Changes between Version 2 and Version 3 of linux/encryption

Timestamp:

07/08/2019 10:00:05 PM (5 years ago)

Author:

Matthew Michilot

Comment:

Added instructions on how to build OpenSSL 1.1.1 and onward w/ AF_ALG and cryptodev support. Added performance metrics.

linux/encryption

@@ -139 +139 @@
  * http://cryptodev-linux.org/
 
+=== Performace Comparisons
+* Device: GW6404-B
+* CPU Speed: 1500 MHz
+* OpenSSL version: 1.1.1c
+
+||                ||||||||||||= '''Number of Blocks Processed in 3s / Block Size in Bytes''' =||             
+||= '''Engine''' =||16    ||64    ||256   ||1024   ||8192  ||16384||  
+||= AF_ALG       =||283925||281102||254300||212132 ||75834 ||43402||
+||= cryptodev    =||958747||919563||674246||450026 ||107426||55976||
+||= software     =||959704||920003||673949||4494228||107408||56336||
+
+Note: Performance of each engine may vary between systems. It's recommended to evaluate each engine on your system to determine their performance.
 
 [=#openssl]
@@ -193 +205 @@
  * Use {{{-elapsed}}} and no {{{-engine}}} param to use software crypto to show wall-clock time vs CPU time
 
-
 [=#openssl-af_alg]
 === OpenSSL with AF_ALG
+==== Building OpenSSL prior to 1.1.0 with AF_ALG support
 OpenSSL added native AF_ALG support 1.1.0 (Aug 25 2016). If you are using a version prior to that you need to build a plugin for OpenSSL.
 
@@ -217 +229 @@
 sudo cp libaf_alg.so $DIR
 sudo chmod 644 $DIR/libaf_alg.so
-openssl engine # show engines available
 }}}
  * Note that this plugin is incompatible with OpenSSL 1.1.x and will fail to build for those versions due to API changes
 
-Note that prior to OpenSSL 1.1.1 afalg is not enabled by default thus you need to rebuild it and add the 'enable-afalgeng' config option.
-
+==== Building OpenSSL 1.1.0 and later with AF_ALG support 
+Note that prior to OpenSSL 1.1.1 AF_ALG support is not enabled by default thus you need to rebuild it and add the 'enable-afalgeng' config option.
+{{{#!bash
+apt install build-essential pkg-config libssl-dev
+wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
+tar xvf openssl-*
+cd openssl-*
+./config enable-engine enable-dso enable-afalgeng
+make
+make install
+}}}
+
+Note that for Ubuntu / Debian Linux distros it is preferred to download source package, modify debian/rules and recompile the package:
+{{{#!bash
+apt install build-essential pkg-config ubuntu-dev-tools debhelper
+apt-get build-dep openssl
+apt-get source openssl
+cd openssl-*/
+sed -i "s/CONFARGS  =/CONFARGS  = enable-engine enable-dso enable-afalgeng/" debian/rules
+dch -i "Enabled AF_ALG support"
+debuild
+sudo dpkg -i ../*.deb
+}}}
+
+==== Enabling the AF_ALG kernel module
 To ensure you are loading the kernel modules (af_alg, algif_hash, algif_skcipher):
  * load them on boot:
@@ -237 +271 @@
 }}}
 
-OpenSSL performance can be tested with:
-{{{#!bash
-openssl engine # ensure af_alg is present
+==== Checking AF_ALG engine installation
+
+On OpenSSL versions prior to 1.1.0, you can check if the AF_ALG engine was successfully installed by running the following command:
+{{{#!bash
+openssl engine # check if af_alg is present
+}}}
+
+On OpenSSL versions 1.1.0 and later, the AF_ALG engine is dynamically loaded which means that the engine will not appear when you run the command above.
+
+==== Evaluating AF_ALG performance
+For OpenSSL versions prior to 1.1.0:
+{{{#!bash
 openssl speed -evp aes-128-cbc -engine af_alg -elapsed
 }}}
 
+For OpenSSL versions 1.1.0 and later:
+{{{#!bash
+openssl speed -evp aes-128-cbc -engine afalg -elapsed
+}}}
 
 [=#openssl-crytodev]
 === OpenSSL with cryptodev
+==== Building OpenSSL versions prior to 1.1.1 with cryptodev support
 Because Cryptodev is not available by default on Linux distributions OpenSSL has to be compiled with additional flags to include support for them:
 {{{#!bash
@@ -264 +312 @@
 apt-get source openssl
 cd openssl-*/
-sed -i -e "s/CONFARGS  =/CONFARGS = -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS/" debian/rules
+sed -i "s/CONFARGS  =/CONFARGS = -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS/" debian/rules
 dch -i "Enabled cryptodev support"
 DEB_BUILD_OPTIONS=nocheck debuild # disable checks to avoid issue with api check failing
@@ -270 +318 @@
 }}}
 
+==== Building OpenSSL versions 1.1.1 and later with cryptodev support
+Starting with version 1.1.1, the cryptodev engine is now called devcrypto and is implemented against the cryptodev-linux kernel module. To build OpenSSL with devcrypto support, the 'enable-devcryptoeng' flag is used during configuration.
+
+{{{#!bash
+apt install build-essential pkg-config
+wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
+tar xvf openssl-*
+cd openssl-*
+./config enable-engine enable-dso enable-devcryptoeng
+make
+make install
+}}}
+
+For Ubuntu / Debian Linux distros:
+{{{#!bash
+apt install build-essential pkg-config ubuntu-dev-tools debhelper
+apt-get build-dep openssl
+apt-get source openssl
+cd openssl-*/
+sed -i "s/CONFARGS  =/CONFARGS = enable-engine enable-dso enable-devcryptoeng/" debian/rules
+dch -i "Enabled cryptodev support"
+debuild # disable checks to avoid issue with api check failing
+sudo dpkg -i ../*.deb
+}}}
+
+==== Enabling the cryptodev kernel module
 To ensure you are loading the kernel module (cryptodev):
  * load them on boot:
@@ -282 +356 @@
 }}}
 
-OpenSSL Testing:
+==== Checking cryptodev engine installation
+
+For OpenSSL versions prior to 1.1.1:
 {{{#!bash
 openssl engine # show engines available - look for cryptodev
@@ -288 +364 @@
 }}}
 
+For OpenSSL versions 1.1.1 and later:
+{{{#!bash
+openssl engine # look for devcrypto
+}}}
+
+==== Evaluating cryptodev performance
 OpenSSL performance can be tested with the 'openssl speed' command:
+
+For OpenSSL versions prior to 1.1.1
 {{{#!bash
 openssl speed -evp aes-128-cbc -engine cryptodev -elapsed
 }}}
- * -elapsed argument is used so throughput measurements are against wall clock time rather than cpu time
+
+For OpenSSL versions 1.1.1 and later
+{{{#!bash
+openssl speed -evp aes-128-cbc -engine devcrypto -elapsed
+}}}
 
 References: