Welcome! Log In Create A New Profile

Advanced

[EXPERIMENTAL]Hardware Crypto on kickwood device with debian buster

Posted by yuko1225 
[EXPERIMENTAL]Hardware Crypto on kickwood device with debian buster
September 04, 2019 04:03AM
!!WARNING!!


!!EXPERIMENTAL!! This is not a drill. Using these codes/binaries/instructions may result DATA LOSS/DATA CORRUPTION/BRICK DEVICE/SECURITY VULNERABLE etc. USE AT YOUR OWN RISK

This article is not for beginner. You must understand what you are doing.

Skip to the the bottom if you just want the pre-compiled cryptodev binaries for bodhi's 5.2.9 Kirkwood kernel/debian buster.

Marvell CESA support these "usable" offload cipher/digest:
AES128-CBC/AES192-CBC/AES256-CBC
SHA1/SHA256

In debian 10 we have 2 ways to utilize HW Crypto on userland program.
  1. AF_ALG
    Pro: Builtin by debian buster. Somewhat more compatible/reliable than cryptodev.
    Con: Inefficiency.
    Have compatibility issue with latest openssh on debian buster(we will cover that).
     
  2. cryptodev
    Pro: Efficiency. Much lower overhead means MUCH MORE THROUGHPUT and more precious CPU cycles available for other usage. Zero copy is real.
    Con: Additional module required.
    Have compatibility issue with openssh too(WTH openssh?)
Both are disabled by default.

AF_ALG

Install: You can enable AF_ALG by editing the /etc/ssl/openssl.cnf. Make sure you have something like these in the configuration:
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect
engines = afalg_sect

[afalg_sect]
afalg = afalg_engine_on

[afalg_engine_on]
default_algorithms = ALL
init = 1
Verify: "openssl engine". If you see
(dynamic) Dynamic engine loading support
(afalg) AFALG engine support
then it's working. And you have to use either AES128-CBC/AES192-CBC/AES256-CBC in the specific program's cipher setting. I'm not going to cover those setting.
Quote

BTW I'm not a cryptography expert but as far as I know CBC mode is still "acceptable safe" to date as long as you have all the security patch and TLS ver ≥1.1. This is certainly not the most secure mode anymore and it may become unsafe in the future. You have been warned

Known issue:
You may notice the openssh isn't providing either of those cipher by default...And when you explicit setting it. Boom(I did warned you). Check debian bug#931272 for details.

In short. We need to rebuild openssh without seccomp support(seccomp isn't enforced by default until debian buster. But again these procedure weaken the security a bit)
apt source openssh
cd openssh-x.x.x

# Edit debian/rules and add it to common build options:
confflags += --with-sandbox=no

dpkg-buildpackage -b -us

# After finished. Install the debs and job done
You can freeze the openssh version by "apt-mark hold" to avoid accidently update your openssh.
Just keep in mind this will prevent you from receiving openssh security updates. You have to rebuild on every release for the security.
Or...you could just disable the offload cipher for openssh(default).

cryptodev

It's the most unreliable and yet most speed solution amount these two. If anything there that most are likely to corrupt your data. This is it. Additional modules are required, both kernel and openssl.

Kernel: You have to use the latest source from their github or it won't work on 5.x kernel. And so far it's not compiled on bodhi's headers files for some reason.

I just cross-compiled it. The kernel module binary is on attachment. (cryptodev.zip )

OpenSSL: Until recently you still have to re-compile the whole openssl for the cryptodev support(now called devcrypto). To make matter worse after you done that it become a builtin-engine. YOU COULD NOT DISABLE a builtin-engine unless unload the kernel module. Not even mention it could break your openssh almost entirely...

But luckily openssl source tree has just made it become a module instead a builtin-engine. Some bugs were also fixed(no longer breaking openssh as long as you not using the offloaded cipher). So I backport the module to the buster's openssl1.1.1. which is available in attachment

There are two version of it. devcrypto-with-hash has the offload digest(md5/sha) support, which is straight from official source. devcrypto-wo-hash does not as I strip the digest codes.
You can compare them on the benchmark in #2. You can only install either of them.

Install: Extract and put the "devcrypto.so" directly into "/usr/lib/arm-linux-gnueabi/engines-1.1"
Verify: run "openssl engine devcrypto". If you see:
(devcrypto) /dev/crypto engine
then it's working.

Enable procedure is same as af_alg. Just replace "afalg" with "devcrypto".

