Beaglebone Black OpenSSl crypto acceleration

Question

I'm running Debian Wheezy at my Beaglebone Black. Is OpenSSL using the hardware crypto accelerator by default? If no, how can I enable it?

Answer 1

It's probably not, no. You can check with the following:

openssl speed -evp aes-128-cbc

If each line shows around 3 seconds, it's not hw accelerated. You'll need to update your kernel, compile cryptodev and insert the module, then compile OpenSSL using cryptodev. Ready? Let's go!

First, update your kernel and install the headers (check the current version first!)

sudo aptitude install linux-image-3.18.5-bone1 
sudo aptitude install linux-headers-3.18.5-bone1

Now download and compile cryptodev (similarly, 1.7 may not be current when you're reading this)

wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.7.tar.gz
tar zxf cryptodev-linux-1.7.tar.gz 
cd cryptodev-linux-1.7/
make
sudo make install

Now you need to register and insert the cryptodev module

sudo depmod -a
sudo modprobe cryptodev

Now check it's loaded - this should output a list which includes cryptodev!

lsmod

To make cryptodev load permanently, edit /etc/modules and add a line containing only cryptodev at the end

sudo sh -c 'echo cryptodev>>/etc/modules'

Now it's time to download and compile OpenSSL (check your versions)!

cd ~
wget https://www.openssl.org/source/openssl-1.0.2.tar.gz
tar zxf openssl-1.0.2.tar.gz
cd openssl-1.0.2/
ls
./config -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS
make
sudo make install

Check your version and speeds - you should see 0.10 - 0.15 second times

/usr/local/ssl/bin/openssl version
/usr/local/ssl/bin/openssl speed -evp aes-128-cbc

Now what you probably want this for is OpenVPN, but a prepackaged OpenVPN won't be using this newly compiled OpenSSL, so time to compile it yourself again . .

cd ~
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.xz
tar xvf openvpn-2.3.6.tar.xz 
cd openvpn-2.3.6/
./configure --prefix=/opt/openvpn OPENSSL_SSL_LIBS="-L/usr/local/ssl/lib/ -lssl" OPENSSL_SSL_CFLAGS="-I/usr/local/ssl/include/" OPENSSL_CRYPTO_LIBS="-L/usr/local/ssl/lib/ -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/usr/local/ssl/include/"
make
sudo make install

You've now got a shiny new OpenVPN installation using hw accelerated OpenSSL!

/opt/openvpn/sbin/openvpn --version

Answer 2

Download and build cryptodev.

Download debian openssl source package:

apt-get source openssl

Аdd build options -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS by editing CONFARGS in the file debian/rules.

CONFARGS  = -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib  enable-tlsext no-ssl2

Build debian package

dpkg-buildpackage -us -uc

Now you have your own openssl deb package with hardware acceleration. Just install and test it.

openssl speed -evp aes-128-cbc

You have no need to compile openvpn.