Build OCF for Sitara

From Texas Instruments Wiki
Jump to: navigation, search


This article is the first of three articles written as a how-to guide for enabling hardware accelerated cryptographic functions for OpenSSL version 1.0.0a. This functionality is designed for the hardware accelerators on the 37xx and 35xx general purpose (GP) device family. Other devices may have incompatible or inaccessible hardware accelerators.

This first article describes how to patch and re-build the Linux kernel with support for Open Crypto Framework (OCF-Linux).  OCF-Linux is an open-source project which supports hardware accelerated crypto functions in applications running under Linux.

The second article describes how to build the module which will communicate with the 35xx/37xx hardware accelerators.

The third article describes how to build and use OpenSSL version 1.0.0a with OCF support.


The procedures on this page have been tested using the system described below.

  • Linux host development system - Ubuntu 10.04
  • CodeSourcery Arm cross-compiler tools installed in dev system (Sourcery G++ Lite 2009q1-203 4.3.3)
  • PSP for AM35x/OMAP35x with kernel source code extracted.
  • Root file system from PSP (nfs-base.tar.gz) set up as Network File System (NFS) within host dev system
  • OMAP3 Rev G EVM w/ AM37x processor module booting into PSP and mounting NFS on host dev system
  • Tarballs from (ocf-linux-20100325.tar.gz and crypto-tools-20100325.tar.gz)

All binaries/modules are cross-compiled in the host development under the Network File System (NFS) mount point that the target will use as a root file system.  This eliminates the need to copy binaries/modules from the host to the target.  When the target boots and mounts the NFS, all of the binaries/modules are directly accessible to the target.  If using a different media for the file system (SD card, NAND), it will be necessary to perform the extra step to copy binaries/modules to the file system.  However, the procedure to perform the actual build/cross-compile is the always the same as described in the article.

Procedure to Build and Test OCF-Linux

OCF-Linux is made of two parts.  The first is a patch for the Linux kernel.  The patch must be applied to the kernel source from PSP and then the kernel must be configured and re-built.  The patch/re-building process will create the modules for OCF (cryptodev.ko and cryptosoft.ko). 

The module cryptodev.ko is the driver that will access hardware accelerators if available.  It creates the /dev/crypto device on the target system.  It is required that cryptodev.ko is loaded before trying to use a higher level application like OpenSSL that uses the /dev/crypto device.

The module cryptosoft.ko is a driver that will emulate a hardware accelerator being accessed through /dev/crypto.  It is handy to use cryptosoft.ko in order to test /dev/crypto without the actual hardware accelerators.  It is not necessary to have cryptosoft.ko once you have a driver for the hardware accelerators.  This will be the case at the end of the second article in this series.

The second part of OCF is a patch for OpenSSL.  For OpenSSL version 1.0.0a, the OCF patch if not necessary.  OpenSSL 1.0.0a is already set up to use OCF with a compile time switch.  The third article in this series describes how to build OpenSSL 1.0.0a with OCF support.

Apply the kernel patch

Make a directory for ocf-linux-20100325.tar.gz and extract the tarball in place.  This will create a sub-directory named ocf-linux-20100325.  This subdirectory will contain another tarball ocf-linux.tar.gz, a README file and patches for OpenSSL.  The tarball ocf-linux.tar.gz contains the actual files that will used to directly patch the PSP Linux kernel.

user@Ubuntu:~$ cd OCF-Linux/
user@Ubuntu:~/OCF-Linux$ ll
total 620
drwxr-xr-x 3 user user 4096 2010-06-30 13:09 ./
drwxr-xr-x 39 user user 4096 2010-06-30 13:52 ../
drwxr-xr-x 3 user user 4096 2010-06-30 13:08 ocf-linux-20100325/
-rwxrwxrwx 1 user user 610345 2010-06-14 13:24 ocf-linux-20100325.tar.gz*
-rw-r--r-- 1 user user 4821 2010-06-29 14:57 ocf-linux-20100325.txt
user@Ubuntu:~/OCF-Linux$ cd ocf-linux-20100325/
user@Ubuntu:~/OCF-Linux/ocf-linux-20100325$ ll
total 736
drwxr-xr-x 3 user user 4096 2010-06-30 13:08 ./
drwxr-xr-x 3 user user 4096 2010-06-30 13:09 ../
-rw-r--r-- 1 user user 1473 2010-03-25 06:36 crypto-tools.patch
-rw-r--r-- 1 user user 564655 2010-03-25 06:36 ocf-linux.tar.gz
-rw-r--r-- 1 user user 36034 2010-03-25 06:36 openssl-0.9.8e.patch
-rw-r--r-- 1 user user 35851 2010-03-25 06:36 openssl-0.9.8g.patch
-rw-r--r-- 1 user user 39659 2010-03-25 06:36 openssl-0.9.8i.patch
-rw-r--r-- 1 user user 42908 2010-03-25 06:36 openssl-0.9.8n.patch
-rw-r--r-- 1 user user 5899 2010-03-25 06:36 README
-rw-r--r-- 1 user user 3483 2010-03-25 06:36 README.sglinux
drwxr-xr-x 2 user user 4096 2010-03-25 06:36 tools/

The rest of this article is essentially the procedure described in the README except that it is specific to the PSP kernel and software.

