FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft

Brendan Kennedy brendan.kennedy at gmail.com
Tue May 19 13:25:38 UTC 2009


Agreed! The driver doesn't seem to be getting executed through
OpenSSH/OpenSSL for ssh session setup either (it used to work that way
on FreeBSD 6.2, I don't know if this feature has been left up to the
user to enable in FreeBSD 7.x??).

Thanks for the tools, I'll give them a go. The driver is being
accessed properly from 'cryptotest', so I guess that's something.

2009/5/19 Brian Seklecki <seklecki at noc.cfi.pgh.pa.us>:
> The openssl speed sub-command is a real PITA:
>
> Try:
>
>  $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3)
>
> Also go to /usr/src/tools/tools/crypto/ && make
>
> Run those utils to extract useful statistics out of the driver's kernel
> data structures.
>
> ~BAS
>
> On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote:
>> Hi Brian, Patrick,
>>
>> Thanks for your responses. I agree that it looks like a bug! I'm a bit
>> of a newb to FreeBSD. Where should I go to log this?
>>
>> I ran (as root ;) )
>>
>> > openssl engine
>> (padlock) VIA PadLock (no-RNG, no-ACE)
>> (dynamic) Dynamic engine loading support
>> (cryptodev) BSD cryptodev engine
>>                              [RSA, DSA, DH]
>>
>> It can be seen only PKE functions are being shown as accelerated.
>> 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto'
>> compiled as part of the kernel.
>>
>> I have found another issue here also - although 'openssl engine -c'
>> shows correct accelerated functionality of the hardware driver,
>> running a speed test (e.g. openssl speed des-ede3 -engine cryptodev)
>> does not result in any messages being sent to the driver apart from
>> the initial check for available algorithms. It seems only accelerated
>> PKE functions are run through the driver. It may be that the symmetric
>> functions are being run through the software device driver
>> (cryptosoft)...
>>
>> Could it be down to cryptodev engine being loaded twice in OpenSSL? Or
>> would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not
>> set?
>>
>> Regards,
>> Brendan
>>
>>
>> 2009/5/15 Brian A. Seklecki <seklecki at noc.cfi.pgh.pa.us>:
>> > On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
>> >> Hi All,
>> >>
>> >> I'm trying to test a hardware crypto driver, but want to run my tests
>> >> through the software driver first (and possibly use the software
>> >> driver to validate results).
>> >> I have set the following in my GENERIC conf file:
>> >>
>> >
>> > What does kldstat(8) / openssl(1) return?
>> >
>> > % sudo openssl engine
>> > (dynamic) Dynamic engine loading support
>> >
>> > $ openssl engine
>> > (cryptodev) BSD cryptodev engine
>> > (padlock) VIA PadLock (no-RNG, no-ACE)
>> > (dynamic) Dynamic engine loading support
>> >
>> > $ kldstat |egrep -i 'cry|ub'
>> >  3    3 0xc0e06000 25b78    crypto.ko
>> >  7    1 0xc64c9000 4000     cryptodev.ko
>> >  8    1 0xc6546000 a000     ubsec.ko
>> >
>> >
>> > Return?
>> >
>> > ~BAS
>> >
>> >
>> >> device          crypto
>> >> device          enc
>> >> options         IPSEC
>> >>
>> >> I have rebuilt the kernel, rebooted and set the
>> >> kern.cryptodevallowsoft kernel variable to 1:
>> >>
>> >> FreeBSD_26# sysctl -a | grep crypto
>> >> kern.cryptodevallowsoft: 1
>> >>
>> >> However, when I try a test, I get the following:
>> >>
>> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
>> >> cipher 3des keylen 24
>> >> CIOCGSESSION: Invalid argument
>> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
>> >> cipher des keylen 8
>> >> CIOCGSESSION: Invalid argument
>> >>
>> >> It seems the software crypto device is not available. Do I need to do
>> >> any other steps to enable it? Is there another config option that
>> >> makes sure it is built as part of Opencrypto framework? Do I need to
>> >> build some other software driver instead?
>> >>
>> >> Best Regards,
>> >> Brendan
>> >> _______________________________________________
>> >> freebsd-questions at freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>> >
>> >
>
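
Added example (not part of the original thread, and not FreeBSD or OpenSSL code): a shell check for the symptom discussed above, where the `openssl engine -c` listing shows only [RSA, DSA, DH] for cryptodev. It reads the listing on stdin; the sample listing is constructed, and the function names and the treatment of RSA, DSA, DH and RAND as the only non-symmetric capability names are assumptions.

```shell
#!/bin/sh
# Classify what an engine advertises in `openssl engine -c` style output.

# Constructed sample in the layout shown in the thread (not captured from a host).
sample_output() {
cat <<'EOF'
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH]
EOF
}

# engine_caps ID: read a listing on stdin, print ID's capabilities one per line.
engine_caps() {
    awk -v id="($1)" '
        index($0, "(") == 1 { cur = $1; next }   # "(id) description" header line
        cur == id && NF {                        # capability line under our engine
            gsub(/\[|\]/, "")
            gsub(/[ \t]/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }'
}

# classify_engine ID: print one of
#   none               engine absent or lists no capabilities
#   pke-only           only public-key/RNG names are listed
#   symmetric-offered  at least one cipher or digest name is listed
classify_engine() {
    caps=$(engine_caps "$1")
    [ -n "$caps" ] || { echo "none"; return 0; }
    # Assumption: RSA, DSA, DH and RAND are the only non-symmetric names.
    if printf '%s\n' "$caps" | grep -Evq '^(RSA|DSA|DH|RAND)$'; then
        echo "symmetric-offered"
    else
        echo "pke-only"
    fi
}

# Stand-alone run on the constructed sample; on a real host, pipe in
# the output of `openssl engine -c` instead.
sample_output | classify_engine cryptodev
```

A "pke-only" result only describes what the engine advertises to OpenSSL; whether symmetric requests reach the hardware driver still has to be confirmed from the driver side, as in the thread.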

