• State
  • Locked Locked
  • Replies 5 replies
  • Subscribers 99 subscribers
  • Views 1097 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM335x - Crypto Engine - Support for ECB for Non-SSL Applications Using OCF

Michael Questo
Expert 6000 points


The documentation for the AM335x Crytographic features at http://processors.wiki.ti.com/index.php/Cryptography_Users_Guide discusses how to include the driver and Open Container Format (OCF) in buildroot and how to use it via OpenSSL.  We are trying to access the crypto accelerator from a non-SSL application. 

Is there a way to directly invoke system calls via IOCTL() against /dev/crypto?  The man page for /dev/crypto (http://processors.wiki.ti.com/index.php/Cryptography_Users_Guide) only generically lists the potential features available, e.g. CRYPTO_AES_CBC.  What are the exact list of features available when used with omap4-aes and omap4-sham?  Does it support all the encrpytions listed in the TRM (e2e.ti.com/.../571404 )

 We are currently using AES_CCM and perhaps SHA256, and would like to understand how to take advantage of the accelerator. To refine my questions:  we are trying to use aes-ecb on the AM335x’s crypto hardware.  This driver is being registered in the TI’s kernel patch, but it is not accessible from the OCF (does it support ECB?).  How can we access aes-ecb on the crypto hardware?  given that it’s not accessible by OpenSSL via OCF?

  • 0
    TI__Guru**** 393215 points

    Hi Michael,

    I will forward this to the factory team experts.

  • 0
    Prodigy 100 points
    To follow-up: I was able to use ioctl() to access those crypto algorithms supported in cryptodev.h. However, aes-ecb is not listed. I see that the TI patch registers both aes-cbc and aes-ecb with OCF, so I modified the OCF to recognize aes-ecb in the switch statement. Still I was not able to access it (got "bad parameter" from ioctl).
  • 0
    Mastermind 8040 points

    It seems the current linux driver only supports ECB, CBC, and CTR modes, and none of the remaining modes supported by the crypto accelerator (e.g. CCM, XTS, GCM). I have no idea why you can't use ECB, it may be a limitation of the frameworks involved and I'm not really familiar with them, but I also see no reason why you would want ECB mode. The simplest solution I can think of to try to accelerate CCM in a non-SSL application would be by having the crypto accelerator perform CTR encryption (using one of the two kernel APIs directly; apparently /dev/crypto is slightly faster but requires a non-mainline kernel module) while in parallel performing the CBC-MAC in userspace. Whether or not this actually ends up being faster or not I don't know, I've seen many reports suggesting that the overhead of using the kernel driver is high, and as a result using the crypto accelerator often ends up slower than a software implementation unless encrypting very large blocks of data.

    Part of the issue may be that the kernel crypto framework seems primarily focussed on providing crypto services to the kernel's needs (e.g. IPSec), while providing them to userspace is not really a priority. An interesting alternative would be to directly access the peripheral from userspace and just have a minimalistic kernel driver that just deals with setting up DMA and delivering relevant IRQs (the UIO framework may be useful here), but writing kernel code of any sort is probably a rather steep entry-barrier for most programmers. Still, in case you'd consider that option, you can find references to more documentation on the crypto modules here for example (the AM335x TRM itself stupidly lacks this documentation).

  • 0 in reply to Matthijs van Duin
    Prodigy 100 points
    Thanks. Until you mentioned, I didn't even know the crypto accelerator supports AES-CCM and AES-GCM which are actually what I was looking for. I could only infer from the TI patch to OCF that there are drivers for AES-CBC and AES-ECB, but OCF apparently doesn't support the ECB mode. The link you provided just loops one back to the SDK for the appropriate processor, which is where I started off.
  • 0 in reply to Henry Luis
    Mastermind 8040 points

    Note that all the "crypto" links are not provided by me, the forum software inserts those automatically with no way to turn it off afaik. Very annoying.