移植国密密码工具箱GmSSL到i.MX平台Enable GmSSL which supports OSCCA Algorithm Toolbox on i.MX

cancel
Showing results for 
Search instead for 
Did you mean: 

移植国密密码工具箱GmSSL到i.MX平台Enable GmSSL which supports OSCCA Algorithm Toolbox on i.MX

移植国密密码工具箱GmSSL到i.MX平台Enable GmSSL which supports OSCCA Algorithm Toolbox on i.MX

GmSSL is an open source cryptographic toolbox that supports SM2 / SM3 / SM4 / SM9 and other national secret (national commercial password) algorithm, SM2 digital certificate and SM2 certificate based on SSL / TLS secure communication protocol to support the national security hardware password device , To provide in line with the national standard programming interface and command line tools, can be used to build PKI / CA, secure communication, data encryption and other standards in line with national security applications. For more information, please access GmSSL official website http://gmssl.org/english.html.

 

Software environments as the belows:

Linux kernel: imx_4.14.98_2.0.0_ga

cryptodev: 1.9

HW platform: i.MX6UL, i.MX7D/S, i.MX8M/MM, i.MX8QM/QXP.

The patches include the following features:

1, Support SM2/SM9 encryption/decryption/sign/verify/key exchange, RSA encryption/decryption, DSA/ECDSA sign/verify, DH/ECDH key agreement, ECC & DLC & RSA key generation and big number operation and elliptic curve math by CAAM hardware accelerating.

2, run "git apply 0001-Enhance-cryptodev-and-its-engine-in-GmSSL-by-CAAM-s-.patch" under folder sources/poky, and "git apply 0001-Add-public-key-cryptography-operations-in-CAAM-drive.patch" under folder sources/meta-fsl-bsp-release for patch these codes.

3, GmSSL Build command:

$ tar zxvf GmSSL-master-iMX.tgz

cd GmSSL-master-iMX

(For i.MX8M/MM, i.MX8QM/QXP)

source /opt/arm-arch64/environment-setup-aarch64-poky-linux 

$ ./Configure -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHW_ENDIAN_SWAP  --prefix=~/install64 --openssldir=/etc/gmssl --libdir=/usr/lib no-saf no-sdf no-skf no-sof no-zuc -no-ssl3 shared linux-aarch64

$ make 

$ make install                            /*image and config file will be installed to folder ~/install64 */

 

(For i.MX6UL, i.MX7D/S)

$ source /opt/arm-arch32/environment-setup-cortexa7hf-neon-poky-linux-gnueabi

$ ./Configure -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS --prefix=~/install32 --openssldir=/etc/gmssl --libdir=/usr/lib no-saf no-sdf no-skf no-sof no-zuc -no-ssl3 shared linux-armv4

$ make 

$ make install                            /*image and config file will be installed to folder ~/install32 */

 

4, How to use GmSSL:

copy image gmssl to /usr/bin on i.MX board; copy gmssl libcrypto.so.1.1 and libssl.so.1.1 to /usr/lib on i.MX board; copy folder etc/gmssl to /etc/ on i.MX board. copy test examples (dhtest, dsatest, rsa_test, ecdhtest, ecdsatest, eciestest, sm3test, sms4test, sm2test, sm9test) under GmSSL-master-iMX/test  to U disk for running.

You can run test examples by the following commands:

#insmod /lib/modules/4.14.98-imx_4.14.98_2.0.0_ga+g5d6cbeafb80c/extra/cryptodev.ko

#/run/media/sda1/dhtest
#/run/media/sda1/dsatest
#/run/media/sda1/rsa_test
#/run/media/sda1/ecdhtest
#/run/media/sda1/ecdsatest
#/run/media/sda1/eciestest
#/run/media/sda1/sm3test
#/run/media/sda1/sms4test
#/run/media/sda1/sm2test
#/run/media/sda1/sm9test

and speed test commands:

#gmssl speed sm2
#gmssl genrsa -rand -f4 512
#gmssl speed dsa
#gmssl genrsa -rand -f4 1024
#gmssl speed rsa
#gmssl genrsa -rand -f4 2048
#gmssl speed ecdsa
#gmssl genrsa -rand -f4 3072
#gmssl speed ecdh
#gmssl genrsa -rand -f4 4096

 

++++++++++++++++++++++++++++     updating at 2019-09-10   +++++++++++++++++++++++++++++++++++++++++++++

0001-fix-the-bug-which-hash-and-cipher-key-don-t-use-DMA-.patch fix the issue which dismatching on key buffer between crytodev and caam driver. Crytodev uses stack's buffer for key storage and caam driver use it to dma map which cause flush cache failure. The patch need to apply on cryptodev-module in Yocto build.

 

++++++++++++++++++++++++++++     updating at 2019-10-14   +++++++++++++++++++++++++++++++++++++++++++++

This updating is for China C-V2X application. The package meta-cv2x_4.14.98_2.0.0_ga.tgz is Yocto layer which bases on GmSSL and Cryptodev. I add HW SM2 verification by dedicated CAAM job descriptor and enhanced SW SM2 verification by precomputed multiples of generator and ARMv8 assembler language to accelerate point  operation. 

Software environments as the belows:

Linux kernel: imx_4.14.98_2.0.0_ga

cryptodev: 1.9

HW platform: i.MX8M/MM/MN, i.MX8QM/QXP.

