
OpenVPN is not working with IOT GW LS1021a hardware encryption enabled CPU?

Question asked by Yuqian Li on Jul 13, 2015

Hi All,

We have an IOT GW with a hardware-encryption-enabled LS1021a CPU, and we want to test how its hardware encryption engine will improve OpenVPN performance. I downloaded the SDK from here (LS1021A-IoT Gateway Reference Design|Freescale), followed the SDK document to enable cryptodev in the kernel, and compiled openssl following this link (Freescale Technical Information Center). I also added openvpn-rds to the SDK of the IOT GW.


Now we get outstandingly improved performance in openssl, from 48 times up to 100 times, in the openssl encryption test with the cryptodev engine supported (openssl speed aes-128-cbc).

without cryptodev enabled


Then we ran OpenVPN between two IOT GWs (one as server, one as client, both sides using the aes-128-cbc cipher). We can get the OpenVPN tunnel working, but when we used iperf to test its traffic throughput capacity, iperf showed only 16Mbits/sec with the cryptodev hardware engine!!! That is even lower than without the cryptodev hardware engine enabled (around 80Mbits/sec).

When we analyzed OpenVPN, we found that with the cryptodev hardware engine enabled, the CPU is busy in IRQ context; see the following:

OpenVPN - Perf data when using cryptodev

 13.68%  openvpn  [kernel.kallsyms]     [k] _raw_spin_unlock_irqrestore
  7.49%  openvpn  [kernel.kallsyms]     [k] __do_softirq
  6.60%  openvpn  [cryptodev]           [k] 0x000017a0
  5.04%  openvpn  openvpn               [.] 0x0004619c
  2.39%  openvpn  [kernel.kallsyms]     [k] __schedule
  2.26%  openvpn  [kernel.kallsyms]     [k] v7_dma_clean_range
  2.02%  openvpn  [kernel.kallsyms]     [k] __memzero
  1.99%  openvpn  [.] 0x00072050
  1.91%  openvpn  [kernel.kallsyms]     [k] caam_jr_dequeue
  1.71%  openvpn  [kernel.kallsyms]     [k] mutex_lock
  1.61%  openvpn    [.] 0x0010e5ec
  1.44%  openvpn  [kernel.kallsyms]     [k] wait_for_common



OpenVPN - Perf data without cryptodev

 11.42%  openvpn  openvpn               [.] 0x00019b64
  9.86%  openvpn    [.] 0x0004a9b4
  7.54%  openvpn  [kernel.kallsyms]     [k] _raw_spin_unlock_irqrestore
  3.57%  openvpn  [kernel.kallsyms]     [k] __do_softirq
  2.96%  openvpn      [.] lzo1x_decompress_safe
  2.22%  openvpn  [ip_tables]           [k] ipt_do_table
  1.75%  openvpn  [kernel.kallsyms]     [k] ktime_get_ts
  1.29%  openvpn  [kernel.kallsyms]     [k] do_sys_poll
  1.24%  openvpn  [kernel.kallsyms]     [k] __copy_from_user
  1.20%  openvpn  [kernel.kallsyms]     [k] local_bh_enable
  1.18%  openvpn  [kernel.kallsyms]     [k] __aeabi_idiv
  1.15%  openvpn  [kernel.kallsyms]     [k] gfar_clean_rx_ring
  1.09%  openvpn  [kernel.kallsyms]     [k] tcp_v4_rcv
  1.07%  openvpn  [kernel.kallsyms]     [k] nf_iterate



Then we tried strongSwan, and we can see a positive performance difference using the crypto accelerator. We built a kernel with the crypto hardware acceleration disabled and were getting ~50Mb/s bandwidth. With the acceleration enabled, we get between 110 and 120Mb/s.


We know OpenVPN must work with a crypto accelerator, as we can find a lot of success reports for OpenVPN with crypto. But we did not succeed with the IOT GW LS1021 SDK, and I believe something must be wrong.

So, my question is: has anyone made OpenVPN work with the crypto accelerator on the IOT GW, or what is your suggestion for how I can figure it out? Thank you.



The SDK of the IOT GW is QorIQ-SDK-V1.7-SOURCE-20141218-yocto_RDS_20150302

For OpenVPN, we tried the SDK's default version, 2.3.6, and we also tried the new version, 2.3.7, as someone reported that 2.3.6 has a bug -