Questions regarding article from KB about enhancing cryptodev+OpenSSL

cancel
Showing results for 
Search instead for 
Did you mean: 

Questions regarding article from KB about enhancing cryptodev+OpenSSL

53 Views
kef2
Senior Contributor IV

Hi all and @xiaodong_zhang

I mean this article

Enhance cryptodev and its engine in OpenSSL by CAA... - NXP Community

Is it really supposed to run properly on iMX7D? Article suggests yes, but I have serious problems with it. If iMX7 indeed is not supported, then which iMX variants are really compatible with these patches? I used kernel 5.4. Perhaps I'm doing something wrong, then just confirm it is really OK for iMX7 and that you don't experience issues like these:

 

Yes, it improves benchmarks noticeably. But we need not only speed improvements, but as well compatible encrypt/decrypt and digest operations to allow interoperation of network nodes using cryptodev and not using cryptodev. I mean `openssl enc` and `openssl enc -d` should be able to decrypt and encrypt files not only when cryptodev is always loaded/ aloways not loaded, bus as well:

  • cryptodev unloaded at encryption time + cryptodev loaded at decryption time
  • cryptodev loaded at encryption time + cryptodev unloaded at decryption time
  • openssl dgst should give the same results with cryptodev loaded and unloaded. Hopefully I see no problems with dighests
  • `openssl s_client -connect mysite.com:443` should work OK with cryptodev loaded when connecting to different TLS hosts, which are using different certificates and encodings.

 

My results:

`openssl s_client`  doesn't work properly at all with cryptodev loaded. You may try connecting to www.google.com:443.

All added OFB and CFB cipher modes are broken. For example using -aes-128-ofb, not possible to decrypt file encrypted with opposite state of cryptodev loaded/unloaded status, like this

# modprobe cryptodev

# echo "Abrakadabra" | openssl enc -aes-128-ofb -out file.enc -iter 1

# rmmod cryptodev

# openssl enc -d -aes-128-ofb -in file.enc -iter 1

 

In contrast the same works well replacing -ofb with -ecb, - ctr and others.

 

Edward

0 Kudos
0 Replies