Applying the kernel patch to the kernel from PSP is very starightforward and is described below.

The kernel for PSP exists in the tarball named linux-  In the example below, the tarball has been extracted in place so that the source for the kernel is in the subdirectory linux-

user@Ubuntu:~/PSP-$ pwd
user@UbuntuVbox1004:~/PSP-$ ll
total 83792
drwxr-xr-x 3 user user 4096 2010-06-11 15:12 ./
drwxr-xr-x 6 user user 4096 2010-05-06 13:46 ../
-rw-r--r-- 1 user user 132393 2010-05-06 13:46 ChangeLog-
-rw-r--r-- 1 user user 20804 2010-05-06 13:46 diffstat-
-rw-r--r-- 1 user user 714860 2010-05-06 13:46 kernel-patches-
drwxrwxr-x 24 user user 4096 2010-06-30 13:50 linux-
-rw-r--r-- 1 user user 84363444 2010-05-06 13:46 linux-
-rw-r--r-- 1 user user 792 2010-05-06 13:46 Readme.txt
-rw-r--r-- 1 user user 17818 2010-05-06 13:46 ShortLog
-rw-r--r-- 1 user user 520670 2010-05-06 13:46 Unified-patch-
user@Ubuntu:~/PSP-$ cd linux-

Before applying the OCF patch, the kernel should be configured and built at least once for the 35x/37x.  To do this the following commands should be executed.

make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- omap3_evm_defconfig
make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- uImage

Now the OCF patch can be applied to the PSP kernel source.  First, copy the tarball ocf-linux.tar.gz to the crypto sub-directory of the kernel source.  Extract the tarball in place to create the crypto/ocf subdirectory.

Copy the file cryptodev.h from the ocf directory into the include directory of the kernel source (two levels up from the ocf directory).

Go back up two levels from ocf and apply the patch from the top of the kernel source code directory.

user@Ubuntu:~/.../linux-$ patch -p1 < crypto/ocf/patches/linux-2.6.33-ocf.patch

Reconfigure the kernel

Now the kernel must be re-configured before being built.  This assumes that the kernel has been already configured at least once with the omap3_evm_defconfig target as described above.  Run make with the menuconfig option.

make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- menuconfig

The picture below shows the configuration screen with the new OCF Configuration menu.  Scroll to OCF Configuration and hit enter.


The OCF Configuration sub-menu will look similar to the picture below.  Select module configuration for 'cryptodev' and 'cryptosoft'.  The final selections are shown below.  Do not select any HW support that does not exist in the actual hardware that will be used.  After making changes exit out of menuconfig and answer "yes" when it asks if you want to save the configuration.

OCF Menu.png

Now the kernel can be re-built.

make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- uImage

Build the Crypto Modules

After the kernel is built the modules must also be built.

make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- modules

After the modules are built, they will be located in the crypto/ocf sub-directory of the kernel source code.

user@Ubuntu:~/.../linux-$ ls -l crypto/ocf/*ko
-rw-r--r-- 1 user user 129195 2010-07-16 10:39 crypto/ocf/cryptodev.ko
-rw-r--r-- 1 user user 104911 2010-07-14 13:16 crypto/ocf/cryptosoft.ko

The crypto modules must be copied to the target root file system.  In the example here, the target is the NFS mount point in the host development system and the sub-directory here is lib/modules/2.6.32/crypto/ocf.

This sub-directory doesn't exist by default so it must be created before the modules are copied.  The output below shows the modules as they exist in the directory under the NFS.

user@Ubuntu:~/.../nfsbase/lib/modules/2.6.32/crypto/ocf$ pwd
user@Ubuntu:~/.../nfsbase/lib/modules/2.6.32/crypto/ocf$ ls -l
total 232
-rw-r--r-- 1 user user 129195 2010-07-16 10:39 cryptodev.ko
-rw-r--r-- 1 user user 104911 2010-07-14 13:16 cryptosoft.ko

Build Crypto-tools

OCF-Linux includes includes some tools to test the OCF package. 

