CAAM- En/decrypting data

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CAAM- En/decrypting data

7,318 Views
rashmi
Contributor III

Hi,

     I am triyng to encrypt and decrypt data using aes-256 on i.MX6, from few discussion on i.MX community have found that CAAM can be supported using:

          Crypto API(Scatterlist API).

          use of Openssl with crypto dev engine or AF_ALG family and many other.

I have tried all this but I am not sure whether the CAAM is implemented or not.

Suggestion on:

how to check whether CAAM is been used or not,?

whether CAAM is enabled or not?

Is there any other way to implement CAAM in a better way apart from above mentioned options?

Thanks,

Rashmi

15 Replies

3,753 Views
veeranjaneyulug
Contributor III

Hi all,

I have also same issue .But we are using linux kernel version 3.14.28 with yocto setup .in yocto setup conf/local.conf file .

we added for cryptodev support code

IMAGE_INSTALL_append += " cryptodev-module"

IMAGE_INSTALL_append += " cryptodev-linux"

IMAGE_INSTALL_append += " cryptodev-tests"

By using yocto setup we run below command

$ bitbake cryptodev-module/cryptodev-linux/cryptodev-tests

Above command will generate cryptodev.ko .we inserted cryptodev.ko on target board.

$modprobe cryptodev

caam module loaded.

Run streaming server application on target board

$./test-video &

From client side we run below command

$ gst-launch-1.0 -v rtspsrc location=rtsps://192.168.2.243:8554/test  tls-validation-flags=generic-error user-id=user user-pw=password ! decodebin ! autovideosink

checked cpu performance by using below command

$top

606   585 root S 135m  13%  6% ./test-video
  660 2 root SW   0   0%   1% [kworker/u8:0]
  110 2 root SW   0   0%   0% [kworker/1:1]
  677   585 root R

2820   0%   0% top

CPU % start from 6 .

From flow mentioned below

gstreamer-application=====>libgstsrtp====>libsrtp=====>openssl===>cryptodev====>imx6

But streaming is happend but,How to know whether hardware/software srtp is woking?caam is used  or not ?

Thanks & Regards

veeranjaneyulu

0 Kudos

3,753 Views
Yuri
NXP Employee
NXP Employee

Hello,

to see CAAM activities, please use /proc/interrupts of Linux.

Regards,

Yuri.

0 Kudos

3,753 Views
Yuri
NXP Employee
NXP Employee

The best indicator of CAAM using - performance. It is needed to prepare and compare two systems :

with CAAM support and without it (software cryptodev).

3,753 Views
rashmi
Contributor III

Hi Yuri,

     I have tried executing openssl speed aes-256-cbc  command with two systems one with caam support and one without it, but still the time taken is shown as 3.00 s. This time shown doesn't give me correct answer whether caam is implemented or not. So how do I ensure caam is implemented or not?.

Thanks,

Rashmi

0 Kudos

3,753 Views
Yuri
NXP Employee
NXP Employee

Looks like CAAM is not really used in the case. Note, "We will provide CAAM support on mx6 through openssl in

our 3.10.17-1.0.0 beta release coming out early next year. We are using cryptodev through openssl to access the

CAAM support." Perhaps it makes sense to wait 3.10.17-1.0.0 release.

0 Kudos

3,753 Views
rashmi
Contributor III

Thanks Yuri for the reply,

As my requirement is that I need to encrypt and decrypt at the earliest by implementing CAAM not to wait for next release. So, It would be of great help if you could suggest me on how to encrypt and decrypt data which can implement CAAM capabilities on iMX6 sabre board.

Thanks,

Rashmi.

0 Kudos

3,753 Views
apoorvabhatia
Contributor III

Hi Rashmi,

How were you finally able to make Linux use CAAM using opensssl. It seems I am stuck at a similar problem. Any help if you could provide?

0 Kudos

3,753 Views
Aymen_IRT
Contributor III

Hi Apoorva,

I was able to make linux use CAAM with OpenSSL using the following steps:

0) Ensure that caam driver is loaded either manually or automatically. Make a look at /proc/crypto if you see some crypto algorithms with a priority=3000 and driver name containing the word=caam, that means that you have succeeded in loading your caam driver.

