| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
 | ###########################
README - ocf-linux-20100530
###########################
This README provides instructions for getting ocf-linux compiled and
operating in a generic linux environment.  Other information on the project
can be found at the home page:
    http://ocf-linux.sourceforge.net/
Embedded systems and applications requiring userspace acceleration will need
to patch the kernel source to get full OCF support.  See "Adding OCF to
linux source" below.  Otherwise the "OCF Quickstart" that follows is the
easiest way to get started.
If your goal is to accelerate Openswan on Ubuntu or CentOS,  you may find
that the required binaries are already available on openswan.org:
    ftp://ftp.openswan.org/ocf/
    ftp://ftp.openswan.org/openswan/binaries/ubuntu/
#####################################################
OCF Quickstart for Ubuntu/Others (including Openswan)
#####################################################
This section provides instructions on how to quickly add kernel only support
for OCF to a GNU/Linux system.  It is only suitable for in-kernel use such as
Openswan MAST/KLIPS.
If the target is an embedded system, or, userspace acceleration of
applications such as OpenVPN and OpenSSL, the section below titled
"Adding OCF to linux source" is more appropriate.
Before building kernel only support for OCF ensure that the appropriate
linux-headers package is installed:
    cd ocf
    make ocf_modules
    sudo make ocf_install
    OCF_DIR=`pwd`            # remember where OCF sources were built
At this point the ocf, cryptosoft, ocfnull, hifn7751 and ocf-bench modules
should have been built and installed.  The OCF installation can be tested
with the following commands:
    modprobe ocf
    modprobe cryptosoft
    modprobe ocf-bench
    dmesg | tail -5
The final modprobe of ocf-bench will fail,  this is intentional as ocf-bench
is a short lived module that tests in-kernel performance of OCF.  If
everything worked correctly the "dmesg | tail -5" should include a line
like:
    [  583.128741] OCF: 45133 requests of 1488 bytes in 251 jiffies (535.122 Mbps)
This shows the in-kernel performance of OCF using the cryptosoft driver.
For addition driver load options,  see "How to load the OCF modules" below.
If the intention is to run an OCF accelerated Openswan (KLIPS/MAST) then use
these steps to compile openswan downloaded from openswan.org (2.6.34 or later).
    tar xf openswan-2.6.34.tar.gz
    cd openswan-2.6.34
    make programs
    make KERNELSRC=/lib/modules/`uname -r`/build \
        KBUILD_EXTRA_SYMBOLS=$OCF_DIR/Module.symvers \
        MODULE_DEF_INCLUDE=`pwd`/packaging/ocf/config-all.hmodules \
        MODULE_DEFCONFIG=`pwd`/packaging/ocf/defconfig \
        module
    sudo make KERNELSRC=/lib/modules/`uname -r`/build \
        KBUILD_EXTRA_SYMBOLS=$OCF_DIR/Module.symvers \
        MODULE_DEF_INCLUDE=`pwd`/packaging/ocf/config-all.hmodules \
        MODULE_DEFCONFIG=`pwd`/packaging/ocf/defconfig \
        install minstall
The rest of this document is only required for more complex build
requirements.
##########################
Adding OCF to linux source
##########################
It is recommended that OCF be built as modules as it increases the
flexibility and ease of debugging the system.
Ensure that the system has /dev/crypto for userspace access to OCF:
    mknod /dev/crypto c 10 70
Generate the kernel patches and apply the appropriate one.
    cd ocf
    make patch
This will provide three files:
    linux-2.4.*-ocf.patch
    linux-2.6.*-ocf.patch
    ocf-linux-base.patch
If either of the first two patches applies to the targets kernel,  then one
of the following as required:
    cd linux-2.X.Y; patch -p1 < linux-2.4.*-ocf.patch
    cd linux-2.6.Y; patch -p1 < linux-2.6.*-ocf.patch
Otherwise,  locate the appropriate kernel patch in the patches directory and
apply that as well as the ocf-linux-base.patch using '-p1'.
