https://community.nxp.com/t5/i-MX-Processors/Questions-regarding-article-from-KB-about-enhancing-cryptodev/m-p/1451751#M189918 <P>Hi all and&nbsp;@<A href="https://community.nxp.com/t5/user/viewprofilepage/user-id/30869" target="_self"><SPAN class="">xiaodong_zhang</SPAN></A></P><P>I mean this article</P><P><A href="https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/Enhance-cryptodev-and-its-engine-in-OpenSSL-by-CAAM-s-public-key/ta-p/1101000" target="_blank" rel="noopener">Enhance cryptodev and its engine in OpenSSL by CAA... - NXP Community</A></P><P>Is it really supposed to run properly on iMX7D? Article suggests yes, but I have serious problems with it. If iMX7 indeed is not supported, then which iMX variants are really compatible with these patches? I used kernel 5.4. Perhaps I'm doing something wrong, then just confirm it is really OK for iMX7 and that you don't experience issues like these:</P><P>&nbsp;</P><P>Yes, it improves benchmarks noticeably. But we need not only speed improvements, but as well compatible encrypt/decrypt and digest operations to allow interoperation of network nodes using cryptodev and not using cryptodev. I mean `openssl enc` and `openssl enc -d` should be able to decrypt and encrypt files not only when cryptodev is always loaded/ aloways not loaded, bus as well:</P><UL><LI>cryptodev unloaded at encryption time +&nbsp;cryptodev loaded at decryption time</LI><LI><SPAN>cryptodev loaded at encryption time +&nbsp;cryptodev unloaded at decryption time</SPAN></LI><LI><SPAN>openssl dgst should give the same results with cryptodev loaded and unloaded. Hopefully I see no problems with dighests</SPAN></LI><LI><SPAN>`openssl s_client -connect mysite.com:443` should work OK with cryptodev loaded when connecting to different TLS hosts, which are using different certificates and encodings.</SPAN></LI></UL><P>&nbsp;</P><P>My results:</P><P>`openssl s_client`&nbsp; doesn't work properly at all with cryptodev loaded. You may try connecting to <A href="http://www.google.com:443" target="_blank" rel="noopener">www.google.com:443</A>.</P><P>All added OFB and CFB cipher modes are broken. For example using -aes-128-ofb, not possible to decrypt file encrypted with opposite state of cryptodev loaded/unloaded status, like this</P><BLOCKQUOTE><P># modprobe cryptodev</P><P># echo "Abrakadabra" | openssl enc -aes-128-ofb -out file.enc -iter 1</P><P># rmmod cryptodev</P><P># openssl enc -d -aes-128-ofb -in file.enc -iter 1</P><P>&nbsp;</P></BLOCKQUOTE><P>In contrast the same works well replacing -ofb with -ecb, - ctr and others.</P><P>&nbsp;</P><P>Edward</P> Mon, 02 May 2022 09:05:31 GMT kef2 2022-05-02T09:05:31Z https://community.nxp.com/t5/i-MX-Processors/Questions-regarding-article-from-KB-about-enhancing-cryptodev/m-p/1451751#M189918 <P>Hi all and&nbsp;@<A href="https://community.nxp.com/t5/user/viewprofilepage/user-id/30869" target="_self"><SPAN class="">xiaodong_zhang</SPAN></A></P><P>I mean this article</P><P><A href="https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/Enhance-cryptodev-and-its-engine-in-OpenSSL-by-CAAM-s-public-key/ta-p/1101000" target="_blank" rel="noopener">Enhance cryptodev and its engine in OpenSSL by CAA... - NXP Community</A></P><P>Is it really supposed to run properly on iMX7D? Article suggests yes, but I have serious problems with it. If iMX7 indeed is not supported, then which iMX variants are really compatible with these patches? I used kernel 5.4. Perhaps I'm doing something wrong, then just confirm it is really OK for iMX7 and that you don't experience issues like these:</P><P>&nbsp;</P><P>Yes, it improves benchmarks noticeably. But we need not only speed improvements, but as well compatible encrypt/decrypt and digest operations to allow interoperation of network nodes using cryptodev and not using cryptodev. I mean `openssl enc` and `openssl enc -d` should be able to decrypt and encrypt files not only when cryptodev is always loaded/ aloways not loaded, bus as well:</P><UL><LI>cryptodev unloaded at encryption time +&nbsp;cryptodev loaded at decryption time</LI><LI><SPAN>cryptodev loaded at encryption time +&nbsp;cryptodev unloaded at decryption time</SPAN></LI><LI><SPAN>openssl dgst should give the same results with cryptodev loaded and unloaded. Hopefully I see no problems with dighests</SPAN></LI><LI><SPAN>`openssl s_client -connect mysite.com:443` should work OK with cryptodev loaded when connecting to different TLS hosts, which are using different certificates and encodings.</SPAN></LI></UL><P>&nbsp;</P><P>My results:</P><P>`openssl s_client`&nbsp; doesn't work properly at all with cryptodev loaded. You may try connecting to <A href="http://www.google.com:443" target="_blank" rel="noopener">www.google.com:443</A>.</P><P>All added OFB and CFB cipher modes are broken. For example using -aes-128-ofb, not possible to decrypt file encrypted with opposite state of cryptodev loaded/unloaded status, like this</P><BLOCKQUOTE><P># modprobe cryptodev</P><P># echo "Abrakadabra" | openssl enc -aes-128-ofb -out file.enc -iter 1</P><P># rmmod cryptodev</P><P># openssl enc -d -aes-128-ofb -in file.enc -iter 1</P><P>&nbsp;</P></BLOCKQUOTE><P>In contrast the same works well replacing -ofb with -ecb, - ctr and others.</P><P>&nbsp;</P><P>Edward</P> Mon, 02 May 2022 09:05:31 GMT https://community.nxp.com/t5/i-MX-Processors/Questions-regarding-article-from-KB-about-enhancing-cryptodev/m-p/1451751#M189918 kef2 2022-05-02T09:05:31Z