[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

Paul Wouters paul at xelerance.com
Fri Oct 14 00:17:05 EDT 2011


On Fri, 14 Oct 2011, satpal parmar wrote:

> Yes, if you want openssl (and openssl linked apps) or openswan's pluto to
> use the drivers (no point for openswan in my opinion).

If the device is an embedded system, and the HW driver can deliver entropy via OCF,
then there is a very good reason to use it!

> If you use klips, OCF is the best way to accelerate it. If you use netkey
> then you do not need OCF at all.

netkey does not split 1 IPsec SA over multiple CPUs. When using 1 single tunnel
with more than 1 CPU's worth of crypto, it will actually be faster to use
KLIPS with OCF and cryptosoft.

You would also need OCF if there is an OCF hardware driver, but no native cryptoapi
or async hardware driver that netkey could use.

> > No plans for KLIPS. My kernel is KLIPS virgin.
> 
> Then you do not need OCF unless you want userspace to use your HW drivers.

Correct.

> Well I was not very lucky. I tried pinging after removing OCF completely. Still getting the same crash.

Guess it means it was not OCF. So very lucky :)

> Also, I may have confused you earlier, I thought you had an OCF driver for
> some reason. I was wrong, it's a cryptoAPI driver that you have and it has
> very little to do with OCF really, except that OCF can use it via cryptosoft ;-)
> 
> So we can conclude our discussion as: The H/W accelerator drivers I am using are based on the 2.6 native crypto API. Since this
> crypto API is designed to be used with the in-kernel IPsec stack Netkey, I do not need anything extra to glue things.
> This arrangement should work on its own. They introduce OCF to test it from userspace using the Openssl/Cryptotest tool, which
> uses Cryptodev.

Yes.

> Cryptosoft does many things; one of them is translation for userland utilities so that they can talk
> with the scatter list based Native Crypto API used to support NETKEY, the default IP stack in the 2.6 kernel.

You mean "cryptodev" here, not "cryptosoft"?

> From my testing we have:
> 
> 1. cryptotest--->cryptodev--->cryptosoft--->Native crypto API--->driver--->H/W accelerator path working.
> 
> 2. Ping--->netkey---->native crypto API---> drivers ----> H/W accelerators path crashing. It's crashing even when I ping
> from another machine to this machine.

That's something for the driver writers or the kernel people....

Paul

