Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
openssl speed -evp des-ede3-cbc -engine cryptodev works! thanks Brian. looking for that patch now... 2009/5/19 Patrick Lamaizière patf...@davenulle.org: Le Tue, 19 May 2009 14:25:24 +0100, Brendan Kennedy brendan.kenn...@gmail.com: Agreed! The driver doesn't seem to be getting executed through OpenSSH/OpenSSL for ssh session setup either (it used to work that way on FreeBSD 6.2, I don't know if this feature has been left up to the user to enable in FreeBSD 7.x??). This is a known problem, you must patch openssl to make it work with cryptodev on FreeBSD 7.x (8.x). There are some patchs, but I don't find them right now... Check the PR database and the mailing lists. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
Agreed! The driver doesn't seem to be getting executed through OpenSSH/OpenSSL for ssh session setup either (it used to work that way on FreeBSD 6.2, I don't know if this feature has been left up to the user to enable in FreeBSD 7.x??). thanks for the tools, I'll give them a go. The driver is being accessed properly from 'cryptotest', so I guess that's something. 2009/5/19 Brian Seklecki sekle...@noc.cfi.pgh.pa.us: The openssl speed sub-command is a real PITA: Try: $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3) Also goto /usr/src/tools/tools/crypto/ make Run those utils to extract useful statistics out of the driver's kernel data structures. ~BAS On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote: Hi Brian, Patrick, Thanks for your responses. I agree that it looks like a bug! I'm a bit of a newb to FreeBSD. Where should I go to log this? I ran (as root ;) ) openssl engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support (cryptodev) BSD cryptodev engine [RSA, DSA, DH] It can be seen only PKE functions are being shown as accelerated. 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto' compiled as part of the kernel. I have found another issue here also - although 'openssl engine -c' shows correct accelerated functionality of the hardware driver, running a speed test (e.g. openssl speed des-ede3 -engine cryptodev) does not result in any messages being sent to the driver apart from the initial check for available algorithms. It seems only accelerated PKE functions are run through the driver. It may be that the symmetric functions are being run through the software device driver (cryptosoft)... Could it be down to cryptodev engine being loaded twice in OpenSSL? Or would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not set? Regards, Brendan 2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us: On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote: Hi All, I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results). I have set the following in my GENERIC conf file: What does kldstat(8) / openssl(1) return? % sudo openssl engine (dynamic) Dynamic engine loading support $ openssl engine (cryptodev) BSD cryptodev engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support $ kldstat |egrep -i 'cry|ub' 3 3 0xc0e06000 25b78 crypto.ko 7 1 0xc64c9000 4000 cryptodev.ko 8 1 0xc6546000 a000 ubsec.ko Return? ~BAS device crypto device enc options IPSEC I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1: FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Best Regards, Brendan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org This mail was sent via Mail-SeCure System. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
Le Tue, 19 May 2009 14:25:24 +0100, Brendan Kennedy brendan.kenn...@gmail.com: Agreed! The driver doesn't seem to be getting executed through OpenSSH/OpenSSL for ssh session setup either (it used to work that way on FreeBSD 6.2, I don't know if this feature has been left up to the user to enable in FreeBSD 7.x??). This is a known problem, you must patch openssl to make it work with cryptodev on FreeBSD 7.x (8.x). There are some patchs, but I don't find them right now... Check the PR database and the mailing lists. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
Hi Brian, Patrick, Thanks for your responses. I agree that it looks like a bug! I'm a bit of a newb to FreeBSD. Where should I go to log this? I ran (as root ;) ) openssl engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support (cryptodev) BSD cryptodev engine [RSA, DSA, DH] It can be seen only PKE functions are being shown as accelerated. 