LayerscapeのトピックRe: Hardware offloading with OpenSSL-3.0.2

Hardware offloading with OpenSSL-3.0.2

sheikfaaruk — Fri, 29 Jul 2022 09:01:25 GMT

I am working with LS1046ARDB Evaluation Board to develop a network based application. I have started my project with Flex-builder(flexbuild_lsdk2108), Flex-installer(version: 1.13.2108) and Codewarrior IDE.

user@localhost:~$ openssl version -a
openssl: symbol lookup error: openssl: undefined symbol: EVP_mdc2, version OPENSSL_1_1_0
user@localhost:~$

Then i refer below URL to resolve the openssl version 1.1.1 and openssl working well
#https://community.nxp.com/t5/Layerscape/Hardware-Offloading-of-NXP-CAAM-using-OpenSSL-in-LS1046A/m-p/1494462#M1092

user@localhost:~$ openssl version -a
OpenSSL 1.1.1d 10 Sep 2019
built on: Fri May 27 07:03:31 2022 UTC
platform: linux-aarch64
options: bn(64,64) rc4(char) des(int) idea(int) blowfish(ptr)
compiler: aarch64-linux-gnu-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_e
OPENSSLDIR: "/usr/local/lib/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
user@localhost:~$

Now CAAM hardware will offloaded into OpenSSL:

user@localhost:~$ sudo modprobe cryptodev
[sudo] password for user:

user@localhost:~$ ls /dev/crypto
/dev/crypto

user@localhost:~$ openssl engine
(devcrypto) /dev/crypto engine
(dynamic) Dynamic engine loading support

Successfully CAAM hardware was offloanded into Openssl-1.1.1d.

But our project requirement Key-Based key derivation function "SP 800-108 compliant" to achive the function we are using openssl version 3.0
So i refered "9.1.1.2 Manual Build of OpenSSL with Cryptodev Engine Support" from below URL :#https://www.nxp.com/docs/en/user-guide/LSDKUG_Rev21.08.pdf

In that manual we taken git repo of openssl version 3.0.2 by below command with tag option:

$ git clone -b openssl-3.0.2 --single-branch https://source.codeaurora.org/external/qoriq/qoriq-components/openssl

after sudo make command we additional tested "sudo make test" end up with error "30-test_afalg.t (Wstat: 256 Tests: 1 Failed: 1)" and i attach the error log also "openssl_make_test_log.txt".after that "$ sudo make install" done and Openssl-3.0.2 installed successfully

user@localhost:~$ openssl version -a
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
built on: Fri Jul 29 06:49:57 2022 UTC
platform: linux-aarch64
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -I./include
OPENSSLDIR: "/usr/local/lib/ssl"
ENGINESDIR: "/usr/local/lib/engines-3"
MODULESDIR: "/usr/local/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0xbf

Now CAAM hardware will offloaded into OpenSSL:
user@localhost:$ sudo modprobe caam
user@localhost:$ sudo modprobe cryptodev
user@localhost:$ ls /dev/crypto
/dev/crypto
user@localhost:$ openssl engine
(dynamic) Dynamic engine loading support
user@localhost:$

"(devcrypto) /dev/crypto engine" log message not display in console .
OpenSSL Hardware offloading issue is due to following factors,
1. Configuration or linker path is not did correctly
2. OpenSSL 3.0.2 is not supporting the NXP CAAM to get offload

Provide us a neccessary solution to overcome the offloading issue in OpenSSL 3.0.2.

Re: Hardware offloading with OpenSSL-3.0.2

yipingwang — Wed, 03 Aug 2022 08:48:56 GMT

Since OpenSSL is upgraded to 3.0, the command line for "openssl -xxx xxx -x -engine devcrypto" ; must include the string -engine devcrypto.

Please refer to the following.

root@localhost:~/git# cat /proc/interrupts | grep jr
78: 75 0 0 0 GICv2 103 Level 1710000.jr
79: 48 0 0 0 GICv2 104 Level 1720000.jr
80: 0 0 0 0 GICv2 105 Level fsl-jr0
root@localhost:~/git# openssl enc -aes-256-cfb -pbkdf2 -engine devcrypto
Engine "devcrypto" set.
enter AES-256-CFB encryption password:
Verifying - enter AES-256-CFB encryption password:
Error setting cipher AES-256-CFB
C0A6CE97FFFF0000:error:13000092:engine routines:ENGINE_get_cipher:unimplemented cipher:crypto/engine/tb_cipher.c:78:
C0A6CE97FFFF0000:error:03000086:digital envelope routines:evp_cipher_init_internal:initialization error:crypto/evp/evp_enc.c:277:
Segmentation fault
root@localhost:~/git# cat /proc/interrupts | grep jr
78: 101 0 0 0 GICv2 103 Level 1710000.jr
79: 72 0 0 0 GICv2 104 Level 1720000.jr
80: 0 0 0 0 GICv2 105 Level fsl-jr0
root@localhost:~/git#

Re: Hardware offloading with OpenSSL-3.0.2

sheikfaaruk — Tue, 09 Aug 2022 12:12:49 GMT

Thank you for your reply

I offloaded CAAM hardware with OpenSSL version 3.0.2 .Then I tested the openssl in NXP board

Following List of algorithm are tested in NXP board

genpkey

RSA

AES-256-CBC

AES-256-CFB

rand

enc

ecparam SECP256K1

ecparam SECP384R1

ecparam SECP521R1

while offload and test the openssl I getting "Segmentation fault" in NXP board And also I atteach the manual which i followed the steps to installation ,configuration and testing the openssl in nxp board

The think is i have questions about openssl offloading in SEC hardware

While excuting openssl commands i am getting output in .key formate file but it is showing "Segmentation fault" after excuting ever command
is this affect my project because openssl 3.0.2 version which i am currently using for project development ?
what are the crypto algorithm will supported by SEC hardware in openssl 3.0.2 ?

And also guide us for openssl future developemnt

Re: Hardware offloading with OpenSSL-3.0.2

jgelinske — Fri, 01 Sep 2023 13:26:54 GMT

@sheikfaaruk For us upgrading to 3.0.8 resolved the issue (https://github.com/openssl/openssl/issues/17995).