Readme for the MontaVista* Linux* 3.1 OpenSSL*/OCF and Intel? IXP400 Software v1.4 Integration
Readme for the MontaVista* Linux* 3.1 OpenSSL*/OCF and Intel? IXP400 Software v1.4 Integration Readme for the MontaVista* Linux* 3.1 OpenSSL*/OCF andIntel® IXP400 Software v1.4 Integration=========================================================================Introduction:=============OCF - OpenBSD Cryptographic FrameworkNOTE: These instructions are provided in addition to the readme that accompaniesthe ocf-linux-20041202 release distributed on SourceForge*.This readme is intended to assist those that want to use OpenSSL/OCF with Intel® IXP400Software and integrate with MontaVista* Linux* Professional Edition 3.1(MVL3.1) IXDP425 Linux Support Package (IXDP425 LSP).Notices=======INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTSEXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCHPRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANYEXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS,INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULARPURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OROTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.Intel may make changes to the Software, or to items referenced therein, at any time without notice, but is not obligated to support, update or provide training for the Software.Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights.Copyright © 2005, Intel Corporation. All Rights Reserved.*Other names and brands may be claimed as the property of others.Revision history================1.0 - initial release, 2/6/2005-------------------------------------------------------------------------Integration Steps=================1. Prerequisites2. Set up and verify the baseline MVL3.1 kernel with Intel® IXP400 Software v1.43. Enable the Crypto support in the Ethernet device driver4. Integrate OCF support - un-tar the OCF-linux source files - Modify the Linux include miscdevice.h - Set up the kernel configuration - Update the MVL3.1 Crypto support - Un-tar the OCF Crypto driver . Edit the kernel drivers Makefile . Edit the drivers/ocf/makefile5. Configure and build the Kernel6. Set up the Crypto device driver node7. Set up OpenSSL - Get the source - Extract and patch - Configure and Build - Basic Install - Verify operation8. Resources, links and Q/A1. Prerequisites================ - These instructions are written to accommodate most Linux developers, but a high level of Linux kernel/driver experience is required to further modify this driver/system. These instructions should be easy to follow, but additional familiarity with the kernel may be required to apply patches and troubleshoot. - MontaVista Linux Professional Edition 3.1 (MVL3.1) LSP Obtain and install the update for the Intel Corporation IXDP425 / IXCDP1100 Development Platform (Big-Endian) BE. Use LSP release 0400824.29 http://support.mvista.com - Obtain the Intel® IXP400 Software v1.4 with Crypto support http://www.intel.com/design/network/products/npfamily/ixp425swr1.htm - Obtain the Intel® IXP400 Software Linux Ethernet Device Driver v1.1 http://www.intel.com/design/network/products/npfamily/ixp400_osc.htm - Obtain the Intel® IXP400 Software IPSec VPN Example code: Based on FreeS/WAN* 1.99, verified with Intel® IXP400 Software Release v1.4 and MontaVista Linux 3.0. http://www.intel.com/design/network/products/npfamily/ixp400_osc.htm - Obtain the OCF Driver with IXP400 software integration source tar file. http://prdownloads.sourceforge.net/ixp4xx-osdg/ocf-linux-20041201.tar.gz - Obtain OpenSSL v0.9.7d http://www.openssl.org/source/openssl-0.9.7d.tar.gz~~~~NOTE: You must use Intel® IXP400 software w/Crypto support if you want to take advantage of the NPE hardware Crypto acceleration. ~~~~2. Set up and verify the baseline MVL3.1 kernel with Intel® IXP400 Software v1.4================================================================Copy the MVL3.1 kernel to a working directory.Install the IXP400 Software