Copy the tarball crypto-tools-20100325.tar.gz into the host system under the home/root directory of the NFS root file system.  Untar it in place and it will create the sub-directory, crypto-tools.

user@Ubuntu:~/.../nfsbase/home/root/crypto-tools$ ll
total 52
drwxr-xr-x 2 user user 4096 2010-07-23 13:55 ./
drwxrwxrwx 11 user user 4096 2010-07-23 13:44 ../
-rw-r--r-- 1 user user 4576 2009-05-22 01:05 cmactest.c
-rw-r--r-- 1 user user 5770 2010-03-15 22:01 cryptokeytest.c
-rw-r--r-- 1 user user 19161 2010-03-15 22:01 cryptotest.c
-rw-r--r-- 1 user user 2073 2010-07-23 13:52 Makefile
-rw-r--r-- 1 user user 2569 2004-11-30 00:25 README

Edit the Makefile and add the following lines (change the kernel source path to match your host system.

LINUXKERNEL_INSTALL_DIR=[path to kernel source]

Now run make.  There will probably be errors from the compilation of cryptokeytest.  That is okay.  We are looking for the executable called cryptotest.  If cryptotest built properly the directory should look like the following

user@Ubuntu:~/.../nfsbase/home/root/crypto-tools$ ll
total 76
drwxr-xr-x 2 user user 4096 2010-07-23 13:58 ./
drwxrwxrwx 11 user user 4096 2010-07-23 13:44 ../
-rw-r--r-- 1 user user 4576 2009-05-22 01:05 cmactest.c
-rw-r--r-- 1 user user 5770 2010-03-15 22:01 cryptokeytest.c
-rwxr-xr-x 1 user user 23670 2010-07-23 13:58 cryptotest*
-rw-r--r-- 1 user user 19161 2010-03-15 22:01 cryptotest.c
-rw-r--r-- 1 user user 2073 2010-07-23 13:52 Makefile
-rw-r--r-- 1 user user 2569 2004-11-30 00:25 README

Boot Target and load Crypto Module

Load the new kernel onto the EVM and check for the existence of /dev/crypto.  At this point it will not exist because the module has not been installed. 

Arago Project arago ttyS0

Arago 2009.11 arago ttyS0
arago login: root
root@arago:~# ls /dev/cr*
ls: /dev/cr*: No such file or directory

Install the cryptodev module.  The kernel will issue a warning about being tainted.

root@arago:~# insmod /lib/modules/2.6.32/crypto/ocf/cryptodev.ko
cryptodev: module license 'BSD' taints kernel.
Disabling lock debugging due to kernel taint
root@arago:~# lsmod
Module Size Used by
cryptodev 10560 0

Now install the cryptosoft.ko module. 

root@arago:~# insmod /lib/modules/2.6.32/crypto/ocf/cryptosoft.ko
root@arago:~# lsmod
Module Size Used by
cryptosoft 10987 0
cryptodev 10560 0

Run Cryptotest

Now the cryptodev.ko module can be tested using crypto-tools.  With cryptodev.ko and cryptosoft.ko loaded the test will not access hardware, but rather will test the /dev/crypto device using the software emulation provided by cryptosoft.ko.  The command "cryptotest -z 1024" is a good general command for running all available crypto functions for a reasonable number of block sizes.  Adding in the Linux "time -v" function will also provide extra information about how long the overall command takes.  In the example below, the test demonstrates that the cryptosoft.ko module provides only DES, 3DES and MD5 cryptographic functions.  The "time -v" function provides information about the CPU usage.  Notice below that the CPU usage for software emulation is 99%.

In the next article the ocf_omap3_cryptok.ko module will be built.  This module will take the place of cryptosoft.ko.  However, it will provide access to the omap3 hardware accelerators.

