Hardware Cryptography for Kirkwood


Re: Hardware Cryptography for Kirkwood

Postby vlad59 » Tue Apr 03, 2012 9:25 pm

Hi,

Thanks a lot for this post. I installed an ArchLinux especially for it ;).

If it can help I made a graphic to show the gain using these command lines :

openssl speed -elapsed -evp aes-128-cbc
openssl speed -elapsed -evp aes-256-cbc

Here is the graph :
Image

I also made a French howto on my blog : http://blog.slucas.fr/blog/dockstar-archlinux-cryptodev
vlad59
 
Posts: 10
Joined: Tue Apr 03, 2012 9:18 pm

Re: Hardware Cryptography for Kirkwood

Postby vlad59 » Thu Apr 05, 2012 6:27 am

Hi,

I don't know if I'm the only one, but since I migrated to openssl-cryptodev I'm unable to use easy-rsa: I always get an error when using ./build-key-server MyServer, when it's verifying the signature.

I followed this howto : https://wiki.archlinux.org/index.php/OpenVPN

Maybe there are some tricks to apply to openssl.cnf?
vlad59
 
Posts: 10
Joined: Tue Apr 03, 2012 9:18 pm

Re: Hardware Cryptography for Kirkwood

Postby firefoxPL » Thu Apr 05, 2012 6:50 am

Hi, make sure you have the latest release of openssl-cryptodev and openvpn. This was a major issue for me but since the last update it has been resolved. I've generated all necessary certificates for openvpn with easy-rsa and cryptodev enabled - although I didn't test drive openvpn with this setup yet, I've only prepared certs and added the following configuration to my to-do's :) (it's not that critical for me since I have set up all my day-to-day "server needs" on a pogo v3 which for now can't use cryptodev)
Pogo-P24 (new Pogoplug Classic) - ALARM on SATA (mediatomb, netatalk, avahi, time machine, swap, openvpn)
Pogo-E02 (v2 Pink) - ALARM on USB (netatalk, avahi, cryptodev-linux, getting ready for L2TP)
firefoxPL
 
Posts: 65
Joined: Thu Dec 08, 2011 1:49 pm

Re: Hardware Cryptography for Kirkwood

Postby hansarsch » Tue Jun 05, 2012 11:09 am

Hi,

I recently installed cryptodev on my E02 which I mostly use for SSL transfers via sabnzb. To do so I followed the edited instructions in the first post.

However, I see a massive performance DEcrease (from ~2.5 mb/s down to 400 kb/s). The performance test seems OK I guess:

Code:
openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 39330 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 42815 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 256 size blocks: 16261 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 1024 size blocks: 16304 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 8192 size blocks: 3617 aes-128-cbc's in 0.01s

Any ideas why I see this?

So to be able to pinpoint the drop to the cryptodev module I'd want to revert the system back to the previous state, i.e. let it use the conventional openssl package. Unfortunately, I'm not sure how.
Is this as easy as pacman -S openssl to re-install the old package and removing the cryptodev out of modules() in /etc/rc.conf?

Thanks,
HA
hansarsch
 
Posts: 11
Joined: Thu Apr 05, 2012 6:32 am

Re: Hardware Cryptography for Kirkwood

Postby WarheadsSE » Tue Jun 05, 2012 11:41 am

Essentially, yes, but use -Sy to be sure you get the latest copy.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Hardware Cryptography for Kirkwood

Postby lulo » Sun Jun 24, 2012 1:44 am

Code:
lulojs@lulojs-ubuntu:~/Pulpit$ ssh lulo@alarm.dom
lulo@alarm.dom's password:
Last login: Sun Jun 24 02:58:03 2012 from lulojs-ubuntu.dom
[lulo@alarm ~]$ pacman -Ss openssl
Hasło:
core/openssl 1.0.1.c-1
The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
core/openssl-cryptodev 1.0.1.c-1 [zainstalowano]
The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
extra/perl-crypt-openssl-bignum 0.04-7
OpenSSL's multiprecision integer arithmetic
extra/perl-crypt-openssl-random 0.04-7
Interface to OpenSSL PRNG methods
extra/perl-crypt-openssl-rsa 0.28-3
Interface to OpenSSL RSA methods
extra/perl-crypt-ssleay 0.58-4 [zainstalowano]
OpenSSL glue that provides LWP https support
extra/perl-net-ssleay 1.48-2 [zainstalowano]
Perl extension for using OpenSSL
extra/pyopenssl 0.13-1
Python3 wrapper module around the OpenSSL library
extra/python2-pyopenssl 0.13-1
Python2 wrapper module around the OpenSSL library
community/luasec 0.4-3
Lua bindings for OpenSSL library to provide TLS/SSL communication.
community/tls 1.6-4
OpenSSL extension to Tcl
[lulo@alarm ~]$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 63730 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 61937 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 256 size blocks: 47936 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 1024 size blocks: 25261 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 8192 size blocks: 7015 aes-128-cbc's in 0.04s
OpenSSL 1.0.1c 10 May 2012
built on: Sat May 12 16:59:54 UTC 2012
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 -Wa,--noexecstack -march=armv5te -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -I/usr/src/linux-3.1.10-10-ARCH -DOPENSSL_NO_TLS1_2_CLIENT -DTERMIO -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 11329.78k 39639.68k 136351.29k 323340.80k 1436672.00k
[lulo@alarm ~]$ openssl speed -elapsed -evp aes-256-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 41774 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 40246 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 34639 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 24992 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 6471 aes-256-cbc's in 3.00s
OpenSSL 1.0.1c 10 May 2012
built on: Sat May 12 16:59:54 UTC 2012
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 -Wa,--noexecstack -march=armv5te -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -I/usr/src/linux-3.1.10-10-ARCH -DOPENSSL_NO_TLS1_2_CLIENT -DTERMIO -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 222.79k 858.58k 2955.86k 8530.60k 17670.14k
[lulo@alarm ~]$ openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
..........+++
........................................................+++
e is 65537 (0x10001)
[lulo@alarm ~]$ openssl req -new -sha1 -x509 -key privkey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
[lulo@alarm ~]$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[lulo@alarm ~]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[lulo@alarm ~]$ cp server.key server.key.org
[lulo@alarm ~]$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[lulo@alarm ~]$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature verification error
1074025680:error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:a_verify.c:148:
[lulo@alarm ~]$

What is wrong??? ...a typical instruction to generate a certificate for Apache ( http://www.akadia.com/services/ssh_test ... icate.html )... for my Iomega Iconnect Wireless...
Any ideas?
lulo
 
Posts: 90
Joined: Mon Nov 28, 2011 1:19 am
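
The two benchmark runs in the post above differ in one flag: without -elapsed, openssl speed divides by user CPU time, which is close to zero when the cipher work is handed to the kernel through cryptodev, so the reported rate is inflated. Added example (not part of the original thread): a parser that recomputes throughput from the "Doing ..." lines and flags runs whose timed interval is far below the requested duration; the function names and the 0.5 threshold are assumptions.

```python
import re

# Four "Doing ..." lines copied from the openssl speed output quoted in the post
# above: the first two come from the run without -elapsed, the last two from the
# run with -elapsed.
SAMPLE = """\
Doing aes-128-cbc for 3s on 16 size blocks: 63730 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 8192 size blocks: 7015 aes-128-cbc's in 0.04s
Doing aes-256-cbc for 3s on 16 size blocks: 41774 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 6471 aes-256-cbc's in 3.00s
"""

LINE_RE = re.compile(
    r"Doing (?P<alg>\S+) for (?P<wanted>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<ops>\d+) \S+ in (?P<timed>[\d.]+)s"
)


def parse_speed(text, min_fraction=0.5):
    """Return one dict per 'Doing ...' line: recomputed rate plus a trust flag."""
    rows = []
    for m in LINE_RE.finditer(text):
        wanted = int(m["wanted"])   # seconds the benchmark was asked to run
        size = int(m["size"])       # block size in bytes
        ops = int(m["ops"])         # cipher operations completed
        timed = float(m["timed"])   # seconds openssl divides by
        # Same formula as the summary table: bytes / timed seconds, in 1000s of bytes.
        rate = ops * size / timed / 1000 if timed > 0 else None
        rows.append({
            "alg": m["alg"], "block": size, "timed_s": timed, "kB_per_s": rate,
            # A timed interval far below the requested one means the divisor was
            # CPU time of an offloaded job, not the wall-clock duration.
            "reliable": timed >= min_fraction * wanted,
        })
    return rows


def report(text):
    """Format the parsed rows, marking the ones that should be re-measured."""
    out = []
    for r in parse_speed(text):
        rate = "n/a" if r["kB_per_s"] is None else f"{r['kB_per_s']:.2f}k"
        note = "" if r["reliable"] else "  <- timed interval too short, rerun with -elapsed"
        out.append(f"{r['alg']} {r['block']:>5} B  {rate:>12}{note}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```
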

Re: Hardware Cryptography for Kirkwood

Postby firefoxPL » Mon Aug 20, 2012 1:53 pm

hansarsch wrote:
Hi,

I recently installed cryptodev on my E02 which I mostly use for SSL transfers via sabnzb. To do so I followed the edited instructions in the first post.

However, I see a massive performance DEcrease (from ~2.5 mb/s down to 400 kb/s). The performance test seems OK I guess:

Code:
openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 39330 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 42815 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 256 size blocks: 16261 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 1024 size blocks: 16304 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 8192 size blocks: 3617 aes-128-cbc's in 0.01s

Any ideas why I see this?

So to be able to pinpoint the drop to the cryptodev module I'd want to revert the system back to the previous state, i.e. let it use the conventional openssl package. Unfortunately, I'm not sure how.
Is this as easy as pacman -S openssl to re-install the old package and removing the cryptodev out of modules() in /etc/rc.conf?

Thanks,
HA


Hi, actually the hardware engine outperforms software AES only for large block sizes (from what I remember starting from 4k+), so if in your case AES is working on smaller blocks then the software solution will give you better throughput, but it will also keep your CPU at high usage, therefore making other threads run slower.
firefoxPL
 
Posts: 65
Joined: Thu Dec 08, 2011 1:49 pm

Re: Hardware Cryptography for Kirkwood

Postby dinjo » Mon Nov 05, 2012 2:37 pm

How does one get the improvement in performance, just install, right? Since the instructions on the 1st page are quite old: I have a Pogoplug Pro, does it work on that too?
dinjo
 
Posts: 258
Joined: Mon Nov 28, 2011 5:59 am

Re: Hardware Cryptography for Kirkwood

Postby WarheadsSE » Mon Nov 05, 2012 5:48 pm

"for Kirkwood"

If you install it on a kirkwood, you would need to install the appropriate openssl-cryptodev & then be sure to load the cryptodev module at boot.

As the title suggests, this will not work on anything other than kirkwoods.
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Hardware Cryptography for Kirkwood

Postby moonman » Wed Nov 14, 2012 12:20 pm

Just an FYI, with systemd the module does not get loaded automatically, so load it at boot:
Code:
echo "cryptodev" > /etc/modules-load.d/cryptodev.conf
Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am
