1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
README - ocf-linux-20071215
---------------------------
This README provides instructions for getting ocf-linux compiled and
operating in a generic linux environment. For other information you
might like to visit the home page for this project:
http://ocf-linux.sourceforge.net/
Adding OCF to linux
-------------------
Not much in this file for now, just some notes. I usually build
the ocf support as modules but it can be built into the kernel as
well. To use it:
* mknod /dev/crypto c 10 70
* to add OCF to your kernel source, you have two options. Apply
the kernel specific patch:
cd linux-2.4*; gunzip < ocf-linux-24-XXXXXXXX.patch.gz | patch -p1
cd linux-2.6*; gunzip < ocf-linux-26-XXXXXXXX.patch.gz | patch -p1
if you do one of the above, then you can proceed to the next step,
or you can do the above process by hand with using the patches against
linux-2.4.35 and 2.6.23 to include the ocf code under crypto/ocf.
Here's how to add it:
for 2.4.35 (and later)
cd linux-2.4.35/crypto
tar xvzf ocf-linux.tar.gz
cd ..
patch -p1 < crypto/ocf/patches/linux-2.4.35-ocf.patch
for 2.6.23 (and later), find the kernel patch specific (or nearest)
to your kernel versions and then:
cd linux-2.6.NN/crypto
tar xvzf ocf-linux.tar.gz
cd ..
patch -p1 < crypto/ocf/patches/linux-2.6.NN-ocf.patch
It should be easy to take this patch and apply it to other more
recent versions of the kernels. The same patches should also work
relatively easily on kernels as old as 2.6.11 and 2.4.18.
* under 2.4 if you are on a non-x86 platform, you may need to:
cp linux-2.X.x/include/asm-i386/kmap_types.h linux-2.X.x/include/asm-YYY
so that you can build the kernel crypto support needed for the cryptosoft
driver.
* For simplicity you should enable all the crypto support in your kernel
except for the test driver. Likewise for the OCF options. Do not
enable OCF crypto drivers for HW that you do not have (for example
ixp4xx will not compile on non-Xscale systems).
* make sure that cryptodev.h (from ocf-linux.tar.gz) is installed as
crypto/cryptodev.h in an include directory that is used for building
applications for your platform. For example on a host system that
might be:
/usr/include/crypto/cryptodev.h
* patch your openssl-0.9.8i code with the openssl-0.9.8i.patch.
(NOTE: there is no longer a need to patch ssh). The patch is against:
openssl-0_9_8e
If you need a patch for an older version of openssl, you should look
to older OCF releases. This patch is unlikely to work on older
openssl versions.
openssl-0.9.8i.patch
- enables --with-cryptodev for non BSD systems
- adds -cpu option to openssl speed for calculating CPU load
under linux
- fixes null pointer in openssl speed multi thread output.
- fixes test keys to work with linux crypto's more stringent
key checking.
- adds MD5/SHA acceleration (Ronen Shitrit), only enabled
with the --with-cryptodev-digests option
- fixes bug in engine code caching.
* build crypto-tools-XXXXXXXX.tar.gz if you want to try some of the BSD
tools for testing OCF (ie., cryptotest).
How to load the OCF drivers
---------------------------
First insert the base modules:
insmod ocf
insmod cryptodev
You can then install the software OCF driver with:
insmod cryptosoft
and one or more of the OCF HW drivers with:
insmod safe
insmod hifn7751
insmod ixp4xx
...
all the drivers take a debug option to enable verbose debug so that
you can see what is going on. For debug you load them as:
insmod ocf crypto_debug=1
insmod cryptodev cryptodev_debug=1
insmod cryptosoft swcr_debug=1
You may load more than one OCF crypto driver but then there is no guarantee
as to which will be used.
You can also enable debug at run time on 2.6 systems with the following:
echo 1 > /sys/module/ocf/parameters/crypto_debug
echo 1 > /sys/module/cryptodev/parameters/cryptodev_debug
echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
echo 1 > /sys/module/hifn7751/parameters/hifn_debug
echo 1 > /sys/module/safe/parameters/safe_debug
echo 1 > /sys/module/ixp4xx/parameters/ixp_debug
...
Testing the OCF support
-----------------------
run "cryptotest", it should do a short test for a couple of
des packets. If it does everything is working.
If this works, then ssh will use the driver when invoked as:
ssh -c 3des username@host
to see for sure that it is operating, enable debug as defined above.
To get a better idea of performance run:
cryptotest 100 4096
There are more options to cryptotest, see the help.
It is also possible to use openssl to test the speed of the crypto
drivers.
openssl speed -evp des -engine cryptodev -elapsed
openssl speed -evp des3 -engine cryptodev -elapsed
openssl speed -evp aes128 -engine cryptodev -elapsed
and multiple threads (10) with:
openssl speed -evp des -engine cryptodev -elapsed -multi 10
openssl speed -evp des3 -engine cryptodev -elapsed -multi 10
openssl speed -evp aes128 -engine cryptodev -elapsed -multi 10
for public key testing you can try:
cryptokeytest
openssl speed -engine cryptodev rsa -elapsed
openssl speed -engine cryptodev dsa -elapsed
David McCullough
david_mccullough@securecomputing.com
|
