Digi
/
dey-examples
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dey-examples/caam-blob-example
History
Gabriel Valcazar 35b859e87a caam-blob-example: fix the maximum input size to match the one in the driver 
It was believed that the CAAM was able to create blobs from files of up to
1 MiB, because in some cases, encrypting and decrypting a large file would
result in a file identical to the original one. In reality, the CAAM's job
descriptors use 16 bits to store input/output sizes, so any size that takes up
more than 16 bits either causes the operation to fail or makes the CAAM
continue with the operation, but truncating the size to its 16 least
significant bits.

Encryption and decryption cycles that seem to work with large files are
actually encrypting and decrypting part of the original file and storing the
output in the memory address where the original file was stored, making it seem
like the process was successful when it really isn't. It's also possible that,
even if both operations work fine, the final decrypted file will differ from the
original one because it contains the decrypted truncated blob plus whatever
comes after it in memory.

Fix the size limit, dynamically alter it during runtime depending on the
operation and exit if the limit is surpassed to avoid including unrelated
memory contents in the output.

https://jira.digi.com/browse/DEL-7378

Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
 		2021-01-18 11:26:38 +01:00
..
Makefile caam-blob-example: add example demostrating CAAM blob usage 2019-06-12 13:14:18 +02:00
README.md caam-blob-example: fix the maximum input size to match the one in the driver 2021-01-18 11:26:38 +01:00
caam_keyblob.h caam-blob-example: add example demostrating CAAM blob usage 2019-06-12 13:14:18 +02:00
caam_ops.c caam-blob-example: fix build errors 2020-08-07 12:54:16 +02:00
caam_ops.h caam-blob-example: fix the maximum input size to match the one in the driver 2021-01-18 11:26:38 +01:00
main.c caam-blob-example: fix the maximum input size to match the one in the driver 2021-01-18 11:26:38 +01:00

README.md

CAAM blob Example Application

This example application shows how to encapsulate/decapsulate data to/from CAAM blobs. CAAM blobs are a way to protect sensitive data by encrypting their contents. You can think of CAAM blobs as data encrypted with an internal unreadable device-specific key which is protected by the hardware. Data encapsulated in a CAAM blob can only be decapsulated by the device that created it. When creating CAAM blobs, the input data size is limited to 65487 bytes. Note that CAAM blobs are slightly bigger than the input data (48 bytes bigger).

A key modifier may be used to further differentiate the key used in a particular blob.

WARNING: CAAM blobs are only secure if created in a secure boot enable device.

For more information about CAAM blobs, see 'Secure Storage' in the online documentation.

Note: This application is only supported when using a platform and Digi Embedded Yocto version that support Trustfence.

Running the application

The following example shows how to encrypt and decrypt and file in place:

~# echo "Test file" > test.txt
~# caam-blob-example -e test.txt
~# hexdump -C test.txt
00000000  01 ee 30 e3 31 6b 72 94  94 06 62 e2 ef 17 4e 05  |..0.1kr...b...N.|
00000010  34 c3 7b 96 58 35 ad b7  a2 89 b6 bc eb eb 81 39  |4.{.X5.........9|
00000020  3c b2 e7 d7 2d 93 7d ff  8b a8 80 bd 55 e9 70 cf  |<...-.}.....U.p.|
00000030  20 51 9f 15 9e c5 aa 68  b3 90                    | Q.....h..|
0000003a
~# caam-blob-example -d test.txt
~# hexdump -C test.txt
00000000  54 65 73 74 20 66 69 6c  65 0a                    |Test file.|
0000000a

You can also use the "-m" parameter to specify a key modifier. In that case, you also need the same key modifier to decrypt the data. The key modifier is a 16 byte value encoded as 32 hexadecimal characters. If you want to write the CAAM blob to a different file, add another positional argument.

~# caam-blob-example -e -m ff0102030405060708090a0b0c0d0e0f test.txt encrypted.bin
~# caam-blob-example -d encrypted.bin decrypted.txt
[ERROR] could not decrypt data.
[ERROR] Decryption failed
~# caam-blob-example -d -m ff0102030405060708090a0b0c0d0e0f encrypted.bin decrypted.txt
~# cat decrypted.txt
Test file

Compiling the application

This demo can be compiled using a Digi Embedded Yocto based toolchain. Make sure to source the corresponding toolchain of the platform you are using, for example, for ConnectCore 6UL:

~$ . <DEY-toolchain-path>/environment-setup-cortexa7hf-vfp-neon-dey-linux-gnueabi
~$ make

For more information, see the Digi Embedded Yocto online documentation.

License

Copyright 2019-2021, Digi International Inc.

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appears in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.