[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

satpal parmar systems.satpal at gmail.com
Wed Oct 12 09:58:58 EDT 2011


On Wed, Oct 12, 2011 at 9:41 AM, David McCullough <david_mccullough at mcafee.com> wrote:

>
> Jivin satpal parmar lays it down ...
> > Please find my response below.
> >
> >
> > -SP
> >
> >
> > On Wed, Oct 12, 2011 at 12:52 AM, Paul Wouters <paul at xelerance.com> wrote:
> >
> >
> >       On Tue, 11 Oct 2011, satpal parmar wrote:
> >
> >
> >
> >               2. Ping is first thing I am doing after boot up. So no load on CPU of any kind.
> >               Ping works fine without OCF (and cryptosoft, cryptodev) and H/W driver. In fact I
> >               am able to ping with OCF + cryptosoft (see log below). Only when I enable H/W
> >               accelerator support ping is crashing. So one may conclude driver is the culprit.
> >               But I am able to do standalone testing of H/W accelerators using drivers,
> >               cryptodev and cryptotest as mentioned in wiki entry. So my doubt is if the
> >               interface for ipsec stack (NETKEY in my case) is consistent with h/w driver I am
> >               using. I am not very confident of my understanding of ipsec (netkey) + OCF + h/w
> >               driver intersection and interfaces.
> >
> >
> >
> >       Are you saying it works without cryptodev but not with cryptodev?
> >       cryptodev is the /dev/crypto userland driver to accelerate userland
> >       crypto, and has nothing to do with the OCF kernel accelerated crypto (kinda)
> >
> >
> > Ok. Let me explain how I see it. There can be four configurations for running IPsec on my setup:
> >
> >      a) No OCF. No cryptosoft, cryptodev patch. Just kernel + Netkey IPsec stack + Openswan
> >          (Linux Openswan U2.6.33/K2.6.37(netkey) ). Ping works. I can see ESP packet using wireshark.
>
>
> yes
>
>
> >      b) Apply TI OCF patch + H/W driver patch + OCF crypto-tool patch (dated 20100325). Disable H/W drivers.
> >          Ping works. So I conclude cryptosoft + Ipsec works. Hope this conclusion is right.
>
>
> yes
>
>
> >      c) Now enable H/W accelerator drivers but disable cryptosoft (logic being why use emulation when I have h/w).
> >          But ping crashes.
>
>
> Ok,  your HW drivers are broken in my opinion.
>
>
> >      d)  Use both H/w acceleration  + S/W emulation (cryptosoft). I am not sure what should be the behavior here.
>
>
> My previous email should clear that up.
>
>
> > I understand /dev/crypto is userland interface. But I do not see any
> > userland crypto requirement when I am running IPsec. But now I remember
> > Pluto is userland and may need it. Not sure. Please confirm. What would be
> > the behavior if it does not find any cryptodev?
>
>
> You do not need cryptodev,  and it is not causing you any problems either
> way.
>
> >               3. I am not sure if I correctly understand what you mean when you said I am
> >               using OCF or not. I think I am using it correctly as mentioned in TI wiki
> >               entry. Here is snippet from my config file and log from board
> >
> >               # OCF Configuration
> >               #
> >               CONFIG_OCF_OCF=m
> >               # CONFIG_OCF_RANDOMHARVEST is not set
> >               CONFIG_OCF_CRYPTODEV=m
> >               CONFIG_OCF_CRYPTOSOFT=m
> >
> >
> >
> >       Note that if you need CONFIG_OCF_CRYPTODEV, the patch also patches other parts of the linux
> >       tree. That is, you cannot just have the CONFIG_OCF_CRYPTODEV as a module.
> >
> > I agree. We got patch from vendor for testing of H/W accelerators using
> > OCF-linux and crypto-tools. And this testing was successful. Openswan was
> > not in picture from vendor point of view. I am assuming it will have full
> > OCF support. I will double check with them. Does Openswan expect anything
> > specific from OCF? Any way to confirm what I have?
> >
> >
> >               a) When I am not using OCF and H/W accelerator which (s/w)crypto library is
> >               used by ipsec for encryption ?
> >
> >
> >
> >       Two answers. for the kernel, either KLIPS (via cryptoapi or when not found via native crypto)
> >       For the userland, openswan uses either NSS (no OCF support AFAIK) or native/openssl (with OCF
> >       support).
> >
> > So for IPsec running on linux kernel I need crypto (algorithm) support in
> > both kernel and user space. Kernel space is provided by cryptoapi which is
> > already part of kernel (so no OCF required) and in userspace it's provided by
> > NSS. Here I have a query: Will Openswan crib if I do not have right (or
> > expected crypto support either in s/w or H/W) in kernel or userspace?
> >
> >
> >               b) When we have support of both cryptosoft (software emulation of H/W
> >               accelerators)  and H/W accelerators (drivers ) how does IPsec choose which one
> >               to use? Is it a good practice? Do we have any reason to do that?
> >
> >
> >
> >       I believe the HW takes precedence, but I know in the past that was not always the case.
> >       But when there is no klips, it has to go via cryptosoft to netkey to the hardware using native
> >       acceleration, not OCF, if I'm not mistaken.
> >
> > Ok. Let's see if David has any input on this.
> >
> >
> >               c) Do I need cryptosoft or cryptodev when I am using h/w accelerators? AFAIU I
> >               do not need cryptosoft (why use s/w emulation when I have h/w !). But not sure
> >               about cryptodev if it is used by OCF  to provide interface to IPsec stack.
> >
> >
> >
> >       cryptosoft is used for accelerating kernel crypto (most important - many packets means much crypto)
> >       cryptodev is used to accelerate userland crypto (IPsec IKE) which per tunnel requires a few crypto
> >       operations per hour, so not *that* important. (in fact, having a good entropy device for DiffieHellman
> >       is probably more important for speed than the HW acceleration for IKE in userland)
> >
> >
> > So I conclude I need cryptodev interface for proper working of Openswan.
>
> No,  cryptodev is optional,  I would leave it out for now.
>
> The 2 options I think you have to choose from are:
>
> 1. use netkey + HW drivers (no cryptodev,  no OCF).
>
>   From what I can see above this is causing a crash for you.  I may be
>   wrong here though as you might be using openswan+cryptoAPI
>   (CONFIG_KLIPS_ALG=y, CONFIG_KLIPS_ENC_CRYPTOAPI=y)
>

No. For some reasons we decided to go with NETKEY. My kernel is KLIPS
virgin hence no KLIPS related flags.  I doubt 'No OCF' is an option for
reasons you mention in your previous mail. From Paul's response I understand
Pluto may be using cryptodev for user land crypto. But not confirmed. (Yessss
it's very confusing!).

>
> 2. use klips + OCF + cryptosoft + HW drivers
>   Not sure you have chosen this option yet,  or if it is what you are
>   using.  At least it's an alternative that may work (given your
>   cryptodev/cryptotest testing worked).

No plans for KLIPS yet. Like to understand the root cause here as we all
agree that my current setup should work as far as support from kernel,
IPsec stack (netkey), OCF, native Cryptoapi, H/W driver goes.

> Cheers,
> Davidm
>
>
> --
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>
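One way to confirm which crypto implementation a NETKEY setup will actually use, as an added example that is not part of the original message: NETKEY requests ESP algorithms from the kernel CryptoAPI by name, and the CryptoAPI hands out the registered implementation with the highest priority, all of which is visible in /proc/crypto. The sample input and its driver and module names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per algorithm, report the /proc/crypto
# entry with the highest priority, i.e. the implementation the kernel
# CryptoAPI (used by NETKEY) selects when asked for that algorithm by name.

# Constructed sample in /proc/crypto layout (trimmed); names are made up.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-hwaccel-example
module       : hwaccel_example
priority     : 300
selftest     : passed

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
selftest     : passed

name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
priority     : 0
selftest     : passed
EOF
}

# crypto_winners [FILE]: prints "algorithm driver module priority selftest"
# for the highest-priority entry of each algorithm; reads stdin without FILE.
crypto_winners() {
    awk -F' *: *' '
        function commit() {
            # Keep the record only if it beats the best priority seen so far.
            if (name != "" && (!(name in best) || prio + 0 > best[name] + 0)) {
                best[name] = prio + 0
                info[name] = driver " " module " " prio " " selftest
            }
            name = driver = module = prio = selftest = ""
        }
        $1 == "name"     { commit(); name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "module"   { module = $2 }
        $1 == "priority" { prio = $2 }
        $1 == "selftest" { selftest = $2 }
        END { commit(); for (n in info) print n, info[n] }
    ' "${1:--}" | sort
}

sample_proc_crypto | crypto_winners   # on the board: crypto_winners /proc/crypto
```

Running it before and after loading the H/W driver module shows whether the accelerator has taken over an algorithm and whether its self-test passed.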