From owner-freebsd-questions@FreeBSD.ORG  Tue May 19 13:25:26 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 457CB106568A
	for <freebsd-questions@freebsd.org>;
	Tue, 19 May 2009 13:25:26 +0000 (UTC)
	(envelope-from brendan.kennedy@gmail.com)
Received: from mail-ew0-f159.google.com (mail-ew0-f159.google.com
	[209.85.219.159])
	by mx1.freebsd.org (Postfix) with ESMTP id B1ACB8FC32
	for <freebsd-questions@freebsd.org>;
	Tue, 19 May 2009 13:25:25 +0000 (UTC)
	(envelope-from brendan.kennedy@gmail.com)
Received: by ewy3 with SMTP id 3so4691007ewy.43
	for <freebsd-questions@freebsd.org>;
	Tue, 19 May 2009 06:25:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:in-reply-to:references
	:date:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	bh=K3x59lHIP8S97hA9j67rUh9p2P96Q4ueNKS1zayF4Hs=;
	b=NL5YlTNpoObuG2ciixn+k0s7kffN8ORLBuxDwHCVkNRMnzbhsrq1QqlBNYYXCzWioo
	+XccSmXlLOoPCzTSg3actcNzYLfRfYZ8BI2yUPV/HFZHHlPIzzOFDE3eCkn+GXqoIz9u
	z/w0CitXWXYpefzYGmKrjkeq3fq5HX13y+oVI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:content-transfer-encoding;
	b=WeRBqwQmosK6ezgJx/h7j4CJJ16LINx0bNHpwagCKfOeF2w/523foyPA3JEc9srW4T
	AaXYyYb5CU2XCdbkdUwH76zQicXl+sBxXPKaMwD4S8k9iFNSCP6xbx7fJ/e3/ky90c+y
	M+rQEVMs67tcQ6U6Yl6Plz0wmqEoITlWE8tho=
MIME-Version: 1.0
Received: by 10.216.72.14 with SMTP id s14mr8603wed.164.1242739524717; Tue, 19 
	May 2009 06:25:24 -0700 (PDT)
In-Reply-To: <1242705969.3946.21.camel@localhost.localdomain>
References: <db3b765b0905121114k4c16f924n854b66c3dd467320@mail.gmail.com>
	<1242397289.31340.3167.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<db3b765b0905180321x27bf720ay1c8cae199d02bd3a@mail.gmail.com>
	<1242705969.3946.21.camel@localhost.localdomain>
Date: Tue, 19 May 2009 14:25:24 +0100
Message-ID: <db3b765b0905190625q3eb1e0c1l820930ed0c3e2c3a@mail.gmail.com>
From: Brendan Kennedy <brendan.kennedy@gmail.com>
To: Brian Seklecki <seklecki@noc.cfi.pgh.pa.us>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Steve Polyack <spolyack@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2009 13:25:38 -0000

Agreed! The driver doesn't seem to be getting executed through
OpenSSH/OpenSSL for ssh session setup either (it used to work that way
on FreeBSD 6.2, I don't know if this feature has been left up to the
user to enable in FreeBSD 7.x??).

thanks for the tools, I'll give them a go. The driver is being
accessed properly from 'cryptotest', so I guess that's something.

2009/5/19 Brian Seklecki <seklecki@noc.cfi.pgh.pa.us>:
> The openssl speed sub-command is a real PITA:
>
> Try:
>
> =A0$ openssl speed -elapsed -evp aes-128-cbc (or des-ede3)
>
> Also goto /usr/src/tools/tools/crypto/ && make
>
> Run those utils to extract useful statistics out of the driver's kernel
> data structures.
>
> ~BAS
>
> On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote:
>> Hi Brian, Patrick,
>>
>> Thanks for your responses. I agree that it looks like a bug! I'm a bit
>> of a newb to FreeBSD. Where should I go to log this?
>>
>> I ran (as root ;) )
>>
>> > openssl engine
>> (padlock) VIA PadLock (no-RNG, no-ACE)
>> (dynamic) Dynamic engine loading support
>> (cryptodev) BSD cryptodev engine
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0[RSA, DSA, DH=
]
>>
>> It can be seen only PKE functions are being shown as accelerated.
>> 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto'
>> compiled as part of the kernel.
>>
>> I have found another issue here also - although 'openssl engine -c'
>> shows correct accelerated functionality of the hardware driver,
>> running a speed test (e.g. openssl speed des-ede3 -engine cryptodev)
>> does not result in any messages being sent to the driver apart from
>> the initial check for available algorithms. It seems only accelerated
>> PKE functions are run through the driver. It may be that the symmetric
>> functions are being run through the software device driver
>> (cryptosoft)...
>>
>> Could it be down to cryptodev engine being loaded twice in OpenSSL? Or
>> would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not
>> set?
>>
>> Regards,
>> Brendan
>>
>>
>> 2009/5/15 Brian A. Seklecki <seklecki@noc.cfi.pgh.pa.us>:
>> > On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
>> >> Hi All,
>> >>
>> >> I'm trying to test a hardware crypto driver, but want to run my tests
>> >> through the software driver first (and possibly use the software
>> >> driver to validate results).
>> >> I have set the following in my GENERIC conf file:
>> >>
>> >
>> > What does kldstat(8) / openssl(1) return?
>> >
>> > % sudo openssl engine
>> > (dynamic) Dynamic engine loading support
>> >
>> > $ openssl engine
>> > (cryptodev) BSD cryptodev engine
>> > (padlock) VIA PadLock (no-RNG, no-ACE)
>> > (dynamic) Dynamic engine loading support
>> >
>> > $ kldstat |egrep -i 'cry|ub'
>> > =A03 =A0 =A03 0xc0e06000 25b78 =A0 =A0crypto.ko
>> > =A07 =A0 =A01 0xc64c9000 4000 =A0 =A0 cryptodev.ko
>> > =A08 =A0 =A01 0xc6546000 a000 =A0 =A0 ubsec.ko
>> >
>> >
>> > Return?
>> >
>> > ~BAS
>> >
>> >
>> >> device =A0 =A0 =A0 =A0 =A0crypto
>> >> device =A0 =A0 =A0 =A0 =A0enc
>> >> options =A0 =A0 =A0 =A0 IPSEC
>> >>
>> >> I have rebuilt the kernel, rebooted and set the
>> >> kern.cryptodevallowsoft kernel variable to 1:
>> >>
>> >> FreeBSD_26# sysctl -a | grep crypto
>> >> kern.cryptodevallowsoft: 1
>> >>
>> >> However, when I try a test, I get the following:
>> >>
>> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
>> >> cipher 3des keylen 24
>> >> CIOCGSESSION: Invalid argument
>> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
>> >> cipher des keylen 8
>> >> CIOCGSESSION: Invalid argument
>> >>
>> >> It seems the software crypto device is not available. Do I need to do
>> >> any other steps to enable it? Is there another config option that
>> >> makes sure it is build as part of Opencrypto framework? Do I need to
>> >> build some other software driver instead?
>> >>
>> >> Best Regards,
>> >> Brendan
>> >> _______________________________________________
>> >> freebsd-questions@freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freeb=
sd.org"
>> >
>> >
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.=
org"
>
>
>
>
> This mail was sent via Mail-SeCure System.
>
>
>