AM335x Hardware Crypto Engine

John J Wu

Other Parts Discussed in Thread: AM3358, TMDSSK3358

We have recently discovered a couple of issues with the hardware crypto provided as part of AM335x SOC and Linux SDK.

Issue #1: With certain configurations of IPSec encryption, we have seen kernel crashes. This was resolved by disabling hardware crypto and replacing it with a software based one.

Issue #2: IPSec performance measured with hardware crypto was 20x lower than with the software crypto.

Thanks,

John

over 9 years ago

0 Biser Gatchev-XID over 9 years ago

TI__Guru**** 393215 points

Hi John,

Can you provide more details: Which SDK are you using, what is the hardware platform?

0 Miroslav Kiradzhiyski XID over 9 years ago

TI__Mastermind 25235 points

Hi John,

I'll let the factory team know. Maybe they can share some thoughts.

Best regards,
Miroslav

0 John J Wu over 9 years ago in reply to Biser Gatchev-XID

Genius 3870 points

It's AM3358 Starter Kit TMDSSK3358.

Thanks,

John

0 Michael Erdahl over 9 years ago

TI__Genius 13455 points

What SDK version are you using? Are you using the latest AMSDK 7.0, or 6.0? The crypto drivers underwent some change between these versions, so it will be useful to know what version you have, especially if it is the latest version.

Can you explain what your IPSec software stack looks like? What kernel modules have you added (if any)?

Lots of issues can contribute to low performance using the crypto hardware, ranging from your packet size to encryption algorithm used could make a difference.

Once we understand what your system is, we can probably give some suggestions.

0 John J Wu over 9 years ago in reply to Michael Erdahl

Genius 3870 points

We are using AMSDK 6.0, essentially we tried to follow
the TI Cryptography Users Guide for configuration :

http://processors.wiki.ti.com/index.php/Cryptography_Users_Guide#Building_the_Driver

We have only seen this kernel panic when using 3DES encryption, we have not
seen the same issue with AES256.

Our software consists of the following packages :

    ipsec-tools_0.8.1

    openssl_1.0.0j

    libssl1.0.0_1.0.0j

    libcrypto1.0.0_1.0.0j

    ocf-linux



    Note: OpenSSL was compiled with ocf-linux support

Kernel Modules related to crypto support :