v1.4 with Crypto per the release notes.Verify the Linux kernel compiles, loads, boots and NFS mounts the root filesystem. Verify the ixp0/1 Ethernet ports operate properly.Verify OpenSSL operation by running 'openssl speed'. This will report thenon/OCF enabled OpenSSL performance. Keep this as baseline to monitor theperformance increase.3. Enable the Crypto support in the Ethernet device driver==========================================================There are two basic changes required to support using the OCF driver withIXP400 Software:1. The Ethernet device driver must load the CRYPTO NPE image2. call ixCryptoAccInit() in the module init just before ethacc_init(). in the Ethernet device driver/This can be easily accomplished by using the Ethernet device driver patch'ixp425_1.4_eth.patch' provided in the FreeS/WAN support- freeswan1_99_patch_IXP400_1_4_MVL3_0.tar.gzTo get the patch and un-tar the file tar xzvf freeswan1_99_patch_IXP400_1_4_MVL3_0.tar.gz open_source_freeswan_release/ixp425_1.4_eth.patchThen apply the patch cd linux/drivers patch -p0 < ~/open_source_freeswan_release/ixp425_1.4_eth.patchNOTE: When the patch is applied, HUNK/success notifications appear.4. Integrate the OCF support=============================- un-tar the OCF-Linux source files tar xzvf ocf-linux-<rel-date>.tar.gzThis creates the filesocf-linux-20041201|-- README|-- README.sglinux|-- crypto-tools.patch|-- crypto-tools.tar.gz|-- ocf-linux-2.4.28.patch|-- ocf-linux.tar.gz|-- ssh.patch`-- ssl.patch~~~~~NOTE: <rel-date> is the 'release date'. This readme was written based on ocf-linux-20041201. Content may change for later releases. Please consult the readme for updates. The 20041201 release supports generic Linux kernels (with appropriate Crypto upgrade) SnapGear* Linux 3.1.1 and 3.1.6 distributions. Refer to the README files for the abbreviated/adjunct instructions. The content in this file was written/verified using the Crypto support from the Linux 2.4.26 kernel. Should you desire to use the 2.4.28 kernel Crypto you will need to modify your steps accordingly. The patch ocf-linux-2.4.28.patch performs some of the steps. This expects the OCF support to be under the Crypto directory.~~~~~- Modify the Linux* include file miscdevice.h---------------------------------------Edit the miscdevice.h file and add the define#define CRYPTODEV_MINOR70/* OpenBSD cryptographic framework */This adds the minor number of the OCF Cryptodev driver.- Set up the kernel config--------------------------Add a CONFIG entries to arch/arm/config.in tristate 'OCF (Open Cryptographic Framework)' CONFIG_OCF_OCF dep_tristate ' cryptodev (user space support)' CONFIG_OCF_CRYPTODEV $CONFIG_OCF_OCF dep_tristate ' cryptosoft (software crypto engine)' CONFIG_OCF_CRYPTOSOFT $CONFIG_OCF_OCF dep_tristate ' safenet (HW crypto engine)' CONFIG_OCF_SAFE $CONFIG_OCF_OCF dep_tristate ' IXP4xx (HW crypto engine)' CONFIG_OCF_IXP4XX $CONFIG_OCF_OCF- Update the MVL3.1 Crypto support----------------------------------The MVL3.1 kernel in based on Linux 2.4.20. The Crypto source must be updatedto use at least Crypto support available in Linux 2.4.26.If you have an MVL support account you can request a patch that will updatethe MVL3.1 Linux Crypto support. Contact MontaVista support via email To: Support@mvista.com RE: SUBMIT: Request patch to update the IXDP425 LSP crypto support to 2.4.26You can also choose to do this on your own by using the linux-2.4.26/cryptocode.Replace the current crypto directory filesinclude/linux/crypto.h and kmap_types.h to build the kernel Cryptosupport.Get and un-tar the linux-2.4.26 kernel wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.26.tar.gz tar xzvf linux-2.4.26.tar.gzSave any of the original files and make a soft link to the new crypto filesusing commands such as: cd linux-2.4.20_mvl31 mv crypto/ crypto-orig/ mv include/linux/crypto.h include/linux/crypto-orig.hNOTE: kmap-types.h is not in include/asm-arm/ and must be copied from the include/asm-i386 directory. ln -s ~/kernel/linux-2.4.26/crypto/ crypto ln -s ~/kernel/linux-2.4.26/include/linux/crypto.h include/linux/crypto.h cp ~/kernel/linux-2.4.26/include/asm-i386/kmap_types.h include/asm-arm/.