Utilize CAAM hardware cryptographic engine CESA co-processor

[Hedda]

Hope it is OK if I add this request for tracking here:

i.MX 6 SoC contain CAAM (Cryptographic Acceleration and Assurance Module) hardware engine supporting ARM's TrustZone can be used to hardware accelerate cryptographic decryption decipher and encryption cipher.

Best real-world examples to advantage of hardware accelerators for this on XBMC's Linux distros are transparently using it for dependent libraries like OpenSSL, OpenSSH, GnuTLS, dm-crypt, kcryptd, dm-mod, and/or luks via cryptodev library API

http://cryptodev-linux.org (Comparisons: http://cryptodev-linux.org/comparison.html )

Utilize hardware cryptographic engine CESA co-processor for hardware acceleration encryption / decryption crypto and ciphers calculations tasks such as SSL, SCP, SSH, AES, TLS, DES, 3DES, SHA-1, MD5, hashes, dm-crypt, luks, etc. (such as hardware decryption with OpenSSL, OpenSSH, and GnuTLS libraries via CryptoDev to offload cryptographic tasks from CPU and therefore every dependency module that XBMC utilizes which support CryptoDev cryptographic accelerator drivers via /dev/crypto)

The old CuBox usage example: http://www.solid-run.com/archive/phpbb/viewtopic.php?f=9&t=634

[wolfgar]

Hi Hedda,

I basically totally agree that using crypto hw engine would just be fine.

I have the following remarks :

• I think it is not about TrustZone : Trustzone is a dedicated ARM concept. It is not a crypto engine as it. You should rather think about it as a kind of hypervisor mechanism. Yet there is definitively a crypto engine in imx6 which is called CAAM (Cryptographic Acceleration and Assurance Module) : It does exactly what you want. Linux drivers are available. Yet I do not know if there is a proper integration with standard libraries such as openssl (I think no but I may be over pessimistic...)
• Also it is not about XBMC : You should rather post this request to imx6 distro. Please understand I don't want to be rude and I am very fine speaking about it with you and about keeping this request for exchanges. But proper use of imx6 crypto engine in standard libs has to be tackled at another level...

Kind regards Stéphan

[CrawX]

I agree with @wolfgar, this issue doesn't really belong to xbmc.

Still, I tested CAAM some time ago and ran some benchmarks.

My result was (copied from this particular thread): "So while CAAM could be useful in terms of power-usage (I did not test this), its not very useful for performance (for now...)."

This conclusion only relates to the raw performance figures, I did not include the effort needed to actually get it integrated into applications (which mostly use openssl). IIRC openssl-cryptodev kinda worked but I remember having some problems...

Cheers

[Hedda]

Ok so maybe this request more belongs to upstream kernel and downstream Linux distros then or?

@wolfgar, standard libraries do not have support, instead have to use via cryptodev or NCR API's http://cryptodev-linux.org http://cryptodev-linux.org/ncr.html

[wolfgar]

Hi @CrawX : Thanks for your link and testing. I was definitively too pessimistic : If I understand properly, contrary to 3.0.35 drivers, the 3.10.17 drivers can be used through cryptodev and thus openssl benefits from them. Yet, Your figures are indeed disappointing. At least if it is not about being faster, using caam off loads the CPU which can do something else by the time...

@Hedda : If my understanding is correct, caam drivers are all good in 3.10.17 so it would be only about the distro and packaging cryptodev ...

[piotrasd]

this could by useful for descrabling channels - latest tvheadend with SAT>IP using AES over openssl lib ,less CPU load