Thread: [Ocf-linux-users] AES hardware accelerator in OpenSSL with OCF
From: Palacios, H. <Hec...@di...> - 2009-01-28 16:18:26

Greetings,

I have a Netsilicon CPU (NS9215) which contains an AES accelerator which I want to use with OpenSSL. I have a Linux driver for this hardware AES module which uses the kernel 2.6.26 CryptoAPI.
This driver basically registers the cbc(aes) and ecb(aes) ciphers.

/ # cat /proc/crypto
name : cbc(aes)
driver : ns921x-aes
module : kernel
priority : 0
refcnt : 1
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(aes)
driver : ns921x-aes
module : kernel
priority : 400
refcnt : 1
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

I would like to have OpenSSL use this driver to accelerate encryption when using these ciphers.
I'm using openssl-0.9.8g and have integrated the OCF patches for the 2.6.26 version and for OpenSSL 0.9.8g (similarly as done in http://www.docunext.com/wiki/My_Notes_on_Patching_2.6.22_with_OCF). It builds ok and I obtain several modules: ocf.ko, cryptodev.ko cryptosoft.ko.
I load these three modules. The cryptosoft.ko loads my hardware AES driver.

By executing the OpenSSL commands with option '-engine cryptodev', OpenSSL seems to be using this engine. However, just with that my specific driver functions are not being called. For example I have tried with:
# openssl speed -engine cryptodev -evp aes128
and with
# time openssl enc aes128 -engine cryptodev -in testfile -out /dev/null -k test
I would appreciate any hint of how to tell OCF to call my driver functions.

Many thanks
--
Héctor Palacios

From: David M. <Dav...@se...> - 2009-01-28 22:35:08

Jivin Palacios, Hector lays it down ...
> Greetings,
>
> I have a Netsilicon CPU (NS9215) which contains an AES accelerator which I want to use with OpenSSL. I have a Linux driver for this hardware AES module which uses the kernel 2.6.26 CryptoAPI.
> This driver basically registers the cbc(aes) and ecb(aes) ciphers.
>
> / # cat /proc/crypto
> name : cbc(aes)
> driver : ns921x-aes
> module : kernel
> priority : 0
> refcnt : 1
> type : ablkcipher
> async : yes
> blocksize : 16
> min keysize : 16
> max keysize : 32
> ivsize : 0
> geniv : <default>
>
> name : ecb(aes)
> driver : ns921x-aes
> module : kernel
> priority : 400
> refcnt : 1
> type : ablkcipher
> async : yes
> blocksize : 16
> min keysize : 16
> max keysize : 32
> ivsize : 0
> geniv : <default>
>
>
> I would like to have OpenSSL use this driver to accelerate encryption when using these ciphers.
> Looking in the Internet I found the OCF project (http://ocf-linux.sourceforge.net/) which is supposed to do the link between the kernel CryptoAPI and OpenSSL by means of an engine called 'cryptodev' which makes use of device node /dev/crypto.
> I'm using openssl-0.9.8g and have integrated the OCF patches for the 2.6.26 version and for OpenSSL 0.9.8g (similarly as done in http://www.docunext.com/wiki/My_Notes_on_Patching_2.6.22_with_OCF). It builds ok and I obtain several modules: ocf.ko, cryptodev.ko cryptosoft.ko.
>
> By executing the OpenSSL commands with option '-engine cryptodev', OpenSSL seems to be using this engine. However, just with that my specific driver functions are not being called. For example I have tried with:
> # openssl speed -engine cryptodev -evp aes128
> and with
> # time openssl enc aes128 -engine cryptodev -in testfile -out /dev/null -k test
> I would appreciate any hint of how to tell OpenSSL or OCF to use my driver functions.

Have you loaded the cryptosoft driver ? It is needed to talk to the
cryptoAPI in the kernel.

    modprobe ocf
    modprobe cryptosoft
    modprobe cryptodev

You can check that cryptosoft is being used by loading it with the debug
parameter, or enabling debug later with:

    echo 1 > /sys/module/cryptosoft/parameters/swcr_debug

Check your syslog (or console output) for driver messages from cryptosoft
which will confirm it is being used when you run openssl.

Also remember to add the "-elapsed" option to openssl speed tests or the
results will look a little unusual to the casual observer.

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com

From: Palacios, H. <Hec...@di...> - 2009-01-29 08:08:49

Hi David,

> -----Original Message-----
> From: David McCullough [mailto:Dav...@se...]
> Sent: Wednesday, January 28, 2009 11:35 PM
> To: Palacios, Hector
> Cc: ocf...@li...
> Subject: Re: [Ocf-linux-users] AES hardware accelerator in OpenSSL with OCF

> Have you loaded the cryptosoft driver ? It is needed to talk to the
> cryptoAPI in the kernel.
>
> modprobe ocf
> modprobe cryptosoft
> modprobe cryptodev
>
> You can check that cryptosoft is being used by loading it with the debug
> parameter, or enabling debug later with:
>
> echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
>
> Check your syslog (or console output) for driver messages from cryptosoft
> which will confirm it is being used when you run openssl.

Yes, I load the cryptosoft module which eventually resolves and loads my hw driver:
/ # modprobe cryptosoft
ns921x-aes ns921x-aes.1: NS921x AES encryption/decryption module at 0xc187c000 (irq: 2)
/ # lsmod
Module                  Size  Used by    Tainted: P
ecb                     1920  0
aes_generic            33160  0
ns921x_aes              5716  0
cbc                     2464  0
crypto_blkcipher       12580  3 ecb,ns921x_aes,cbc
cryptomgr               2048  0
crypto_algapi          10752  6 ecb,aes_generic,ns921x_aes,cbc,crypto_blkcipher,cryptomgr
cryptosoft              9192  0
cryptodev              10916  0
ocf                    18496  2 cryptosoft,cryptodev
/ #

Do I have somehow to link the cbc(aes) and ecb(aes) to my driver functions?

> Also remember to add the "-elapsed" option to openssl speed tests or the
> results will look a little unusual to the casual observer.

I'll take note, thanks.
--
Héctor Palacios

From: David M. <Dav...@se...> - 2009-01-29 13:01:42

Jivin Palacios, Hector lays it down ...
> Hi David,
>
> > -----Original Message-----
> > From: David McCullough [mailto:Dav...@se...]
> > Sent: Wednesday, January 28, 2009 11:35 PM
> > To: Palacios, Hector
> > Cc: ocf...@li...
> > Subject: Re: [Ocf-linux-users] AES hardware accelerator in OpenSSL with OCF
>
> > Have you loaded the cryptosoft driver ? It is needed to talk to the
> > cryptoAPI in the kernel.
> >
> > modprobe ocf
> > modprobe cryptosoft
> > modprobe cryptodev
> >
> > You can check that cryptosoft is being used by loading it with the debug
> > parameter, or enabling debug later with:
> >
> > echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
> >
> > Check your syslog (or console output) for driver messages from cryptosoft
> > which will confirm it is being used when you run openssl.
>
> Yes, I load the cryptosoft module which eventually resolves and loads my hw driver:
> / # modprobe cryptosoft
> ns921x-aes ns921x-aes.1: NS921x AES encryption/decryption module at 0xc187c000 (irq: 2)
> / # lsmod
> Module                  Size  Used by    Tainted: P
> ecb                     1920  0
> aes_generic            33160  0
> ns921x_aes              5716  0
> cbc                     2464  0
> crypto_blkcipher       12580  3 ecb,ns921x_aes,cbc
> cryptomgr               2048  0
> crypto_algapi          10752  6 ecb,aes_generic,ns921x_aes,cbc,crypto_blkcipher,cryptomgr
> cryptosoft              9192  0
> cryptodev              10916  0
> ocf                    18496  2 cryptosoft,cryptodev
> / #
>
> Do I have somehow to link the cbc(aes) and ecb(aes) to my driver functions?

No, but you should probably make sure you have your driver loaded before
loading cryptosoft. Something like:

    modprobe your-driver
    modprobe ocf
    modprobe cryptosoft
    modprobe cryptodev

Just to be sure the algs are there when cryptosoft checks for them.

What functions does your driver provide ? You can see the list that
cryptosoft in the crypto_details table in cryptosoft.c. I am not an
expert on how the kernel crypto API matches up cbc(aes) to a driver
so I can't help you there.

> > Also remember to add the "-elapsed" option to openssl speed tests or the
> > results will look a little unusual to the casual observer.
>
> I'll take note, thanks.

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com

From: Hector P. <hec...@di...> - 2009-01-29 16:30:27

David McCullough wrote:
> What functions does your driver provide ? You can see the list that
> cryptosoft in the crypto_details table in cryptosoft.c

My driver provides cbc(aes) and ecb(aes) encryption algorithms for 128, 192, and 256 key lengths.
The crypto_details table in cryptosoft lists cbc(aes) among others, but not ecb(aes).
Does this table list the software algorithms provided by OCF?
Must I include somehow my algorithms to this list? Or at least ecb(aes)?

> I am not an
> expert on how the kernel crypto API matches up cbc(aes) to a driver
> so I can't help you there.

Thanks anyway.

From: David M. <Dav...@se...> - 2009-01-30 00:00:50

Jivin Hector Palacios lays it down ...
> David McCullough wrote:
> >What functions does your driver provide ? You can see the list that
> >cryptosoft in the crypto_details table in cryptosoft.c
>
> My driver provides cbc(aes) and ecb(aes) encryption algorithms for 128,
> 192, and 256 key lengths.
> The crypto_details table in cryptosoft lists cbc(aes) among others, but
> not ecb(aes).
> Does this table list the software algorithms provided by OCF?

No, just the ones supported by the cryptosoft driver, which is basically an
OCF to cryptoAPI wrapper.

> Must I include somehow my algorithms to this list? Or at least ecb(aes)?

Most of the OCF supported algs are already in there, so probably not.
OCF doesn't currently support ECB algs (at least I don't see it).

> > I am not an
> > expert on how the kernel crypto API matches up cbc(aes) to a driver
> > so I can't help you there.
>
> Thanks anyway.

Try putting the kernel AES module in, turning on debug in the cryptosoft
driver and see if that is getting used:

    insert aes module
    modprobe ocf
    modprobe cryptosoft swcr_debug=1
    modprobe cryptodev
    openssl speed -elapsed -evp aes

check kernel log/console output for cryptosoft debug output.

If that works then there must be some way for your driver to take over
cbc(aes) that you are missing. Perhaps the normal crypto API SW driver
is getting priority ?

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com

From: Hector P. <hec...@di...> - 2009-01-30 08:33:47

David McCullough wrote:
> Try putting the kernel AES module in, turning on debug in the
> cryptosoft driver and see if that is getting used:
>
> insert aes module
> modprobe ocf
> modprobe cryptosoft swcr_debug=1
> modprobe cryptodev
> openssl speed -elapsed -evp aes
>
> check kernel log/console output for cryptosoft debug output.

The output doesn't look very good...

/ # openssl speed -elapsed -evp aes -engine cryptodev
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
aes is an unknown cipher or digest
/ # cat /proc/crypto
name : cbc(aes)
driver : cbc(aes-generic)
module : cbc
priority : 100
refcnt : 1
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : aes
driver : aes-generic
module : aes_generic
priority : 100
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

I must pass -evp aes128|aes192|aes256 instead (or use 'aes' alone, without the '-evp' parameter), but I think it is using internal OpenSSL algorithms rather than OCF, as I still get the errors:

/ # openssl speed -elapsed -evp aes128 -engine cryptodev
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
No requested driver; select based on crid flags.
engine "cryptodev" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 81672 aes-128-cbc's in 0.00s
Doing aes-128-cbc for 3s on 64 size blocks: 20311 aes-128-cbc's in 0.00s
Doing aes-128-cbc for 3s on 256 size blocks: 5546 aes-128-cbc's in 0.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1432 aes-128-cbc's in 0.00s
...

Regards,
--
Hector Palacios

From: Hector P. <hec...@di...> - 2009-01-30 13:02:51

David McCullough wrote:
> insert aes module
> modprobe ocf
> modprobe cryptosoft swcr_debug=1
> modprobe cryptodev
> openssl speed -elapsed -evp aes
>
> check kernel log/console output for cryptosoft debug output.
>
> If that works then there must be some way for your driver to take over
> cbc(aes) that you are missing. Perhaps the normal crypto API SW driver
> is getting priority ?

Hi David,

I have seen that, if I load the kernel's aes_generic.ko and cbc.ko, then cryptosoft module reports that cbc(aes) algorithm is supported:
...
crypto_register(id=0x3, alg=11, maxoplen=0, flags=0x0)
...
and it eventually calls the kernel's aes_generic.c crypto functions (this seems to work, as you said).

On the other hand, if I simply load my driver, cryptosoft reports that the cbc(aes) algorithm is not supported:
...
cryptosoft_init:BLKCIPHER algorithm 11:'cbc(aes)' not supported
...

I don't see many differences between the way aes_generic loads the algorithm and the way my driver does it. The main difference is that aes_generic cra_flags is CRYPTO_ALG_TYPE_CIPHER while my driver is CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC.
In other words, my driver uses .cra_u.ablkcipher to define the crypto functions while the aes_generic uses .cra_u.cipher. Do you know if this makes any difference to OCF layer?

--
Hector Palacios

From: Palacios, H. <Hec...@di...> - 2009-02-05 16:36:47
Attachments: ablkciphers_cryptosoft.patch

> -----Original Message-----
> From: Hector Palacios [mailto:hec...@di...]
> Sent: Friday, January 30, 2009 12:16 PM
> To: David McCullough
> Cc: ocf...@li...
> Subject: Re: [Ocf-linux-users] AES hardware accelerator in OpenSSL with OCF
>
> I don't see many differences between the way aes_generic loads the
> algorithm and the way my driver does it. The main difference is that
> aes_generic cra_flags is CRYPTO_ALG_TYPE_CIPHER while my driver is
> CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC.
> In other words, my driver uses .cra_u.ablkcipher to define the crypto
> functions while the aes_generic uses .cra_u.cipher. Do you know if this
> makes any difference to OCF layer?

Hello,

I have solved the problem to make OCF work with my hw acceleration driver.
My driver is developed as an async block cipher (ablkcipher) and OCF did not have support but for blockciphers (sync).
I have done some really "quick & dirty" hacks to include support for ablkciphers in cryptosoft.c module.
They are really "dirty" because I don't know the internals of OCF, but they do the magic of linking my driver to OpenSSL which is what I wanted.
I attach here the patch I did to cryptosoft.c just in case anybody finds it interesting.

Regards,
--
Héctor Palacios

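The cause identified in this thread (cryptosoft asks for a synchronous blkcipher, so a driver registered only as ablkcipher is never a candidate) can be checked from /proc/crypto before running any benchmark. The following is an added example, not code from the thread or from OCF: a simplified model that assumes a request matches on exact type and then takes the highest priority, run over sample text constructed from the listings quoted in the thread.

```python
# Constructed sample: two cbc(aes) entries combined from the /proc/crypto
# listings quoted in the thread (hardware driver and software fallback).
PROC_CRYPTO = """\
name         : cbc(aes)
driver       : ns921x-aes
module       : kernel
priority     : 0
type         : ablkcipher
async        : yes

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : cbc
priority     : 100
type         : blkcipher
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if "name" in entry:
            entry["priority"] = int(entry.get("priority", 0))
            entries.append(entry)
    return entries

def select(entries, name, wanted_type):
    """Assumed model: exact type match first, then highest priority wins."""
    matches = [e for e in entries if e["name"] == name and e["type"] == wanted_type]
    return max(matches, key=lambda e: e["priority"], default=None)

def audit(entries, name, wanted_type="blkcipher"):
    """Report the driver a request would get and the drivers skipped by type."""
    chosen = select(entries, name, wanted_type)
    skipped = sorted(e["driver"] for e in entries
                     if e["name"] == name and e["type"] != wanted_type)
    return {"selected": chosen["driver"] if chosen else None, "skipped": skipped}

if __name__ == "__main__":
    all_entries = parse_proc_crypto(PROC_CRYPTO)
    hw_only = [e for e in all_entries if e["driver"] == "ns921x-aes"]
    print("hw driver only:", audit(hw_only, "cbc(aes)"))      # nothing usable
    print("hw + generic  :", audit(all_entries, "cbc(aes)"))  # software wins
```

With only the hardware driver present the model returns no usable implementation, which corresponds to the "not supported" message from cryptosoft; with the generic modules loaded, the request is served in software and the accelerator stays idle.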
From: David M. <Dav...@se...> - 2009-02-05 23:05:52

Jivin Palacios, Hector lays it down ...
> > -----Original Message-----
> > From: Hector Palacios [mailto:hec...@di...]
> > Sent: Friday, January 30, 2009 12:16 PM
> > To: David McCullough
> > Cc: ocf...@li...
> > Subject: Re: [Ocf-linux-users] AES hardware accelerator in OpenSSL with OCF
> >
> > I don't see many differences between the way aes_generic loads the
> > algorithm and the way my driver does it. The main difference is that
> > aes_generic cra_flags is CRYPTO_ALG_TYPE_CIPHER while my driver is
> > CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC.
> > In other words, my driver uses .cra_u.ablkcipher to define the crypto
> > functions while the aes_generic uses .cra_u.cipher. Do you know if this
> > makes any difference to OCF layer?
>
> Hello,
>
> I have solved the problem to make OCF work with my hw acceleration driver.
> My driver is developed as an async block cipher (ablkcipher) and OCF did not have support but for blockciphers (sync).
> I have done some really "quick & dirty" hacks to include support for ablkciphers in cryptosoft.c module.
> They are really "dirty" because I don't know the internals of OCF, but they do the magic of linking my driver to OpenSSL which is what I wanted.
> I attach here the patch I did to cryptosoft.c just in case anybody finds it interesting.

Great, thanks for that. I'll see if I can merge that in when I get some
cycles,

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org