AM5728: AES, DES, SHA Hardware Accelerators using AF_ALG crypto engine

Devashish Tiwari

Part Number: AM5728

Hi,

As per the original question, I am trying to verify the hardware acceleration in AM5728 EVM. According to this link, Cryptodev kernel module is not supported on AM57XX SoCs.

So I ran the openssl commands through the AF_ALG engine on AM5728 EVM. This engine was available in the TI Linux PSDK 6.03 at /usr/lib/engines-1.1/afalg.so .I am getting following output -

root@am57xx-evm:/# openssl speed -evp aes-128-cbc -engine afalg   
engine "afalg" set.
Doing aes-128-cbc for 3s on 16 size blocks: 157308 aes-128-cbc's in 0.24s
Doing aes-128-cbc for 3s on 64 size blocks: 151927 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 256 size blocks: 49680 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 1024 size blocks: 31503 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 8192 size blocks: 10444 aes-128-cbc's in 0.02s
Doing aes-128-cbc for 3s on 16384 size blocks: 5827 aes-128-cbc's in 0.01s
OpenSSL 1.1.1b  26 Feb 2019
built on: Sun Apr 19 02:06:32 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr) 
compiler: arm-linux-gnueabihf-gcc  -march=armv7-a -mthumb -mfpu=neon -mfloat-abi=hard --sysroot=recipe-sysroot -isystem/home/gtbldadm/tools/gcc-arm-2019.03/arm-linux-gnueabihf/include  -O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG  -isystem/home/gtbldadm/tools/gcc-arm-2019.03/arm-linux-gnueabihf/include
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      10487.20k    54018.49k   115618.91k   645181.44k  4277862.40k  9546956.80k

root@am57xx-evm:/# time -v openssl speed -evp aes-128-cbc -engine afalg
engine "afalg" set.
Doing aes-128-cbc for 3s on 16 size blocks: 160212 aes-128-cbc's in 0.22s
Doing aes-128-cbc for 3s on 64 size blocks: 151701 aes-128-cbc's in 0.13s
Doing aes-128-cbc for 3s on 256 size blocks: 49034 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 1024 size blocks: 30981 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 8192 size blocks: 10376 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 16384 size blocks: 5813 aes-128-cbc's in 0.01s
OpenSSL 1.1.1b  26 Feb 2019
built on: Sun Apr 19 02:06:32 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr) 
compiler: arm-linux-gnueabihf-gcc  -march=armv7-a -mthumb -mfpu=neon -mfloat-abi=hard --sysroot=recipe-sysroot -isystem/home/gtbldadm/tools/gcc-arm-2019.03/arm-linux-gnueabihf/include  -O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG  -isystem/home/gtbldadm/tools/gcc-arm-2019.03/arm-linux-gnueabihf/include
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      11651.78k    74683.57k   156908.80k   634490.88k  2125004.80k  9524019.20k
	Command being timed: "openssl speed -evp aes-128-cbc -engine afalg"
	User time (seconds): 0.54
	System time (seconds): 8.78
	Percent of CPU this job got: 50%
	Elapsed (wall clock) time (h:mm:ss or m:ss): 0m 18.51s
	Average shared text size (kbytes): 0
	Average unshared data size (kbytes): 0
	Average stack size (kbytes): 0
	Average total size (kbytes): 0
	Maximum resident set size (kbytes): 14624
	Average resident set size (kbytes): 0
	Major (requiring I/O) page faults: 0
	Minor (reclaiming a frame) page faults: 187
	Voluntary context switches: 96175
	Involuntary context switches: 2622
	Swaps: 0
	File system inputs: 0
	File system outputs: 0
	Socket messages sent: 0
	Socket messages received: 0
	Signals delivered: 0
	Page size (bytes): 4096
	Exit status: 0

I now have following queries regarding hardware acceleration -

What is the difference between afalg and cryptodev engine? If afalg is also supported as crypto engine, why it is not mentioned in TI's documentation?
What are the list of algorithms supported by this engine? How can I verify that this engine is actually using hardware accelarator?
After enabling this engine in /etc/ssl/openssl.cnf and setting it to default, will openssl use this engine by default? And thereby use hardware crypto accelerator by default?

Kindly revert.

Regards,

Devashish

over 4 years ago

0 Keerthy J over 4 years ago

TI__Guru**** 163510 points

Devashish Tiwari said:
What is the difference between afalg and cryptodev engine? If afalg is also supported as crypto engine, why it is not mentioned in TI's documentation?

This is never tested on our side. Hence never mentioned in the documentation.

