SHA hardware acceleration issue on AM335x Starter Kit

Hi,

Just bought this kit for evaluation. I'm trying to use hardware acceleration for ssl (AES128-SHA cipher).

I've seen that there was an issue with SHA acceleration, was it fixed?

I'm using ti-sdk-am335x-evm-06.00.00

I've created a self-signed certificate and run on the board:

openssl s_server -accept 4000 -cert ./root.crt -key ./root.key

If I run openssl s_client -connect 192.168.10.87:4000 -cipher AES128-SHA from the same board, it works as expected.

But if I run openssl s_client -connect 192.168.10.87:4000 -cipher AES128-SHA from a PC Linux computer, then I get:

ACCEPT
ERROR
1074476768:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:479:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Thank you for your help.

  • Hi,

    SDK 6.0 is quite old and while it's still available, it's no longer supported with patches or upgrades by the Linux team. Please try the latest SDK, which can be downloaded from this link: software-dl.ti.com/.../index_FDS.html
  • Hi,

    Thank you very much for help.

    I've downloaded ti-processor-sdk-linux-am335x-evm-01.00.00.03-Linux-x86-Install and am335x-evm-01.00.00.03.img.zip.

    It's a little bit strange to see a newer version with a number (1) lower than the older one (6).

    Now basic openssl works as expected. So I would assume that hardware acceleration is working.

    I see performance degradation when I'm enabling HW acceleration. Is it normal? I would expect HW to be faster on large blocks (I'm usually around 1k).

    I will continue to check, but as an example my app shows throughput around 3-5mbps with HW (and after a while it gets lower, to the point when my clients start to disconnect because of timeouts) and around 7mbps without it.

    Regards,

    Dmitry Efremov.

  • Dmitry Efremov said:
    I see performance degradation when I'm enabling HW acceleration. Is it normal? I would expect HW to be faster on large blocks (I'm usually around 1k).

    For 1KB data block, the hw crypto should be much faster than sw crypto.

    Dmitry Efremov said:
    I will continue to check, but as an example my app shows throughput around 3-5mbps with HW (and after a while it gets lower, to the point when my clients start to disconnect because of timeouts) and around 7mbps without it.

    Would you mind explaining more about your application? How does it use kernel crypto? 3-5 or even 7 mbps is quite low.

  • Hi,

    I've continued to test and it's still not working.

    Here is my test case:

     ti-processor-sdk-linux-am335x-evm-01.00.00.03-Linux-x86-Install and am335x-evm-01.00.00.03.img.zip.

    1. fresh image 
    2. generate self signed certificate or use provided
    3. prepare test file: dd if=/dev/zero of=./testfile count=20000 (this will create a file of 0's, about 10mb in size)
    4. run server openssl s_server -accept 4000 -cert ./root.crt -key ./root.key
    5. run client cat ./testfile | openssl s_client -cipher AES128-SHA -host localhost -port 4000
    6. see it fails

    output from server session:

    root@am335x-evm:/apollo# openssl s_server -accept 4000 -cert ./root.crt -key ./root.key
    Using default temp DH parameters
    ACCEPT
    -----BEGIN SSL SESSION PARAMETERS-----
    MFUCAQECAgMDBAIALwQABDATn0ouqFhWn5Eno8DxlfjE4hHK6W9kMjJiXZvb1K/d
    NrBw1smSsSG8o0ETwVMeYjKhBgIEVZrwkaIEAgIBLKQGBAQBAAAA
    -----END SSL SESSION PARAMETERS-----
    Shared ciphers:AES128-SHA
    CIPHER is AES128-SHA
    Secure Renegotiation IS supported
    ERROR
    3067688672:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:507:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
    

    output from client session

    root@am335x-evm:/apollo# cat ./testfile | openssl s_client -cipher AES128-SHA -host localhost -port 4000
    CONNECTED(00000004)
    depth=0 C = US, ST = CA, L = Some Location, O = Some Company, OU = Some OU, CN = Root, emailAddress = some@email.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = CA, L = Some Location, O = Some Company, OU = Some OU, CN = Root, emailAddress = some@email.com
    verify error:num=9:certificate is not yet valid
    notBefore=Aug 19 17:40:09 2015 GMT
    verify return:1
    depth=0 C = US, ST = CA, L = Some Location, O = Some Company, OU = Some OU, CN = Root, emailAddress = some@email.com
    notBefore=Aug 19 17:40:09 2015 GMT
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=CA/L=Some Location/O=Some Company/OU=Some OU/CN=Root/emailAddress=some@email.com
    i:/C=US/ST=CA/L=Some Location/O=Some Company/OU=Some OU/CN=Root/emailAddress=some@email.com
    ---
    Server certificate
    subject=/C=US/ST=CA/L=Some Location/O=Some Company/OU=Some OU/CN=Root/emailAddress=some@email.com
    issuer=/C=US/ST=CA/L=Some Location/O=Some Company/OU=Some OU/CN=Root/emailAddress=some@email.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1253 bytes and written 441 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : AES128-SHA
    Session-ID: C37445DA6F8E77CB4E63D83E35C8BC49CF8623B8A962C5CD8622D90E95FB232C
    Session-ID-ctx:
    Master-Key: 139F4A2EA858569F9127A3C0F195F8C4E211CAE96F643232625D9BDBD4AFDD36B070D6C992B121BCA34113C1531E6232
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1436217489
    Timeout : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
    ---
    3067729632:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1289:SSL alert number 20

    root.zip
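
A digest comparison that helps isolate this kind of failure, added here as an example (not part of the original post and not TI or OpenSSL code): with AES128-SHA every TLS record carries an HMAC-SHA1, so a SHA-1 implementation that returns wrong digests for some lengths surfaces as "bad record mac". The script assumes the accelerator is registered with the Linux kernel crypto API and reachable through AF_ALG, and that Python's hashlib computes SHA-1 in software; the function names and test lengths are constructed for illustration.

```python
"""Compare SHA-1 from the Linux kernel crypto API (AF_ALG) with hashlib."""
import hashlib
import socket

# Constructed lengths: SHA-1 padding and block boundaries (55/56, 63/64/65),
# the ~1 KB blocks mentioned in the thread, and the 16 KB TLS record limit.
SIZES = [1, 55, 56, 63, 64, 65, 1023, 1024, 4096, 16384, 16385]


def kernel_sha1(data, chunk=4096):
    """SHA-1 through AF_ALG; the kernel picks its highest-priority sha1 driver
    (assumption: on the board that is the hardware driver)."""
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as alg:
        alg.bind(("hash", "sha1"))
        op, _ = alg.accept()
        with op:
            view = memoryview(data)
            for off in range(0, len(view), chunk):
                last = off + chunk >= len(view)
                # MSG_MORE keeps the hash open until the final chunk.
                op.sendall(view[off:off + chunk], 0 if last else socket.MSG_MORE)
            return op.recv(20)  # SHA-1 digest is 20 bytes


def find_mismatches(candidate, sizes=SIZES):
    """Return [(length, software_hex, candidate_hex)] where candidate is wrong."""
    bad = []
    for n in sizes:
        data = bytes(i & 0xFF for i in range(n))  # constructed, deterministic input
        want = hashlib.sha1(data).digest()
        got = candidate(data)
        if got != want:
            bad.append((n, want.hex(), got.hex()))
    return bad


if __name__ == "__main__":
    try:
        failures = find_mismatches(kernel_sha1)
    except (AttributeError, OSError) as exc:
        raise SystemExit(f"AF_ALG sha1 not usable on this system: {exc}")
    for n, want, got in failures:
        print(f"MISMATCH len={n}: software={want} kernel={got}")
    print("OK" if not failures else f"{len(failures)} length(s) disagree")
```

An empty result only clears the kernel sha1 driver for these lengths; the AES path and the OpenSSL engine layer are not exercised by this check.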

  • Hi,

    Thank you for your answer.
    I've found more information - see my response below.

    As for your question:
    Once I've figured out why the test below is not working, I will continue to look at my results (with my app). But in general this app is an "ssl router". It has to decrypt and encrypt data a lot.
  • I'm sorry. I'm still trying to get used to this forum. The reply is above (not below); the link is e2e.ti.com/.../1651486
  • Hi,

    Has anyone tried to repeat it?

    I can't continue to evaluate the board because of the issue I'm experiencing.