OpenSSL+engine

Hello
I'm pretty new to FreeBSD. I have FreeBSD-9.0-RELEASE installed on my system. I wanted to use the OCF framework software engine (I mean /dev/crypto) through the OpenSSL engine. But when I execute the command:
openssl speed -evp aes-128-cbc -engine cryptodev

I get the following error
Code:
cryptodev engine not found.
error: engine routines: Dynamic_Load: dso not found: /usr/src/secure/lib/libcrypto/../../../crypto/engine/eng-dyn 
...
My OpenSSL version is 1.0.0_7.

kldstat(8) shows that I don't have crypto.ko. How should I load the crypto.ko module?
Can anyone give a step-by-step way of activating the engine for OpenSSL on FreeBSD?


Thanks
 
I want to know if using the cryptodev engine without any hardware could cause acceleration in cryptography? I tested
openssl speed
and
openssl speed -engine cryptodev

But the results were almost the same, although somewhere it is claimed that it can cause acceleration.
 
cryptodev uses /dev/crypto, and /dev/crypto operates on an ioctl(2)-based model (query device capabilities, submit transactions, and get results). In my experience ioctl(2) deals with hardware. There are some facts about cryptographic hardware, kernel and userland in ioctl(2), cryptodev(4) and crypto(9). So,
mahdieh said:
I want to know if using cryptodev engine without any hardware could cause acceleration in cryptography?

In my opinion/experience: No, but I'm not 100% sure.
 
Hardware crypto is ported (with some important modifications) from the OpenBSD Cryptographic Framework (OCF) to the FreeBSD project.

OCF is a service virtualization layer that provides a uniform interface to cryptographic resources and a device interface for user-level access to hardware-accelerated cryptographic operations, by hiding card-specific details behind an API.

OCF is comprised of three components:
  1. Core crypto support: that manages a registry of crypto device drivers, dispatches crypto operations to drivers, and coordinates the return of results from drivers to the submitter.
  2. Crypto device drivers: that submit crypto operations to hardware devices and return results to the crypto core.
    These drivers register the algorithms supported by the device and export the appropriate callback functions to the OCF.
  3. /dev/crypto pseudo-device driver: that provides linkage between user-level software and the Core crypto support.
    /dev/crypto abstracts all the OCF functionality and provides a command set that can be used by OpenSSL or other software that uses /dev/crypto.
    /dev/crypto is based on ioctl(2) calls.

Conclusion:
cryptodev(4) manages cryptographic hardware accelerator cards on FreeBSD.

Reference:
crypto(4), crypto(9), crypto(3), ioctl(2)
Cryptographic Device Support for FreeBSD by Samuel J. Leffler
The Design of the OpenBSD Cryptographic Framework by Angelos D. Keromytis, Jason L. Wright and Theo de Raadt
 
I have already read the two references you mentioned. But what made me think that it should accelerate cryptography are the results in Table 9 in the first article.
It compares doing cryptography in software on the host with doing that with the 5822 and doing that without any hardware accelerator.
 
There are no comparable results (empty/dashed) available in the even columns (2, 4, ...), because the tests failed to complete for the OpenBSD system.
Just the FreeBSD system passed the test successfully.
Both test systems used the Broadcom BCM5822 crypto card.
 
YES, thank you. I was wrong.
But another reason is that the article says OCF reduces the context switches in FreeBSD, and this also applies when using just the cryptodev engine without any hardware.
 
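Added example, not written by any participant in this thread: a script that repeats the software-versus-cryptodev `openssl speed` comparison discussed above and prints the engine/baseline ratio per block size. It assumes /dev/crypto exists and that the installed openssl binary includes the cryptodev engine; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: compare `openssl speed` throughput with and without
# the cryptodev engine. Function names are hypothetical.

# Print the summary row for cipher $1 from `openssl speed` output on stdin
# as plain numbers (1000s of bytes per second, one value per block size).
speed_row() {
    awk -v c="$1" '$1 == c {
        for (i = 2; i <= NF; i++) {
            sub(/k$/, "", $i)
            printf "%s%s", $i, (i < NF ? " " : "\n")
        }
    }'
}

# Print the engine/baseline ratio per block size.
# $1 = baseline row, $2 = engine row (both as produced by speed_row).
speed_ratio() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    echo "$1 $2" | awk '{
        n = NF / 2
        for (i = 1; i <= n; i++)
            printf "%.2f%s", $(i + n) / $i, (i < n ? " " : "\n")
    }'
}

# Live measurement. -elapsed makes `speed` use wall-clock time; the default
# counts only user CPU time, which leaves out time spent inside the kernel
# on behalf of /dev/crypto and so skews an engine comparison.
run_comparison() {
    cipher=${1:-aes-128-cbc}
    [ -c /dev/crypto ] || { echo "/dev/crypto not present" >&2; return 1; }
    openssl engine -t cryptodev 2>/dev/null | grep -q '\[ available \]' ||
        { echo "cryptodev engine not available in this openssl" >&2; return 1; }
    base=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_row "$cipher")
    eng=$(openssl speed -elapsed -evp "$cipher" -engine cryptodev 2>/dev/null |
        speed_row "$cipher")
    echo "baseline: $base"
    echo "engine:   $eng"
    echo "ratio:    $(speed_ratio "$base" "$eng")"
}

# Measure only when asked: sh compare.sh run [cipher]
if [ "${1:-}" = "run" ]; then run_comparison "${2:-}"; fi
```

A ratio close to 1.00 in every column means the engine made no measurable difference for that cipher on that machine.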