openwrt/target/linux/generic/files/crypto/ocf/README

README - ocf-linux-20100325
---------------------------

This README provides instructions for getting ocf-linux compiled and
operating in a generic linux environment.  For other information you
might like to visit the home page for this project:

    http://ocf-linux.sourceforge.net/

Adding OCF to linux
-------------------

    Not much in this file for now,  just some notes.  I usually build
    the ocf support as modules but it can be built into the kernel as
    well.  To use it:

    * mknod /dev/crypto c 10 70

    * to add OCF to your kernel source,  you have two options.  Apply
      the kernel specific patch:

          cd linux-2.4*; gunzip < ocf-linux-24-XXXXXXXX.patch.gz | patch -p1
          cd linux-2.6*; gunzip < ocf-linux-26-XXXXXXXX.patch.gz | patch -p1
    
      if you do one of the above,  then you can proceed to the next step,
      or you can do the above process by hand with using the patches against
      linux-2.4.35 and 2.6.33 to include the ocf code under crypto/ocf.
      Here's how to add it:

      for 2.4.35 (and later)

          cd linux-2.4.35/crypto
          tar xvzf ocf-linux.tar.gz
          cd ..
          patch -p1 < crypto/ocf/patches/linux-2.4.35-ocf.patch

      for 2.6.23 (and later),  find the kernel patch specific (or nearest)
      to your kernel versions and then:

          cd linux-2.6.NN/crypto
          tar xvzf ocf-linux.tar.gz
          cd ..
          patch -p1 < crypto/ocf/patches/linux-2.6.NN-ocf.patch

      It should be easy to take this patch and apply it to other more
      recent versions of the kernels.  The same patches should also work
      relatively easily on kernels as old as 2.6.11 and 2.4.18.
      
    * under 2.4 if you are on a non-x86 platform,  you may need to:

        cp linux-2.X.x/include/asm-i386/kmap_types.h linux-2.X.x/include/asm-YYY

      so that you can build the kernel crypto support needed for the cryptosoft
      driver.

    * For simplicity you should enable all the crypto support in your kernel
      except for the test driver.  Likewise for the OCF options.  Do not
      enable OCF crypto drivers for HW that you do not have (for example
      ixp4xx will not compile on non-Xscale systems).

    * make sure that cryptodev.h (from ocf-linux.tar.gz) is installed as
      crypto/cryptodev.h in an include directory that is used for building
      applications for your platform.  For example on a host system that
      might be:

              /usr/include/crypto/cryptodev.h

    * patch your openssl-0.9.8n code with the openssl-0.9.8n.patch.
      (NOTE: there is no longer a need to patch ssh). The patch is against:
      openssl-0_9_8e

      If you need a patch for an older version of openssl,  you should look
      to older OCF releases.  This patch is unlikely to work on older
      openssl versions.

      openssl-0.9.8n.patch
                - enables --with-cryptodev for non BSD systems
                - adds -cpu option to openssl speed for calculating CPU load
                  under linux
                - fixes null pointer in openssl speed multi thread output.
                - fixes test keys to work with linux crypto's more stringent
                  key checking.
                - adds MD5/SHA acceleration (Ronen Shitrit), only enabled
                  with the --with-cryptodev-digests option
                - fixes bug in engine code caching.

    * build crypto-tools-XXXXXXXX.tar.gz if you want to try some of the BSD
      tools for testing OCF (ie., cryptotest).

How to load the OCF drivers
---------------------------

    First insert the base modules:

        insmod ocf
        insmod cryptodev

    You can then install the software OCF driver with:

        insmod cryptosoft

    and one or more of the OCF HW drivers with:

        insmod safe
        insmod hifn7751
        insmod ixp4xx
        ...

    all the drivers take a debug option to enable verbose debug so that
    you can see what is going on.  For debug you load them as:

        insmod ocf crypto_debug=1
        insmod cryptodev cryptodev_debug=1
        insmod cryptosoft swcr_debug=1

    You may load more than one OCF crypto driver but then there is no guarantee
    as to which will be used.

    You can also enable debug at run time on 2.6 systems with the following:

        echo 1 > /sys/module/ocf/parameters/crypto_debug
        echo 1 > /sys/module/cryptodev/parameters/cryptodev_debug
        echo 1 > /sys/module/cryptosoft/parameters/swcr_debug
        echo 1 > /sys/module/hifn7751/parameters/hifn_debug
        echo 1 > /sys/module/safe/parameters/safe_debug
        echo 1 > /sys/module/ixp4xx/parameters/ixp_debug
        ...

Testing the OCF support
-----------------------

    run "cryptotest",  it should do a short test for a couple of
    des packets.  If it does everything is working.

    If this works,  then ssh will use the driver when invoked as:

        ssh -c 3des username@host

    to see for sure that it is operating, enable debug as defined above.

    To get a better idea of performance run:

        cryptotest 100 4096

    There are more options to cryptotest,  see the help.

    It is also possible to use openssl to test the speed of the crypto
    drivers.

        openssl speed -evp des -engine cryptodev -elapsed
        openssl speed -evp des3 -engine cryptodev -elapsed
        openssl speed -evp aes128 -engine cryptodev -elapsed

    and multiple threads (10) with:

        openssl speed -evp des -engine cryptodev -elapsed -multi 10
        openssl speed -evp des3 -engine cryptodev -elapsed -multi 10
        openssl speed -evp aes128 -engine cryptodev -elapsed -multi 10

    for public key testing you can try:

        cryptokeytest
        openssl speed -engine cryptodev rsa -elapsed
        openssl speed -engine cryptodev dsa -elapsed

David McCullough
[email protected]