Known issue:
It will break openssh connection if you enable this engine with offloaded cipher(i.e. aes128-cbc) setting in sshd_config(which is not default). Unlike af_alg I didn't find any workaround.
See this report


Wanna use both? Or only wanna enable certain engine for certain application? No problem

Openssl support "OPENSSL_CONF" as environment var. You can make another openssl.cnf with different engine. Then pass the file path to the executable with OPENSSL_CONF. For example:
OPENSSL_CONF=/path/to/engine/afalg.cnf sshd


Q&A:
Q. Why there are so many useless blahblah. I just want more specific commands
A. It's not for the beginner and it's EXPERIMENTAL.

Q. Why it is experimental. Isn't it all from official source?
A. Cryptography is serious thing. Even though some of these codes have been existing for quite long time it still quite buggy and lack of popularity means lack of maintenance. Anything could happen.

Q. My ssh is not working anymore.
A. Remove the configuration and modules.

Q. My encrypted data corrupted.
A. You have been warned.

Special thanks to https://wiki.kobol.io/cesa/ and bodhi



Edited 3 time(s). Last edit at 09/05/2019 02:46AM by yuko1225.
Attachments:
open | download - cryptodev.zip (18.5 KB)
open | download - devcrypto-with-hash.zip (43 KB)
open | download - devcrypto-wo-hash.zip (32.4 KB)
Re: [EXPERIMENTAL]Hardware Crypto on kickwood device with debian buster
September 04, 2019 04:06AM
Correction: benchmark parameters was wrong(didn't set the "elapsed" parameters). Old data is deleted and below is correct data.

Software

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
md4               2722.18k     9854.38k    28290.99k    53199.87k    71554.39k    72204.29k
md5               2624.53k     9288.04k    25463.21k    45150.89k    58217.81k    58698.41k
sha1              2185.57k     6787.61k    15682.05k    23386.45k    27249.32k    27383.13k
sha256            1838.62k     5413.55k    11722.75k    16576.51k    18800.64k    18928.98k
sha512             782.49k     3129.15k     5093.63k     7302.14k     8350.38k     8410.45k
seed-cbc          5682.78k     7678.91k     8421.21k     8622.42k     8669.87k     8605.68k
rc2-cbc           5222.04k     6596.48k     7061.16k     7196.33k     7225.34k     7208.96k
bf-cbc            7275.10k    10337.98k    11551.32k    11906.39k    11990.36k    11900.25k
des-cbc           4284.48k     5318.12k     5657.17k     5753.17k     5772.63k     5756.25k
des-ede3          1717.97k     1801.34k     1820.50k     1826.47k     1818.03k     1824.09k
aes-128-cbc       7139.94k    10119.32k    11303.00k    11645.61k    11730.94k    11692.71k
aes-192-cbc       6484.08k     8852.16k     9745.15k     9985.02k    10051.58k    10027.01k
aes-256-cbc       5933.29k     7865.71k     8559.62k     8753.15k     8809.13k     8781.82k
camellia-128-cbc     6486.85k     9001.51k     9959.34k    10229.42k    10291.88k    10205.98k
camellia-192-cbc     5507.29k     7205.87k     7813.46k     7975.94k     8019.97k     7979.01k
camellia-256-cbc     5498.62k     7211.39k     7816.28k     7976.96k     8017.24k     7984.47k
rc4              16630.41k    30758.76k    39129.43k    41958.40k    42833.24k    42435.10k
cast5-cbc         7442.66k    10786.60k    12143.02k    12535.47k    12626.60k    12539.22k

devcrypto(no hash)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
md4               2722.72k     9863.34k    28256.94k    53164.37k    71488.85k    72198.83k
md5               2622.62k     9290.20k    25420.37k    45139.97k    58253.31k    58709.33k
sha1              2185.84k     6790.59k    15698.69k    23368.36k    27254.78k    27399.51k
sha256            1835.02k     5408.98k    11733.67k    16566.95k    18819.75k    18928.98k
sha512             777.93k     3111.53k     5078.70k     7298.39k     8350.38k     8382.51k
seed-cbc          5668.70k     7670.57k     8409.60k     8613.21k     8672.60k     8623.45k
rc2-cbc           5224.66k     6597.16k     7054.93k     7184.04k     7222.61k     7203.50k
bf-cbc            7266.79k    10320.17k    11550.98k    11927.37k    12027.72k    11940.05k
des-cbc            176.32k      703.15k     2809.09k     8457.08k    30488.49k    36422.89k
des-ede3          1723.68k     1803.29k     1832.84k     1836.69k     1829.55k     1824.09k
aes-128-cbc        176.46k      701.38k     2799.53k     8301.91k    25679.19k    22189.40k
aes-192-cbc        173.95k      693.48k     2771.63k     8152.41k    24586.92k    21315.58k
aes-256-cbc        175.72k      700.89k     2798.08k     8094.04k    23803.22k    20682.07k
camellia-128-cbc     6486.53k     8990.14k     9952.17k    10213.38k    10289.15k    10234.54k
camellia-192-cbc     5513.48k     7205.06k     7805.70k     7974.91k     8014.51k     8000.21k
camellia-256-cbc     5511.72k     7206.98k     7807.74k     7999.19k     8044.05k     7979.01k
rc4              16621.46k    30820.75k    39183.58k    42052.84k    42811.39k    42314.41k
cast5-cbc         7453.44k    10802.28k    12179.44k    12559.58k    12629.33k    12533.76k

