Hardware Cryptography for Kirkwood


Re: Hardware Cryptography for Kirkwood

Postby doomjrjg7 » Thu Feb 28, 2013 6:59 pm

I'm running Kirkwood 3.7-10, latest crypto-dev and openssl-cryptodev-1.0.1.e-3 module and am experiencing some SSL issues.

When I use wget with an https connection, I get the following error:

Code:
Connecting to aur.archlinux.org (aur.archlinux.org)|78.46.78.247|:443... connected.
OpenSSL: error:0606C06E:digital envelope routines:EVP_VerifyFinal:wrong public key type
OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
Unable to establish SSL connection.


With the standard openssl-1.0.1.e-3 package, the file transfer works fine.
doomjrjg7
 
Posts: 1
Joined: Thu Feb 28, 2013 6:42 pm

Re: Hardware Cryptography for Kirkwood

Postby rhester72 » Wed May 01, 2013 4:15 pm

Something isn't clear to me.

Is the only difference between the openssl and openssl-cryptodev packages the inclusion of the cryptodev driver, or is OpenSSL itself also recompiled to use it?

I saw mention earlier in the thread (from over a year ago) that the linux-kirkwood kernel (i.e. the Kirkwood-specific one) includes the cryptodev module, which will conflict with the one in openssl-cryptodev.

If I'm running the Kirkwood-specific kernel, and it includes (and I load) the cryptodev module, will "bare" openssl be accelerated?

Rodney
rhester72
 
Posts: 35
Joined: Tue Apr 30, 2013 4:24 pm

Re: Hardware Cryptography for Kirkwood

Postby rhester72 » Thu May 02, 2013 6:05 pm

Answered my own question - the cryptodev module is part of linux-kirkwood, but openssl-cryptodev is needed to leverage it (i.e. you need both, plus custom configuration for ssh(d), OpenVPN, and anything else you want to use it with...).

Rodney
rhester72
 
Posts: 35
Joined: Tue Apr 30, 2013 4:24 pm

Re: Hardware Cryptography for Kirkwood

Postby moonman » Fri May 03, 2013 5:08 am

1) You don't need linux-kirkwood package specifically, the linux package has the cryptodev module as well.

2) You need to load the module at boot:
Code:
echo "cryptodev" > /etc/modules-load.d/cryptodev.conf

or manually with "modprobe cryptodev"

3) You do need the openssl-cryptodev package, as it is compiled with cryptodev support. No special configuration is required for other applications, as they are all linked to openssl, which makes use of cryptodev.
Pogoplug V4 | GoFlex Home | Raspberry Pi B 512 | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | |[armv5] How to install my.pogoplug.com service | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada

Re: Hardware Cryptography for Kirkwood

Postby devr » Mon May 06, 2013 11:58 pm

Curious if anything has changed recently? On a tonidoplug2:

# uname -a
Linux slim 3.8.11-1-ARCH #1 PREEMPT Fri May 3 00:46:39 UTC 2013 armv5tel GNU/Linux
# pacman -Qi openssl-cryptodev
Name : openssl-cryptodev
Version : 1.0.1.e-3
# lsmod
Module Size Used by
cryptodev 30534 0

yet following a self-signed cert how-to I see the following:
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature verification error
3066545360:error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:a_verify.c:154:
devr
 
Posts: 87
Joined: Wed May 11, 2011 12:22 am

Re: Hardware Cryptography for Kirkwood

Postby moonman » Thu Jul 11, 2013 11:58 pm

There is a typo in the instructions on the first page:

Code:
echo '"KERNEL=="crypto", MODE="0666"' > /etc/udev/rules.d/99-cryptodev.rules


should be:

Code:
echo 'KERNEL=="crypto", MODE="0666"' > /etc/udev/rules.d/99-cryptodev.rules


There shouldn't be an extra quotation mark in front of KERNEL, otherwise it results in this error:
systemd-udevd[98]: unknown key '"KERNEL' in /etc/udev/rules.d/99-cryptodev.rules:1
and some things don't work (for me yaourt wouldn't work)

EDIT: nvm, yaourt -Suya still doesn't work.
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada
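
The hand-written udev rule and the boot-time module entry discussed in the posts above can be checked statically before a reboot. The script below is an added example, not part of any post in this thread; the function names are hypothetical, the rule grammar is simplified, and the sample files are constructed copies of the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# paths are arguments so the checks can run on copies of the files.

# One udev key/operator/"value" pair (simplified: no escapes or continuations).
PAIR='[A-Z_]+(\{[^}]*\})?[[:space:]]*(==|!=|\+=|-=|:=|=)[[:space:]]*"[^"]*"'

# Succeeds only if every non-comment line of FILE is a comma-separated list
# of such pairs. The stray quote in '"KERNEL==...' makes that line fail.
udev_rules_ok() {
    [ -r "$1" ] || return 2
    ! grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Evq "^[[:space:]]*$PAIR([[:space:]]*,[[:space:]]*$PAIR)*[[:space:]]*\$"
}

# Prints the MODE that FILE assigns to the node matched by KERNEL=="crypto".
crypto_node_mode() {
    sed -n 's/^[[:space:]]*KERNEL=="crypto".*MODE="\([0-7]*\)".*/\1/p' "$1" | tail -n 1
}

# Succeeds if the octal MODE grants write access to users outside owner and group.
mode_world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# Succeeds if a *.conf file in DIR (modules-load.d layout) lists MODULE on its own line.
module_autoloaded() {
    grep -qsx "[[:space:]]*$2[[:space:]]*" "$1"/*.conf
}

# Demo on constructed copies of the lines quoted in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '"KERNEL=="crypto", MODE="0666"' > "$demo/typo.rules"
printf '%s\n' 'KERNEL=="crypto", MODE="0666"' > "$demo/fixed.rules"
echo cryptodev > "$demo/cryptodev.conf"
for f in typo fixed; do
    if udev_rules_ok "$demo/$f.rules"; then echo "$f.rules: syntax ok"
    else echo "$f.rules: malformed rule line"; fi
done
mode=$(crypto_node_mode "$demo/fixed.rules")
if mode_world_writable "$mode"; then
    echo "/dev/crypto mode $mode: writable by every local user"
fi
if module_autoloaded "$demo" cryptodev; then echo "cryptodev is loaded at boot"; fi
```

On a real system the arguments would be `/etc/udev/rules.d/99-cryptodev.rules` and `/etc/modules-load.d`.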

Re: Hardware Cryptography for Kirkwood

Postby nicebloom » Thu Jul 18, 2013 12:04 pm

This leads to DATA CORRUPTION in memory.
At least for me.
It also happens with mv_cesa for doing HW accelerated filesystem stuff.
Don't use it on recent kernels! It will also stop you from using OpenSSL in some cases, for example aur...

See for example: http://forum.doozan.com/read.php?2,5560,6084#msg-6084

I have recreated my install 10 times before I discovered this problem. First I concluded the USB stick in use was faulty, but it isn't.
nicebloom
 
Posts: 6
Joined: Fri Jan 06, 2012 10:18 pm

Re: Hardware Cryptography for Kirkwood

Postby moonman » Tue Dec 17, 2013 12:35 am

Just FYI to everybody following this thread: openssl-cryptodev has been fixed and works as expected now. Please open a different thread if you have any questions or problems.
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada
