search

vschagen / mt7628-aes

33 stars 24 forks source link

Engine not used with latest OpenWrt snapshot (w. openssl v1.1.1) #5

Open knoelli opened 5 years ago

knoelli commented 5 years ago

Hi,

I recently stumbled upon your module and tried to implement it in the snapshot version of OpenWrt for my Netgear R6120 which is equiped with a MediaTek MT7628an CPU.

I set up the build system and added your engine as a custom package. I also made sure to enable hardware support for the openssl library, but things are a little bit different due to OpenWrt having upgraded openssl to v1.1.1 in the latest snapshot.

Compilation and installation were no problem, the crypto module is initialized on bootup:

root@OpenWrt:~# dmesg | grep crypt
[   13.769493] cryptodev: driver 1.10 loaded.
[   13.851929] mtk-aes 10004000.crypto: HW verson: 04
[   13.861542] mtk-aes 10004000.crypto: IRQ 21 assigned to handler
[   13.873314] mtk-aes 10004000.crypto: TX Ring : 031E5000
[   13.883695] mtk-aes 10004000.crypto: RX Ring : 033FE000
[   13.894061] mtk-aes 10004000.crypto: Rec Ring : 031E8000
[   13.904602] mtk-aes 10004000.crypto: Register: cbc(aes)
[   13.959344] mtk-aes 10004000.crypto: Register: ecb(aes)
[   13.969995] mtk-aes 10004000.crypto: Initialized.

The hardware acceleration is available according to /proc/crypto: [shortened]

root@OpenWrt:~# cat /proc/crypto
name         : ecb(aes)
driver       : ecb(aes-generic)
module       : ecb
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
geniv        : <default>

name         : ecb(aes)
driver       : ecb-aes-mt7628
module       : crypto_hw_mtk_aes
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
geniv        : <default>

name         : cbc(aes)
driver       : cbc-aes-mt7628
module       : crypto_hw_mtk_aes
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : ecb(cipher_null)
driver       : ecb-cipher_null
module       : crypto_null
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 0
max keysize  : 0
ivsize       : 0
geniv        : <default>

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 10
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

OpenSSL uses the /dev/crypto engine:

root@OpenWrt:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
     [ unavailable ]
(devcrypto) /dev/crypto engine
     [ available ]

but it doesn't list any supported ciphers there...

Additional information from openssl about the cyphers and digest supported:

root@OpenWrt:~# openssl engine -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, CIOCGSESSION (session open call) failed
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, CIOCGSESSION (session open call) failed
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, CIOCGSESSION (session open call) failed
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb-aes-mt7628 (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb-aes-mt7628 (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb-aes-mt7628 (software)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=md5-generic (software), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=unknown. CIOCGSESSION (session open) failed
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-generic (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-generic (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=unknown. CIOCGSESSION (session open) failed

[Success]: DUMP_INFO

As a result, benchmarks are comparable to those I had before:

root@OpenWrt:~# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 681895 aes-256-cbc's in 2.05s
Doing aes-256-cbc for 3s on 64 size blocks: 190770 aes-256-cbc's in 1.92s
Doing aes-256-cbc for 3s on 256 size blocks: 37423 aes-256-cbc's in 1.42s
Doing aes-256-cbc for 3s on 1024 size blocks: 15586 aes-256-cbc's in 2.36s
Doing aes-256-cbc for 3s on 8192 size blocks: 956 aes-256-cbc's in 1.20s
Doing aes-256-cbc for 3s on 16384 size blocks: 803 aes-256-cbc's in 2.00s
OpenSSL 1.1.1c  28 May 2019
built on: Fri Jul 12 14:12:01 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr)
compiler: mipsel-openwrt-linux-musl-gcc -fPIC -pthread -mabi=32 -Wa,--noexecstack -Wall -O3 -pipe -mno-branch-likely -mips32r2 -mtune=24kc -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc       5322.11k     6359.00k     6746.68k     6762.74k     6526.29k     6578.18k

As I mentioned before, I think this might be related due to the update of openssl to v1.1.1, however, I can't just use the stable version of OpenWrt 18.06 (which still uses openssl 1.0.4), as that version does not yet support my Netgear router.

Azq2 commented 3 years ago

New cryptodev requires CRYPTO_ALG_KERN_DRIVER_ONLY flag for HW acceleration.

You need manualy add CRYPTO_ALG_KERN_DRIVER_ONLY to cra_flags.

Or try this PR: https://github.com/vschagen/mt7628-aes/pull/7