devcrypto(w/ hash)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
md4                888.85k     3446.70k    12095.49k    32558.42k    64353.62k    67960.83k
md5                105.24k      311.98k     1247.91k     4413.44k    22994.94k    32123.56k
sha1               104.72k      310.36k     1240.75k     4352.68k    21121.71k    30108.33k
sha256             761.06k     2649.45k     7452.50k    13649.58k    17986.90k    18278.23k
sha512             483.14k     1940.82k     4055.38k     6613.33k     8118.27k     8252.07k
seed-cbc          5600.77k     7557.95k     8275.46k     8485.89k     8566.10k     8548.17k
rc2-cbc           5139.08k     6491.09k     6947.93k     7071.74k     7128.96k     7121.58k
bf-cbc            7157.43k    10165.48k    11413.33k    11724.12k    11793.75k    11763.71k
des-cbc            172.36k      688.79k     2754.22k     8364.37k    30089.22k    35973.80k
des-ede3          1700.85k     1774.29k     1794.90k     1805.99k     1818.62k     1802.24k
aes-128-cbc        173.11k      675.54k     2698.92k     8060.93k    25351.51k    22173.01k
aes-192-cbc        170.45k      679.59k     2730.24k     8029.53k    24491.35k    21381.12k
aes-256-cbc        170.69k      678.68k     2717.44k     7923.03k    23519.23k    20611.07k
camellia-128-cbc     6387.72k     8881.83k     9835.97k    10103.35k    10161.92k    10070.70k
camellia-192-cbc     5427.82k     7114.77k     7742.93k     7875.55k     7891.63k     7864.32k
camellia-256-cbc     5400.30k     7094.31k     7682.90k     7849.64k     7891.63k     7853.40k
rc4              16359.03k    30267.09k    38463.15k    41235.46k    42276.18k    41872.04k
cast5-cbc         7340.99k    10604.95k    11952.30k    12482.25k    12451.84k    12337.15k


AFALG

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
md4               2721.70k     9860.42k    28274.60k    53107.71k    71467.01k    72204.29k
md5               2622.15k     9300.91k    25444.18k    45130.41k    58187.78k    58736.64k
sha1              2187.27k     6580.26k    15610.45k    23381.67k    27249.32k    27366.74k
sha256            1837.62k     5408.36k    11730.77k    16567.30k    18825.22k    18912.60k
sha512             778.44k     3107.82k     5080.23k     7292.25k     8353.11k     8410.45k
seed-cbc          5643.20k     7672.55k     8413.44k     8624.81k     8667.14k     8634.37k
rc2-cbc           5218.85k     6595.58k     7058.77k     7192.23k     7222.61k     7185.01k
bf-cbc            7286.44k    10320.41k    11590.21k    11905.71k    11998.55k    11911.17k
des-cbc           4291.94k     5317.55k     5658.37k     5744.64k     5707.09k     5690.71k
des-ede3          1718.94k     1803.78k     1824.51k     1828.52k     1826.82k     1823.47k
aes-128-cbc        103.81k      411.48k     1621.59k     5250.73k    18773.33k    22844.76k
aes-192-cbc        104.05k      412.03k     1629.61k     5142.53k    18631.34k    22391.47k
aes-256-cbc        103.34k      408.19k     1622.27k     5082.79k    17937.75k    21621.42k
camellia-128-cbc     6493.03k     9002.88k     9958.74k    10233.51k    10302.81k    10240.00k
camellia-192-cbc     5500.22k     7207.13k     7816.28k     7979.69k     8019.97k     7984.47k
camellia-256-cbc     5505.26k     7213.44k     7819.18k     7974.23k     8019.97k     7984.47k
rc4              16637.58k    30748.93k    39127.81k    41966.93k    42860.54k    42445.48k
cast5-cbc         7451.31k    10774.06k    12136.02k    12542.63k    12640.26k    12544.68k

The overheads has some significant impact. Small bytes HW result is no where close to the software. And on hash even the large bytes isn't able to compare with software. On most commonly use cipher size it shows about 2x throughput, which match the real world result. AF_ALG is clearly slower than cryptodev.

Also, because the cost of context-switch. The cpu usage isn't benefit from the offload hash either.



Edited 3 time(s). Last edit at 09/05/2019 02:49AM by yuko1225.
Author:

Your Email:


Subject:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.
Message: