[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

Paul Wouters paul at xelerance.com
Tue Oct 11 15:22:27 EDT 2011

On Tue, 11 Oct 2011, satpal parmar wrote:

> 2. Ping is first thing I am doing after boot up. So no load on CPU of any kind. Ping works fine without
> OCF (and cryptosoft, cryptodev) and H/W driver. In fact I am able to ping with OCF + cryptosoft (see
> log below). Only when I enable H/W accelerator support ping is crashing. So one may conclude driver is
> the culprit. But I am able to do standalone testing of H/W accelerators using drivers, cryptodev and
> cryptotest as mentioned in wiki entry. So my doubt is if the interface for ipsec stack (NETKEY in my
> case) is consistent with h/w driver I am using. I am not very confident of my understanding of ipsec
> (netkey) + OCF + h/w driver intersection and interfaces.

Are you saying it works without cryptodev but not with cryptodev?
cryptodev is the /dev/crypto userland driver to accelerate userland
crypto, and has nothing to do with the OCF kernel accelerated crypto (kinda).

> 3. I am not sure if I correctly understand what you mean when you said I am using OCF or not. I think I
> am using it correctly as mentioned in TI wiki entry. Here is snippet from my config file and log from
> board
> # OCF Configuration
> #

Note that if you need CONFIG_OCF_CRYPTODEV, the patch also patches other parts of the Linux
tree. That is, you cannot just have the CONFIG_OCF_CRYPTODEV as a module.

> a) When I am not using OCF and H/W accelerator which (s/w) crypto library is used by ipsec
> for encryption?

Two answers. For the kernel, either KLIPS (via cryptoapi or when not found via native crypto).
For the userland, openswan uses either NSS (no OCF support AFAIK) or native/openssl (with OCF).

> b) When we have support of both cryptosoft (software emulation of H/W accelerators) and
> H/W accelerators (drivers) how does IPsec choose which one to use? Is it a good practice? Do we have any
> reason to do that?

I believe the HW takes precedence, but I know in the past that was not always the case.
But when there is no klips, it has to go via cryptosoft to netkey to the hardware using native
acceleration, not OCF, if I'm not mistaken.

> c) Do I need cryptosoft or cryptodev when I am using h/w accelerators? AFAIU I do not need cryptosoft
> (why use s/w emulation when I have h/w!). But not sure about cryptodev if it is used by OCF to
> provide interface to IPsec stack.

cryptosoft is used for accelerating kernel crypto (most important - many packets means much crypto).
cryptodev is used to accelerate userland crypto (IPsec IKE) which per tunnel requires a few crypto
operations per hour, so not *that* important. (In fact, having a good entropy device for Diffie-Hellman
is probably more important for speed than the HW acceleration for IKE in userland.)

