Readme for the MontaVista* Linux* 3.1 OpenSSL*/OCF and Intel? IXP400 Software v1.4 Integration

Readme for the MontaVista* Linux* 3.1 OpenSSL*/OCF and

Intel® IXP400 Software v1.4 Integration

=========================================================================

Introduction:

=============

OCF - OpenBSD Cryptographic Framework

NOTE: These instructions are provided in addition to the readme that accompanies

the ocf-linux-20041202 release distributed on SourceForge*.

This readme is intended to assist those that want to use OpenSSL/OCF with Intel® IXP400

Software and integrate with MontaVista* Linux* Professional Edition 3.1

(MVL3.1) IXDP425 Linux Support Package (IXDP425 LSP).

Notices

=======

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS

EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH

PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY

EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS,

INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR

PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR

OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use

in medical, life saving, life sustaining, critical control or safety systems,

or in nuclear facility applications.

Intel may make changes to the Software, or to items referenced therein, at any time without

notice, but is not obligated to support, update or provide training for the Software.

Intel Corporation may have patents or pending patent applications, trademarks,

copyrights, or other intellectual property rights that relate to the presented subject

matter. The furnishing of documents and other materials and information does not provide any

license, express or implied, by estoppel or otherwise, to any such patents, trademarks,

copyrights, or other intellectual property rights.

*Other names and brands may be claimed as the property of others.

Revision history

================

1.0 - initial release, 2/6/2005

-------------------------------------------------------------------------

Integration Steps

=================

1. Prerequisites

2. Set up and verify the baseline MVL3.1 kernel with Intel® IXP400

Software v1.4

3. Enable the Crypto support in the Ethernet device driver

4. Integrate OCF support

- un-tar the OCF-linux source files

- Modify the Linux include miscdevice.h

- Set up the kernel configuration

- Update the MVL3.1 Crypto support

- Un-tar the OCF Crypto driver

. Edit the kernel drivers Makefile

. Edit the drivers/ocf/makefile

5. Configure and build the Kernel

6. Set up the Crypto device driver node

7. Set up OpenSSL

- Get the source

- Extract and patch

- Configure and Build

- Basic Install

- Verify operation

8. Resources, links and Q/A

1. Prerequisites

================

- These instructions are written to accommodate most Linux developers,

but a high level of Linux kernel/driver experience is required to further

modify this driver/system. These instructions should be easy to

follow, but additional familiarity with the kernel

may be required to apply patches and troubleshoot.

- MontaVista Linux Professional Edition 3.1 (MVL3.1) LSP

Obtain and install the update for the Intel Corporation IXDP425 / IXCDP1100

Development Platform (Big-Endian) BE. Use LSP release 0400824.29

http://support.mvista.com

- Obtain the Intel® IXP400 Software v1.4 with Crypto support

http://www.intel.com/design/network/products/npfamily/ixp425swr1.htm

- Obtain the Intel® IXP400 Software Linux Ethernet Device Driver v1.1

http://www.intel.com/design/network/products/npfamily/ixp400_osc.htm

- Obtain the Intel® IXP400 Software IPSec VPN Example code: Based

on FreeS/WAN* 1.99, verified with Intel® IXP400 Software Release v1.4

and MontaVista Linux 3.0.

http://www.intel.com/design/network/products/npfamily/ixp400_osc.htm

- Obtain the OCF Driver with IXP400 software integration source tar file.

http://prdownloads.sourceforge.net/ixp4xx-osdg/ocf-linux-20041201.tar.gz

- Obtain OpenSSL v0.9.7d

http://www.openssl.org/source/openssl-0.9.7d.tar.gz

~~~~

NOTE: You must use Intel® IXP400 software w/Crypto support if you want to take

advantage of the NPE hardware Crypto acceleration.

~~~~

2. Set up and verify the baseline MVL3.1 kernel with Intel® IXP400

Software v1.4

================================================================

Copy the MVL3.1 kernel to a working directory.

Install the IXP400 Software v1.4 with Crypto per the release notes.

Verify the Linux kernel compiles, loads, boots and NFS mounts the root file

system. Verify the ixp0/1 Ethernet ports operate properly.

Verify OpenSSL operation by running "openssl speed". This will report the

non/OCF enabled OpenSSL performance. Keep this as baseline to monitor the

performance increase.

3. Enable the Crypto support in the Ethernet device driver

==========================================================

There are two basic changes required to support using the OCF driver with

IXP400 Software:

1. The Ethernet device driver must load the CRYPTO NPE image

2. call ixCryptoAccInit() in the module init just before ethacc_init().

in the Ethernet device driver/

This can be easily accomplished by using the Ethernet device driver patch

"ixp425_1.4_eth.patch" provided in the FreeS/WAN support

- freeswan1_99_patch_IXP400_1_4_MVL3_0.tar.gz

To get the patch and un-tar the file

tar xzvf freeswan1_99_patch_IXP400_1_4_MVL3_0.tar.gz

open_source_freeswan_release/ixp425_1.4_eth.patch

Then apply the patch

cd linux/drivers

patch -p0 < ~/open_source_freeswan_release/ixp425_1.4_eth.patch

NOTE: When the patch is applied, HUNK/success notifications appear.

