[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

satpal parmar systems.satpal at gmail.com
Tue Oct 11 23:36:07 EDT 2011 

Please find my response below.

-SP

On Wed, Oct 12, 2011 at 12:52 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 11 Oct 2011, satpal parmar wrote:
>
>  2. Ping is first thing I am doing after boot up. So no load on CPU of any
>> kind. Ping works fine without
>> OCF (and cryptosoft, cryptodev) and H/W driver. In fact I am able to ping
>> with OCF + cryptosoft (see
>> log below). Only when I enable H/W accelerator support ping is
>> crashing.  So one may conclude driver is
>> the culprit. But I am able to do standalone testing of H/W accelerators
>> using drivers, cryptodev  and
>> cryptotest as mentioned in wiki entry. So my doubt is if the interface
>> for ipsec stack (NETKEY in my
>> case) is consistent with h/w driver I am using. I am not very confident of
>> my understanding of ipsec
>> (netkey) + OCF + h/w driver intersection and interfaces.
>>
>
> Are you saying it works without cryptodev but not with cryptodev?
> cryptodev is the /dev/crypto userland driver to accelerate userland
> crypto, and has nothing to do with the OCF kernel accelerated crypto
> (kinda)


Ok. Let me explain how I see it. There can be  four configuration for
running IPsec on my setup:

     a) No OCF. No cryptosoft, cryptodev patch. Just kernel + Netkey IPsec
stack + Openswan
         (Linux Openswan U2.6.33/K2.6.37(netkey) ). Ping works. I can see
ESP packet using wireshark.

     b) Apply TI OCF patch + H/W driver patch + OCF crypto-tool patch (dated
20100325). Disable H/W drivers.
         Ping works. So I conclude cryptosoft + Ipsec works. Hope this
conclusion is right.

     c) Now enable H/W accelerator drivers but disable cryptosoft (logic
being why use emulation whn i have h/w).
         But ping crash.

     d)  Use both H/w acceleration  + S/W emulation (cryptosoft). I am not
sure what should be the behavior here.

I understand /dev/crypto is userland interface. But I do not see any
userland crypto requirement when I am running IPsec. But now
I remember Pluto is userland and may need it. Not sure. Please confirm. What
would be behavior if it do not find any cryptodev?


>
>  3. I am not sure if I correctly understand what you mean when you said I
>> am using OCF or not. I think I
>> am using it correctly as mention in TI wiki entry. Here is snippet from my
>> config file and log from
>> board
>>
>> # OCF Configuration
>> #
>> CONFIG_OCF_OCF=m
>> # CONFIG_OCF_RANDOMHARVEST is not set
>> CONFIG_OCF_CRYPTODEV=m
>> CONFIG_OCF_CRYPTOSOFT=m
>>
>
> Note that if you need CONFIG_OCF_CRYPTODEV, the patch also patches other
> parts of the linux
> tree. That is, you cannot just have the CONFIG_OCF_CRYPTODEV as a module.

I agree. We got patch from vendor for testing of H/W accelerators using
OCF-linux and crypto-tools. And this testing was successful. Openswan was
not in picture from vendor point of view. I am assuming it will have full
OCF support. I will double check with them. Do Openswan expect anything
specific from OCF. Anyway to confirm what I have?

>
>  a) When I am not using OCF and H/W accelerator which
>> (s/w)crypto library is used by ipsec
>> for encryption ?
>>
>
> Two answers. for the kernel, either KLIPS (via cryptoapi or when not found
> via native crypto)
> For the userland, openswan uses either NSS (no OCF support AFAIK) or
> native/openssl (with OCF
> support).

So for IPsec running on linux kernel I need crypto (algorithm) support in
both kernel and user space. Kernel space is provided by crptoapi which
is already part of kernel (so no OCF required) and in userspace its provided
by NSS. Here I have a query: Will Openswan crib I do not have right (or
expected crypto support either in s/w or H/W) in kernel or userspace?

>
>  b) When we have support of both cryptosoft (software emulation of
>> H/W accelerators)  and
>> H/W accelerators (drivers ) how IPsec choose which one to use? Is it a
>> good practice? Do we have any
>> reason to do that?
>>
>
> I believe the HW takes precedence, but I know in the past that was not
> always the case.
> But when there is no klips, it has to go via cryptosoft to netkey to the
> hardware using native
> acceleration, not OCF, if I'm not mistaken.

Ok. Lets see if David have nay input on this.

>
>  c) Do I need cryptosoft or cryptodev when I am using h/w acclerators?
>> AFAIU I do not need cryptosoft
>> (why use s/w emulation when i have h/w !). But not sure about cryptodev if
>> it is used by OCF  to
>> provide interface to IPsec stack.
>>
>
> cryptosoft is used for accelerating kernel crypto (most important - many
> packets means much crypto)
> cryptodev is used to accelerate userland crypto (IPsec IKE) which per
> tunnel requires a few crypto
> operations per hour, so not *that* important. (in fact, having a good
> entropy device for DiffieHellman
> is probably more important for speed then the HW acceleration for IKE in
> userland)
>
So I conclude I need cryptodev interface for proper working of Openswan.


> Paul
>

-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20111012/16d5a1ba/attachment.html

More information about the Users mailing list