root@arago:~# cd crypto-tools/
root@arago:~/crypto-tools# ls -l
-rw-r--r-- 1 1000 1000 2198 Sep 16 2010 Makefile
-rw-r--r-- 1 1000 1000 2569 Nov 30 2004 README
-rw-r--r-- 1 1000 1000 4576 May 22 2009 cmactest.c
-rw-r--r-- 1 1000 1000 5770 Mar 16 2010 cryptokeytest.c
-rwxr-xr-x 1 1000 1000 23670 Sep 16 2010 cryptotest
-rw-r--r-- 1 1000 1000 19161 Mar 16 2010 cryptotest.c
root@arago:~/crypto-tools# time -v cryptotest -z 1024
0.040 sec, 2048 des crypts, 8 bytes, 406490 byte/sec, 3.1 Mb/sec
0.042 sec, 2048 des crypts, 16 bytes, 774859 byte/sec, 5.9 Mb/sec
0.046 sec, 2048 des crypts, 32 bytes, 1428017 byte/sec, 10.9 Mb/sec
0.053 sec, 2048 des crypts, 64 bytes, 2474130 byte/sec, 18.9 Mb/sec
0.066 sec, 2048 des crypts, 128 bytes, 3943972 byte/sec, 30.1 Mb/sec
0.094 sec, 2048 des crypts, 256 bytes, 5576049 byte/sec, 42.5 Mb/sec
0.149 sec, 2048 des crypts, 512 bytes, 7038037 byte/sec, 53.7 Mb/sec
0.258 sec, 2048 des crypts, 1024 bytes, 8127677 byte/sec, 62.0 Mb/sec
0.477 sec, 2048 des crypts, 2048 bytes, 8796096 byte/sec, 67.1 Mb/sec
0.915 sec, 2048 des crypts, 4096 bytes, 9172379 byte/sec, 70.0 Mb/sec
1.794 sec, 2048 des crypts, 8192 bytes, 9350222 byte/sec, 71.3 Mb/sec
3.556 sec, 2048 des crypts, 16384 bytes, 9436572 byte/sec, 72.0 Mb/sec
7.100 sec, 2048 des crypts, 32768 bytes, 9452067 byte/sec, 72.1 Mb/sec
14.156 sec, 2048 des crypts, 65280 bytes, 9444210 byte/sec, 72.1 Mb/sec
0.044 sec, 2048 3des crypts, 8 bytes, 374124 byte/sec, 2.9 Mb/sec
0.049 sec, 2048 3des crypts, 16 bytes, 673186 byte/sec, 5.1 Mb/sec
0.058 sec, 2048 3des crypts, 32 bytes, 1134430 byte/sec, 8.7 Mb/sec
0.076 sec, 2048 3des crypts, 64 bytes, 1726972 byte/sec, 13.2 Mb/sec
0.111 sec, 2048 3des crypts, 128 bytes, 2359213 byte/sec, 18.0 Mb/sec
0.182 sec, 2048 3des crypts, 256 bytes, 2880118 byte/sec, 22.0 Mb/sec
0.325 sec, 2048 3des crypts, 512 bytes, 3228086 byte/sec, 24.6 Mb/sec
0.609 sec, 2048 3des crypts, 1024 bytes, 3446316 byte/sec, 26.3 Mb/sec
1.176 sec, 2048 3des crypts, 2048 bytes, 3566230 byte/sec, 27.2 Mb/sec
2.313 sec, 2048 3des crypts, 4096 bytes, 3627363 byte/sec, 27.7 Mb/sec
4.590 sec, 2048 3des crypts, 8192 bytes, 3655559 byte/sec, 27.9 Mb/sec
9.145 sec, 2048 3des crypts, 16384 bytes, 3669124 byte/sec, 28.0 Mb/sec
18.278 sec, 2048 3des crypts, 32768 bytes, 3671525 byte/sec, 28.0 Mb/sec
36.414 sec, 2048 3des crypts, 65280 bytes, 3671469 byte/sec, 28.0 Mb/sec
0.020 sec, 1024 md5 crypts, 8 bytes, 400646 byte/sec, 3.1 Mb/sec
0.020 sec, 1024 md5 crypts, 16 bytes, 806141 byte/sec, 6.2 Mb/sec
0.020 sec, 1024 md5 crypts, 32 bytes, 1600156 byte/sec, 12.2 Mb/sec
0.021 sec, 1024 md5 crypts, 64 bytes, 3050314 byte/sec, 23.3 Mb/sec
0.023 sec, 1024 md5 crypts, 128 bytes, 5811732 byte/sec, 44.3 Mb/sec
0.025 sec, 1024 md5 crypts, 256 bytes, 10670574 byte/sec, 81.4 Mb/sec
0.029 sec, 1024 md5 crypts, 512 bytes, 18295924 byte/sec, 139.6 Mb/sec
0.037 sec, 1024 md5 crypts, 1024 bytes, 28633189 byte/sec, 218.5 Mb/sec
0.053 sec, 1024 md5 crypts, 2048 bytes, 39539810 byte/sec, 301.7 Mb/sec
0.085 sec, 1024 md5 crypts, 4096 bytes, 49385423 byte/sec, 376.8 Mb/sec
0.150 sec, 1024 md5 crypts, 8192 bytes, 55949044 byte/sec, 426.9 Mb/sec
0.284 sec, 1024 md5 crypts, 16384 bytes, 59132588 byte/sec, 451.1 Mb/sec
0.554 sec, 1024 md5 crypts, 32768 bytes, 60575767 byte/sec, 462.2 Mb/sec
1.084 sec, 1024 md5 crypts, 65280 bytes, 61669333 byte/sec, 470.5 Mb/sec
Command being timed: "cryptotest -z 1024"
User time (seconds): 0.23
System time (seconds): 104.14
Percent of CPU this job got: 99%
Elapsed (wall clock) time (h:mm:ss or m:ss): 1m 44.69s
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 3216
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 510
Voluntary context switches: 7
Involuntary context switches: 71684
Swaps: 0
File system inputs: 0
File system outputs: 0
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0