The full datasheet can be obtained only under an agreement with Marvell, and unfortunately we can’t provide it to non-CZ.NIC employees. This is sadly a limitation of using a pretty beefy processor. There might be some slimmed-down version of the datasheet available from alternative sources, but I am not aware of it.
Thanks for the link. I figured that the datasheet was NDA only. Very annoying.
I am still looking for the details on the turris-mox-rwtm module. It seems that it can sign, but I’d like to know in what formats it is signing.
I did read the module source at build_dir/target-aarch64_cortex-a53_musl/linux-mvebu_cortexa53/linux-4.14.180/drivers/crypto/turris-mox-rwtm.c but it doesn’t tell me anything about what is coming out.
The functional specification document for Armada 3720 is under NDA.
But on Mox we are running custom firmware on the Secure Processor (this firmware is derived from Marvell’s). You can find the sources in the mox-boot-builder repository, in the directory wtmi. See the file main.c; at the bottom, the various commands are registered via calls to mbox_register_cmd.
The turris-mox-rwtm kernel driver communicates via mailbox with this firmware.
Ah, it was not obvious (since I have no datasheet…) that these were calls into a secure enclave (vs a hardware function), and that the code is available. Wunderbar! I see that it is doing ECDSA signatures, and I am sure that I can decode the result, and make it useable for signing stuff. I would guess that will be at least as fast as any other CPU code, so making this work as an openssl engine (well, they changed the nomenclature for 3.0) would mean that we could use the built-in private key for HTTPS.
Thanks for that spec sheet. Block diagrams are always interesting. I used to play a Verilog hacker on TV, back in 2000. Given the firmware image, I will look rather to the TrustZone documents that I have somewhere.
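For the "decode the result" step discussed above, an added example (not from the thread and not Turris or Marvell code): OpenSSL-style consumers expect an ECDSA signature as a DER `SEQUENCE { INTEGER r, INTEGER s }`, so a raw pair of values has to be re-encoded. It assumes the signature arrives as two equal-width unsigned big-endian values r and s; the thread does not state the firmware's actual output layout, and `ecdsa_raw_to_der` and `RAW_MAX` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RAW_MAX 72 /* assumed upper bound per value; P-521 needs 66 bytes */
/* DER length octets for len < 256: short form, or 0x81 long form. */
static size_t der_len(uint8_t *out, size_t len)
{
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    out[0] = 0x81; out[1] = (uint8_t)len; return 2;
}

/* Encode an unsigned big-endian value (n >= 1 bytes) as a DER INTEGER. */
static size_t der_uint(uint8_t *out, const uint8_t *v, size_t n)
{
    size_t off = 0, pad;
    while (n > 1 && v[0] == 0) { v++; n--; } /* minimal form: drop leading zeros */
    pad = (v[0] & 0x80) ? 1 : 0;             /* 0x00 prefix keeps it non-negative */
    out[off++] = 0x02;
    off += der_len(out + off, n + pad);
    if (pad) out[off++] = 0x00;
    memcpy(out + off, v, n);
    return off + n;
}

/* Build SEQUENCE { INTEGER r, INTEGER s }; returns DER length, 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *r, const uint8_t *s, size_t n,
                        uint8_t *out, size_t cap)
{
    uint8_t body[2 * (RAW_MAX + 3)], hdr[3];
    size_t blen, hlen;
    if (n == 0 || n > RAW_MAX) return 0;
    blen = der_uint(body, r, n);
    blen += der_uint(body + blen, s, n);
    hdr[0] = 0x30; hlen = 1 + der_len(hdr + 1, blen);
    if (hlen + blen > cap) return 0;         /* caller's buffer too small */
    memcpy(out, hdr, hlen);
    memcpy(out + hlen, body, blen);
    return hlen + blen;
}

int main(void)
{
    /* Constructed sample values, not output from a real device. */
    const uint8_t r[4] = {0x00, 0x00, 0x12, 0x34}, s[4] = {0x9a, 0xbc, 0xde, 0xf0};
    uint8_t der[16];
    size_t i, len = ecdsa_raw_to_der(r, s, 4, der, sizeof der);
    for (i = 0; i < len; i++) printf("%02x%s", der[i], i + 1 == len ? "\n" : "");
    return len ? 0 : 1;
}
```

The long-form length branch matters for large curves: with 66-byte values the sequence body can exceed 127 bytes, which a short-form-only encoder would emit incorrectly.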