NXP's Cryptographic Accelerator and Assurance Module (CAAM, also known as SEC4). The CAAM combines functions to create a modular and scalable acceleration and assurance engine.
Features
The CAAM supports:
- Secure memory feature with hardware-enforced access control
- Cryptographic authentication
- Hashing algorithms
- MD5
- SHA-1
- SHA-224
- SHA-256
- Message authentication codes (MAC)
- HMAC with all hashing algorithms
- AES-CMAC
- AES-XCBC-MAC
- Auto padding
- ICV checking
- Authenticated encryption algorithms
- AES-CCM (counter with CBC-MAC)
- Symmetric key block ciphers
- AES (128-bit, 192-bit or 256-bit keys)
- DES (64-bit keys, including key parity)
- 3DES (128-bit or 192-bit keys, including key parity)
- Cipher modes
- ECB, CBC, CFB, OFB for all block ciphers
- CTR for AES
- Symmetric key stream ciphers
- ArcFour (Alleged RC4 with 40 - 128 bit keys)
- Random-number generation
- Entropy is generated via an independent free-running ring oscillator
- For lower-power consumption, oscillator is off when not generating entropy
- NIST-compliant, pseudo random-number generator seeded using hardware-generated entropy
Kernel configuration
You can manage the CAAM support through the following kernel configuration options:
Cryptographic API (CRYPTO) → Hardware crypto devices (CRYPTO_HW) → Freescale CAAM-Multicore driver backend (CRYPTO_DEV_FSL_CAAM)
which is enabled as built-in on the (missing or bad snippet).
Platform driver mapping
The CAAM drivers are located at drivers/crypto/caam:
|
File |
Description |
|---|---|
|
CAAM control-plane driver backend |
|
|
CAAM/SEC 4.x functions for handling key-generation jobs |
|
|
NXP FSL CAAM support for crypto API |
|
|
NXP FSL CAAM support for hash functions of crypto API |
|
|
NXP FSL CAAM support for general memory keyblob encryption and decryption |
|
|
NXP FSL CAAM support for hw_random |
|
|
CAAM secure memory storage interface |
|
|
SNVS security violation handler |
|
|
CAAM/SEC 4.x functions for handling key-generation jobs |
Device tree bindings and customization
The CAAM device tree binding is documented at Documentation/devicetree/bindings/crypto/fsl-sec4.txt.
User space usage
True Random Number Generator (TRNG)
Digi Embedded Yocto uses the hardware TRNG inside the CAAM to feed both /dev/random and /dev/urandom. Applications should use /dev/random and /dev/urandom as normal.
Cryptographic authentication
You can list the encryption algorithms supported by the system with cat /proc/crypto:
root@ccimx6sbc:~# cat /proc/crypto ... name : cbc(aes) driver : cbc-aes-caam module : kernel priority : 3000 refcnt : 1 selftest : passed type : ablkcipher async : yes blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : eseqiv ...
For each algorithm you get a set of properties, including:
- name: the name of the algorithm
- driver: the driver that provides this support. If the driver contains caam it means the CAAM hardware engine provides support for this encryption algorithm.
- priority: the higher the value, the higher the priority. Normally hardware-accelerated algorithms have higher priority over software algorithms.
To verify if an encryption or hashing operation is using the CAAM, you can check the interruption count for the jr (job ring) devices. The example below shows how the interruption count for 2142000.jr1 increases when performing AES CBC encryption with OpenSSL (which uses the CAAM).
root@ccimx6ulsbc:~# cat /proc/interrupts | grep jr 305: 2 GPC 105 Level 2141000.jr0 306: 0 GPC 106 Level 2142000.jr1 307: 0 GPC 46 Level 2143000.jr2 root@ccimx6ulsbc:~# openssl enc -in input.txt -out encrypted.bin -e -k mypassword -aes-128-cbc root@ccimx6ulsbc:~# cat /proc/interrupts | grep jr 305: 2 GPC 105 Level 2141000.jr0 306: 116 GPC 106 Level 2142000.jr1 307: 0 GPC 46 Level 2143000.jr2
Digi Embedded Yocto uses the cryptodev user space support that, in turn, uses the crypto API in the Linux kernel:
- Port of the OpenBSD Cryptographic Framework
- /dev/crypto character device interface
- Not part of the kernel (must be built out of tree)
The following user space cryptographic libraries use the cryptodev support through /dev/crypto:
- OpenSSL
- GnuTLS
The caam_keyblob driver creates a char device under /dev/caam_kb that can be used with the standard Linux API (open, close, ioctl) to perform encryption and decryption of data blobs.