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto' compiled as part of the kernel. I have found another issue here also - although 'openssl engine -c' shows correct accelerated functionality of the hardware driver, running a speed test (e.g. openssl speed des-ede3 -engine cryptodev) does not result in any messages being sent to the driver apart from the initial check for available algorithms. It seems only accelerated PKE functions are run through the driver. It may be that the symmetric functions are being run through the software device driver (cryptosoft)... Could it be down to cryptodev engine being loaded twice in OpenSSL? Or would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not set? Regards, Brendan 2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us: On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote: Hi All, I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results). I have set the following in my GENERIC conf file: What does kldstat(8) / openssl(1) return? % sudo openssl engine (dynamic) Dynamic engine loading support $ openssl engine (cryptodev) BSD cryptodev engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support $ kldstat |egrep -i 'cry|ub' 3 3 0xc0e06000 25b78 crypto.ko 7 1 0xc64c9000 4000 cryptodev.ko 8 1 0xc6546000 a000 ubsec.ko Return? ~BAS device crypto device enc options IPSEC I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1: FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Best Regards, Brendan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
The openssl speed sub-command is a real PITA: Try: $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3) Also goto /usr/src/tools/tools/crypto/ make Run those utils to extract useful statistics out of the driver's kernel data structures. ~BAS On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote: Hi Brian, Patrick, Thanks for your responses. I agree that it looks like a bug! I'm a bit of a newb to FreeBSD. Where should I go to log this? I ran (as root ;) ) openssl engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support (cryptodev) BSD cryptodev engine [RSA, DSA, DH] It can be seen only PKE functions are being shown as accelerated. 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto' compiled as part of the kernel. I have found another issue here also - although 'openssl engine -c' shows correct accelerated functionality of the hardware driver, running a speed test (e.g. openssl speed des-ede3 -engine cryptodev) does not result in any messages being sent to the driver apart from the initial check for available algorithms. It seems only accelerated PKE functions are run through the driver. It may be that the symmetric functions are being run through the software device driver (cryptosoft)... Could it be down to cryptodev engine being loaded twice in OpenSSL? Or would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not set? Regards, Brendan 2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us: On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote: Hi All, I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results). I have set the following in my GENERIC conf file: What does kldstat(8) / openssl(1) return? % sudo openssl engine (dynamic) Dynamic engine loading support $ openssl engine (cryptodev) BSD cryptodev engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support $ kldstat |egrep -i 'cry|ub' 33 0xc0e06000 25b78crypto.ko 71 0xc64c9000 4000 cryptodev.ko 81 0xc6546000 a000 ubsec.ko Return? ~BAS device crypto device enc options IPSEC I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1: FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Best Regards, Brendan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org This mail was sent via Mail-SeCure System. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote: Hi All, I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results). I have set the following in my GENERIC conf file: What does kldstat(8) / openssl(1) return? % sudo openssl engine (dynamic) Dynamic engine loading support $ openssl engine (cryptodev) BSD cryptodev engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support $ kldstat |egrep -i 'cry|ub' 33 0xc0e06000 25b78crypto.ko 71 0xc64c9000 4000 cryptodev.ko 81 0xc6546000 a000 ubsec.ko Return? ~BAS device crypto device enc options IPSEC I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1: FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Best Regards, Brendan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
Le Tue, 12 May 2009 19:14:38 +0100, Brendan Kennedy brendan.kenn...@gmail.com: Hi All, Hello, FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Cryptodev fails because it checks that the requested crypto driver provides hardware crypto. function checkforsoftware in cryptodev.c And it does not take care about the sysctl kern.cryptodevallowsoft. Looks like a bug and not a feature. OpenBSD's cryptodev seems to take care about the sysctl and i think you can use the cryptosoft driver with it. Regards. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft
Hi All, I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results). I have set the following in my GENERIC conf file: device crypto device enc options IPSEC I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1: FreeBSD_26# sysctl -a | grep crypto kern.cryptodevallowsoft: 1 However, when I try a test, I get the following: FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des cipher 3des keylen 24 CIOCGSESSION: Invalid argument FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des cipher des keylen 8 CIOCGSESSION: Invalid argument It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is build as part of Opencrypto framework? Do I need to build some other software driver instead? Best Regards, Brendan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org