Build OpenSwan for Sitara

From Texas Instruments Wiki


Introduction

Openswan is an implementation of IPsec for Linux and is licensed under the GPLv2 with some modules having a different (BSD) license.

This article describes how to cross compile OpenSwan (together with its GMP dependency and the ipsec-tools utilities used for the manual keying test at the end) and run it on a Sitara EVM.  The procedure should apply to all Sitara devices.

Openswan depends on GMP, the GNU Multiple Precision Arithmetic Library.  This library must be built and installed into the cross compile directory before Openswan itself can be built.

Assumptions

  • Linux host development system. These instructions are based on Ubuntu 12.04.
  • The Sitara Linux SDK is installed. Its install directory will be referred to as <sdk-path>. These instructions are based on SDK 7.0.


IMPORTANT:
Replace all references that you see to <sdk-path> with the full path of your SDK directory.
For example the below will be considered a full path:
/home/sitara/ti-sdk-am335x-evm-07.00.00.00/

Software Needed

  • GMP v6.0
  • IPSec-tools v0.8.2
  • OpenSwan v2.6.41


Host Configuration

A few prerequisite steps on the host must be completed before cross compiling can begin.

Install Additional Host Packages

In a terminal run the following command to install bison, flex, texinfo and gettext:
sudo apt-get install bison flex texinfo gettext

These host packages are needed by the software we will cross compile later.

Create Linux Kernel Headers

IPSec-tools needs the kernel headers that are exported for user space applications. These headers can be generated from the kernel sources included in the SDK with a few commands.

First go to the board-support directory within the sdk. This directory will contain the kernel headers that will be generated and it also contains the kernel sources directory.

Run the below commands:
cd <sdk-path>/board-support/
mkdir kernel-headers


Now generate the kernel headers. To be safe, the kernel sources are cleaned first to remove any precompiled files, the headers are generated, and the sources are cleaned again so they are ready for building the kernel. ARCH=arm is required on every make invocation here; without it make generates headers for the host's architecture, not for the ARM target. Be aware that allnoconfig overwrites the kernel's .config and that make clean does not remove it (only make mrproper does), so if the SDK kernel tree already holds the configuration you intend to build with, save a copy of .config before this step and restore it afterwards.

Run the below commands:
cd linux-*
make ARCH=arm clean
make ARCH=arm allnoconfig
make ARCH=arm headers_install INSTALL_HDR_PATH=<sdk-path>/board-support/kernel-headers
make ARCH=arm clean

Create Cross Compile Directory

We need a directory to hold the cross compiled libraries and headers. Remember the path to this directory; it will be referenced several times when cross compiling the various applications.

Open a terminal window and run the below command:
mkdir <sdk-path>/cross-dir

Edit Environment-setup file

Using a text editor open <sdk-path>/linux-devkit/environment-setup

Go to the line that says export CPPFLAGS and add -I<sdk-path>/cross-dir/usr/include in between the quotes.

The export CPPFLAGS should end up looking something like this:
export CPPFLAGS=" -march=armv7-a -marm -mthumb-interwork -mfloat-abi=hard -mfpu=neon -mtune=cortex-a8 -I<sdk-path>/cross-dir/usr/include --sysroot=$SDK_PATH_TARGET"

Now go to the line LDFLAGS and add -L<sdk-path>/cross-dir/usr/lib in between the quotes.

The export LDFLAGS line should end up looking something like this:
export LDFLAGS=" -L<sdk-path>/cross-dir/usr/lib --sysroot=$SDK_PATH_TARGET"

Extract Sources

Extract the source tarballs for GMP, OpenSwan and IPSec-tools

Cross Compiling

Within a terminal, source the environment-setup file:
source <sdk-path>/linux-devkit/environment-setup

This configures the terminal environment so you're ready to cross compile applications. All of the build steps below assume they are run in this same terminal.

GMP

In the terminal go in to the directory containing the extracted GMP sources.
Run:
./configure $CONFIGURE_FLAGS --prefix=/usr/

CONFIGURE_FLAGS is an environment variable set by environment-setup. It passes the configure script the options that instruct it to cross compile the sources using the toolchain and libraries provided by the SDK.

Once configure is done run:
make

Finally run:
make install DESTDIR=<sdk-path>/cross-dir/
This instructs make to install all the required files into our cross compile directory instead of onto the host. The --prefix=/usr/ given to configure is the path the files will live at on the target; DESTDIR is only where they are staged on the host.

OpenSwan

In the terminal go in to the directory containing the extracted OpenSwan sources.

Run:
export ARCH=arm
export DESTDIR=<sdk-path>/cross-dir/

OpenSwan has no configure script; its Makefile reads these environment variables instead. ARCH selects the target architecture and DESTDIR redirects the install into the cross compile directory.

Run:
make programs

Finally install the required libraries, headers and executables by running:
make install

IPSec-Tools

Download the patch http://processors.wiki.ti.com/images/3/36/0001-Fix-Patch.patch.

This patch tweaks the sources to get around a known problem with this library trying to use a specific library from Flex during the build.

Copy the 0001-Fix-Patch.patch file into the extracted IPSec-Tools source directory, then in the terminal go into that directory.
Run:
patch -p1 < 0001-Fix-Patch.patch
./configure $CONFIGURE_FLAGS --with-kernel-headers=<sdk-path>/board-support/kernel-headers/include --enable-security-context=no --prefix=/usr/

The --with-kernel-headers option points configure at the headers generated earlier, and --enable-security-context=no leaves out the SELinux security context support, which is not needed here.


make
make install DESTDIR=<sdk-path>/cross-dir/

Copying Cross Compile Files

Now that all the applications have been cross compiled it is time to copy the files to the target filesystem.

Important: These instructions will vary depending on which version of Ubuntu you are using and on whether you use a built-in SD card reader.

Assuming you boot your filesystem from an SD card, plug the SD card into the host PC.

On Ubuntu the root filesystem partition should come up as /media/rootfs/

Open a new terminal window and go to /media/rootfs using the below command:
cd /media/rootfs


Now enter the below command to copy all the files from cross-dir to the rootfs. Use cp -a rather than cp -r so that file modes, ownership and the shared library symlinks (for example libgmp.so pointing at the versioned library) are preserved:
sudo cp -a <sdk-path>/cross-dir/* .
sync

Get out of the rootfs directory by running:
cd


Now unmount the SD card partitions by running:
umount /media/rootfs /media/boot
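The host-side procedure above, from generating the kernel headers through copying cross-dir onto the SD card, as one shell script. This is an added example written for this page, not a script shipped by TI, OpenSwan or ipsec-tools. It assumes the three source trees are already extracted into one source directory as gmp-*, openswan-* and ipsec-tools-* and that 0001-Fix-Patch.patch sits in that same directory; instead of editing environment-setup by hand it appends the same -I and -L flags to CPPFLAGS and LDFLAGS after sourcing the file. The function names, the DRY_RUN switch and the default source directory are this example's own.

```sh
#!/bin/sh
# Added example (not from the TI wiki page): the host-side build steps above as one script.
# Assumptions: gmp-*, openswan-* and ipsec-tools-* are extracted under SRC and
# 0001-Fix-Patch.patch is in SRC as well. DRY_RUN=1 prints each command instead of running it.
set -eu

# run CMD...: execute CMD, or only print it when DRY_RUN=1. It is a function call,
# not a subshell, so "run cd DIR" changes the script's own working directory.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Generate the user-space kernel headers that the ipsec-tools configure script needs.
build_kernel_headers() {                 # $1 = <sdk-path>
    run cd "$1"/board-support/linux-*
    # allnoconfig replaces .config and "make clean" keeps it, so save and restore the SDK's copy
    if [ -f .config ]; then run cp .config .config.sdk-saved; fi
    run make ARCH=arm clean
    run make ARCH=arm allnoconfig
    run make ARCH=arm headers_install INSTALL_HDR_PATH="$1/board-support/kernel-headers"
    run make ARCH=arm clean
    if [ -f .config.sdk-saved ]; then run mv .config.sdk-saved .config; fi
}

# Source the SDK toolchain environment and point it at cross-dir, as the manual edit above does.
cross_env() {                            # $1 = <sdk-path>
    run . "$1/linux-devkit/environment-setup"
    export CPPFLAGS="${CPPFLAGS:-} -I$1/cross-dir/usr/include"
    export LDFLAGS="${LDFLAGS:-} -L$1/cross-dir/usr/lib"
}

build_gmp() {                            # $1 = <sdk-path>  $2 = source dir
    run cd "$2"/gmp-*
    run ./configure ${CONFIGURE_FLAGS:-} --prefix=/usr     # --prefix is the path on the target
    run make
    run make install DESTDIR="$1/cross-dir/"               # DESTDIR is where it is staged on the host
}

build_openswan() {                       # $1 = <sdk-path>  $2 = source dir
    run cd "$2"/openswan-*
    export ARCH=arm DESTDIR="$1/cross-dir/"                # no configure script; the Makefile reads these
    run make programs
    run make install
    unset DESTDIR
}

build_ipsec_tools() {                    # $1 = <sdk-path>  $2 = source dir
    run cd "$2"/ipsec-tools-*
    run sh -c "patch -p1 < '$2/0001-Fix-Patch.patch'"
    run ./configure ${CONFIGURE_FLAGS:-} \
        --with-kernel-headers="$1/board-support/kernel-headers/include" \
        --enable-security-context=no --prefix=/usr
    run make
    run make install DESTDIR="$1/cross-dir/"
}

# Copy the staged files onto the mounted target rootfs. -a (not -r) keeps modes,
# ownership and the shared-library symlinks intact.
install_to_rootfs() {                    # $1 = <sdk-path>  $2 = mounted rootfs, e.g. /media/rootfs
    run sudo cp -a "$1"/cross-dir/. "$2"/
    run sync
}

main() {                                 # main <sdk-path> [source-dir] [mounted-rootfs]
    sdk=${1%/}                           # strip a trailing slash; every path below adds its own
    src=${2:-$PWD}
    rootfs=${3:-}
    if [ ! -d "$sdk" ] && [ "${DRY_RUN:-0}" != 1 ]; then
        echo "no such SDK directory: $sdk" >&2; return 1
    fi
    run mkdir -p "$sdk/cross-dir" "$sdk/board-support/kernel-headers"
    build_kernel_headers "$sdk"
    cross_env "$sdk"
    build_gmp "$sdk" "$src"
    build_openswan "$sdk" "$src"
    build_ipsec_tools "$sdk" "$src"
    if [ -n "$rootfs" ]; then install_to_rootfs "$sdk" "$rootfs"; fi
}

# Usage: sh build-openswan-sitara.sh <sdk-path> [source-dir] [/media/rootfs]
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 to see every command it would issue with your paths substituted before letting it touch the SDK tree; the trailing-slash handling in main is there because the page's own DESTDIR example is easy to get wrong when <sdk-path> is pasted with or without one.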

Linux kernel configuration

Open a brand new terminal window, one that has not sourced environment-setup.

Run the below command:
export PATH=<sdk-path>/linux-devkit/sysroots/i686-arago-linux/usr/bin:$PATH

This ensures only the toolchain is on the PATH, without the other settings from environment-setup (CFLAGS, LDFLAGS, sysroot and so on) that would interfere with the kernel build.

Several kernel options must be enabled to support IPsec. Use "menuconfig" to run an interactive session and make the following changes to the kernel configuration. Before launching it, make sure .config holds the SDK's kernel configuration and not the allnoconfig left behind by the header generation step above.

Go to the sdk's kernel directory by running:
cd <sdk-path>/board-support/linux-*

To launch menuconfig run the below command (note the single trailing dash in CROSS_COMPILE):
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig


Networking support (NET) [Y/n/?] y
*
* Networking options
*
 PF_KEY sockets (NET_KEY) [Y/n/m/?] y
 IP: AH transformation (INET_AH) [Y/n/m/?] y
 IP: ESP transformation (INET_ESP) [Y/n/m/?] y
 IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y

Cryptographic API (CRYPTO) [Y/n/?] y

 HMAC support (CRYPTO_HMAC) [Y/n/?] y
 Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
 MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
 SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
 DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
 AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y

CRYPTO_MD5 and CRYPTO_DES are needed only because the manual keying test below uses hmac-md5 and 3des-cbc. Both are legacy algorithms; for anything beyond a bring-up test use AES with a SHA-2 HMAC, which additionally requires the matching SHA-2 digest option (CRYPTO_SHA256) from this menu.



See the screenshots NetworkMenu.png (Networking options) and CryptoMenu.png (Cryptographic API) for reference.


Testing

At this point there is a catch-22 if the target boots from an NFS root. This Testing section was written against an NFS export that the target board booted from (the am37x listing below shows that setup), which requires Ethernet connectivity between host and target; but enabling IPsec on only one of the two ends breaks that connectivity, and with it the NFS root. To avoid this, the board should be booted from a root filesystem on an SD card. Either copy the NFS export to the SD card (using "cp -a"), or point DESTDIR at the mounted SD card partition when installing; keep --prefix=/usr/ as it is, since prefix is the path on the target and DESTDIR is where the files are staged on the host.

The following shows the "cp" command used to copy the NFS export to the rootfs partition of an SD card mounted on the host system.  "cp -a" ensures that the entire root filesystem is copied with all permissions, ownership and links intact. The listing is from an older am37x SDK, so the directory names differ from SDK 7.0, but the step is the same.


user@UbuntuVbox1004:~/ti-sdk-am37x-evm-4.0.1.0/filesystem/SDK_NFS$ ls -l
total 110060
-rw-r--r-- 1 user user 0 2011-03-07 13:06 AM37X_NFSGT
drwxr-xr-x 2 user user 4096 2011-01-26 09:12 bin
drwxr-xr-x 2 user user 4096 2011-01-26 09:12 boot
drwxr-xr-x 3 user user 4096 2010-12-19 17:17 dev
drwxr-xr-x 27 user user 4096 2011-04-08 12:30 etc
drwxr-xr-x 3 user user 4096 2011-01-26 01:20 home
drwxr-xr-x 4 user user 4096 2011-03-14 10:39 lib
lrwxrwxrwx 1 user user 12 2011-02-16 09:05 linuxrc -> /bin/busybox
-rw-r--r-- 1 root root 2006 2011-02-24 14:53 matrixcert.pem
drwxr-xr-x 13 user user 4096 2011-04-08 11:07 media
drwxr-xr-x 3 user user 4096 2011-01-26 01:20 mnt
-rw-r--r-- 1 root root 5637 2011-04-05 16:17 OpenSSLspeedResults.txt
drwxrwxrwx 2 user user 4096 2011-01-26 09:12 opt
drwxr-xr-x 2 user user 4096 2010-12-19 17:17 proc
-rw-r--r-- 1 root root 272 2011-02-24 14:53 pubkey.pem
-rw-r--r-- 1 root root 10485760 2011-04-05 10:04 rnddata
-rw-r--r-- 1 root root 0 2011-04-05 10:06 rnddata.sha1
-rw-r--r-- 1 root root 0 2011-04-05 10:06 rnddata.swdec
drwxr-xr-x 2 user user 4096 2011-01-26 09:12 sbin
drwxr-xr-x 3 root root 4096 2011-03-07 14:16 Settings
drwxr-xr-x 3 user user 4096 2011-01-26 01:20 srv
drwxr-xr-x 2 user user 4096 2010-12-19 17:17 sys
-rw-r--r-- 1 root root 842 2011-04-05 10:06 timeResults.txt
-rw-r--r-- 1 user user 102125826 2011-02-07 16:35 tisdk-rootfs-am37x-evm.tar.gz
lrwxrwxrwx 1 root root 8 2011-02-24 14:28 tmp -> /var/tmp
drwxr-xr-x 15 user user 4096 2011-03-23 12:04 usr
drwxr-xr-x 7 user user 4096 2011-01-20 10:26 var
user@UbuntuVbox1004:~/ti-sdk-am37x-evm-4.0.1.0/filesystem/SDK_NFS$ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 19737268 15028932 3705740 81% /
none 250384 344 250040 1% /dev
none 254612 156 254456 1% /dev/shm
none 254612 352 254260 1% /var/run
none 254612 0 254612 0% /var/lock
none 254612 0 254612 0% /lib/init/rw
.host:/ 78148160 75478320 2669840 97% /mnt/hgfs
/dev/sdb3 2885812 69900 2669320 3% /media/START_HERE
/dev/sdb2 909168 398812 464172 47% /media/rootfs
/dev/sdb1 71133 2586 68548 4% /media/boot
user@UbuntuVbox1004:~/ti-sdk-am37x-evm-4.0.1.0/filesystem/SDK_NFS$ sudo cp -a * /media/rootfs/


The EVM can now be booted from the SD card.  The ipsec application and the ipsec-tools utilities (setkey) should be in the path.

The examples below are based on examples presented in the on-line IPSec how-to:

http://www.ipsec-howto.org/t1.html


The most basic use case for IPsec is a manually keyed connection configured with setkey.  The following example shows the contents of the setkey.conf file placed in the /etc directory of the target.  In this example, the IP address of the target is 128.247.106.242.  The exact same file must also exist on the other device running IPsec (in this case the host machine at IP address 128.247.106.253).  The only difference in the host's copy is that the parameters "in" and "out" after -P in the security policy sections are swapped.  Keep in mind what manual keying gives you: the SAs are static (nothing rekeys them, so the keys have to be rotated by hand), they are created with replay=0 (no anti-replay check unless -r is given on each add line), and hmac-md5 and 3des-cbc are legacy algorithms kept here only because they match the how-to.  As the comment in the file says, the keys below are test values; generate fresh random keys for every peer pair.

 

root@am37x-evm:~#
root@am37x-evm:~#
root@am37x-evm:~# more /etc/setkey.conf
#!/usr/sbin/setkey -f

############### IP EVM IP Host
# Configuration for 128.247.106.242 to 128.247.106.253

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use this keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 128.247.106.253 128.247.106.242 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 128.247.106.242 128.247.106.253 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 128.247.106.253 128.247.106.242 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 128.247.106.242 128.247.106.253 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 128.247.106.253 128.247.106.242 any -P in ipsec
esp/transport//require
ah/transport//require;

spdadd 128.247.106.242 128.247.106.253 any -P out ipsec
esp/transport//require
ah/transport//require;
root@am37x-evm:~#
root@am37x-evm:~# 
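A script that writes both peers' setkey.conf files for the setup above with fresh keys from /dev/urandom, added here as an example (it is not from the TI page or from ipsec-tools). The addresses and SPIs are the page's; the -r 32 replay window, the output file names and the function names are this example's additions. The point it makes is that the add lines (SAs) must be byte-for-byte identical on both peers, while the spdadd lines differ only in direction.

```sh
#!/bin/sh
# Added example (not from the TI wiki page or ipsec-tools): write the pair of
# setkey.conf files for the manually keyed AH+ESP transport-mode setup above,
# with fresh keys from /dev/urandom instead of the how-to's published test keys.
# The "add" lines must be identical on both peers (same SPIs, same keys); only
# the policy direction (-P in / -P out) differs, which is what the role selects.
# The -r 32 anti-replay window is this example's addition; the page's SAs have none.
set -eu

# gen_key BYTES: print BYTES random bytes as a 0x-prefixed hex string
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# setkey_conf ROLE TARGET HOST AH_H2T AH_T2H ESP_H2T ESP_T2H
#   ROLE is "target" or "host" and picks which peer the file is for;
#   the keys are named by direction (host-to-target, target-to-host).
setkey_conf() {
    role=$1 t=$2 h=$3 ah_ht=$4 ah_th=$5 esp_ht=$6 esp_th=$7
    case $role in
        target) in_pair="$h $t"; out_pair="$t $h" ;;
        host)   in_pair="$t $h"; out_pair="$h $t" ;;
        *) echo "role must be target or host, not '$role'" >&2; return 1 ;;
    esac
    cat <<EOF
#!/usr/sbin/setkey -f
# Manually keyed SAs between target $t and host $h (this file: $role side)
flush;
spdflush;

# AH SAs, hmac-md5 with 128-bit keys; -r 32 turns on a replay window
add $h $t ah 0x200 -r 32 -A hmac-md5 $ah_ht;
add $t $h ah 0x300 -r 32 -A hmac-md5 $ah_th;

# ESP SAs, 3des-cbc with 192-bit keys
add $h $t esp 0x201 -r 32 -E 3des-cbc $esp_ht;
add $t $h esp 0x301 -r 32 -E 3des-cbc $esp_th;

# Require ESP and AH in both directions
spdadd $in_pair any -P in ipsec esp/transport//require ah/transport//require;
spdadd $out_pair any -P out ipsec esp/transport//require ah/transport//require;
EOF
}

# write_pair TARGET HOST: generate one key set and write both peers' files
# (target.setkey.conf, host.setkey.conf) into the current directory, owner-readable only.
write_pair() {
    ah_ht=$(gen_key 16) ah_th=$(gen_key 16) esp_ht=$(gen_key 24) esp_th=$(gen_key 24)
    for role in target host; do
        setkey_conf "$role" "$1" "$2" "$ah_ht" "$ah_th" "$esp_ht" "$esp_th" > "$role.setkey.conf"
        chmod 600 "$role.setkey.conf"
    done
}

# Usage: sh gen-setkey.sh 128.247.106.242 128.247.106.253
# Copy target.setkey.conf to the EVM and host.setkey.conf to the host, each as
# /etc/setkey.conf, then load with: setkey -f /etc/setkey.conf
if [ $# -eq 2 ]; then write_pair "$1" "$2"; fi
```

The files carry the keys in clear, which is inherent to manual keying; that is why they are written mode 0600 and why the keys should be regenerated rather than reused across peer pairs or left in a shared wiki page.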

 After the configuration files are in place on the two peers (in this case the EVM target and Linux host) they can be loaded with setkey -f, and the resulting SAD can be inspected with setkey -D.  See below.

  

root@am37x-evm:~# setkey -f /etc/setkey.conf
root@am37x-evm:~# setkey -D
128.247.106.242 128.247.106.253
esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
E: 3des-cbc f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 22:58:16 2011 current: Jan 26 22:58:22 2011
diff: 6(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=1955 refcnt=0
128.247.106.253 128.247.106.242
esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
E: 3des-cbc 7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 22:58:16 2011 current: Jan 26 22:58:22 2011
diff: 6(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=1955 refcnt=0
128.247.106.242 128.247.106.253
ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
A: hmac-md5 96358c90 783bbfa3 d7b196ce abe0536b
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 22:58:16 2011 current: Jan 26 22:58:22 2011
diff: 6(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=1955 refcnt=0
128.247.106.253 128.247.106.242
ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
A: hmac-md5 c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 22:58:16 2011 current: Jan 26 22:58:22 2011
diff: 6(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=1955 refcnt=0
root@am37x-evm:~#
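A review pass over setkey -D output of the kind shown above, added here as an example (not from the TI page or from ipsec-tools). It tags the things in that dump a reviewer should not accept silently: replay=0 on every SA, and the legacy hmac-md5 and 3des-cbc algorithms. The SAMPLE text is abbreviated from the page's dump; the WARN labels and the list of algorithms treated as legacy are this example's choices.

```sh
#!/bin/sh
# Added example (not from the TI wiki page or ipsec-tools): a review pass over
# "setkey -D" output. For every SA it prints src, dst, protocol, SPI, algorithm,
# state and replay window, and appends WARN tags for what a reviewer should not
# accept silently: replay=0 (no anti-replay check), a state other than mature,
# and the legacy algorithms hmac-md5, 3des-cbc and des-cbc. Exit status is 1 if
# anything was tagged. SAMPLE is abbreviated from the page's dump above.
set -eu

# audit_sad: read "setkey -D" text on stdin; print one line per SA; return 1 if any SA was tagged.
audit_sad() {
    awk '
    # an "src dst" line opens a new SA record (and flushes the previous one)
    NF == 2 && $1 ~ /^[0-9.]+$/ && $2 ~ /^[0-9.]+$/ {
        emit(); src = $1; dst = $2; proto = spi = alg = state = replay = ""; next
    }
    $1 == "esp" || $1 == "ah" {
        proto = $1
        for (i = 2; i <= NF; i++)
            if ($i ~ /^spi=/) { spi = $i; sub(/^spi=[0-9]*\(/, "", spi); sub(/\)$/, "", spi) }
    }
    $1 == "E:" || $1 == "A:" { alg = $2 }     # encryption / authentication algorithm line
    /state=/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^replay=/) replay = substr($i, 8)
            if ($i ~ /^state=/)  state  = substr($i, 7)
        }
    }
    END { emit(); exit bad ? 1 : 0 }
    function emit(    tags) {
        if (src == "") return
        tags = ""
        if (replay == "0") tags = tags " WARN:no-anti-replay"
        if (state != "mature") tags = tags " WARN:state=" state
        if (alg == "hmac-md5" || alg == "3des-cbc" || alg == "des-cbc") tags = tags " WARN:legacy-alg"
        if (tags != "") bad = 1
        print src, dst, proto, spi, alg, state, "replay=" replay tags
    }'
}

# Constructed sample: two of the four SAs from the page's "setkey -D" dump.
SAMPLE='128.247.106.242 128.247.106.253
esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
E: 3des-cbc f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 22:58:16 2011 current: Jan 26 22:58:22 2011
diff: 6(s) hard: 0(s) soft: 0(s)
sadb_seq=1 pid=1955 refcnt=0
128.247.106.242 128.247.106.253
ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
A: hmac-md5 96358c90 783bbfa3 d7b196ce abe0536b
seq=0x00000000 replay=0 flags=0x00000000 state=mature
sadb_seq=3 pid=1955 refcnt=0'

# On the target this would be:  setkey -D | audit_sad
printf '%s\n' "$SAMPLE" | audit_sad || echo "some SAs were tagged; review the WARN lines before relying on this tunnel" >&2
```

On the page's dump every SA comes out tagged twice (no-anti-replay and legacy-alg), which is the expected result for a bring-up test and the reason the earlier caveat about manual keying matters once the tunnel carries anything real.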


Once the connection is established it can be tested by simply pinging from one machine to the other.  See the examples below.


Ping from target to host before IPsec is turned on (note the round-trip times).

root@am37x-evm:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:C2:7E:8F:90
inet addr:128.247.106.242 Bcast:0.0.0.0 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3803 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:342909 (334.8 KiB) TX bytes:1950 (1.9 KiB)
Interrupt:80

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@am37x-evm:~# ping 128.247.106.253
PING 128.247.106.253 (128.247.106.253): 56 data bytes
64 bytes from 128.247.106.253: seq=0 ttl=64 time=0.610 ms
64 bytes from 128.247.106.253: seq=1 ttl=64 time=0.641 ms
64 bytes from 128.247.106.253: seq=2 ttl=64 time=0.702 ms
64 bytes from 128.247.106.253: seq=3 ttl=64 time=0.489 ms
64 bytes from 128.247.106.253: seq=4 ttl=64 time=0.641 ms
64 bytes from 128.247.106.253: seq=5 ttl=64 time=0.610 ms
64 bytes from 128.247.106.253: seq=6 ttl=64 time=0.702 ms
64 bytes from 128.247.106.253: seq=7 ttl=64 time=0.640 ms
64 bytes from 128.247.106.253: seq=8 ttl=64 time=0.641 ms
64 bytes from 128.247.106.253: seq=9 ttl=64 time=0.702 ms

--- 128.247.106.253 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.489/0.637/0.702 ms
root@am37x-evm:~#

Ping from target to host after IPsec is set up on the target but not on the host (note that the connection appears to be broken: the target's policy now requires AH and ESP on outbound packets, and the host has no SA for the SPIs they carry, so its kernel discards them and never replies).

root@am37x-evm:~# setkey -f /etc/setkey.conf
root@am37x-evm:~# ping 128.247.106.253
PING 128.247.106.253 (128.247.106.253): 56 data bytes

--- 128.247.106.253 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
root@am37x-evm:~#


Ping from target to host after IPsec is set up on both target and host (notice the performance difference: the average round trip rises from about 0.64 ms to about 0.98 ms, the per-packet cost of applying AH and ESP in both directions).


root@am37x-evm:~#
root@am37x-evm:~# ping 128.247.106.253
PING 128.247.106.253 (128.247.106.253): 56 data bytes
64 bytes from 128.247.106.253: seq=0 ttl=64 time=1.191 ms
64 bytes from 128.247.106.253: seq=1 ttl=64 time=1.251 ms
64 bytes from 128.247.106.253: seq=2 ttl=64 time=0.977 ms
64 bytes from 128.247.106.253: seq=3 ttl=64 time=1.038 ms
64 bytes from 128.247.106.253: seq=4 ttl=64 time=0.824 ms
64 bytes from 128.247.106.253: seq=5 ttl=64 time=0.732 ms
64 bytes from 128.247.106.253: seq=6 ttl=64 time=0.915 ms
64 bytes from 128.247.106.253: seq=7 ttl=64 time=0.885 ms
64 bytes from 128.247.106.253: seq=8 ttl=64 time=1.129 ms
64 bytes from 128.247.106.253: seq=9 ttl=64 time=0.701 ms
64 bytes from 128.247.106.253: seq=10 ttl=64 time=1.099 ms
64 bytes from 128.247.106.253: seq=11 ttl=64 time=0.977 ms

--- 128.247.106.253 ping statistics ---
12 packets transmitted, 12 packets received, 0% packet loss
round-trip min/avg/max = 0.701/0.976/1.251 ms
root@am37x-evm:~#

 

Use "-F" with the setkey command to flush the SAD, i.e. to remove the SAs.  Note that -F leaves the policies in the SPD in place, and those still require IPsec for the peer, so traffic to the peer stays blocked until the policies are flushed as well with "-FP" (or the configuration is reloaded on both sides).

Use "-D" to verify the current SAD contents (and "-DP" for the policies).

See the before/after example below.

root@am37x-evm:~#
root@am37x-evm:~# setkey -f /etc/setkey.conf
root@am37x-evm:~# setkey -D
128.247.106.242 128.247.106.253
esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
E: 3des-cbc f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 23:03:06 2011 current: Jan 26 23:03:08 2011
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=2124 refcnt=0
128.247.106.253 128.247.106.242
esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
E: 3des-cbc 7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 23:03:06 2011 current: Jan 26 23:03:08 2011
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=2124 refcnt=0
128.247.106.242 128.247.106.253
ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
A: hmac-md5 96358c90 783bbfa3 d7b196ce abe0536b
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 23:03:06 2011 current: Jan 26 23:03:08 2011
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=2124 refcnt=0
128.247.106.253 128.247.106.242
ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
A: hmac-md5 c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 26 23:03:06 2011 current: Jan 26 23:03:08 2011
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=2124 refcnt=0

root@am37x-evm:~# setkey -F
root@am37x-evm:~# setkey -D
No SAD entries.
root@am37x-evm:~#