doc:hardware:cryptographic.hardware.accelerators

Differences

This shows you the differences between two versions of the page.

doc:hardware:cryptographic.hardware.accelerators [2013/03/25 21:15]
valentt
doc:hardware:cryptographic.hardware.accelerators [2014/10/24 22:19] (current)
nmav
Line 1: Line 1:
 ====== Cryptographic Hardware Accelerators ====== ====== Cryptographic Hardware Accelerators ======
 A Cryptographic Hardware Accelerator can be  A Cryptographic Hardware Accelerator can be 
-  * an [[wp>​Template:​Multimedia_extensions|ISA extension]] like e.g. [[wp>AES instruction set]] and thus integral part of the CPU 
   * integrated into the [[doc:​hardware:​SoC]] as a separate processor, as special purpose CPU (aka Core).   * integrated into the [[doc:​hardware:​SoC]] as a separate processor, as special purpose CPU (aka Core).
   * integrated in a [[wp>​Coprocessor]] on the circuit board   * integrated in a [[wp>​Coprocessor]] on the circuit board
   * contained on a Chip on an extension circuit board, this can be connected to the mainboard via some BUS, e.g. PCI   * contained on a Chip on an extension circuit board, this can be connected to the mainboard via some BUS, e.g. PCI
 +  * an [[wp>​Template:​Multimedia_extensions|ISA extension]] like e.g. [[wp>AES instruction set]] and thus integral part of the CPU (in that case a kernel driver in not needed)
  
 The purpose is to load off the very computing intensive tasks of encryption/​decryption and compression/​decompression.\\ The purpose is to load off the very computing intensive tasks of encryption/​decryption and compression/​decompression.\\
 As can be seen in this [[wp>AES instruction set]] article, the acceleration is usually achieved by doing certain arithmetic calculation in hardware. As can be seen in this [[wp>AES instruction set]] article, the acceleration is usually achieved by doing certain arithmetic calculation in hardware.
 +
 +When the acceleration is not in the instruction set of the CPU, it is supported via a kernel driver (/​dev/​crypto).
 +There are two drivers offering /dev/crypto in OpenWRT:
 +  * [[https://​github.com/​openwrt/​packages/​tree/​master/​utils/​cryptodev-linux|Cryptodev-linux]] kernel module, which utilizes the Linux kernel crypto drivers
 +  * OCF (OpenBSD Crypto Framework), which utilizes the OpenBSD crypto drivers
 +
 +Both ways result to a /dev/crypto device which can be used by userspace crypto applications (e.g., the ones that utilize openssl or gnutls).
  
 ===== Performance ===== ===== Performance =====
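Review bot: The added sentence "it is supported via a kernel driver (/dev/crypto)" treats the hardware driver and the /dev/crypto interface as one thing, while the two bullets right after it say /dev/crypto is offered by cryptodev-linux or OCF on top of the crypto drivers. Suggest separating the two, for example "the accelerator needs a kernel driver, and userspace reaches it through /dev/crypto, which is offered by one of:". Typos in the added lines: "a kernel driver in not needed" should read "is not needed", and "Both ways result to" should read "Both ways result in". The last added sentence would also be clearer if it said that openssl and gnutls use /dev/crypto only when built with that option, which is what the later "Adding /dev/crypto support to crypto libraries" section configures.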
Line 14: Line 21:
   * you could attach a USB drive to your device and mount a [[doc/​howto/​usb.storage|local filesystem]] like ext3 from it. Then you want to read from and write to this filesystem from the Internet over a secured protocol. Let's use ''​sshfs''​. You would set up a  [[doc:​howto:​sshfs.server]] on your device and a [[doc:​howto:​sshfs.client]] on the other end. Now how fast can you read/write to this with and without Cryptographic Hardware Accelerators. If the other end, the client, is a "fully grown PC" with a 2GHz CPU, it will probably perform fast enough to use the entire bandwidth of your Internet connection. If the server side is some embedded device, with let's say some 400MHz MIPS CPU, it could benefit highly from some integrated (and supported!) acceleration. You probably want enough performance,​ that you can use your entire bandwidth. Well, now go and find some benchmark showing you precisely the difference with enabled/​disabled acceleration. Because you will not be able to extrapolate this information from specifications you find on this page or on the web.   * you could attach a USB drive to your device and mount a [[doc/​howto/​usb.storage|local filesystem]] like ext3 from it. Then you want to read from and write to this filesystem from the Internet over a secured protocol. Let's use ''​sshfs''​. You would set up a  [[doc:​howto:​sshfs.server]] on your device and a [[doc:​howto:​sshfs.client]] on the other end. Now how fast can you read/write to this with and without Cryptographic Hardware Accelerators. If the other end, the client, is a "fully grown PC" with a 2GHz CPU, it will probably perform fast enough to use the entire bandwidth of your Internet connection. If the server side is some embedded device, with let's say some 400MHz MIPS CPU, it could benefit highly from some integrated (and supported!) acceleration. You probably want enough performance,​ that you can use your entire bandwidth. 
Well, now go and find some benchmark showing you precisely the difference with enabled/​disabled acceleration. Because you will not be able to extrapolate this information from specifications you find on this page or on the web.
  
-  * you could want to run an OpenVPN server on your router/​embedded device, instead of using WEP/​WPA/​WPA2. There will be no reading from/​writing to a USB device. Find benchmarks that show you exactly the performance for this purpose. You won't be able to extrapolate this information from other benchmarks.+  * you could want to run an OpenVPN ​or an OpenConnect ​server on your router/​embedded device, instead of using WEP/​WPA/​WPA2. There will be no reading from/​writing to a USB device. Find benchmarks that show you exactly the performance for this purpose. You won't be able to extrapolate this information from other benchmarks.
  
   * think of other practical uses, and find specific benchmarks.   * think of other practical uses, and find specific benchmarks.
  
 +===== Enabling /dev/crypto =====
 +Run ''​make menuconfig''​ and select
  
 +==== With cryptodev-linux ====
 +  * kmod-crypto-core:​ m
 +    * kmod-cryptodev:​ m
  
-===== Examples ===== +==== With OCF ==== 
-==== Soekris vpn1411 ==== +This must not be combined with cryptodev-linux. 
-  * [[http://​www.soekris.com/​vpn1401.htm]]+ 
 +Kernel modules -> Cryptographic API modules 
 +  * kmod-crypto-core
 +    * kmod-crypto-ocf:​ m 
 + 
 +Utilities 
 +  * ocf-crypto-headers:​ m
  
-Run ''​make menuconfig''​ and select 
  
 +===== Adding /dev/crypto support to crypto libraries =====
 Libraries -> SSL Libraries -> SSL
  
   * libopenssl: m   * libopenssl: m
     * Crypto acceleration support: y     * Crypto acceleration support: y
 +  * libgnutls: m
 +    * enable /dev/crypto support: y
 +
 +Note that there are some known issues with [[http://​rt.openssl.org/​Ticket/​Display.html?​id=2770&​user=guest&​pass=guest|openssl'​s /dev/crypto support]].
 +
 +===== Enabling specific hardware driver =====
 +==== Soekris vpn1411 ====
 +  * [[http://​www.soekris.com/​vpn1401.htm]]
 +
 +Run ''​make menuconfig''​ and select
  
 Kernel modules -> Cryptographic API modules Kernel modules -> Cryptographic API modules
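Review bot: Under the new "With cryptodev-linux" heading, kmod-crypto-core and kmod-cryptodev are listed with no menu path, while "With OCF" names "Kernel modules -> Cryptographic API modules" and "Utilities"; add the path for the cryptodev-linux entries so the "Run make menuconfig and select" line can be followed. "This must not be combined with cryptodev-linux." should give the reason in the same sentence (both provide the /dev/crypto device), and the kmod-crypto-core bullet under OCF is missing the ": m" that every other entry carries. libgnutls is added under the existing "Libraries -> SSL Libraries -> SSL" path, which was written for libopenssl; confirm that is where it appears in menuconfig. The openssl known-issues note should summarise the problem in a sentence instead of relying on the ticket link alone. The moved Soekris heading says vpn1411 while its link points to vpn1401.htm; one of the two is a typo worth fixing while the section is being touched.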
Line 37: Line 65:
     * kmod-crypto-des:​ m     * kmod-crypto-des:​ m
     * kmod-crypto-hw-hifn-795x:​ m     * kmod-crypto-hw-hifn-795x:​ m
-    * kmod-crypto-ocf:​ m 
- 
-Utilities 
- 
-  * ocf-crypto-headers:​ m 
-  * openssl-util:​ m 
  
  
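Review bot: The removal of "openssl-util: m" at the end of the Soekris list is not matched by an addition anywhere else in this revision, unlike kmod-crypto-ocf and ocf-crypto-headers, which reappear under "With OCF". If it was dropped on purpose, say so in the edit summary; otherwise list it as an optional utility in the libraries section, since the Performance section asks readers to benchmark with and without acceleration. With the OCF entries gone, the Soekris section now selects kmod-crypto-hw-hifn-795x without saying that one of the two /dev/crypto providers is still required; a one-line pointer to "Enabling /dev/crypto" would close that gap.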
doc/hardware/cryptographic.hardware.accelerators.1364242552.txt.bz2 · Last modified: 2013/03/25 21:15 by valentt