LayerscapeのトピックRe: Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB

Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB

figure-it-out — Thu, 09 Apr 2026 11:29:52 GMT

Overview

I am attempting to offload RSA operations to the integrated CAAM (Security Engine 5.4) on an LS1046ARDB platform. While symmetric hardware acceleration is functional, I am unable to access asymmetric (RSA) capabilities from user-space via OpenSSL.
System Environment

Hardware: LS1046ARDB (LS1046A Quad-core ARM Cortex-A72).

Software: Custom Linux based on LSDK 25.06 (Kernel 5.x/6.x).

Interface Goal: OpenSSL 3.x using the AF_ALG interface (avoiding DPDK and legacy cryptodev-linux).

Current Progress & Verification

The kernel appears to recognize the PKC (Public Key Cryptography) unit, as shown in dmesg:

caam 1700000.crypto: caam pkc algorithms registered in /proc/crypto driver : rsa-caam is present in /proc/crypto

The Roadblocks
1. Kernel Configuration (Kconfig) Issues

I am unable to enable CONFIG_CRYPTO_USER_API_AKCIPHER=y.

It does not appear in menuconfig.

Manual entry in .config is overwritten during the build process.

Requirement: What are the exact hidden dependencies (selects/depends on) required to expose the Asymmetric Key Cipher User API?

2. Driver & Hardware Specifics

Is CONFIG_CRYPTO_DEV_FSL_CAAM_PKC the definitive driver for LS1046A RSA offloading, and are there known regressions in recent LSDK versions for this SoC?

Are there mandatory Device Tree (DTS) nodes or properties required for the PKC unit specifically, beyond the standard CAAM and Job Ring nodes?

3. OpenSSL 3.x Integration

How should OpenSSL 3.x be configured to utilize rsa-caam via AF_ALG?

I am looking for a working openssl.conf snippet or initialization steps that bridge the OpenSSL Provider/Engine to the CAAM asymmetric backend without relying on the DPDK stack.

Summary of Questions

Which Kconfig symbols must be enabled to make CONFIG_CRYPTO_USER_API_AKCIPHER selectable?

Are there specific DTS requirements for the CAAM PKC module on the LS1046A?

What is the recommended path for OpenSSL 3.x to consume rsa-caam (AF_ALG vs. a specific NXP Provider)?

LSDK version 25.06

Re: Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB

yipingwang — Mon, 27 Apr 2026 02:56:30 GMT

I just got confirmation from the AE team.

Currently Linux kennel doesn't support asymmetric API via AF_ALG.

https://www.kernel.org/doc/html/latest/crypto/userspace-if.html

The kernel crypto API is accessible from user space. Currently, the following ciphers are accessible:
Message digest including keyed message digest (HMAC, CMAC)
Symmetric ciphers
AEAD ciphers
Random Number Generators

Re: Enabling CAAM RSA Hardware Offload via User-Space (AF_ALG) on LS1046ARDB

figure-it-out — Mon, 27 Apr 2026 03:58:13 GMT

Thanks for the confirmation regarding AF_ALG. Since the kernel's akcipher interface is currently restricted, I am looking for the officially recommended alternative to offload RSA to the rsa-caam driver.

cryptodev-linux: Is the /dev/crypto interface via cryptodev-linux still the standard path for RSA offloading in LSDK 25.06?
OpenSSL Provider/Engine: Does NXP provide a native OpenSSL 3.x Provider for LS1046A that communicates with the CAAM Job Rings directly (bypassing AF_ALG)?
Performance: If using cryptodev, are there known bottlenecks compared to a direct engine implementation?

My goal is to achieve RSA-2048/4096 offloading from user-space OpenSSL by any supported means.