
Hardware crypto acceleration

xelerance edited this page Feb 4, 2013 · 2 revisions

Hardware Crypto Acceleration

There are two methods for crypto hardware acceleration. The most complete one is the Open Cryptographic Framework (“OCF”), a port of the OpenBSD code. A newer, more native implementation is the CryptoAPI async interface. The latter is still extremely limited: it does not yet have many drivers, nor a rich API for userland. OCF is currently the recommended choice for crypto acceleration.

OCF http://ocf-linux.sourceforge.net/

Supported hardware

  • Hifn
    – Hifn 7951
    – Hifn 7956
  • Safenet
    – SafeXcel 1741
    – SafeXcel 1142
  • Intel
    – IXP465
    – IXP425
    – IXP422
  • Freescale SEC
    – The Talitos driver uses Freescale’s SEC for hardware acceleration.
    – (Paul: I believe this is also the bsec driver used on Linksys WRT54g, AsusWL500g?)
  • PA Semi
    – PA Semi PWRficient DMA Crypto Engine.
  • Intel EP80579
    – Driver for the Intel QuickAssist enabled EP80579 Integrated Processor Product Line
  • PMC Sierra MSP-8520
    – Driver code not in OCF, contact PMC?
  • Cavium
    – Octeon
  • Software
    By using the existing Linux CryptoAPI, the cryptodev software driver provides a fallback mechanism when hardware support is not available. It also allows performance gains on SMP systems and can even help on systems with a small cache or memory (all the common crypto code is in one place, and thus smaller and more cache friendly).

Anything supported by OCF (des, 3des, aes, md5, sha1, …) can be accelerated via OCF if the hardware supports it.

Requires kernel patch

Apply the OCF kernel patch to your kernel and rebuild with OCF support and cryptoapi/async support enabled. Build with modules if you can, especially the cryptosoft driver, as it might otherwise end up taking precedence over your hardware driver.

OCF support in Openswan

Build KLIPS as you normally would, but make sure to enable CONFIG_KLIPS_OCF=y and to disable CONFIG_KLIPS_ALG. You will also need to recompile the userland with HAVE_OCF=yes.
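
The kernel-side settings described above can be checked before a rebuild. The script below is an added example, not part of Openswan or OCF: it lints a kernel .config for the KLIPS/OCF options and flags a built-in cryptosoft driver. CONFIG_OCF_OCF and CONFIG_OCF_CRYPTOSOFT are assumed names for the OCF patch's symbols, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not Openswan's own tooling): lint a kernel .config against
# the advice above. CONFIG_KLIPS_OCF and CONFIG_KLIPS_ALG are named on the page;
# CONFIG_OCF_OCF and CONFIG_OCF_CRYPTOSOFT are assumed OCF-patch symbol names.

# Print y, m or n for a symbol; n covers both "absent" and "# ... is not set".
kconfig_value() {   # $1 = config file, $2 = symbol
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# Print one finding per line; return 0 only when nothing was flagged.
check_klips_ocf() {   # $1 = config file
    cfg=$1
    bad=0
    if [ "$(kconfig_value "$cfg" CONFIG_OCF_OCF)" = n ]; then
        echo "OCF core is not enabled (was the OCF kernel patch applied?)"; bad=1
    fi
    if [ "$(kconfig_value "$cfg" CONFIG_KLIPS_OCF)" != y ]; then
        echo "CONFIG_KLIPS_OCF is not set to y"; bad=1
    fi
    if [ "$(kconfig_value "$cfg" CONFIG_KLIPS_ALG)" != n ]; then
        echo "CONFIG_KLIPS_ALG is still enabled; disable it for OCF builds"; bad=1
    fi
    if [ "$(kconfig_value "$cfg" CONFIG_OCF_CRYPTOSOFT)" = y ]; then
        echo "cryptosoft is built in and may take precedence over the hardware driver; build it as a module"; bad=1
    fi
    return "$bad"
}

# Constructed sample .config fragment with two of the problems described above.
write_sample_config() {   # $1 = output path
    cat > "$1" <<'EOF'
CONFIG_OCF_OCF=m
CONFIG_OCF_CRYPTOSOFT=y
CONFIG_KLIPS=m
CONFIG_KLIPS_OCF=y
CONFIG_KLIPS_ALG=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_klips_ocf "$sample" || echo "=> fix the findings above and rebuild"
rm -f "$sample"
```

To check a real build tree, call check_klips_ocf with the path to its .config. The userland HAVE_OCF=yes setting is a build-time variable and is not covered by this check.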

David: Do we properly attempt to load the OCF modules in startklips/startnetkey?

CryptoAPI / async

OCF can also use these cryptoapi/async drivers via the OCF cryptosoft driver.

OCF supports userland crypto acceleration (e.g. openssl). See the OCF website for more details.

You can also load OCF with the cryptosoft driver and have it use the same hardware at the same time to provide userspace (openssl/openvpn/…) acceleration.

NETKEY is not supported with OCF

CryptoAPI / async acceleration

NETKEY uses the CryptoAPI / async interface. NETKEY cannot use any OCF drivers. However, if there is a CryptoAPI / async driver, the NETKEY stack is accelerated via that. No configuration or recompiling is necessary.

The only HW acceleration that KLIPS can truly take advantage of is OCF, and OCF can be layered on top of cryptoapi or use its own drivers.
KLIPS doesn’t (yet) have full async support via cryptoapi, but it can use cryptoapi to get HW acceleration where the async interface is not required. Some drivers can do this, but most HW acceleration needs you to use the async API.

Supported hardware

Add list from latest kernel here
