mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2025-11-04 06:54:27 -05:00
00dd85d8f6
Fixes problem with TFM allocation in cryptosoft.c Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Hauke: * remove ubsec_ssb package and take it from ocf-linux * use patches from ocf-linux package * refresh all patches * readd some build fixes for OpenWrt. * readd CRYPTO_MANAGER dependency SVN-Revision: 27753
247 lines
8.1 KiB
Plaintext
247 lines
8.1 KiB
Plaintext
###########################
|
|
README - ocf-linux-20100530
|
|
###########################
|
|
|
|
This README provides instructions for getting ocf-linux compiled and
|
|
operating in a generic linux environment. Other information on the project
|
|
can be found at the home page:
|
|
|
|
http://ocf-linux.sourceforge.net/
|
|
|
|
Embedded systems and applications requiring userspace acceleration will need
|
|
to patch the kernel source to get full OCF support. See "Adding OCF to
|
|
linux source" below. Otherwise the "OCF Quickstart" that follows is the
|
|
easiest way to get started.
|
|
|
|
If your goal is to accelerate Openswan on Ubuntu or CentOS, you may find
|
|
that the required binaries are already available on openswan.org:
|
|
|
|
ftp://ftp.openswan.org/ocf/
|
|
ftp://ftp.openswan.org/openswan/binaries/ubuntu/
|
|
|
|
#####################################################
|
|
OCF Quickstart for Ubuntu/Others (including Openswan)
|
|
#####################################################
|
|
|
|
This section provides instructions on how to quickly add kernel only support
|
|
for OCF to a GNU/Linux system. It is only suitable for in-kernel use such as
|
|
Openswan MAST/KLIPS.
|
|
|
|
If the target is an embedded system, or, userspace acceleration of
|
|
applications such as OpenVPN and OpenSSL, the section below titled
|
|
"Adding OCF to linux source" is more appropriate.
|
|
|
|
Before building kernel only support for OCF ensure that the appropriate
|
|
linux-headers package is installed:
|
|
|
|
cd ocf
|
|
make ocf_modules
|
|
sudo make ocf_install
|
|
OCF_DIR=`pwd` # remember where OCF sources were built
|
|
|
|
At this point the ocf, cryptosoft, ocfnull, hifn7751 and ocf-bench modules
|
|
should have been built and installed. The OCF installation can be tested
|
|
with the following commands:
|
|
|
|
modprobe ocf
|
|
modprobe cryptosoft
|
|
modprobe ocf-bench
|
|
dmesg | tail -5
|
|
|
|
The final modprobe of ocf-bench will fail, this is intentional as ocf-bench
|
|
is a short lived module that tests in-kernel performance of OCF. If
|
|
everything worked correctly the "dmesg | tail -5" should include a line
|
|
like:
|
|
|
|
[ 583.128741] OCF: 45133 requests of 1488 bytes in 251 jiffies (535.122 Mbps)
|
|
|
|
This shows the in-kernel performance of OCF using the cryptosoft driver.
|
|
For addition driver load options, see "How to load the OCF modules" below.
|
|
|
|
If the intention is to run an OCF accelerated Openswan (KLIPS/MAST) then use
|
|
these steps to compile openswan downloaded from openswan.org (2.6.34 or later).
|
|
|
|
tar xf openswan-2.6.34.tar.gz
|
|
cd openswan-2.6.34
|
|
make programs
|
|
make KERNELSRC=/lib/modules/`uname -r`/build \
|
|
KBUILD_EXTRA_SYMBOLS=$OCF_DIR/Module.symvers \
|
|
MODULE_DEF_INCLUDE=`pwd`/packaging/ocf/config-all.hmodules \
|
|
MODULE_DEFCONFIG=`pwd`/packaging/ocf/defconfig \
|
|
module
|
|
sudo make KERNELSRC=/lib/modules/`uname -r`/build \
|
|
KBUILD_EXTRA_SYMBOLS=$OCF_DIR/Module.symvers \
|
|
MODULE_DEF_INCLUDE=`pwd`/packaging/ocf/config-all.hmodules \
|
|
MODULE_DEFCONFIG=`pwd`/packaging/ocf/defconfig \
|
|
install minstall
|
|
|
|
The rest of this document is only required for more complex build
|
|
requirements.
|
|
|
|
##########################
|
|
Adding OCF to linux source
|
|
##########################
|
|
|
|
It is recommended that OCF be built as modules as it increases the
|
|
flexibility and ease of debugging the system.
|
|
|
|
Ensure that the system has /dev/crypto for userspace access to OCF:
|
|
|
|
mknod /dev/crypto c 10 70
|
|
|
|
Generate the kernel patches and apply the appropriate one.
|
|
|
|
cd ocf
|
|
make patch
|
|
|
|
This will provide three files:
|
|
|
|
linux-2.4.*-ocf.patch
|
|
linux-2.6.*-ocf.patch
|
|
ocf-linux-base.patch
|
|
|
|
If either of the first two patches applies to the targets kernel, then one
|
|
of the following as required:
|
|
|
|
cd linux-2.X.Y; patch -p1 < linux-2.4.*-ocf.patch
|
|
cd linux-2.6.Y; patch -p1 < linux-2.6.*-ocf.patch
|
|
|
|
Otherwise, locate the appropriate kernel patch in the patches directory and
|
|
apply that as well as the ocf-linux-base.patch using '-p1'.