4. Integrate the OCF support

=============================

- un-tar the OCF-Linux source files

tar xzvf ocf-linux-<rel-date>.tar.gz

This creates the files

ocf-linux-20041201

|-- README

|-- README.sglinux

|-- crypto-tools.patch

|-- crypto-tools.tar.gz

|-- ocf-linux-2.4.28.patch

|-- ocf-linux.tar.gz

|-- ssh.patch

`-- ssl.patch

~~~~~

NOTE: <rel-date> is the "release date". This readme was written based on

ocf-linux-20041201. Content may change for later releases. Please

consult the readme for updates. The 20041201 release supports

generic Linux kernels (with appropriate Crypto upgrade) SnapGear* Linux

3.1.1 and 3.1.6 distributions. Refer to the README files for the

abbreviated/adjunct instructions.

The content in this file was written/verified using the Crypto support

from the Linux 2.4.26 kernel. Should you desire to use the 2.4.28

kernel Crypto you will need to modify your steps accordingly. The

patch ocf-linux-2.4.28.patch performs some of the steps. This expects

the OCF support to be under the Crypto directory.

~~~~~

- Modify the Linux* include file miscdevice.h

---------------------------------------

Edit the miscdevice.h file and add the define

#define CRYPTODEV_MINOR70/* OpenBSD cryptographic framework */

This adds the minor number of the OCF Cryptodev driver.

- Set up the kernel config

--------------------------

Add a CONFIG entries to arch/arm/config.in

tristate 'OCF (Open Cryptographic Framework)' CONFIG_OCF_OCF

dep_tristate ' cryptodev (user space support)' CONFIG_OCF_CRYPTODEV $CONFIG_OCF_OCF

dep_tristate ' cryptosoft (software crypto engine)' CONFIG_OCF_CRYPTOSOFT $CONFIG_OCF_OCF

dep_tristate ' safenet (HW crypto engine)' CONFIG_OCF_SAFE $CONFIG_OCF_OCF

dep_tristate ' IXP4xx (HW crypto engine)' CONFIG_OCF_IXP4XX $CONFIG_OCF_OCF

- Update the MVL3.1 Crypto support

----------------------------------

The MVL3.1 kernel in based on Linux 2.4.20. The Crypto source must be updated

to use at least Crypto support available in Linux 2.4.26.

If you have an MVL support account you can request a patch that will update

the MVL3.1 Linux Crypto support. Contact MontaVista support via email

To: Support@mvista.com

RE: SUBMIT: Request patch to update the IXDP425 LSP crypto support to 2.4.26

You can also choose to do this on your own by using the linux-2.4.26/crypto

code.

Replace the current crypto directory files

include/linux/crypto.h and kmap_types.h to build the kernel Crypto

support.

Get and un-tar the linux-2.4.26 kernel

wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.26.tar.gz

tar xzvf linux-2.4.26.tar.gz

Save any of the original files and make a soft link to the new crypto files

using commands such as:

cd linux-2.4.20_mvl31

mv crypto/ crypto-orig/

mv include/linux/crypto.h include/linux/crypto-orig.h

NOTE: kmap-types.h is not in include/asm-arm/ and must be copied from the

include/asm-i386 directory.

ln -s ~/kernel/linux-2.4.26/crypto/ crypto

ln -s ~/kernel/linux-2.4.26/include/linux/crypto.h include/linux/crypto.h

cp ~/kernel/linux-2.4.26/include/asm-i386/kmap_types.h include/asm-arm/.

- Un-tar the OCF Crypto driver

-----------------------------

Go to the drivers directory of the kernel and un-tar the OCF support

file.

cd drivers

tar xzvf ~/ocf-linux-<rel-date>/ocf-linux.tar.gz

This un-tars to create the files

ocf

|-- Makefile

|-- TODO

|-- criov.c

|-- crypto.c

|-- cryptodev.c

|-- cryptodev.h

|-- cryptosoft.c

|-- hifn

| |-- hifn7751.c

| |-- hifn7751reg.h

| `-- hifn7751var.h

|-- ixp4xx

| `-- ixp4xx.c

|-- safe

| |-- safe.c

| |-- safereg.h

| `-- safevar.h

`-- uio.h

. Edit the kernel drivers Makefile

----------------------------------

Edit the drivers/Makefile to add the ocf directory to the make in the

section of the make that is enabled by "ifdef CONFIG_IXP425_CSR"

subdir-$(CONFIG_OCF_OCF)+= ocf

. Edit the drivers/ocf/makefiles

--------------------------------

The makefiles are set up to use the "module" build system, and the include

paths need to use the settings that are specific to the MVL3.1 environment

setting. So, modify drivers/ocf/ixp/Makefile and change the path in the

two EXTRA_CFLAGS macros to use the IX_XSCALE_SW environment variable.

