Crypto API for Device Drivers

Driver-specific code shall use a crypto API that supports the basic cryptographic operations needed to implement a device-specific authentication state machine. Taking the IMX728 and IMX623 Sony sensor drivers (provided by default in DriveOS) as an example, the driver implementation uses the following basic crypto operations:

  • Initialize a crypto session

  • Find a key object in secure storage

  • Basic X509 certificate parsing

  • Digest SHA256 and Verify ECDSA secp256r1 (for X509 certificate verification)

  • GenerateKey (EC private+public keypair, AES keys)

  • DeriveKey (ECDHE, SP800 mechanisms)

  • Wrap/Sign operations

  • Decrypt AES_CBC

SIPL does not mandate that device drivers use any specific crypto API: the choice is left to the sole discretion of the camera device driver developer. Nevertheless, the SIPL CDI layer implements convenient APIs for the functionality listed above, that is, all the basic crypto operations required to authenticate Sony sensors. These APIs use the PKCS11 library internally (they are essentially wrappers on top of PKCS11 calls).

DevBlk CDI Crypto APIs

A custom driver developer can, if desired, use the existing DevBlk crypto APIs in the same way the existing Sony drivers use them. The available DevBlk crypto functionality is part of the CDI component and is described in the NVIDIA DriveOS API Reference.

PKCS11 Crypto APIs

DriveOS provides an implementation of the PKCS11 crypto API specification that uses the hardware crypto engine for acceleration.

Custom SIPL drivers can use the PKCS11 crypto APIs directly. DriveOS provides the corresponding header files with the API description:

#include <nvpkcs11.h>

#include <nvpkcs11_public_defs.h>

If the PKCS11 interface is used, the driver binary needs to be linked with libnvpkcs11.so during the build.

NVIDIA does not implement the full PKCS11 specification in the libnvpkcs11 library.

Additional Crypto APIs

A custom SIPL device driver can use any other crypto interface. For example, it can use the OpenSSL library, any other standard software crypto library, or even a direct implementation of basic crypto operations in the driver code itself. In this case, it is the responsibility of the driver developer to ensure appropriate security and safety compliance levels for the driver code.
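As an added illustration (not code from DriveOS, SIPL or the Sony drivers), the "basic X509 certificate parsing" step listed earlier can be implemented in driver code as a bounds-checked DER reader that splits a certificate into tbsCertificate (the bytes that are digested with SHA256), signatureAlgorithm and the signature BIT STRING that is passed to ECDSA verification. The names `der_elem`, `der_read`, `x509_split` and `sample_cert` are hypothetical, and the sample bytes are constructed, not a real certificate.

```c
#include <stddef.h>
#include <stdint.h>
/* One DER element: its tag, the whole TLV, and the value inside it. */
typedef struct { uint8_t tag; const uint8_t *tlv; size_t tlv_len;
                 const uint8_t *val; size_t val_len; } der_elem;
/* Read one TLV from buf[0..len). Returns 0 on success, -1 on malformed or
 * truncated input. Every declared length is checked against bytes remaining. */
static int der_read(const uint8_t *buf, size_t len, der_elem *out)
{
    size_t hdr = 2, vlen = 0;
    if (len < 2 || (buf[0] & 0x1f) == 0x1f) return -1; /* no multi-byte tags */
    if (buf[1] < 0x80) {
        vlen = buf[1];                                 /* short-form length */
    } else {
        size_t n = buf[1] & 0x7f;                      /* long form: n length bytes */
        if (n == 0 || n > 4 || len < 2 + n) return -1; /* no indefinite length */
        for (size_t i = 0; i < n; i++) vlen = (vlen << 8) | buf[2 + i];
        if (vlen < 0x80 || buf[2] == 0) return -1;     /* DER: minimal encoding */
        hdr += n;
    }
    if (vlen > len - hdr) return -1;                   /* value overruns buffer */
    out->tag = buf[0]; out->tlv = buf; out->tlv_len = hdr + vlen;
    out->val = buf + hdr; out->val_len = vlen;
    return 0;
}

/* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
 * tbs->tlv[0..tlv_len) is the digest input; sig is the signature BIT STRING. */
int x509_split(const uint8_t *cert, size_t len,
               der_elem *tbs, der_elem *alg, der_elem *sig)
{
    der_elem outer;
    if (der_read(cert, len, &outer) || outer.tag != 0x30) return -1;
    if (outer.tlv_len != len) return -1;               /* reject trailing bytes */
    const uint8_t *p = outer.val; size_t left = outer.val_len;
    if (der_read(p, left, tbs) || tbs->tag != 0x30) return -1;
    p += tbs->tlv_len; left -= tbs->tlv_len;
    if (der_read(p, left, alg) || alg->tag != 0x30) return -1;
    p += alg->tlv_len; left -= alg->tlv_len;
    if (der_read(p, left, sig) || sig->tag != 0x03) return -1;
    /* Nothing may follow the signature; the BIT STRING must have 0 unused bits. */
    if (sig->tlv_len != left || sig->val_len < 1 || sig->val[0] != 0) return -1;
    return 0;
}

/* Constructed sample, not a real certificate: SEQUENCE { SEQUENCE { INTEGER 2 },
 * SEQUENCE { NULL }, BIT STRING (0 unused bits, one payload byte) }. */
static const uint8_t sample_cert[] = { 0x30, 0x0d, 0x30, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x02, 0x05, 0x00, 0x03, 0x02, 0x00, 0xaa };
```

The reader only locates the three fields; the SHA256 digest and the ECDSA secp256r1 verification over them are still performed through whichever crypto API the driver uses.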