|
|
|
|
When using a linux-2.4 system on a non-x86 platform, the following may be
|
|
required to build cryptosoft:
|
|
|
|
cp linux-2.X.x/include/asm-i386/kmap_types.h linux-2.X.x/include/asm-YYY
|
|
|
|
When using cryptosoft, for simplicity, enable all the crypto support in the
|
|
kernel except for the test driver. Likewise for the OCF options. Do not
|
|
enable OCF crypto drivers for HW that is not present (for example the ixp4xx
|
|
driver will not compile on non-Xscale systems).
|
|
|
|
Make sure that cryptodev.h from the ocf directory is installed as
|
|
crypto/cryptodev.h in an include directory that is used for building
|
|
applications for the target platform. For example on a host system that
|
|
might be:
|
|
|
|
/usr/include/crypto/cryptodev.h
|
|
|
|
Patch the openssl-0.9.8r code the openssl-0.9.8r.patch from the patches
|
|
directory. There are many older patch versions in the patches directory
|
|
if required.
|
|
|
|
The openssl patches provide the following functionality:
|
|
|
|
* enables --with-cryptodev for non BSD systems
|
|
* adds -cpu option to openssl speed for calculating CPU load under linux
|
|
* fixes null pointer in openssl speed multi thread output.
|
|
* fixes test keys to work with linux crypto's more stringent key checking.
|
|
* adds MD5/SHA acceleration (Ronen Shitrit), only enabled with the
|
|
--with-cryptodev-digests option
|
|
* fixes bug in engine code caching.
|
|
|
|
Build the crypto-tools directory for the target to obtain a userspace
|
|
testing tool call cryptotest.
|
|
|
|
###########################
|
|
How to load the OCF modules
|
|
###########################
|
|
|
|
First insert the base modules (cryptodev is optional, it is only used
|
|
for userspace acceleration):
|
|
|
|
modprobe ocf
|
|
modprobe cryptodev
|
|
|
|
Load the software OCF driver with:
|
|
|
|
modprobe cryptosoft
|
|
|
|
and zero or more of the OCF HW drivers with:
|
|
|
|
modprobe safe
|
|
modprobe hifn7751
|
|
modprobe ixp4xx
|
|
...
|
|
|
|
All the drivers take a debug option to enable verbose debug so that
|
|
OCF operation may be observed via "dmesg" or the console. For debug
|
|
load the modules as:
|
|
|
|
modprobe ocf crypto_debug=1
|
|
modprobe cryptodev cryptodev_debug=1
|
|
modprobe cryptosoft swcr_debug=1
|
|
|
|
More than one OCF crypto driver may be loaded but then there is no
|
|
guarantee as to which will be used (other than a preference for HW
|
|
drivers over SW drivers by most applications).
|
|
|
|
It is also possible to enable debug at run time on linux-2.6 systems
|
|
with the following:
|
|
|
|
echo 1 > /sys/module/ocf/parameters/crypto_debug
|
|
echo 1 > /sys/module/cryptodev/parameters/cryptodev_debug
|
|
echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
|
|
echo 1 > /sys/module/hifn7751/parameters/hifn_debug
|
|
echo 1 > /sys/module/safe/parameters/safe_debug
|
|
echo 1 > /sys/module/ixp4xx/parameters/ixp_debug
|
|
...
|
|
|
|
The ocf-bench driver accepts the following parameters:
|
|
|
|
request_q_len - Maximum number of outstanding requests to OCF
|
|
request_num - run for at least this many requests
|
|
request_size - size of each request (multiple of 16 bytes recommended)
|
|
request_batch - enable OCF request batching
|
|
request_cbimm - enable OCF immediate callback on completion
|
|
|
|
For example:
|
|
|
|
modprobe ocf-bench request_size=1024 request_cbimm=0
|
|
|
|
#######################
|
|
Testing the OCF support
|
|
#######################
|
|
|
|
run "cryptotest", it should do a short test for a couple of
|
|
des packets. If it does everything is working.
|
|
|
|
If this works, then ssh will use the driver when invoked as:
|
|
|
|
ssh -c 3des username@host
|
|
|
|
to see for sure that it is operating, enable debug as defined above.
|
|
|
|
To get a better idea of performance run:
|
|
|
|
cryptotest 100 4096
|
|
|
|
There are more options to cryptotest, see the help.
|
|
|
|
It is also possible to use openssl to test the speed of the crypto
|
|
drivers.
|
|
|
|
openssl speed -evp des -engine cryptodev -elapsed
|
|
openssl speed -evp des3 -engine cryptodev -elapsed
|
|
openssl speed -evp aes128 -engine cryptodev -elapsed
|
|
|
|
and multiple threads (10) with:
|
|
|
|
openssl speed -evp des -engine cryptodev -elapsed -multi 10
|
|
openssl speed -evp des3 -engine cryptodev -elapsed -multi 10
|
|
openssl speed -evp aes128 -engine cryptodev -elapsed -multi 10
|
|
|
|
for public key testing you can try:
|
|
|
|
cryptokeytest
|
|
openssl speed -engine cryptodev rsa -elapsed
|
|
openssl speed -engine cryptodev dsa -elapsed
|
|
|
|
|
|
#############################
|
|
#
|
|
# David McCullough
|
|
# david_mccullough@mcafee.com
|
|
#
|
|
#############################
|