Is it possible to have the crypto extensions working?

Here is a tutorial to cross-compile openssl from the Debian source and replace the original package to allow HW crypto. This will allow HW crypto extensions by default in all software depending on openssl, e.g. openvpn.

# Fetch Debian crossbuild package
$ sudo apt-get install crossbuild-essential-armhf gcc-arm-linux-gnueabihf libc6-armel-cross
# Fetch Debian source
$ apt-get source openssl
# Add build options "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" by editing CONFARGS in the file debian/rules.
$ nano debian/rules
# Disable test when cross-building
$ export DEB_BUILD_OPTIONS=nocheck
# Add missing cryptodev header
$ wget https://raw.githubusercontent.com/nmav/cryptodev-linux/master/crypto/cryptodev.h -O crypto/cryptodev.h
# Export the cross-compile toolchain prefix
$ export CROSS_COMPILE=arm-linux-gnueabihf-
# Compile
$ dpkg-buildpackage -us -uc -aarmhf

Check:

# which openssl
/usr/bin/openssl
# /usr/bin/openssl version
OpenSSL 1.1.0f  25 May 2017
# /usr/bin/openssl engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support

Run a speed test with hw crypto:

# insmod /lib/modules/4.9.44-4.9_patched-00032-ga82755e2efa8/kernel/extras/cryptodev.ko
# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 85176 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 64 size blocks: 75621 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 256 size blocks: 75243 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 1024 size blocks: 61137 aes-128-cbc's in 0.15s
Doing aes-128-cbc for 3s on 8192 size blocks: 34745 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 22890 aes-128-cbc's in 0.06s
OpenSSL 1.1.0f  25 May 2017

Remove hw cryptodev

# rmmod cryptodev

Re-run test without hw crypto:

# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 3361186 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1119835 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 306370 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 78471 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 9874 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 4940 aes-128-cbc's in 3.00s
OpenSSL 1.1.0f  25 May 2017

All good!

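An added example, not part of the original post: `openssl speed` stops each block size after a wall-clock interval ("for 3s") but, without `-elapsed`, reports user CPU time ("in 0.16s"), so the two runs above are only comparable per wall-clock second. The script embeds the figures quoted in the post and assumes each size ran for the full 3 s.

```shell
# Added example: throughput of the two `openssl speed` runs per wall-clock second.
# "for 3s" is the wall-clock run time; "in N.NNs" is user CPU time, which stays
# near zero when the cipher runs in the kernel/hardware behind /dev/crypto.

hw_run() { cat <<'EOF'
Doing aes-128-cbc for 3s on 16 size blocks: 85176 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 64 size blocks: 75621 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 256 size blocks: 75243 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 1024 size blocks: 61137 aes-128-cbc's in 0.15s
Doing aes-128-cbc for 3s on 8192 size blocks: 34745 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 22890 aes-128-cbc's in 0.06s
EOF
}

sw_run() { cat <<'EOF'
Doing aes-128-cbc for 3s on 16 size blocks: 3361186 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1119835 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 306370 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 78471 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 9874 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 4940 aes-128-cbc's in 3.00s
EOF
}

# stdin: `openssl speed` output; stdout: "<block size> <kB per wall-clock second>"
wall_rate() {
    awk '$1 == "Doing" && $7 == "size" {
        secs = $4 + 0                       # "3s" -> 3
        printf "%d %d\n", $6, ($9 * $6) / secs / 1000
    }'
}

# One line per block size: "<size> <hw kB/s> <sw kB/s> <hw|sw>" (faster side last)
compare() {
    { hw_run | wall_rate | sed 's/^/hw /'; sw_run | wall_rate | sed 's/^/sw /'; } |
    awk '$1 == "hw" { hw[$2] = $3; order[++n] = $2 }
         $1 == "sw" { sw[$2] = $3 }
         END { for (i = 1; i <= n; i++) { s = order[i]
                   print s, hw[s], sw[s], (hw[s] + 0 > sw[s] + 0 ? "hw" : "sw") } }'
}

# Smallest block size at which the hardware path wins on wall-clock throughput
crossover() { compare | awk '$4 == "hw" { print $1; exit }'; }

compare
```

On a live system, `openssl speed -elapsed -evp aes-128-cbc` prints wall-clock figures directly.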

I am using the MT7623 to do some network things; one of the important things is IPsec. I want to use the hardware crypto engine of the MT7623 to do the encryption and decryption. I tried to use both an AF_ALG socket and cryptodev to kick off the engine, but neither of them worked. They all use the software algorithms such as ‘sha1-generic’ instead of ‘mtk-sha1’.

I am sure the kernel config option “MediaTek’s EIP97 Driver …” is selected.

I added some prints in the function mtk_crypto_probe, and the printed messages can be seen after my system starts.

Did I miss something?

Did you read the discussion thread?

I have tried to configure an IPsec tunnel using iproute2 (ip xfrm …). After the configuration, the tunnel and traffic are both OK. But /proc/interrupts shows that the crypto engine does not work. I have enabled kernel config items such as MediaTek’s EIP97 Driver and can see the mtk items in /proc/crypto. Did I miss something?
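One way to check which implementation a lookup by algorithm name resolves to, as an added example that is not part of the original posts: when both `mtk-sha1` and `sha1-generic` appear in /proc/crypto, a request for plain `sha1` goes to the usable entry with the highest priority. The sample records, their priorities and the `mtk-sha256` entry are constructed.

```shell
# Added example: which implementation would a lookup by algorithm name get?
# The kernel crypto API resolves a name such as "sha1" to the registered
# driver with the highest priority. Records are constructed and trimmed to the
# fields used here; priorities and the sha256 hardware entry are made up.

proc_crypto_sample() { cat <<'EOF'
name         : sha1
driver       : mtk-sha1
priority     : 400
selftest     : passed

name         : sha1
driver       : sha1-generic
priority     : 100
selftest     : passed

name         : sha256
driver       : mtk-sha256
priority     : 400
selftest     : unknown

name         : sha256
driver       : sha256-generic
priority     : 100
selftest     : passed
EOF
}

# usage: preferred_driver <name> < /proc/crypto
# Prints "<driver> <priority>"; entries whose self-test is not "passed" are skipped.
preferred_driver() {
    awk -v alg="$1" '
        BEGIN { RS = ""; FS = "\n"; best = -1 }
        {
            split("", f)                       # clear fields of previous record
            for (i = 1; i <= NF; i++) {
                c = index($i, ":"); if (c == 0) continue
                key = substr($i, 1, c - 1); val = substr($i, c + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                f[key] = val
            }
            if (f["name"] == alg && f["selftest"] == "passed" && f["priority"] + 0 > best) {
                best = f["priority"] + 0; drv = f["driver"]
            }
        }
        END { if (best < 0) exit 1; print drv, best }'
}

proc_crypto_sample | preferred_driver sha1
```

On the board itself, run `preferred_driver sha1 < /proc/crypto` and compare the result with the driver name the request actually reported.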

Could you show your test commands and topology for ipsec test?

You should enable other configs not just EIP97.

Is there any progress on this?

Which options should be enabled in the kernel?

I forgot which config I used to test IPsec, but at least you could enable these two configs for a basic test.

CONFIG_CRYPTO_TEST
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS

Hello, I have the Debian Stretch image from frank with 14.4 kernel. In order to make cryptodev work for my distribution I followed your instructions, but I had a problem with the OpenSSL 1.1 libraries. Instead of targeting the official OpenSSL package for Debian Stretch, I recompiled from this package: apt source libssl1.0.2, and it works. OpenVPN will start to support OpenSSL 1.1 from version 2.4.7.

In fact, I correct my previous post: it does not work. I only managed to have openssl work with Cryptodev in Debian Stretch with libssl 1.1. OpenVPN fails to run when putting the option “engine cryptodev”. Also in Ubuntu Bionic, OpenVPN supports OpenSSL 1.1, but at startup there is this message: “OpenSSL hardware crypto engine functionality is not available”. I give up. SW speed is acceptable…

https://forums.openvpn.net/viewtopic.php?p=75326&sid=5e93d78cbcc1a93769f848fa8be0e971#p75326

If this is true, openvpn should use cryptodev in openssl by default… You can run a test, and then again without cryptodev loaded.

Hello,

How can I cross-compile openssl 1.1.1 with cryptodev support on Debian Buster? I think there were some changes from version 1.1.1 and up. I was trying to follow the steps highlighted here http://trac.gateworks.com/wiki/linux/crypto#BuildingOpenSSLversions1.1.1andlaterwithcryptodevsupport but at some point it fails because of some missing libraries:

make[1]: Entering directory '/home/sysadmin/openssl-1.1.1/openssl-1.1.1c'
sed -i '/^udeb: libssl/s/libcrypto1.1-udeb/libssl1.1-udeb/' debian/libssl1.1/DEBIAN/shlibs
dh_shlibdeps -a -L libssl1.1
dpkg-shlibdeps: error: cannot find library libdl.so.2 needed by debian/openssl/usr/bin/openssl (ELF format: 'elf32-littlearm' abi: '0101002800000000'; RPATH: '')
dpkg-shlibdeps: error: cannot find library libpthread.so.0 needed by debian/openssl/usr/bin/openssl (ELF format: 'elf32-littlearm' abi: '0101002800000000'; RPATH: '')
dpkg-shlibdeps: error: cannot find library libc.so.6 needed by debian/openssl/usr/bin/openssl (ELF format: 'elf32-littlearm' abi: '0101002800000000'; RPATH: '')
dpkg-shlibdeps: error: cannot find library ld-linux-armhf.so.3 needed by debian/openssl/usr/bin/openssl (ELF format: 'elf32-littlearm' abi: '0101002800000000'; RPATH: '')
dpkg-shlibdeps: error: cannot continue due to the errors listed above
Note: libraries are not searched in other binary packages that do not have any shlibs or symbols file.
To help dpkg-shlibdeps find private libraries, you might need to use -l.
dh_shlibdeps: dpkg-shlibdeps -Tdebian/openssl.substvars -Sdebian/libssl1.1 debian/openssl/usr/bin/openssl returned exit code 2
dh_shlibdeps: Aborting due to earlier error
make[1]: *** [debian/rules:150: override_dh_shlibdeps] Error 25
make[1]: Leaving directory '/home/sysadmin/openssl-1.1.1/openssl-1.1.1c'
make: *** [debian/rules:49: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

All the files which the compiler complains are missing are available. Do I need to set some PATH or environment variable for the compiler to be able to access them?

Update: I found some advice on a forum to edit the debian/rules file and add the LD_LIBRARY_PATH there, and then compilation completed with success.

root@bpi-r2:~# openvpn --show-engines

OpenSSL Crypto Engines

/dev/crypto engine [devcrypto]

Dynamic engine loading support [dynamic]

Btw, I started to add openssl building to my repo some time ago; just take a look at openssl.sh

https://github.com/frank-w/BPI-R2-4.14/tree/4.19-main/utils

I expect building on the R2 is much slower, and not everybody wants compile tools on a router :wink:

You could also look for cryptodev to use hardware acceleration in openssl.

I don’t know if the scripts were complete, but maybe you can help here if they aren’t working.

It seems that after loading the cryptodev openssl module, SSH connections using OpenSSH 7.9p on Debian 10 do not work anymore.

I saw there is a bug opened on the Debian bug tracker for this issue: https://www.mail-archive.com/[email protected]/msg1686025.html

As a workaround I have switched to Dropbear which does not seem to be affected by this bug.

Hi,

I just tried to use your script to build openssl with cryptodev and it compiles OK, but the checkinstall command, when trying to build the deb package, fails at the step of building the file list and generates a very small deb file (724 bytes) which contains only an openssl config file.

Can checkinstall be done for a different arch? IMHO you need to do make install and some kind of fakeroot/dpkg-buildpackage.

Btw, where did you try cryptodev? IMHO it needs a dts node that I have added only in 4.14.

I have tried in the 4.19-main branch. This is the output from the script:

======================== Installation successful ==========================

Copying files to the temporary directory...OK

Stripping ELF binaries and libraries...OK

Compressing man pages...OK

Building file list... FAILED!

Building Debian package...OK

NOTE: The package will not be installed

Erasing temporary files...OK

Writing backup package...OK
OK

Deleting temp dir...OK


**********************************************************************

 Done. The new package has been saved to

 /home/sysadmin/bpir2-4.19/utils/openssl/openssl_20190829-1_armhf.deb
 You can install it in your system anytime using:

      dpkg -i openssl_20190829-1_armhf.deb

**********************************************************************

Mhm… the package is named armhf… but the error occurs in building the file list… I don’t know checkinstall very well… maybe there is a debug mode to get a clearer message?

@frank-w I have copied the utils folder from the 4.14-main repository to the 5.4-main branch and I tried to compile cryptodev (I saw you updated it to version 1.9), but it fails. When I run ./build.sh cryptodev, it throws the compilation error below:

Building modules, stage 2.
  MODPOST 1 modules
ERROR: "crypto_givcipher_type" [/home/sysadmin/bpi-r2_5.4/utils/cryptodev/cryptodev-linux/cryptodev.ko] undefined!
ERROR: "sys_close" [/home/sysadmin/bpi-r2_5.4/utils/cryptodev/cryptodev-linux/cryptodev.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:94: __modpost] Error 1
make[1]: *** [Makefile:1609: modules] Error 2
make[1]: Leaving directory '/home/sysadmin/bpi-r2_5.4'
make: *** [Makefile:27: build] Error 2

Look where crypto_givcipher_type and sys_close are defined, and make sure the file with the implementation is linked by the makefile.