For example:

EXTRA_CFLAGS += -I$(IX_XSCALE_SW)/src/include

EXTRA_CFLAGS += -I$(IX_XSCALE_SW)/src/linux

5. Configure and build the kernel

---------------------------------

make def-config

make menuconfig

When menu config starts to navigate to the menu

System Type --->IXP4xx Implementation Options

select module for the options...

<M> Build IXP425 Access Library

<M> OCF (Open Cryptographic Framework) (NEW)

The dependent config choices appear. Then select module for the option...

<M> cryptodev (user space support)

<M> cryptosoft (software crypto engine)

< > safenet (HW crypto engine)

<M> IXP4xx (HW crypto engine)

back out to the main menu then select

Cryptographic options --->

Set all choices to Y except the "test" module

~~~~~

Note: Crypto MUST be compiled into the kernel and OCF support should be

compiled as a module.

~~~~~

Exit saving changes

NOTE: You can verify the OCF config values are in .config by using grep.

[homer@simsun linux-2.4.20_mvl31$ grep "OCF" .config

CONFIG_OCF_OCF=m

CONFIG_OCF_CRYPTODEV=m

CONFIG_OCF_CRYPTOSOFT=m

# CONFIG_OCF_SAFE is not set

CONFIG_OCF_IXP4XX=m

After the kernel is configured, make the kernel and modules then install using

commands such as the following:

make dep zImage modules

make modules_install

exit

6. Set up the Crypto device driver node

--------------------------------------

The device driver node must be created. This can be in the NFS mount target

or at run time. The steps below create the node in the NFS mounted filesystem.

cd /opt/montavista/pro/devkit/arm/xscale_be/target

mknod dev/crypto c 10 70

ls dev/cry* -la

crw-r--r-- 1 root root 10, 70 Nov 22 09:22 dev/crypto

7. Set up OpenSSL

----------------

- Get the source

----------------

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz

- Extract and patch

-------------------

tar xzvf src/openssl-0.9.7d.tar.gz

ln -s openssl-0.9.7d openssl

patch -p0 < ssl.patch

The patch to openssl enables cryptodev support as an ENGINE in OpenSSL.

- Configure and Build

---------------------

Place the cryptodev.h in the target include location

cd linux/drivers/ocf

mkdir /opt/montavista/pro/devkit/arm/xscale_be/target/usr/include/crypto

cp crytodev.h /opt/montavista/pro/devkit/arm/xscale_be/target/usr/include/crypto

~~~~~

NOTE: In order to build OpenSSL applications, make sure that cryptodev.h

is installed as crypto/cryptodev.h in your include directory

~~~~~

./Configure linux-elf-arm -shared --prefix=/opt/montavista/pro/devkit/arm/xscale_be/target/usr/

To build for the Intel XScale core you must modify the Makefile so that CC,

CFLAG, EX_LIBS, AR and RANLIB macros are correct for cross-compilation.

In the CFLAG macro change -DL_ENDIAN to -DB_ENDIAN

Change the other macros to read:

CC=xscale_be-gcc

EX_LIBS= -ldl

AR=xscale_be-ar $(ARFLAGS) r

RANLIB= xscale_be-ranlib

Then make

- Basic Install

---------------

These steps copy and set up the necessary libraries

in the MVL3.1 NFS target root filesystem.

cd /opt/montavista/pro/devkit/arm/xscale_be/target/usr/lib

# back up the existing libs

mv libcrypto.so.0.9.7 libcrypto.so.0.9.7b

mv libssl.so.0.9.7 libssl.so.0.0.9.7b

mv libssl.a libssl.a.0.9.7b

mv libcrypto.a libcrypto.a.0.7.9b

cp openssl/libcrypto.so.0.9.7 .

cp openssl/libssl.so.0.9.7 .

cp openssl/libssl.a .

cp openssl/libcrypto.a .

cd /opt/montavista/pro/devkit/arm/xscale_be/target/

cd /opt/montavista/pro/devkit/arm/xscale_be/target/usr/bin

# this moves the old OpenSSL

mv openssl openssl.0.9.7b

# copy the rebuilt application

cp openssl/apps/openssl .

- Verify operation

------------------

Verify the operation of the driver and Engine by using the following OpenSSL

speed command:

openssl speed -evp des -engine cryptodev

See the readme provided with the OCF drivers for additional detail.

8. Resources, links, and Q/A

---------------------------

Consult these sites for information

CryptoDev and Crypto API for Linux -

home page: http://www.logix.cz/michal/devel/cryptodev/

Mailing list: http://lists.logix.cz/mailman/listinfo/cryptoapi

uCdot -

Home page: http://www.uCdot.org

SourceForge*: IXP4xx-osgd -

home page: http://ixp4xx-osdg.sourceforge.net

Project page: http://sourceforge.net/projects/ixp4xx-osdg/

Forums: http://sourceforge.net/forum/forum.php?forum_id=311814