When using a linux-2.4 system on a non-x86 platform,  the following may be
required to build cryptosoft:
    cp linux-2.X.x/include/asm-i386/kmap_types.h linux-2.X.x/include/asm-YYY
When using cryptosoft, for simplicity, enable all the crypto support in the
kernel except for the test driver.  Likewise for the OCF options.  Do not
enable OCF crypto drivers for HW that is not present (for example the ixp4xx
driver will not compile on non-Xscale systems).
Make sure that cryptodev.h from the ocf directory is installed as
crypto/cryptodev.h in an include directory that is used for building
applications for the target platform.  For example on a host system that
might be:
    /usr/include/crypto/cryptodev.h
Patch the openssl-0.9.8r code the openssl-0.9.8r.patch from the patches
directory.  There are many older patch versions in the patches directory
if required.
The openssl patches provide the following functionality:
    * enables --with-cryptodev for non BSD systems
    * adds -cpu option to openssl speed for calculating CPU load under linux
    * fixes null pointer in openssl speed multi thread output.
    * fixes test keys to work with linux crypto's more stringent key checking.
    * adds MD5/SHA acceleration (Ronen Shitrit), only enabled with the
      --with-cryptodev-digests option
    * fixes bug in engine code caching.
Build the crypto-tools directory for the target to obtain a userspace
testing tool call cryptotest.
###########################
How to load the OCF modules
###########################
First insert the base modules (cryptodev is optional,  it is only used
for userspace acceleration):
    modprobe ocf
    modprobe cryptodev
Load the software OCF driver with:
    modprobe cryptosoft
and zero or more of the OCF HW drivers with:
    modprobe safe
    modprobe hifn7751
    modprobe ixp4xx
    ...
All the drivers take a debug option to enable verbose debug so that
OCF operation may be observed via "dmesg" or the console.  For debug
load the modules as:
    modprobe ocf crypto_debug=1
    modprobe cryptodev cryptodev_debug=1
    modprobe cryptosoft swcr_debug=1
More than one OCF crypto driver may be loaded but then there is no
guarantee as to which will be used (other than a preference for HW
drivers over SW drivers by most applications).
It is also possible to enable debug at run time on linux-2.6 systems
with the following:
    echo 1 > /sys/module/ocf/parameters/crypto_debug
    echo 1 > /sys/module/cryptodev/parameters/cryptodev_debug
    echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
    echo 1 > /sys/module/hifn7751/parameters/hifn_debug
    echo 1 > /sys/module/safe/parameters/safe_debug
    echo 1 > /sys/module/ixp4xx/parameters/ixp_debug
    ...
The ocf-bench driver accepts the following parameters:
    request_q_len - Maximum number of outstanding requests to OCF
    request_num   - run for at least this many requests
    request_size  - size of each request (multiple of 16 bytes recommended)
    request_batch - enable OCF request batching
    request_cbimm - enable OCF immediate callback on completion
For example:
    modprobe ocf-bench request_size=1024 request_cbimm=0
#######################
Testing the OCF support
#######################
run "cryptotest",  it should do a short test for a couple of
des packets.  If it does everything is working.
If this works,  then ssh will use the driver when invoked as:
    ssh -c 3des username@host
to see for sure that it is operating, enable debug as defined above.
To get a better idea of performance run:
    cryptotest 100 4096
There are more options to cryptotest,  see the help.
It is also possible to use openssl to test the speed of the crypto
drivers.
    openssl speed -evp des -engine cryptodev -elapsed
    openssl speed -evp des3 -engine cryptodev -elapsed
    openssl speed -evp aes128 -engine cryptodev -elapsed
and multiple threads (10) with:
    openssl speed -evp des -engine cryptodev -elapsed -multi 10
    openssl speed -evp des3 -engine cryptodev -elapsed -multi 10
    openssl speed -evp aes128 -engine cryptodev -elapsed -multi 10
for public key testing you can try:
    cryptokeytest
    openssl speed -engine cryptodev rsa -elapsed
    openssl speed -engine cryptodev dsa -elapsed
#############################
#
# David McCullough
# david_mccullough@mcafee.com
#
#############################
 |