How to build:

1, decompress meta-cv2x_4.14.98_2.0.0_ga.tgz and copy meta-cv2x to folder (Yocto 4.14.98_2.0.0_ga dir)/sources/

2, Run DISTRO=fsl-imx-wayland MACHINE=imx8qxpmek source fsl-setup-release.sh -b build-cv2x and add BBLAYERS += " ${BSPDIR}/sources/meta-cv2x " into (Yocto 4.14.98_2.0.0_ga dir)/build-cv2x/conf/bblayers.conf and  IMAGE_INSTALL_append += " gmssl-bin "  into local.conf

3, Run bitbake fsl-image-validation-imx.

4, You can find cv2x-verify.c under (build dir)/tmp/work/aarch64-poky-linux/cryptodev-tests/1.9-r0/git/tests. It is example for using CAAM cryptdev interface to do C-V2X verification (includes SM2 p256, NIST p256 and brainpoolP256r1).  cv2x_benchmark.c under (build dir)/tmp/work/aarch64-poky-linux/gmssl/1.0-r0/gmssl-1.0/test is the benchmark test program of C-V2X verifying. It includes HW, SW and HW+SW(one CPU) verifying for SM2 p256, NIST p256 and brainpoolP256r1.

5, Run the below command on your i.MX8QXP MEK board.

modprobe cryptodev

./cv2x_benchmark

Note: the udpated GmSSL also support projective coordinates and affine coordinates (CAAM only support affine coordinates). Affine coordinates is used by default. You can call EC_GROUP_set_coordinates() and EC_GROUP_restore_coordinates() to change coordinates and restore default. When you hope to use some EC APIs under expected coordinates, you need to call EC_GROUP_set_coordinates() before EC APIs and EC_GROUP_restore_coordinates() after them. Like the below example:

orig_coordinate = EC_GROUP_set_coordinates(EC_PROJECTIVE_COORDINATES);
group = EC_GROUP_new_by_curve_name(NID_sm2p256v1);
EC_GROUP_restore_coordinates(orig_coordinate);

Attachments
Comments

Attach performance data based on 1xA35 CPU + CAAM

./cv2x_benchmark

C-V2X BPp256r1 benchmark pre-start: sign message


C-V2X BPp256r1 SW verify benchmark:
C-V2X BPp256r1 SW verify benchmark: 5000 messages took 18.000000 second
C-V2X BPp256r1 SW verify benchmark: Average 277.78 verification/second with verification failures: 0


C-V2X BPp256r1 HW verify benchmark:
C-V2X BPp256r1 HW verify benchmark: 5000 messages took 8.000000 second
C-V2X BPp256r1 HW verify benchmark: Average 625.00 verification/second with verification failures: 0


C-V2X BPp256r1 HW+SW verify benchmark:
C-V2X BPp256r1 HW+SW verify benchmark: 10000 messages took 10.000000 second
C-V2X BPp256r1 HW+SW verify benchmark: Average 1000.00 verification/second with verification failures: 0


C-V2X NISTp256 benchmark pre-start: sign message


C-V2X NISTp256 SW verify benchmark:
C-V2X NISTp256 SW verify benchmark: 5000 messages took 5.000000 second
C-V2X NISTp256 SW verify benchmark: Average 1000.00 verification/second with verification failures: 0


C-V2X NISTp256 HW verify benchmark:
C-V2X NISTp256 HW verify benchmark: 5000 messages took 6.000000 second
C-V2X NISTp256 HW verify benchmark: Average 833.33 verification/second with verification failures: 0


C-V2X NISTp256 HW+SW verify benchmark:
C-V2X NISTp256 HW+SW verify benchmark: 10000 messages took 6.000000 second
C-V2X NISTp256 HW+SW verify benchmark: Average 1666.67 verification/second with verification failures: 0


C-V2X SM2p256 benchmark pre-start: sign message


C-V2X SM2p256 SW verify benchmark:
C-V2X SM2p256 SW verify benchmark: 5000 messages took 4.000000 second
C-V2X SM2p256 SW verify benchmark: Average 1250.00 verification/second with verification failures: 0


C-V2X SM2p256 HW verify benchmark:
C-V2X SM2p256 HW verify benchmark: 5000 messages took 7.000000 second
C-V2X SM2p256 HW verify benchmark: Average 714.29 verification/second with verification failures: 0


C-V2X SM2p256 HW+SW verify benchmark:
C-V2X SM2p256 HW+SW verify benchmark: 10000 messages took 5.000000 second
C-V2X SM2p256 HW+SW verify benchmark: Average 2000.00 verification/second with verification failures: 0
C-V2X benchmark test passed

你可以在meta-cv2x_4.14.98_2.0.0_ga.tgz里找到patch。解压后的路径是meta-cv2x/recipes-cv2x-kit/cryptodev/files

you can find all patches in meta-cv2x_4.14.98_2.0.0_ga.tgz . Pleas decompress it and path is meta-cv2x/recipes-cv2x-kit/cryptodev/files.

谢谢,还有我想问下imx6ul可以通过openssl或者gmssl,利用caam实现sm2或者其他国密算法加解密吗

请看蓝色的字 (For i.MX6UL, i.MX7D/S) 部分,之前的gmssl版本已经支持6ul,同时也支持用CAAM加速SM2/SM9国密算法。不过SM3/4还是软件。

please look at the section (For i.MX6UL, i.MX7D/S) ,6ul already support GmSSL with SM2/9. But for SM3/4, they are pure software yet. 

非常感谢,我有认真看过您写的内容,不过我打完0001-Enhance-cryptodev-and-its-engine-in-GmSSL-by-CAAM-s-.patch和0001-Add-public-key-cryptography-operations-in-CAAM-drive.patch,这两个补丁之后,执行"gmssl speed sm2"会出错pastedImage_1.png

Version history
Revision #:
3 of 3
Last update:
a week ago
Updated by:
 
Contributors