Hardware Cryptography for Kirkwood

Guides written by the community, for the community, and only guides!

Re: Hardware Cryptography for Kirkwood

Postby janus » Fri Feb 24, 2012 11:50 pm

It seems openssl's cryptodev digest support was never operational. You can use the patch at: http://repo.or.cz/w/cryptodev-linux.git/blob/HEAD:/extras/openssl-digests.patch to fix the issue.
janus
 
Posts: 1
Joined: Fri Feb 24, 2012 11:46 pm

Re: Hardware Cryptography for Kirkwood

Postby firefoxPL » Sun Feb 26, 2012 6:36 pm

Hi, thank you for that, I will try that in a few days and I will update the guide, or in case of problems I will change it to include AF_ALG method. I'm moving to a different city and I only have a limited connection to the internet during last few days (and probably few more) therefore it might take me some time.
Pogo-P24 (new Pogoplug Classic) - ALARM on SATA (mediatomb, netatalk, avahi, time machine, swap, openvpn)
Pogo-E02 (v2 Pink) - ALARM on USB (netatalk, avahi, cryptodev-linux, getting ready for L2TP)
firefoxPL
 
Posts: 65
Joined: Thu Dec 08, 2011 1:49 pm

Re: Hardware Cryptography for Kirkwood

Postby devr » Mon Feb 27, 2012 1:03 pm

I can report that that patch really seems to help with my Plug. I was able to compile openssl with the cryptodev module loaded. Openssl no longer segfaults with certs (openssl s_client -showcerts -connect localhost:443). The command to test basic performance gain works well, as seen in other posts ( openssl speed -evp aes-128-cbc ):
Code: Select all
Doing aes-128-cbc for 3s on 16 size blocks: 60174 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 64 size blocks: 34673 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 256 size blocks: 51687 aes-128-cbc's in 0.13s
Doing aes-128-cbc for 3s on 1024 size blocks: 16999 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 8192 size blocks: 6782 aes-128-cbc's in 0.02s


Also in my usage, nginx + openssl are working. I did make some quick hacks to the PKGBUILD file to include that patch. If there is interest, I could see about making it more than just a hack for general usage.

Thank you janus for the info on that patch.
devr
 
Posts: 87
Joined: Wed May 11, 2011 12:22 am

Re: Hardware Cryptography for Kirkwood

Postby Kurlon » Tue Feb 28, 2012 6:59 pm

firefoxPL wrote:9) because udev creates /dev/crypto with only root permitted to read/write to it, normal users can't use the device, this should be handled by apropriate udev rule (unfortunately I don't know how to create one), but in the meantime you can add this to /etc/rc.local
Code: Select all
chmod go+rw /dev/crypto


Code: Select all
[root@alarm ~]# ls -al /dev/crypto
crw-rw---- 1 root root 10, 58 Feb 28 13:56 /dev/crypto
[root@alarm ~]# cd /etc/udev/rules.d/
[root@alarm rules.d]# cat 99-cryptodev.rules
KERNEL=="crypto", MODE="0660"


What are appropriate permissions, as setting group rw just opens it up for people in group root?
Kurlon
 
Posts: 132
Joined: Fri Jan 06, 2012 10:05 pm

Re: Hardware Cryptography for Kirkwood

Postby Kurlon » Wed Feb 29, 2012 12:02 am

I've tweaked a PKGBUILD for openssl, got it pulled into ALARM's repo, then got it kicked out and into a separate package, openssl-cryptodev... So it's in github if you want to save some effort, just pull it down and makepkg/etc, no need to edit/patch anything.

I'll see if I can make a cryptodev PKGBUILD next, and if the ALARM dev team is still talking to me at that point get it accepted as a package?
Kurlon
 
Posts: 132
Joined: Fri Jan 06, 2012 10:05 pm

Re: Hardware Cryptography for Kirkwood

Postby Kurlon » Wed Feb 29, 2012 2:01 am

Kurlon
 
Posts: 132
Joined: Fri Jan 06, 2012 10:05 pm

Re: Hardware Cryptography for Kirkwood

Postby kmihelich » Wed Feb 29, 2012 2:48 am

I've already rolled cryptodev into the kernel package for kirkwood, this is the best way to do things in our multi-platform, multi-kernel ecosystem. After testing is good, you'll see an update to the 'linux' package for kirkwood.

Since enabling cryptodev in openssl change the code to needing it, the previous commit over the existing openssl package in git has been moved into the new openssl-cryptodev package within core. More changes are to come requiring the new kernel so that the package doesn't get used on platforms that don't have the module in the kernel yet. It will conflict with the openssl package, and replace it in whole.
Arch Linux ARM exists and continues to grow through community support, please donate today!
kmihelich
Developer
 
Posts: 1124
Joined: Tue Jul 20, 2010 6:55 am
Location: aka leming #archlinux-arm

Re: Hardware Cryptography for Kirkwood

Postby Kurlon » Wed Feb 29, 2012 4:08 am

Cool, lemmie know how I can help test, my GFN loves it some abuse.
Kurlon
 
Posts: 132
Joined: Fri Jan 06, 2012 10:05 pm

Re: Hardware Cryptography for Kirkwood

Postby firefoxPL » Wed Feb 29, 2012 2:35 pm

Hi, unfortunately the patch don't work for me, I still get the same errors while creating certificates for OpenVPN and after creating them without cryptodev OpenVPN fails to establish new connection (fails on certificate verification). I still need to try AF_ALG - maybe after the weekend.
Pogo-P24 (new Pogoplug Classic) - ALARM on SATA (mediatomb, netatalk, avahi, time machine, swap, openvpn)
Pogo-E02 (v2 Pink) - ALARM on USB (netatalk, avahi, cryptodev-linux, getting ready for L2TP)
firefoxPL
 
Posts: 65
Joined: Thu Dec 08, 2011 1:49 pm

Re: Hardware Cryptography for Kirkwood

Postby firefoxPL » Wed Feb 29, 2012 2:37 pm

Kurlon wrote:What are appropriate permissions, as setting group rw just opens it up for people in group root?

I believe that setting RW permissions for everyone is the way to go for /dev/crypto:
Code: Select all
99-cryptodev.rules
----------------------------------------
KERNEL=="crypto", MODE="0666"


btw. thank you for clearing things up with the udev rules
Pogo-P24 (new Pogoplug Classic) - ALARM on SATA (mediatomb, netatalk, avahi, time machine, swap, openvpn)
Pogo-E02 (v2 Pink) - ALARM on USB (netatalk, avahi, cryptodev-linux, getting ready for L2TP)
firefoxPL
 
Posts: 65
Joined: Thu Dec 08, 2011 1:49 pm

PreviousNext

Return to Community Guides

Who is online

Users browsing this forum: No registered users and 1 guest