Devashish Tiwari said:

What are the list of algorithms supported by this engine? How can I verify that this engine is actually using hardware accelerator?

http://trac.gateworks.com/wiki/linux/encryption

This is more of generic crypto question. You can please ask all of the afalg related questions on linux-crypto@vger.kernel.org

Devashish Tiwari said:
After enabling this engine in /etc/ssl/openssl.cnf and setting it to default, will openssl use this engine by default? And thereby use hardware crypto accelerator by default?

As long as you see omap-sham omap-aes modules loaded using lsmod you can be sure that hardware crypto will be used as
the algorithms are given higher priority than software crypto.
Ex:

.cra_priority = 300, in static struct crypto_alg algs_ecb_cbc[] = { in driver/crypto/omap-aes.c

You can always use tcrypt to ensure that hardware crypto is being used: https://stackoverflow.com/questions/28080086/how-to-test-a-specific-algorithm-using-tcrypt-ko-module-in-linux-kernel

Best Regards,
Keerthy

0 Devashish Tiwari over 4 years ago in reply to Keerthy J

Expert 1435 points

Hello,

Thanks for your responses.

Keerthy J said:

This is never tested on our side. Hence never mentioned in the documentation.

Will the Cryptodev engine be supported on AM5728 in future Linux PSDKs? If not, is there any way to use Cryptodev engine with openssl on AM5728 with TI Linux PSDK 5.03?

Keerthy J said:

As long as you see omap-sham omap-aes modules loaded using lsmod you can be sure that hardware crypto will be used as
the algorithms are given higher priority than software crypto.
Ex:

.cra_priority = 300, in static struct crypto_alg algs_ecb_cbc[] = { in driver/crypto/omap-aes.c

How can I check the performance of these hardware crypto accelerators? Any command line utility to check the speed and throughput?

Regards,

Devashish

0 Keerthy J over 4 years ago in reply to Devashish Tiwari

TI__Guru**** 163510 points

Devashish Tiwari said:
Will the Cryptodev engine be supported on AM5728 in future Linux PSDKs? If not, is there any way to use Cryptodev engine with openssl on AM5728 with TI Linux PSDK 5.03?

Right now there is no plan.

How can I check the performance of these hardware crypto accelerators? Any command line utility to check the speed and throughput?

As i mentioned above there is tcrypt kenel module. you could simply use that for getting the algorithm performance numbers

Let me know if you can use tcrypt. If yes please resolve this issue.

Best Regards,
Keerthy

0 Devashish Tiwari over 4 years ago in reply to Keerthy J

Expert 1435 points

Hi,

I ran the commands mentioned on this link under tcrypt testing head and I am getting the same output as mentioned on the link.

What I am not able to do is let the applications (which I have developed) use hardware crypto accelerator by default.

For instance, I am developing an application that streams video on the EVM from a streaming server. I would like to encrypt this video using hardware accelerator. Or for another application which provides end-to-end video calling feature, I would like to send encrypted video. How can I use hardware accelerator for such use cases ?

Regards,

Devashish

0 Devashish Tiwari over 4 years ago in reply to Devashish Tiwari

Expert 1435 points

Hello,

Kindly acknowledge and revert.

Regards,

Devashish

0 Devashish Tiwari over 4 years ago in reply to Devashish Tiwari

Expert 1435 points

Hello,

This is a second reminder that I am waiting for your reply on this post.

Keerthy J

Regards,

Devashish

0 Devashish Tiwari over 4 years ago in reply to Devashish Tiwari

Expert 1435 points

Hello,

This is a third reminder that I am waiting for your reply.

Keerthy J

Regards,

Devashish

0 Devashish Tiwari over 4 years ago in reply to Devashish Tiwari

Expert 1435 points

Hello,

Is anybody going to reply here anytime soon?

0 Karthik Ramanan over 4 years ago in reply to Devashish Tiwari

TI__Guru** 113810 points

Devashish,

It looks like this thread didn't receive a response after youe previous post. Apologies.

Could you please let us know if this problem is still open and important to you? If yes, we can try to work and find a solution.

Regards

Karthik

0 Devashish Tiwari over 4 years ago in reply to Karthik Ramanan

Expert 1435 points

Hi Karthik,

The problem is still there. I still am not able to let the applications (which I have developed) use hardware crypto accelerator by default.

For instance, I am developing an application that streams video on the EVM from a streaming server. I would like to encrypt this video using the hardware accelerator. Or for another application that provides an end-to-end video calling feature, I would like to send encrypted video. How can I use the hardware accelerator for such use cases?

Regards,

Devashish

Processors

Processors forum

AM5728: AES, DES, SHA Hardware Accelerators using AF_ALG crypto engine