Is it possible to have the crypto extensions working?

openssl speed -evp aes-128-cbc -engine cryptodev

http://processors.wiki.ti.com/index.php/Cryptography_Users_Guide#Using_Cryptographic_Hardware_Accelerators

Hi, Ryder.Lee … I really desisted from using the hardware crypto extensions for LUKS in this case, as it was unstable. For that I only use the pure software option. Encryption is a very sensitive thing; if your endianness is different, or if there is a bit lost here or there or whatever, then everything is different. The OpenSSL was OK.

Right now I am testing other things with AF_ALG, but with a Banana M2+ (no LUKS yet), and it works well in both directions. Maybe I could try that with the R2 later, to see how it works.

I used Debian 9 armv7l, with Kernel 4.9 patched from openwrt. I have the “<*> Mediatek Random Number Generator support” included in the kernel config, as you can see with the interrupts. You're right, I don’t have “ARM Accelerated Cryptographic Algorithms”; which ones should I enable, all except ARMv8?

  • SHA1 digest algorithm (ARM-asm)
  • SHA1 digest algorithm (ARM NEON)
  • SHA1 digest algorithm (ARM v8 Crypto Extensions)
  • SHA-224/256 digest algorithm (ARM v8 Crypto Extensions)
  • SHA-224/256 digest algorithm (ARM-asm and NEON)
  • SHA-384/512 digest algorithm (ARM-asm and NEON)
  • AES cipher algorithms (ARM-asm)
  • Bit sliced AES using NEON instructions
  • Accelerated AES using ARMv8 Crypto Extensions
  • PMULL-accelerated GHASH using ARMv8 Crypto Extensions

I use Kernel 4.9 as it is the only kernel with all features, e.g. VLAN, DSA, 2GMAC, HWNAT.

I tried again with all crypto options included in the kernel and got the same result.

# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 3141900 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1095190 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 304640 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 78367 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 9879 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 4942 aes-128-cbc's in 3.00s
OpenSSL 1.1.0f  25 May 2017
built on: reproducible build, date unspecified
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/arm-linux-gnueabihf/engines-1.1\"" 
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      16756.80k    23364.05k    25995.95k    26749.27k    26976.26k    26989.91k

Load the cryptodev module:

# insmod /lib/modules/4.9.44-4.9_patched-00030-g328e50a6cb09/kernel/extras/cryptodev.ko

dmesg:

[  107.794025] cryptodev: driver 1.9 loaded.
[  141.926055] random: crng init done

Re-try with engine:

# openssl speed -evp aes-128-cbc -engine cryptodev
invalid engine "cryptodev"
3069338560:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:113:filename(/usr/lib/arm-linux-gnueabihf/engines-1.1/cryptodev.so): /usr/lib/arm-linux-gnueabihf/engines-1.1/cryptodev.so: cannot open shared object file: No such file or directory
3069338560:error:25070067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:161:
3069338560:error:260B6084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:414:
3069338560:error:2606A074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:339:id=cryptodev
3069338560:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:113:filename(libcryptodev.so): libcryptodev.so: cannot open shared object file: No such file or directory
3069338560:error:25070067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:161:
3069338560:error:260B6084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:414:
...

Okay, I didn’t test LUKS before but just tested network security - and everything was going well.

What type of cipher did you use? There’s a known issue - we cannot encrypt zero length plaintext when using AES-GCM.

How do we enable HW encryption? What is missing?

I can only share my experience in the openwrt environment. Besides enabling the eip97 driver, please also enable the configuration below in kernel modules and application packages.

> With cryptodev-linux
> * kmod-crypto-core: m
>     * kmod-cryptodev: m
> 
> Adding /dev/crypto support to crypto libraries
> Libraries → SSL
> * libopenssl: m
>     * Crypto acceleration support: y
> * libgnutls: m
>     * enable /dev/crypto support: y

Thanks, I compared the config from the official 4.4 and the 4.9. There is no such driver for eip97 in either kernel. However enable the ARM Neon. I tried with both kernels, the official 4.4 and my 4.9; both have the same result 3.0. How do I get the crypto extensions working?

Cryptodev-linux is implemented as a standalone module (opensource) that requires no dependencies other than a stock linux kernel: http://cryptodev-linux.org/

First of all, you should include/build that module in your kernel source so that the userspace applications could access it through the node: /dev/crypto (please take a look at https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/full_papers/keromytis/keromytis_html/node8.html).

Second, please enable OpenSSL hardware acceleration (just in case you build it from source).

Finally, you can use the below command to test HW (please take a look at WIKI for more details - https://wiki.openwrt.org/doc/hardware/cryptographic.hardware.accelerators):

# openssl speed -evp aes-128-cbc -engine cryptodev

Thanks for the feedback. Cryptodev-linux is implemented and compiled as a module for the kernel. I do have the node /dev/crypto. I cross-compiled openssl and the cryptodev test tools:

# ./speed 
Testing NULL cipher: 
	Encrypting in chunks of 512 bytes: done. 385.09 MB in 5.00 secs: 77.02 MB/sec
	Encrypting in chunks of 1024 bytes: done. 770.84 MB in 5.00 secs: 154.17 MB/sec
	Encrypting in chunks of 2048 bytes: done. 1.54 GB in 5.00 secs: 0.31 GB/sec
	Encrypting in chunks of 4096 bytes: done. 1.93 GB in 5.00 secs: 0.39 GB/sec
	Encrypting in chunks of 8192 bytes: done. 2.81 GB in 5.00 secs: 0.56 GB/sec
	Encrypting in chunks of 16384 bytes: done. 3.68 GB in 5.00 secs: 0.74 GB/sec
	Encrypting in chunks of 32768 bytes: done. 4.35 GB in 5.00 secs: 0.87 GB/sec
	Encrypting in chunks of 65536 bytes: done. 4.80 GB in 5.00 secs: 0.96 GB/sec

Testing AES-128-CBC cipher: 
	Encrypting in chunks of 512 bytes: done. 66.34 MB in 5.00 secs: 13.27 MB/sec
	Encrypting in chunks of 1024 bytes: done. 132.48 MB in 5.00 secs: 26.50 MB/sec
	Encrypting in chunks of 2048 bytes: done. 256.77 MB in 5.00 secs: 51.35 MB/sec
	Encrypting in chunks of 4096 bytes: done. 382.03 MB in 5.00 secs: 76.40 MB/sec
	Encrypting in chunks of 8192 bytes: done. 608.71 MB in 5.00 secs: 121.74 MB/sec
	Encrypting in chunks of 16384 bytes: done. 860.21 MB in 5.00 secs: 172.04 MB/sec
	Encrypting in chunks of 32768 bytes: done. 1.08 GB in 5.00 secs: 0.22 GB/sec
	Encrypting in chunks of 65536 bytes: done. 1.27 GB in 5.00 secs: 0.25 GB/sec

And now I have the same performance:

# LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/openssl speed -evp aes-128-cbc -engine cryptodev
engine "cryptodev" set.
Doing aes-128-cbc for 3s on 16 size blocks: 76896 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 64 size blocks: 68630 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 256 size blocks: 68630 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 1024 size blocks: 68319 aes-128-cbc's in 0.17s
Doing aes-128-cbc for 3s on 8192 size blocks: 43901 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 31179 aes-128-cbc's in 0.05s
OpenSSL 1.1.0f  25 May 2017

Here is a tutorial to cross-compile openssl from the Debian source to replace the original package to allow HW crypto. This will allow hw crypto extensions by default in all software depending on openssl, e.g. openvpn:

# Fetch Debian crossbuild package
$ sudo apt-get install crossbuild-essential-armhf gcc-arm-linux-gnueabihf libc6-armel-cross
# Fetch Debian source
$ apt-get source openssl
# Add build options "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" by editing CONFARGS in the file debian/rules.
$ nano debian/rules
# Disable test when cross-building
$ export DEB_BUILD_OPTIONS=nocheck
# Add missing cryptodev header
$ wget https://raw.githubusercontent.com/nmav/cryptodev-linux/master/crypto/cryptodev.h -O crypto/cryptodev.h
# Export the cross-compile toolchain prefix
$ export CROSS_COMPILE=arm-linux-gnueabihf-
# Compile
$ dpkg-buildpackage -us -uc -aarmhf 

Check:

# which openssl
/usr/bin/openssl
# /usr/bin/openssl version
OpenSSL 1.1.0f  25 May 2017
# /usr/bin/openssl engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support

Run a speed test with hw crypto:

# insmod /lib/modules/4.9.44-4.9_patched-00032-ga82755e2efa8/kernel/extras/cryptodev.ko
# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 85176 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 64 size blocks: 75621 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 256 size blocks: 75243 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 1024 size blocks: 61137 aes-128-cbc's in 0.15s
Doing aes-128-cbc for 3s on 8192 size blocks: 34745 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 22890 aes-128-cbc's in 0.06s
OpenSSL 1.1.0f  25 May 2017

Remove hw cryptodev

# rmmod cryptodev

Re-run test without hw crypto:

# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 3361186 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1119835 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 306370 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 78471 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 9874 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 4940 aes-128-cbc's in 3.00s
OpenSSL 1.1.0f  25 May 2017

All good!

3 Likes
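Added example, not part of the original posts: `openssl speed` divides by user CPU time unless `-elapsed` is given, so with an offload engine the printed times (0.04s to 0.18s above) cover only the CPU's share of the work. This Python sketch recomputes throughput over the nominal 3 s run length from the two runs quoted above; treating each run as exactly 3 s is an assumption.

```python
import re

# One result line of `openssl speed`, e.g.
#   Doing aes-128-cbc for 3s on 16 size blocks: 85176 aes-128-cbc's in 0.16s
LINE = re.compile(
    r"Doing \S+ for (?P<wall>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<ops>\d+) \S+ in (?P<cpu>[\d.]+)s"
)

# Figures copied from the two runs in the post above (cryptodev loaded / removed).
HW = """\
Doing aes-128-cbc for 3s on 16 size blocks: 85176 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 64 size blocks: 75621 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 256 size blocks: 75243 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 1024 size blocks: 61137 aes-128-cbc's in 0.15s
Doing aes-128-cbc for 3s on 8192 size blocks: 34745 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 22890 aes-128-cbc's in 0.06s
"""
SW = """\
Doing aes-128-cbc for 3s on 16 size blocks: 3361186 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1119835 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 306370 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 78471 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 9874 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 4940 aes-128-cbc's in 3.00s
"""

def throughput(output):
    """Map block size -> (kB/s by reported CPU time, kB/s by nominal wall time)."""
    result = {}
    for m in LINE.finditer(output):
        size, ops = int(m["size"]), int(m["ops"])
        cpu, wall = float(m["cpu"]), float(m["wall"])
        by_cpu = ops * size / cpu / 1000 if cpu else float("inf")
        result[size] = (by_cpu, ops * size / wall / 1000)
    return result

def offload_ratio(hw, sw):
    """Map block size -> hw/sw wall-clock throughput; above 1.0 the engine wins."""
    h, s = throughput(hw), throughput(sw)
    return {size: h[size][1] / s[size][1] for size in h if size in s}

if __name__ == "__main__":
    hw = throughput(HW)
    for size, ratio in offload_ratio(HW, SW).items():
        print(f"{size:>6} B  cpu-based {hw[size][0]:>9.0f} kB/s  "
              f"wall-based {hw[size][1]:>9.0f} kB/s  hw/sw {ratio:5.2f}")
```

On these figures the engine is slower than software up to 1024-byte blocks and faster at 8192 bytes and above; rerunning the benchmark with `-elapsed` gives the measured wall-clock numbers directly.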

I am using mt7623 to do some network things; one of the important things is ipsec. I want to use the hardware crypto engine of the MT7623 to do the encryption or decryption. I tried to use both an AF_ALG socket and Cryptodev to kick off the engine, but neither of them worked. They all use the software algorithm such as ‘sha1-generic’ instead of ‘mtk-sha1’.

I am sure the kernel config’s “Mediatek’s Eip97 Driver …” is selected.

I added some prints in function mtk_crypto_probe and the print messages can be seen after my system starts.

Did I miss something?

Did you read the discussion thread?

I have tried to configure an ipsec tunnel using iproute2 (ip xfrm …). After the configuration, the tunnel and traffic are both OK. But /proc/interrupts shows that the crypto engine does not work. I have enabled kernel config items such as Mediatek’s Eip97 Driver and can see mtk’s items in /proc/crypto. Did I miss something?
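Added example, not from the thread: the kernel crypto API resolves a generic name such as `sha1` to the registered implementation with the highest priority that has passed its self-test, so the `priority` and `selftest` fields of /proc/crypto show which driver a by-name request gets. The Python sketch below parses that format; the sample entries, their priority values and the `example-hw-sha256` driver name are constructed, and the kernel's type/mask matching is ignored.

```python
# Constructed sample in /proc/crypto layout (the real file has more fields per entry).
SAMPLE = """\
name         : sha1
driver       : mtk-sha1
priority     : 400
selftest     : passed

name         : sha1
driver       : sha1-generic
priority     : 100
selftest     : passed

name         : sha256
driver       : example-hw-sha256
priority     : 400
selftest     : unknown

name         : sha256
driver       : sha256-generic
priority     : 100
selftest     : passed
"""

def parse(text):
    """Split /proc/crypto text into one dict per registered implementation."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def selected_drivers(text):
    """Map algorithm name -> driver that a generic (by-name) request resolves to."""
    best = {}
    for e in parse(text):
        if e.get("selftest") != "passed":
            continue  # implementations that have not passed are not handed out
        prio = int(e.get("priority", 0))
        if e["name"] not in best or prio > best[e["name"]][0]:
            best[e["name"]] = (prio, e["driver"])
    return {name: drv for name, (_, drv) in best.items()}

if __name__ == "__main__":
    # On a target board, pass open("/proc/crypto").read() instead of SAMPLE.
    for name, driver in sorted(selected_drivers(SAMPLE).items()):
        print(f"{name:10} -> {driver}")
```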

Could you show your test commands and topology for ipsec test?

You should enable other configs not just EIP97.

Is there any progress on this?

Which options should be enabled in the kernel?

I forgot which config I used to test IPsec, but at least you could enable these two configs for basic test.

CONFIG_CRYPTO_TEST
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS

Hello, I have the Debian stretch image from frank with 14.4 kernel. In order to make cryptodev work for my distribution I followed your instructions, but I had a problem with OpenSSL libraries 1.1. Instead of targeting the official package of OpenSSL for Debian stretch I recompiled from this package: apt source libssl1.0.2, and it works. OpenVPN will start to support OpenSSL 1.1 from version 2.4.7.

In fact I correct my previous post: it does not work. I only managed to have openssl work with Cryptodev in Debian Stretch with libssl 1.1. OpenVPN fails to run when putting the option “engine cryptodev”. Also in Ubuntu Bionic, OpenVPN supports OpenSSL 1.1, but at startup there is this message: “OpenSSL hardware crypto engine functionality is not available”. I give up. SW speed is acceptable…