CONFIG_CRYPTO=y

#

# Crypto core or helper

#

CONFIG_CRYPTO_ALGAPI=y

CONFIG_CRYPTO_ALGAPI2=y

CONFIG_CRYPTO_AEAD=y

CONFIG_CRYPTO_AEAD2=y

CONFIG_CRYPTO_BLKCIPHER=y

CONFIG_CRYPTO_BLKCIPHER2=y

CONFIG_CRYPTO_HASH=y

CONFIG_CRYPTO_HASH2=y

CONFIG_CRYPTO_RNG2=y

CONFIG_CRYPTO_PCOMP=y

CONFIG_CRYPTO_PCOMP2=y

CONFIG_CRYPTO_MANAGER=y

CONFIG_CRYPTO_MANAGER2=y

# CONFIG_CRYPTO_USER is not set

CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y

# CONFIG_CRYPTO_GF128MUL is not set

CONFIG_CRYPTO_NULL=y

CONFIG_CRYPTO_WORKQUEUE=y

# CONFIG_CRYPTO_CRYPTD is not set

CONFIG_CRYPTO_AUTHENC=y

# CONFIG_CRYPTO_TEST is not set

#

# Authenticated Encryption with Associated Data

#

# CONFIG_CRYPTO_CCM is not set

# CONFIG_CRYPTO_GCM is not set

# CONFIG_CRYPTO_SEQIV is not set

#

# Block modes

#

CONFIG_CRYPTO_CBC=y

# CONFIG_CRYPTO_CTR is not set

# CONFIG_CRYPTO_CTS is not set

CONFIG_CRYPTO_ECB=y

# CONFIG_CRYPTO_LRW is not set

# CONFIG_CRYPTO_PCBC is not set

# CONFIG_CRYPTO_XTS is not set

#

# Hash modes

#

CONFIG_CRYPTO_HMAC=y

# CONFIG_CRYPTO_XCBC is not set

# CONFIG_CRYPTO_VMAC is not set

#

# Digest

#

CONFIG_CRYPTO_CRC32C=y

# CONFIG_CRYPTO_GHASH is not set

# CONFIG_CRYPTO_MD4 is not set

CONFIG_CRYPTO_MD5=y

# CONFIG_CRYPTO_MICHAEL_MIC is not set

# CONFIG_CRYPTO_RMD128 is not set

# CONFIG_CRYPTO_RMD160 is not set

# CONFIG_CRYPTO_RMD256 is not set

# CONFIG_CRYPTO_RMD320 is not set

CONFIG_CRYPTO_SHA1=y

CONFIG_CRYPTO_SHA256=y

# CONFIG_CRYPTO_SHA512 is not set

# CONFIG_CRYPTO_TGR192 is not set

# CONFIG_CRYPTO_WP512 is not set

#

# Ciphers

#

CONFIG_CRYPTO_AES=y

# CONFIG_CRYPTO_ANUBIS is not set

CONFIG_CRYPTO_ARC4=y

# CONFIG_CRYPTO_BLOWFISH is not set

# CONFIG_CRYPTO_CAMELLIA is not set

# CONFIG_CRYPTO_CAST5 is not set

# CONFIG_CRYPTO_CAST6 is not set

CONFIG_CRYPTO_DES=y

# CONFIG_CRYPTO_FCRYPT is not set

# CONFIG_CRYPTO_KHAZAD is not set

# CONFIG_CRYPTO_SALSA20 is not set

# CONFIG_CRYPTO_SEED is not set

# CONFIG_CRYPTO_SERPENT is not set

# CONFIG_CRYPTO_TEA is not set

# CONFIG_CRYPTO_TWOFISH is not set

#

# Compression

#

CONFIG_CRYPTO_DEFLATE=y

CONFIG_CRYPTO_ZLIB=y

CONFIG_CRYPTO_LZO=y

#

# Random Number Generation

#

# CONFIG_CRYPTO_ANSI_CPRNG is not set

# CONFIG_CRYPTO_USER_API_HASH is not set

# CONFIG_CRYPTO_USER_API_SKCIPHER is not set

CONFIG_CRYPTO_HW=y

CONFIG_CRYPTO_DEV_OMAP4_AES=y

CONFIG_CRYPTO_DEV_OMAP4_SHAM=y

CONFIG_HW_RANDOM=y

CONFIG_HW_RANDOM_OMAP4=y

CONFIG_OCF_OCF=y

0 Michael Erdahl over 9 years ago in reply to John J Wu

TI__Genius 13455 points

The AM335x does not have DES hardware acceleration.

Do you observe the kernel panic immediately, or only after some time?

Do you see the same low performance with AES? How much throughput do you measure with AES? What are your packet sizes?

0 John J Wu over 9 years ago in reply to Michael Erdahl

Genius 3870 points

Sorry if the 3DES information was misleading, the actual kernel panic is occurring in the crypto-omap4-sham.c module when IPsec is configured to use 3DES encryption and SHA1 hash

arm-linux-gnueabihf-addr2line -e vmlinux c026cfe4

/home/mengland/ti-sdk-am335x-evm-06.00.00.00/board-support/linux-3.2.0-psp04.06.00.11/drivers/crypto/omap4-sham.c:423

The addr2line lookup confirms the panic originates from the crypto_omap4-sham (Support for OMAP SHA1/MD5 HW acceleration)

When IPsec is configured to use AES/SHA1 we do not see the same exceptions, with 3DES/SHA1 the kernel panic happens immediately.

Processors

Processors forum

AM335x Hardware Crypto Engine