Re: [Cryptodev-linux-devel] Question regarding cryptodev using hardware acceleration for FIPS validation

2017-02-02 Thread Chirag Shahani 
The accelerated algo. is in use when the code is run on a h/w box which has
the C2xxx SoC with QAT 1.5.

*O/p from /proc/crypto*:

name : authenc(hmac(sha512),cbc(des3_ede))
driver   : icp_qat_des3_cbc_sha512_hmac
module   : icp_qat_netkey
priority : 4001
refcnt   : 1
selftest : passed
type : aead
async: yes
blocksize: 8
ivsize   : 8
maxauthsize  : 64
geniv: 




*Now, in case where the code in run on linux box:*name :
authenc(hmac(sha256),cbc(aes))
driver   : authenc(hmac(sha256-generic),cbc(aes-asm))
module   : authenc
priority : 2000
refcnt   : 9
selftest : passed
type : aead
async: no
blocksize: 16
ivsize   : 16
maxauthsize  : 32
geniv: 


I will rephrase my question. I think it was not asked clearly in the
previous email.

So, I have used cryptodev-linux module (http://cryptodev-linux.org/) for
FIPS validation to access the /dev/crypto interface and running user space
code (example under cryptodev-linux-1.8/examples/ ). This took car of the
FIPs validation when the code was running on the linux box as the linux
kernel code did the encrypt decrypt.

I need to do the same FIPS validation on the h/w box which has C2xxx SoC
with QAT 1.5. I am not sure how to access drivers to get o/p for fips
validation for various alogo's.

I was under the impression, using cryptodev-linux module would do it by
detecting the code is run on h/w and the kernel would handoff the
encrypt/decrypt operations to the h/w.

In short, can we use cryptodev-linux module to access C2xxx SoC. or any
other library like cryptodev-linux to access it?

Thank you,
--
Chirag

On Thu, Feb 2, 2017 at 7:39 AM, Phil Sutter  wrote:

> Hi,
>
> On Thu, Feb 02, 2017 at 06:53:55AM -0800, Chirag Shahani wrote:
> > Thanks for your reply.
> >
> > Yes. The QAT 1.5 module is loaded. I verified that by:
> >
> > cat /proc/icp_c2xxx_dev0/version
> > +--+
> > | Hardware and Software versions for device 0
> > |
> > +--+
> > Hardware Version: B0 SKU1
> > Firmware Version:
> > 1.3.0
> > MMP Version:
> > 1.0.0
> > Driver Version:
> > 1.3.0
> > +--+
> >
> > lsmod also shows the o/p, that the driver is loaded.
> > lsmod | grep icp
> > The following is displayed:
> > # icp_qat_netkey 6748 0
> > # icp_qa_al 1334748 2 icp_qat_netkey
> >
> > Also, when I started IPSec traffic, the counters were increasing.
> >
> > How can I confirm that the upstream has support for C2xxx?
> > It would be great if you can point me to the piece of code in upstream
> > which has support for any other acceleration. I can maybe research from
> > there on how can I add support for C2xxx?
>
> To see whether some accelerated algorithm is in use, have a look at
> /proc/crypto (ideally compare before loading the module and after your
> IPsec test). QAT drivers reside within drivers/crypto/qat within Linux
> kernel sources. You might want to have a look if something in there
> supports your engine.
>
> Cheers, Phil
>
___
Cryptodev-linux-devel mailing list
Cryptodev-linux-devel@gna.org
https://mail.gna.org/listinfo/cryptodev-linux-devel

Re: [Cryptodev-linux-devel] Question regarding cryptodev using hardware acceleration for FIPS validation

2017-02-02 Thread Phil Sutter 
Hi,

On Thu, Feb 02, 2017 at 06:53:55AM -0800, Chirag Shahani wrote:
> Thanks for your reply.
> 
> Yes. The QAT 1.5 module is loaded. I verified that by:
> 
> cat /proc/icp_c2xxx_dev0/version
> +--+
> | Hardware and Software versions for device 0
> |
> +--+
> Hardware Version: B0 SKU1
> Firmware Version:
> 1.3.0
> MMP Version:
> 1.0.0
> Driver Version:
> 1.3.0
> +--+
> 
> lsmod also shows the o/p, that the driver is loaded.
> lsmod | grep icp
> The following is displayed:
> # icp_qat_netkey 6748 0
> # icp_qa_al 1334748 2 icp_qat_netkey
> 
> Also, when I started IPSec traffic, the counters were increasing.
> 
> How can I confirm that the upstream has support for C2xxx?
> It would be great if you can point me to the piece of code in upstream
> which has support for any other acceleration. I can maybe research from
> there on how can I add support for C2xxx?

To see whether some accelerated algorithm is in use, have a look at
/proc/crypto (ideally compare before loading the module and after your
IPsec test). QAT drivers reside within drivers/crypto/qat within Linux
kernel sources. You might want to have a look if something in there
supports your engine.

Cheers, Phil

___
Cryptodev-linux-devel mailing list
Cryptodev-linux-devel@gna.org
https://mail.gna.org/listinfo/cryptodev-linux-devel

Re: [Cryptodev-linux-devel] Question regarding cryptodev using hardware acceleration for FIPS validation

2017-02-02 Thread Phil Sutter 
Hi Chirag,

On Tue, Jan 31, 2017 at 10:58:15AM -0800, Chirag Shahani wrote:
[...]
> However, when I running the same user space program on a box which has SoC
> C2000 co-processor (QAT-1.5), I was expecting the code to* NOT *print
> printf("Note: This is not an accelerated cipher\n").
> 
> 
> 
> *if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) {
> printf("Note: This is not an accelerated cipher\n");}*
> 
> Could anyone please let me know what I am missing and what is required to
> make sure the accelerated cipher is used iso of the linux kernel to do the
> encrypt/ decrypt functions.

Looks like you're missing a kernel driver for the crypto engine. Is any
of the qat_* modules loaded? Do you see any accelerated ciphers in
/proc/crypto? I didn't have a closer look, but it looks like upstream
doesn't support the C2xxx series at all.

Cheers, Phil

___
Cryptodev-linux-devel mailing list
Cryptodev-linux-devel@gna.org
https://mail.gna.org/listinfo/cryptodev-linux-devel