The i.MX6UL Cortex-A7 processor offers modular and scalable hardware encryption through NXP’s Cryptographic Accelerator and Assurance Module (CAAM, also known as SEC4).
Features
The CAAM on the i.MX6UL supports:
- Public key cryptography
  - Modular arithmetic
    - Addition, subtraction, multiplication, exponentiation, reduction, inversion, greatest common denominator
    - Both integer and binary polynomial functions
    - Modulus size up to 4096 bits
    - Arithmetic operations performed with 32-bit-digit arithmetic unit
    - Timing-equalized and normal versions of modular exponentiation
  - DSA
    - DSA sign and verify
    - Verify with private key
    - DSA key generation
    - Non-timing-equalized versions of private-key operations
    - Timing-equalized version signing and key generation
    - Non-timing-equalized versions of sign and key generation
  - Diffie-Hellman
    - Diffie-Hellman (DH) key agreement
    - Key generation
    - Timing-equalized versions of key agreement and key generation
    - Non-timing-equalized versions of key agreement and key generation
  - RSA
    - Modulus size up to 4096 bits
    - Public and private key operations
    - Private keys in (n,d), (p,q,d), or 5-part (p,q,dp,dq,c) forms
    - Private key operations (decrypt, sign) timing equalized to thwart side channel attack
    - Non-timing-equalized versions of private-key operations
  - Primality testing
    - Maximum size 4096 bits
  - Elliptic curve cryptography
    - Point add, point double, point multiply
    - Timing-equalized and normal versions point multiplication
    - Public key validation
    - Both prime field and binary polynomial field functions
    - Elliptic curve digital signature algorithm (ECDSA) sign and verify
    - ECDSA verify with private key
    - Elliptic curve Diffie-Hellman key agreement
    - ECDSA and ECDH key generation
    - Modulus size up to 1024 bits
    - Timing-equalized versions of ECDSA sign and key generation
    - Non-timing-equalized versions of sign and key generation
- Cryptographic authentication
  - Hashing algorithms
    - MD5
    - SHA-1
    - SHA-224
    - SHA-256
    - SHA-384
    - SHA-512
    - SHA-512/224
    - SHA-512/256
  - Message authentication codes (MAC)
    - HMAC-all hashing algorithms
    - AES-CMAC
    - AES-XCBC-MAC
    - Auto padding
    - ICV checking
  - Authenticated encryption algorithms
    - AES-CCM (counter with CBC-MAC)
    - AES-GCM (Galois counter mode)
  - Symmetric key block ciphers
    - AES (128-bit, 192-bit, or 256-bit keys)
    - DES (64-bit keys, including key parity)
    - 3DES (128-bit or 192-bit keys, including key parity)
    - Cipher modes
      - ECB, CBC, CFB, OFB for all block ciphers
      - CTR for AES
  - Symmetric key stream ciphers
    - ArcFour (alleged RC4 with 40 .. 128 bit keys)
  - Random-number generation
    - Entropy is generated via an independent free running ring oscillator
    - For lower-power consumption, oscillator is off when not generating entropy
    - NIST-compliant, pseudo random-number generator seeded using hardware-generated entropy
- Run-time integrity checking
  - SHA-256 message authentication
  - SHA-512 message authentication
  - Segmented data-gathering to support non-contiguous data blocks in memory
  - Support for up to four independent memory blocks
- Extensive virtualization features
  - Job rings can be time-shared by multiple security domains
  - Black keys are cryptographically separated per security domain
  - Blobs are cryptographically separated per security domain
  - Trusted descriptors are cryptographically separated per security domain
  - Secure memory partitions are separated per security domain
Kernel configuration
You can manage the CAAM support through the following kernel configuration options:
- Cryptographic API (CONFIG_CRYPTO)
- Hardware crypto devices (CONFIG_CRYPTO_HW)
- Freescale CAAM-Multicore driver backend (CONFIG_CRYPTO_DEV_FSL_CAAM)

These options are enabled as built-in in the default ConnectCore 6UL kernel configuration file.
Kernel driver
The CAAM drivers are located at drivers/crypto/caam:
File | Description |
---|---|
 | CAAM control-plane driver backend |
 | CAAM/SEC 4.x functions for handling key-generation jobs |
 | CAAM support for crypto API |
 | CAAM support for hash functions of crypto API |
 | CAAM support for general memory keyblob encryption and decryption |
 | CAAM support for hw_random |
 | CAAM secure memory storage interface |
 | SNVS security violation handler |
 | CAAM/SEC 4.x functions for handling key-generation jobs |
Device tree bindings and customization
The CAAM device tree binding is documented at Documentation/devicetree/bindings/crypto/fsl-sec4.txt.
User space usage
True Random Number Generator (TRNG)
Digi Embedded Yocto uses the hardware TRNG inside the CAAM to feed both /dev/random and /dev/urandom. Applications should use /dev/random and /dev/urandom as normal.
Cryptographic authentication
You can list the encryption algorithms supported by the system with cat /proc/crypto:
```
~# cat /proc/crypto
...
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000
refcnt       : 1
selftest     : passed
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv
...
```
For each algorithm you get a set of properties, including:
- name: the name of the algorithm.
- driver: the driver that provides this implementation. If the driver name contains caam, the CAAM hardware engine provides support for this encryption algorithm.
- priority: the higher the value, the higher the priority. Hardware-accelerated implementations normally have a higher priority than software implementations.
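The properties above decide which implementation serves a request made by algorithm name, so an audit should confirm that the highest-priority driver for each name is the CAAM one and that its self-test passed. The following script is an added example, not part of the original documentation; the sample records are constructed and trimmed to the fields used, and every driver name in them other than cbc-aes-caam is an assumption.

```shell
#!/bin/sh
# Added example: for each algorithm name, show the driver the kernel prefers.

# Constructed /proc/crypto excerpt (illustrative values, not from a real board).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
selftest     : passed

name         : cbc(aes)
driver       : cbc-aes-caam
priority     : 3000
selftest     : passed

name         : crc32c
driver       : crc32c-generic
priority     : 100
selftest     : passed
EOF
}

# crypto_winners [FILE]: print one line per algorithm name:
#   <name> <winning driver> <priority> <selftest> <CAAM|software>
crypto_winners() {
    awk -F' *: *' '
        function keep() {   # close the current record; keep it if it outranks
            if (name != "" && (!(name in prio) || p + 0 > prio[name] + 0)) {
                prio[name] = p; drv[name] = d; st[name] = s
            }
            name = d = p = s = ""
        }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { d = $2 }
        $1 == "priority" { p = $2 }
        $1 == "selftest" { s = $2 }
        /^[ \t]*$/       { keep() }   # records are separated by blank lines
        END {
            keep()
            for (n in prio)
                print n, drv[n], prio[n], st[n], (drv[n] ~ /caam/ ? "CAAM" : "software")
        }' "${1:--}" | sort
}

sample_proc_crypto | crypto_winners
```

On the target, run `crypto_winners /proc/crypto` and review every line marked software for algorithms you expected to be offloaded.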
To verify that an encryption or hashing operation is using the CAAM, check the interrupt count for the jr (job ring) devices. The example below shows how the interrupt count for 2142000.jr1 increases when performing AES CBC encryption with OpenSSL (which uses the CAAM).
```
~# cat /proc/interrupts | grep jr
305:          2       GPC 105 Level     2141000.jr0
306:          0       GPC 106 Level     2142000.jr1
307:          0       GPC  46 Level     2143000.jr2
~# openssl enc -in input.txt -out encrypted.bin -e -k mypassword -aes-128-cbc
~# cat /proc/interrupts | grep jr
305:          2       GPC 105 Level     2141000.jr0
306:        116       GPC 106 Level     2142000.jr1
307:          0       GPC  46 Level     2143000.jr2
```
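The before/after comparison above can be automated so that a test fails when an operation silently falls back to software. This script is an added example, not part of the original documentation; the function names are hypothetical, and the sample input is the two snapshots from the session above.

```shell
#!/bin/sh
# Added example: which CAAM job rings serviced interrupts while a command ran.

# jr_counts: read /proc/interrupts text on stdin, print "<job ring> <count>".
jr_counts() {
    awk '$NF ~ /\.jr[0-9]+$/ {
        total = 0
        # Sum the per-CPU counters that follow the "NNN:" label (one on i.MX6UL).
        for (i = 2; i <= NF && $i ~ /^[0-9]+$/; i++) total += $i
        print $NF, total
    }'
}

# jr_delta BEFORE AFTER: print "<job ring> <increase>" for rings that grew.
jr_delta() {
    { printf '%s\n' "$1" | jr_counts | sed 's/^/B /'
      printf '%s\n' "$2" | jr_counts | sed 's/^/A /'; } |
    awk '$1 == "B" { before[$2] = $3 }
         $1 == "A" && $3 + 0 > before[$2] + 0 { print $2, $3 - before[$2] }'
}

# caam_used CMD...: run CMD, then report the job rings it exercised.
# An empty result means no job ring interrupt fired while CMD ran.
caam_used() {
    before=$(cat /proc/interrupts)
    "$@" >/dev/null
    after=$(cat /proc/interrupts)
    jr_delta "$before" "$after"
}

# The two snapshots from the session above, reused as sample input.
SAMPLE_BEFORE='305: 2 GPC 105 Level 2141000.jr0
306: 0 GPC 106 Level 2142000.jr1
307: 0 GPC 46 Level 2143000.jr2'
SAMPLE_AFTER='305: 2 GPC 105 Level 2141000.jr0
306: 116 GPC 106 Level 2142000.jr1
307: 0 GPC 46 Level 2143000.jr2'

jr_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # prints: 2142000.jr1 116
```

The counters are system-wide, so run `caam_used` on an otherwise idle system; any other process using the CAAM during the measurement also raises them.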
Digi Embedded Yocto uses the cryptodev user space support that, in turn, uses the crypto API in the Linux kernel:
- Port of the OpenBSD Cryptographic Framework
- /dev/crypto character device interface
- Not part of the kernel (must be built out of tree)

The following user space cryptographic libraries use the cryptodev support through /dev/crypto:
- OpenSSL
- GnuTLS
The caam_keyblob driver creates a char device under /dev/caam_kb that can be used with the standard Linux API (open, close, ioctl) to perform encryption and decryption of data blobs.