You can test that caam is really working by making a simple linux module using kernel scatterlist API with asynchronous interface and load it. For example, you can make a module to compute a hash with sha1 using kernel crypto API (Linux Kernel Crypto API). Before and after loading your module, take a look at /proc/interrupts, caam_jr value must change.

1) Once you finished your first tests, you have to create a user land interface to kernel crypto API either using cryptodev or AF_ALG sockets. At this level also, you can make some tests using cryptodev or AF_ALG to compute a sha1 digest while keeping caam driver loaded.

2) Add cryptodev or AF_ALG as supported engines to your OpenSSL version and that is it :smileyhappy:

Regards,

Aymen

3,753 Views
apoorvabhatia
Contributor III

Thanks Aymen.

A couple of doubts more which might have a but obvious answer but I am very new to the field so pardon me for the same. :smileyhappy:

See, I am using the sabre_lite board. So basically I was using the iMX6 SDk to build images for the applications and using it on iMX6 on uboot. Now, as you say I need to load the caam driver first. So do I build the SDK CAAM driver module as loadable module and load it or how do I go about it? And secondly how do I load the CAAM driver?

Thanks. :smileyhappy:

0 Kudos

3,753 Views
Aymen_IRT
Contributor III

Hi Apoorva,

I used caam with a nitrogen6x but the procedure is the same for sabrelite.

1) First you need to download a linux kernel providing caam driver. I advise you use to use one of those provided by Boundary. For example, you can use kernel version 3-10-17 from http://boundarydevices.com/mx6-linux-kernel-3-10-17-beta/

2) In your terminal, set the following env variables as follows: "export ARCH=arm; export CROSS_COMPILE=arm-linux-gnueabi-"

3) Then compile your new kernel after selecting caam module:

3-1* do a "make menuconfig" then set your needed kernel configs. For example, you can go to crypto>hardware>caam and select caam driver installation. You can choose to pre-compile caam driver (with Y option) or to compile it as a loadable module called caam.ko (with M option). For more information about module compilation, you can take a look at this link: https://www.kernel.org/doc/Documentation/kbuild/modules.txt 

I really advise to take a moment to learn kernel and modules compilation before going to next steps. It will be really useful for you.

In order to make your kernel recognise the caam hardware, do not forget to add the word caam to your bootargs. The clean way to do it is inside u-boot by updating the bootargs env variable, or inside the 6x_bootscript (if you use a 6x_bootscript). The dirty way of doing it is to look for the caam_enable variable inside the kernel code and set it to 1.

3-2* do a "make uImage" to compile the kernel. The obtained uImage will replace the one you have in your sabrelite rootfs, in the /boot directory.

3-3* depending on your way of compiling caam driver (loadable or not) you may need to add the following command "make modules" and "make modules_install".

4) If you choose to compile caam driver as a loadable module, you will have to look for caam.ko and copy it to your board. Then, you have to load it with the following command: "insmod caam.ko".

I hope that these few steps will help you.

regards,

Aymen

3,753 Views
apoorvabhatia
Contributor III

Thanks Aymen! :smileyhappy:

I have loaded the kernel image with the caam driver. And I get the output related to caam as below. I am able to load the tests of various algos by loading the tcrypt.ko module and I get the various test results. But I am not sure if the results are by using CAAM or without it. I can only check /proc/interrupts either before loading the test module (tcrypt.ko) or after the tests are finished. And on these times, it shows the same value of caam_jr. So I was not sure if CAAM is actually being used.

But can't I activate the tests such that it tests when it is building the image?

This is what I get when I load the image.:

caam caam.0: device ID = 0x0a16010000000000

caam caam.0: job rings = 2, qi = 0

alg: No test for authenc(hmac(md5),cbc(aes)) (authenc-hmac-md5-cbc-aes-caam)

caam caam.0: authenc-hmac-md5-cbc-aes-caam

alg: No test for authenc(hmac(sha1),cbc(aes)) (authenc-hmac-sha1-cbc-aes-caam)

caam caam.0: authenc-hmac-sha1-cbc-aes-caam

alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-caam)

caam caam.0: authenc-hmac-sha224-cbc-aes-caam

alg: No test for authenc(hmac(sha256),cbc(aes)) (authenc-hmac-sha256-cbc-aes-caam)

caam caam.0: authenc-hmac-sha256-cbc-aes-caam

alg: No test for authenc(hmac(md5),cbc(des3_ede)) (authenc-hmac-md5-cbc-des3_ede-caam)

