New IT forum

Topic: [HOWTO] Hardware cryptographic acceleration with OpenSSL

klockren


*******************
HOWTO is in the reply!
*******************

Hi,
We are using the Debian build and kernel (2.6.33.6) from http://code.google.com/p/dreamplug/downloads/list
Now, we are VERY eager to get hardware crypto acceleration working!
As I have understood, as OpenSSL lacks an engine for MV_CESA (the Marvell AES hardware acceleration), I will have to apply kernel patches for OCF (OpenBSD Cryptographic Framework), to make a /dev/crypto device and then patch OpenSSL to use OCF through a cryptodev engine.
Kernel patching:
Code:
vpnserver:/usr/src/linux# patch -p1 < crypto/ocf/patches/linux-2.6.33-ocf.patch
But the kernel make fails building OCF kernel modules
Code:
  LD      crypto/ocf/built-in.o
  CC [M]  crypto/ocf/crypto.o
  CC [M]  crypto/ocf/criov.o
  CC [M]  crypto/ocf/random.o
  CC [M]  crypto/ocf/rndtest.o
  LD [M]  crypto/ocf/ocf.o
  CC [M]  crypto/ocf/cryptodev.o
  CC [M]  crypto/ocf/cryptosoft.o
  CC [M]  crypto/ocf/ocf-bench.o
  LD      crypto/ocf/kirkwood/built-in.o
  CC [M]  crypto/ocf/kirkwood/cesa/mvCesa.o
In file included from crypto/ocf/kirkwood/cesa/mvCesa.h:77,
                 from crypto/ocf/kirkwood/cesa/mvCesa.c:65:
crypto/ocf/kirkwood/mvHal/linux_oss/mvOs.h:34:28: error: linux/autoconf.h: No such file or directory
In file included from crypto/ocf/kirkwood/mvHal/kw_family/ctrlEnv/mvCtrlEnvSpec.h:69,
                 from crypto/ocf/kirkwood/cesa/mvCesa.h:81,
                 from crypto/ocf/kirkwood/cesa/mvCesa.c:65:
crypto/ocf/kirkwood/mvHal/mvSysHwConfig.h:34:48: error: ../../../../include/linux/autoconf.h: No such file or directory
make[3]: *** [crypto/ocf/kirkwood/cesa/mvCesa.o] Error 1
make[2]: *** [crypto/ocf/kirkwood] Error 2
make[1]: *** [crypto/ocf] Error 2
make: *** [crypto] Error 2

And OpenSSL 0.9.8n (the latest version where OCF patches exist) fails to patch.

Has anyone successfully built OCF kernel modules and OpenSSL with cryptodev engine? Can you share your code with me?

Thanks!!!
« Last Edit: 04 May 2011, 07:50:15 am by klockren »

klockren

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #1 on: 04 May 2011, 07:48:28 am »

OK, I think that I solved it.

I skipped the OCF kernel patch, and instead built the CryptoDev module.
I also succeeded in patching and building OpenSSL 0.9.8n.

This is my how-to:
Code:
#!/bin/sh
mkdir -p /root/build; cd /root/build
# Build and load the cryptodev kernel module (provides /dev/crypto)
wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.0.tar.gz; tar xzf cryptodev-linux-1.0.tar.gz; cd cryptodev-linux-1.0
make; make install; cd ..
echo "cryptodev" >> /etc/modules
modprobe cryptodev
# The ocf-linux tarball is fetched only for its OpenSSL patch
wget http://sourceforge.net/projects/ocf-linux/files/ocf-linux/20100325/ocf-linux-20100325.tar.gz/download -O ocf-linux-20100325.tar.gz; tar xzf ocf-linux-20100325.tar.gz
# Patch and build OpenSSL 0.9.8n with the cryptodev engine
wget http://www.openssl.org/source/openssl-0.9.8n.tar.gz; tar xzf openssl-0.9.8n.tar.gz; cd openssl-0.9.8n
patch -p1 < ../ocf-linux-20100325/openssl-0.9.8n.patch
rm -f makefile
./config shared threads --with-cryptodev --openssldir=/etc/ssl --libdir=/lib --prefix=/usr
make depend; make; make install

This is my OpenSSL speed test before this procedure:
Code:
vpnclient:~# openssl version
OpenSSL 0.9.8o 01 Jun 2010

vpnclient:~# openssl engine
(dynamic) Dynamic engine loading support

vpnclient:~# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 1542949 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 452743 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 118531 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 1024 size blocks: 29949 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 3755 aes-128-cbc's in 3.00s
OpenSSL 0.9.8o 01 Jun 2010
built on: Thu Feb 10 21:19:23 UTC 2011
options:bn(64,32) md2(int) rc4(ptr,int) des(idx,risc1,4,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       8229.06k     9658.52k    10148.47k    10222.59k    10253.65k

...and after!
Code:
vpnclient:~# openssl version
OpenSSL 0.9.8n 24 Mar 2010

vpnclient:~# openssl engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support

vpnclient:~# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 79372 aes-128-cbc's in 0.19s
Doing aes-128-cbc for 3s on 64 size blocks: 77040 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 256 size blocks: 64088 aes-128-cbc's in 0.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 39626 aes-128-cbc's in 0.03s
Doing aes-128-cbc for 3s on 2048 size blocks: 23609 aes-128-cbc's in 0.01s
OpenSSL 0.9.8n 24 Mar 2010
built on: Tue May  3 12:51:36 UTC 2011
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc       6683.96k    61632.00k  1640652.80k  1352567.47k  4835123.20k

Quite amazing, isn't it?

IMPORTANT! If the script above fails, make sure that you have:
  • Installed build tools, apt-get -y install build-essential
  • Downloaded the kernel sources from http://code.google.com/p/dreamplug/downloads/list to /usr/src/linux-2.6.3x.y and symlinked it to /usr/src/linux
  • Symlinked /lib/modules/2.6.33.6/build to /usr/src/linux-2.6.33.6
  • Symlinked /lib/modules/2.6.33.6/source to /usr/src/linux-2.6.33.6
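Added example (not part of klockren's post): `openssl speed` divides the bytes processed by the CPU time shown at the end of each "Doing" line, so once the cipher work moves into the kernel driver the "in 0.01s" figures inflate the summary table. The sketch below recomputes throughput over the interval named in each line, assuming every run lasted that nominal 3 s of wall-clock time; `speed_recalc` and `sample_run` are names introduced here, and the input lines are the ones posted above.

```shell
#!/bin/sh
# Added example: recompute `openssl speed` results against wall-clock time.
# Assumption: every run lasted the nominal interval its line names ("for 3s").

# stdin: `openssl speed` output. stdout, one line per block size:
#   <block bytes> <kB/s as reported: bytes / CPU time> <kB/s over the interval>
speed_recalc() {
    awk '
    $1 == "Doing" && $7 == "size" {
        interval = $4 + 0          # "3s"    -> 3
        size     = $6 + 0
        ops      = $9 + 0
        cpu      = $12 + 0         # "0.19s" -> 0.19
        bytes    = ops * size
        # A CPU time of 0.00s would divide by zero; report it as "inf".
        reported = (cpu > 0) ? sprintf("%.2f", bytes / cpu / 1000) : "inf"
        printf "%d %s %.2f\n", size, reported, bytes / interval / 1000
    }'
}

# "Doing" lines copied from the two runs posted above.
sample_run() {
    case "$1" in
    before) cat <<'EOF'
Doing aes-128-cbc for 3s on 16 size blocks: 1542949 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 452743 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 118531 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 1024 size blocks: 29949 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 3755 aes-128-cbc's in 3.00s
EOF
        ;;
    after) cat <<'EOF'
Doing aes-128-cbc for 3s on 16 size blocks: 79372 aes-128-cbc's in 0.19s
Doing aes-128-cbc for 3s on 64 size blocks: 77040 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 256 size blocks: 64088 aes-128-cbc's in 0.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 39626 aes-128-cbc's in 0.03s
Doing aes-128-cbc for 3s on 2048 size blocks: 23609 aes-128-cbc's in 0.01s
EOF
        ;;
    esac
}

for run in before after; do
    echo "== $run: block_bytes reported_kBps wallclock_kBps"
    sample_run "$run" | speed_recalc
done
```

On the posted figures the engine is slower than software below 1024-byte blocks and faster from there on. Running `openssl speed -elapsed -evp aes-128-cbc` makes OpenSSL itself time against the wall clock.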

Confusticated

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #2 on: 06 May 2011, 07:54:34 pm »

Thanks for posting this, been meaning to get off my butt and look into it, now I don't have an excuse to delay any longer  ;)
Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!

dp

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #3 on: 08 May 2011, 11:06:25 am »

Hi,

I followed the Howto described by Klockren but didn't succeed in compiling cryptodev.

I installed Debian Lenny and upgraded to Squeeze (6.0.1), keeping the same kernel 2.6.33.6.
I created the various symlinks.
I installed build-essential packages and tried to compile the kernel as indicated but didn't find the .config with the original kernel configurations.
Using "make oldconfig && make prepare" forced me to use default kernel configurations, which is not what I wanted.
With my newly compiled kernel (with perhaps wrong directives), I tried to compile the cryptodev module and got this message:

debian:~/build/cryptodev-linux-1.0# make
make -C /lib/modules/2.6.33.6/build SUBDIRS=`pwd` modules
make[1]: Entering directory `/usr/src/linux-2.6.33.6'

  WARNING: Symbol version dump /usr/src/linux-2.6.33.6/Module.symvers
           is missing; modules will have no dependencies and modversions.

  CC [M]  /root/build/cryptodev-linux-1.0/cryptodev_main.o
  CC [M]  /root/build/cryptodev-linux-1.0/cryptodev_cipher.o
  LD [M]  /root/build/cryptodev-linux-1.0/cryptodev.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/build/cryptodev-linux-1.0/cryptodev.mod.o
/root/build/cryptodev-linux-1.0/cryptodev.mod.c:8: error: variable ‘__this_module’ has initializer but incomplete type
/root/build/cryptodev-linux-1.0/cryptodev.mod.c:9: error: unknown field ‘name’ specified in initializer
...
make[2]: *** [/root/build/cryptodev-linux-1.0/cryptodev.mod.o] Error 1
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.33.6'
make: *** [build] Error 2
debian:~/build/cryptodev-linux-1.0#

Have you got an idea about the problem ?

Thanks in advance.

tummen

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #4 on: 08 May 2011, 07:11:17 pm »

Does someone know if this acceleration hardware also is possible to use with OpenVPN?
and ubuntu.

Confusticated

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #5 on: 09 May 2011, 10:51:14 pm »

As far as I am aware OpenVPN normally sits atop OpenSSL, so if OpenSSL is using cryptodev..... :)
Check the OpenVPN binaries to make sure they dynamically link to your 'custom' OpenSSL.

klockren

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #6 on: 16 May 2011, 09:46:18 am »

@dp: To get the config for the running kernel, I just did
Code:
# cd /usr/src/linux
# cp /proc/config.gz .
# gunzip config.gz
# mv config .config
# make menuconfig
# make
# make modules_install
# cp arch/arm/boot/uImage </dev/sda1 mount point>
« Last Edit: 17 May 2011, 06:38:53 am by klockren »

klockren

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #7 on: 16 May 2011, 09:47:43 am »

Quote from tummen: "Does someone know if this acceleration hardware also is possible to use with OpenVPN? and ubuntu."

I specified
Code:
engine cryptodev
in the /etc/openvpn/openvpn.conf file.

When starting OpenVPN from a shell, this message will appear
Code:
Initializing OpenSSL support for engine 'cryptodev'
When setting the 'cipher' and the 'auth' parameters in the openvpn config, remember that the mv_cesa kernel module only accelerates AES ciphers and not any digest algorithm such as SHAx. I used 128 bit AES as cipher and set auth to none to achieve the best performance. I am not satisfied with the performance in OpenVPN, though  :'(
« Last Edit: 17 May 2011, 06:36:43 am by klockren »
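Added example, not from klockren's post: `auth none` switches off OpenVPN's per-packet HMAC, so with a CBC cipher the tunnel traffic is encrypted but no longer integrity-checked. The check below (the function name and both sample configs are constructed here) reports that trade-off for a config file, next to the variant that keeps the HMAC and computes the digest in software.

```shell
#!/bin/sh
# Added example: summarise the data-channel settings of an OpenVPN config.
# Output: engine=<v> cipher=<v> hw_cipher=<yes|no> auth=<v> hmac=<on|off>
# A directive missing from the file is shown as "unset".
audit_openvpn_conf() {
    awk '
    /^[ \t]*([#;]|$)/ { next }             # skip comments and blank lines
    $1 == "engine" { engine = $2 }
    $1 == "cipher" { cipher = $2 }
    $1 == "auth"   { auth   = $2 }
    END {
        if (engine == "") engine = "unset"
        if (cipher == "") cipher = "unset"
        if (auth   == "") auth   = "unset"
        # Per the post above, the hardware path covers AES only.
        hw   = (engine != "unset" && toupper(cipher) ~ /^AES-/) ? "yes" : "no"
        # "auth none" turns the per-packet HMAC off; anything else keeps it.
        hmac = (tolower(auth) == "none") ? "off" : "on"
        printf "engine=%s cipher=%s hw_cipher=%s auth=%s hmac=%s\n", \
               engine, cipher, hw, auth, hmac
    }' "$1"
}

# Constructed configs: the settings described in the post, and the same
# tunnel with the HMAC kept (the digest then runs in software).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/as_posted.conf" <<'EOF'
# constructed sample
engine cryptodev
cipher AES-128-CBC
auth none
EOF
cat > "$tmp/hmac_kept.conf" <<'EOF'
# constructed sample
engine cryptodev
cipher AES-128-CBC
auth SHA1
EOF

audit_openvpn_conf "$tmp/as_posted.conf"
audit_openvpn_conf "$tmp/hmac_kept.conf"
```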

Hanntac

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #8 on: 15 February 2012, 05:59:19 pm »

Hi folks! Not sure whether I can post in such an old thread, but I had some trouble with this and want to help people with the same problem.
The kernel part held me, sources weren't shipped with my rootfs, got to download and configure them, etc.
So, having a Debian Squeeze's 2.6.38.8 kernel I could not copy-paste instructions from ortizaudio below (furthermore some links don't seem to work anymore). Took me some time (not a week-long search, but still) to get cryptodev working, so I thought this could be useful to someone.

Thanks to this thread and http://ortizaudio.blogspot.com/2011/10/using-dreamplugs-crypto-chip.html, here is a ready-to-go script to install cryptodev on a Debian Squeeze Dreamplug, kernel 2.6.38.8 with huge available space on /tmp (apart from mounting a disk to /tmp, this is the default config of the squeeze new IT's image):

Code:
#!/bin/bash
# Run this as root!
# The process takes some time to run.
# Mind the disk space: the kernel sources will be downloaded.
# (I symlinked /tmp to an external HDD on my own setup.)
apt-get -y install build-essential
# Fetch the kernel sources and point the module build links at them
cd /tmp
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.38.8.tar.bz2
tar -xjf linux-2.6.38.8.tar.bz2
ln -s /tmp/linux-2.6.38.8 /usr/src/
ln -s /tmp/linux-2.6.38.8 /usr/src/linux
rm -f /lib/modules/2.6.38.8/build
rm -f /lib/modules/2.6.38.8/source
ln -s /tmp/linux-2.6.38.8 /lib/modules/2.6.38.8/build
ln -s /tmp/linux-2.6.38.8 /lib/modules/2.6.38.8/source
cd linux-2.6.38.8
# A reference config is downloaded, but the .config used is the running kernel's
wget http://archlinuxarm.org/mirror/with-linux/kernel/2/2.6/2.6.38/2.6.38.8/sheeva-2.6.38.8.config
zcat /proc/config.gz > .config
make uImage # Got an error on this one, but it ran a while, maybe necessary
make modules
# Build and load the cryptodev kernel module
cd /tmp
wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.0.tar.gz
tar -xzf cryptodev-linux-1.0.tar.gz
cd cryptodev-linux-1.0
make; make install
echo "cryptodev" >> /etc/modules
modprobe cryptodev
# Patch and build OpenSSL with the cryptodev engine
wget http://sourceforge.net/projects/ocf-linux/files/ocf-linux/20110530/ocf-linux-20110530.tar.gz/download -O ocf-linux-20110530.tar.gz
tar -xzf ocf-linux-20110530.tar.gz
wget http://www.openssl.org/source/openssl-0.9.8r.tar.gz
tar -xzf openssl-0.9.8r.tar.gz
cd openssl-0.9.8r
patch -p1 < ../ocf-linux-20110530/patches/openssl-0.9.8r.patch
./config shared threads zlib --with-cryptodev --openssldir=/etc/ssl --libdir=/usr/lib --prefix=/usr
make depend && make && make install

exit 0

rgsk

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #9 on: 13 September 2013, 10:02:44 am »

"Quite amazing, isn't it?"

Sorry to re-start this thread. Came across this and just got curious...

klockren - Are you trying to say that AES computation using cryptodev was faster than doing it in OpenSSL libs?

Confusticated

Re: [HOWTO] Hardware cryptographic acceleration with OpenSSL
« Reply #10 on: 15 September 2013, 07:08:14 pm »

As klockren hasn't been active since mid 2011 I shall answer...

Using dedicated cryptography hardware is faster than doing it in software, also significantly reduces CPU load, I use it with ssh for remote access to my plugs.