CAAM (Cryptographic Accelerator and Assurance Module)
The i.MX6 Cortex-A9 processor offers hardware encryption through NXP's Cryptographic Accelerator and Assurance Module (CAAM, also known as SEC4). The CAAM combines functions to create a modular and scalable acceleration and assurance engine.
Features
The CAAM supports:
- Secure memory feature with hardware-enforced access control
- Cryptographic authentication
  - Hashing algorithms
    - MD5
    - SHA-1
    - SHA-224
    - SHA-256
  - Message authentication codes (MAC)
    - HMAC with all hashing algorithms
    - AES-CMAC
    - AES-XCBC-MAC
  - Auto padding
  - ICV checking
- Authenticated encryption algorithms
  - AES-CCM (counter with CBC-MAC)
- Symmetric key block ciphers
  - AES (128-bit, 192-bit or 256-bit keys)
  - DES (64-bit keys, including key parity)
  - 3DES (128-bit or 192-bit keys, including key parity)
- Cipher modes
  - ECB, CBC, CFB, OFB for all block ciphers
  - CTR for AES
- Symmetric key stream ciphers
  - ArcFour (alleged RC4, with 40- to 128-bit keys)
- Random-number generation
  - Entropy is generated by an independent free-running ring oscillator
  - For lower power consumption, the oscillator is off when not generating entropy
  - NIST-compliant pseudo-random-number generator seeded with hardware-generated entropy
Kernel configuration
CAAM support is controlled by the following kernel configuration option:
Cryptographic API (CRYPTO) → Hardware crypto devices (CRYPTO_HW) → Freescale CAAM-Multicore driver backend (CRYPTO_DEV_FSL_CAAM)
It is enabled as built-in in the default ConnectCore 6 SBC kernel configuration file.
Platform driver mapping
The CAAM drivers are located at drivers/crypto/caam:

| File | Description |
|---|---|
| | CAAM control-plane driver backend |
| | CAAM/SEC 4.x functions for handling key-generation jobs |
| | NXP FSL CAAM support for crypto API |
| | NXP FSL CAAM support for hash functions of crypto API |
| | NXP FSL CAAM support for general memory keyblob encryption and decryption |
| | NXP FSL CAAM support for hw_random |
| | CAAM secure memory storage interface |
| | SNVS security violation handler |
| | CAAM/SEC 4.x functions for handling key-generation jobs |
Device tree bindings and customization
The CAAM device tree binding is documented at Documentation/devicetree/bindings/crypto/fsl-sec4.txt.
User space usage
True Random Number Generator (TRNG)
Digi Embedded Yocto uses the hardware TRNG to feed both /dev/random and /dev/urandom. Applications should use /dev/random and /dev/urandom as normal.
Cryptographic authentication
At runtime, /proc/crypto lists the system's cipher support and where each implementation comes from. A driver name ending in -caam means the algorithm is backed by the CAAM hardware:

```
root@ccimx6sbc:~# cat /proc/crypto
...
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv
...
```
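The listing above only shows that a CAAM implementation is registered. When several drivers register the same algorithm name, the kernel crypto API selects the one with the highest priority, and an implementation whose self-test did not pass is not used. The following added example (written for this page, not Digi or NXP code) parses /proc/crypto-format text and reports, for each algorithm name, whether the implementation the kernel will actually pick is a CAAM driver that passed its self-test. The sample records are constructed: the cbc-aes-caam record is taken from the listing above, while the software cbc(aes-generic) and sha256-caam records are invented to exercise the priority and self-test checks.

```python
"""Audit /proc/crypto for hardware-backed algorithms.

/proc/crypto is a sequence of blank-line separated records of
"key : value" lines. For a given algorithm name, the kernel selects
the registered implementation with the highest priority, so a CAAM
entry must both out-rank the software fallback and have passed its
self-test before user space can rely on it being used.
"""

# Constructed sample: first record copied from the listing on this page,
# the other two invented to show a software competitor and a failed check.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : skcipher
async        : no
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16

name         : sha256
driver       : sha256-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : unknown
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 32
"""


def parse_proc_crypto(text):
    """Split /proc/crypto text into a list of {key: value} records."""
    records = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            # Blank line terminates a record.
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def preferred_driver(records, name):
    """Return the record the kernel will select for `name` (highest priority)."""
    candidates = [r for r in records if r.get("name") == name]
    if not candidates:
        return None
    return max(candidates, key=lambda r: int(r.get("priority", "0")))


def hardware_backed(records, name, suffix="-caam"):
    """True if the selected driver is a CAAM driver whose self-test passed."""
    rec = preferred_driver(records, name)
    if rec is None:
        return False
    return rec.get("driver", "").endswith(suffix) and rec.get("selftest") == "passed"


def audit(text, names, suffix="-caam"):
    """Map each algorithm name to whether it is hardware-backed and verified."""
    records = parse_proc_crypto(text)
    return {n: hardware_backed(records, n, suffix) for n in names}


if __name__ == "__main__":
    # On the target, replace SAMPLE_PROC_CRYPTO with open("/proc/crypto").read().
    for name, ok in audit(SAMPLE_PROC_CRYPTO, ["cbc(aes)", "sha256", "md5"]).items():
        print(f"{name:12s} {'CAAM (selected, selftest passed)' if ok else 'not CAAM or not verified'}")
```

Run on the device, the script shows at a glance which algorithms OpenSSL or GnuTLS requests through the kernel will be offloaded to the CAAM and which will silently fall back to software.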
Digi Embedded Yocto uses the cryptodev user space support that, in turn, uses the crypto API in the Linux kernel:
- Port of the OpenBSD Cryptographic Framework
- /dev/crypto character device interface
- Not part of the kernel (must be built out of tree)
The following user space cryptographic libraries use the cryptodev support through /dev/crypto:
- OpenSSL
- GnuTLS
The caam_keyblob driver creates a character device, /dev/caam_kb, that user space can drive with the standard Linux API (open, close, ioctl) to encrypt and decrypt data blobs.