caam caam.0: authenc-hmac-md5-cbc-des3_ede-caam

alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc-hmac-sha1-cbc-des3_ede-caam)

caam caam.0: authenc-hmac-sha1-cbc-des3_ede-caam

alg: No test for authenc(hmac(sha224),cbc(des3_ede)) (authenc-hmac-sha224-cbc-des3_ede-caam)

caam caam.0: authenc-hmac-sha224-cbc-des3_ede-caam

alg: No test for authenc(hmac(sha256),cbc(des3_ede)) (authenc-hmac-sha256-cbc-des3_ede-caam)

caam caam.0: authenc-hmac-sha256-cbc-des3_ede-caam

alg: No test for authenc(hmac(md5),cbc(des)) (authenc-hmac-md5-cbc-des-caam)

caam caam.0: authenc-hmac-md5-cbc-des-caam

alg: No test for authenc(hmac(sha1),cbc(des)) (authenc-hmac-sha1-cbc-des-caam)

caam caam.0: authenc-hmac-sha1-cbc-des-caam

alg: No test for authenc(hmac(sha224),cbc(des)) (authenc-hmac-sha224-cbc-des-caam)

caam caam.0: authenc-hmac-sha224-cbc-des-caam

alg: No test for authenc(hmac(sha256),cbc(des)) (authenc-hmac-sha256-cbc-des-caam)

caam caam.0: authenc-hmac-sha256-cbc-des-caam

caam caam.0: cbc-aes-caam

caam caam.0: cbc-3des-caam

hub 2-1:1.0: USB hub found

hub 2-1:1.0: 3 ports detected

caam caam.0: cbc-des-caam

platform caam_jr.0: registering rng-caam

platform caam_sm.0: caam_sm_test: 8-byte key test match OK

platform caam_sm.0: caam_sm_test: 16-byte key test match OK

platform caam_sm.0: caam_sm_test: 32-byte key test match OK

platform caam_secvio.0: security violation service handlers armed

This I get on loading tcrypt.ko:

# insmod tcrypt.ko sec=1 mode=200

testing speed of ecb(aes) encryption

test 0 (128 bit key, 16 byte blocks): 174761 operations in 1 seconds (2796176 bytes)

test 1 (128 bit key, 64 byte blocks): 134576 operations in 1 seconds (8612864 bytes)

test 2 (128 bit key, 256 byte blocks): 69308 operations in 1 seconds (17742848 bytes)

test 3 (128 bit key, 1024 byte blocks): 23574 operations in 1 seconds (24139776 bytes)

test 4 (128 bit key, 8192 byte blocks): 3199 operations in 1 seconds (26206208 bytes)

test 5 (192 bit key, 16 byte blocks): 170484 operations in 1 seconds (2727744 bytes)

test 6 (192 bit key, 64 byte blocks): 127817 operations in 1 seconds (8180288 bytes)

test 7 (192 bit key, 256 byte blocks): 62334 operations in 1 seconds (15957504 bytes)

test 8 (192 bit key, 1024 byte blocks): 20441 operations in 1 seconds (20931584 bytes)

test 9 (192 bit key, 8192 byte blocks): 2721 operations in 1 seconds (22290432 bytes)

test 10 (256 bit key, 16 byte blocks): 170418 operations in 1 seconds (2726688 bytes)

test 11 (256 bit key, 64 byte blocks): 121865 operations in 1 seconds (7799360 bytes)

test 12 (256 bit key, 256 byte blocks): 56648 operations in 1 seconds (14501888 bytes)

test 13 (256 bit key, 1024 byte blocks): 18052 operations in 1 seconds (18485248 bytes)

test 14 (256 bit key, 8192 byte blocks): 2396 operations in 1 seconds (19628032 bytes)

testing speed of ecb(aes) decryption

test 0 (128 bit key, 16 byte blocks): 175668 operations in 1 seconds (2810688 bytes)

test 1 (128 bit key, 64 byte blocks): 136039 operations in 1 seconds (8706496 bytes)

test 2 (128 bit key, 256 byte blocks): 70902 operations in 1 seconds (18150912 bytes)

test 3 (128 bit key, 1024 byte blocks): 24321 operations in 1 seconds (24904704 bytes)

...

...

