Cryptographic Accelerator and Assurance Module (CAAM)

The i.MX8M Nano CPU offers modular and scalable hardware encryption through NXP’s Cryptographic Accelerator and Assurance Module (CAAM, also known as SEC4).

Features

The CAAM on the i.MX8M Nano CPU includes the following features:

Kernel configuration

You can manage the CAAM support through the following kernel configuration options:

Cryptographic API (CONFIG_CRYPTO)
Hardware crypto devices (CONFIG_CRYPTO_HW)
Freescale CAAM-Multicore driver backend (CONFIG_CRYPTO_DEV_FSL_CAAM)

which are enabled as built-in on the default ConnectCore 8M Nano kernel configuration file.

The set of kernel configuration options depending on CRYPTO_DEV_FSL_CAAM further configures CAAM support.

Kernel driver

The CAAM drivers are located at drivers/crypto/caam:

File Description

File	Description
`ctrl.c`	CAAM control-plane driver backend
`jr.c`	CAAM/SEC 4.x functions for handling key-generation jobs
`caamalg.c`	CAAM support for crypto API
`caamhash.c`	CAAM support for hash functions of crypto API
`caam_keyblob.c`	CAAM support for general memory keyblob encryption and decryption
`caamrng.c`	CAAM support for hw_random
`sm_store.c`	CAAM secure memory storage interface
`secvio.c`	SNVS security violation handler
`key_gen.c`	CAAM/SEC 4.x functions for handling key-generation jobs

ctrl.c

CAAM control-plane driver backend

jr.c

CAAM/SEC 4.x functions for handling key-generation jobs

caamalg.c

CAAM support for crypto API

caamhash.c

CAAM support for hash functions of crypto API

caam_keyblob.c

CAAM support for general memory keyblob encryption and decryption

caamrng.c

CAAM support for hw_random

sm_store.c

CAAM secure memory storage interface

secvio.c

SNVS security violation handler

key_gen.c

CAAM/SEC 4.x functions for handling key-generation jobs

Device tree bindings and customization

The CAAM device tree binding is documented at Documentation/devicetree/bindings/crypto/fsl-sec4.txt.

User space usage

True Random Number Generator (TRNG)

Digi Embedded Yocto uses the hardware TRNG inside the CAAM to feed both /dev/random and /dev/urandom. Applications should use /dev/random and /dev/urandom as normal.

Cryptographic and authentication algorithms

You can list the encryption algorithms supported by the system with cat /proc/crypto:

# cat /proc/crypto
...
name : cbc(aes)
driver : cbc-aes-caam
module : kernel
priority : 3000
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : eseqiv
...

For each algorithm you get a set of properties, including:

name: the name of the algorithm
driver: the driver that provides this support. If the driver contains caam it means the CAAM hardware engine provides support for this encryption algorithm.
priority: the higher the value, the higher the priority. Normally hardware-accelerated algorithms have higher priority over software algorithms.

To verify if an encryption or hashing operation is using the CAAM, you can check the interruption count for the jr (job ring) devices.

# grep -E "jr|CPU0" /proc/interrupts
           CPU0       CPU1       CPU2       CPU3
 69:        587          0          0          0     GICv3 138 Level     30902000.jr

CAAM blobs

The caam_keyblob driver creates a char device under /dev/caam_kb that can be used with the standard Linux API (open, close, ioctl) to perform encryption and decryption of CAAM blobs.

See Secure storage for more information about CAAM blobs.