Thanks! :smileyhappy:

0 Kudos

3,753 Views
Aymen_IRT
Contributor III

Hi Apoorva,

You are getting the same value of the caam job ring (caam_jr) before and after loading tcrypt.ko, that means that you are not using caam. You can verify that by loading tcrypt.ko after loading caam.ko (1st test) and loading tcrypt.ko without loading caam.ko (2nd test). You will get the same results.

Have you done the following task (in step 3-1): In order to make your kernel recognise the caam hardware, do not forget to add the word "caam" to your bootargs. The clean way to do it is inside u-boot by updating the bootargs env variable, or inside the 6x_bootscript (if you use a 6x_bootscript). The dirty way of doing it is to look for the caam_enable variable inside the kernel code and set it to 1.

You can add the word caam to bootargs through u-boot using the following command: setenv bootargs "$bootargs caam" or via 6x_bootscript.

Regards,

Aymen

0 Kudos

3,753 Views
apoorvabhatia
Contributor III

Hi Aymen,

Thanks. I understand this now. :smileyhappy:

Actually I had loaded caam by giving it in the bootargs. But my testing scripts use CAAM only when I explicitly ask it to use the caam driver. Otherwise, I think it is using the software algorithm drivers because when I don’t mention the driver as caam explicitly, it does not use caam (caam_jr value does not change then. It changes if I mention it to use caam e.g driver= md5-caam). Is it because CAAM drivers have a priority of 3000 and others have a lower number(higher priority) or is it higher number corresponding to higher priority? Because the results show it otherwise.

Thanks,

Apoorva

0 Kudos

3,753 Views
Aymen_IRT
Contributor III

Hi Apoorva,

You do not need to give the name of the driver because the kernel, by default, will use the algorithm with the highest priority (highest number). So if you load caam.ko, kernel will be using CAAM for crypto computation. But, you have to use the asynchronous interface of scatterlist crypto API (i.e. kernel crypto API) in order to be able to use CAAM HW (take a look at this previous discussion CAAM activation problem on I.MX6). That is, if tcrypt.c does not rely on the asynchronous interface of the kernel crypto API, you will not be able to use caam and you won't see any change in caam_jr values when you load tcrypt.ko.

Regards,

Aymen

0 Kudos

3,753 Views
apoorvabhatia
Contributor III

Hi Aymen,

I cross compiled the cryptodev module and have loaded it. Then I compiled their example C code for sha as you have suggested and also removed the comment in this line CRYPTODEV_CFLAGS ?= #-DENABLE_ASYNC.

But still it gives me the error of:

ioctl(CIOCGSESSION): Inappropriate ioctl for device

ioctl(CIOCCRYPT): Inappropriate ioctl for device

ioctl(CIOCFSESSION): Inappropriate ioctl for device

digest: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:78:9f:b9:2a:

SHA1 hashing failed

I was getting similar error when I was using the older version cryptodev. When I searched for the ioctl error, it might be that /dev/crypto is not accessible.

crw-rw----1 root root   10,  62 Jan  1 00:06 /dev/crypto

I even tried to change the permissions so that it is accessible in the user space but still it gives me the ioctl error. And also it does not fail at the point when the file descriptor is checked after opening the file. So I assuem, my file is getting correctly opened. I am not able to get why the ioctl error is coming now.

Thanks,

Apoorva

P.S. (I by mistake deleted the last question and answer so I am adding the answer here.)

>Hi Apoorva,

>

>You done right when you chose to use cryptodev version 1.6. Actually, it was the one I used to make CAAM accessible from OpenSSL. By the way, I have just checked cryptodev website, thanks to >you, and noticed that there is a new cryptodev version 1.7. I will try it later

>

>In the Makefile, you have to change the KERNEL_DIR variable. KERNEL_DIR has to contain the path to where you extracted the kernel sources which are adapted to your board (nitrogen6x or >sabrelite...). For example, you can use the kernel sources that you used to create the kernel image including CAAM driver. In addition, you have to remove the comment in this line >CRYPTODEV_CFLAGS ?= #-DENABLE_ASYNC,  in order to be able to use kernel crypto API asynchronous interface (which is the interface to CAAM). Finally, you compile cryptodev using the >following command: make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi-  (do not forget the "- " at the end of gnueabi).

>

>Or you can replace you kernel cryptodev driver code with the one you got in cryptodev-1.6 and then recompile your kernel.

>

>Regards,

>Aymen

0 Kudos