- Un-tar the OCF Crypto driver-----------------------------Go to the drivers directory of the kernel and un-tar the OCF supportfile.cd driverstar xzvf ~/ocf-linux-<rel-date>/ocf-linux.tar.gzThis un-tars to create the filesocf|-- Makefile|-- TODO|-- criov.c|-- crypto.c|-- cryptodev.c|-- cryptodev.h|-- cryptosoft.c|-- hifn| |-- hifn7751.c| |-- hifn7751reg.h| `-- hifn7751var.h|-- ixp4xx| `-- ixp4xx.c|-- safe| |-- safe.c| |-- safereg.h| `-- safevar.h`-- uio.h. Edit the kernel drivers Makefile----------------------------------Edit the drivers/Makefile to add the ocf directory to the make in thesection of the make that is enabled by 'ifdef CONFIG_IXP425_CSR' subdir-$(CONFIG_OCF_OCF)+= ocf. Edit the drivers/ocf/makefiles--------------------------------The makefiles are set up to use the 'module' build system, and the includepaths need to use the settings that are specific to the MVL3.1 environmentsetting. So, modify drivers/ocf/ixp/Makefile and change the path in thetwo EXTRA_CFLAGS macros to use the IX_XSCALE_SW environment variable.For example:EXTRA_CFLAGS += -I$(IX_XSCALE_SW)/src/includeEXTRA_CFLAGS += -I$(IX_XSCALE_SW)/src/linux5. Configure and build the kernel---------------------------------make def-configmake menuconfigWhen menu config starts to navigate to the menu System Type --->IXP4xx Implementation Optionsselect module for the options... <M> Build IXP425 Access Library <M> OCF (Open Cryptographic Framework) (NEW)The dependent config choices appear. Then select module for the option... <M> cryptodev (user space support) <M> cryptosoft (software crypto engine) < > safenet (HW crypto engine) <M> IXP4xx (HW crypto engine)back out to the main menu then select Cryptographic options --->Set all choices to Y except the 'test' module~~~~~Note: Crypto MUST be compiled into the kernel and OCF support should be compiled as a module.~~~~~Exit saving changesNOTE: You can verify the OCF config values are in .config by using grep.[homer@simsun linux-2.4.20_mvl31$ grep 'OCF' .configCONFIG_OCF_OCF=mCONFIG_OCF_CRYPTODEV=mCONFIG_OCF_CRYPTOSOFT=m# CONFIG_OCF_SAFE is not setCONFIG_OCF_IXP4XX=mAfter the kernel is configured, make the kernel and modules then install usingcommands such as the following:make dep zImage modulessumake modules_installexit6. Set up the Crypto device driver node--------------------------------------The device driver node must be created. This can be in the NFS mount targetor at run time. The steps below create the node in the NFS mounted filesystem. su cd /opt/montavista/pro/devkit/arm/xscale_be/target mknod dev/crypto c 10 70 ls dev/cry* -la crw-r--r-- 1 root root 10, 70 Nov 22 09:22 dev/crypto7. Set up OpenSSL----------------- Get the source----------------wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz- Extract and patch-------------------tar xzvf src/openssl-0.9.7d.tar.gzln -s openssl-0.9.7d opensslpatch -p0 < ssl.patchThe patch to openssl enables cryptodev support as an ENGINE in OpenSSL.- Configure and Build---------------------Place the cryptodev.h in the target include locationcd linux/drivers/ocfsumkdir /opt/montavista/pro/devkit/arm/xscale_be/target/usr/include/cryptocp crytodev.h /opt/montavista/pro/devkit/arm/xscale_be/target/usr/include/crypto~~~~~NOTE: In order to build OpenSSL applications, make sure that cryptodev.h is installed as crypto/cryptodev.h in your include directory~~~~~./Configure linux-elf-arm -shared --prefix=/opt/montavista/pro/devkit/arm/xscale_be/target/usr/To build for the Intel XScale core you must modify the Makefile so that CC,CFLAG, EX_LIBS, AR and RANLIB macros are correct for cross-compilation.In the CFLAG macro change -DL_ENDIAN to -DB_ENDIANChange the other macros to read:CC=xscale_be-gccEX_LIBS= -ldlAR=xscale_be-ar $(ARFLAGS) rRANLIB= xscale_be-ranlibThen make- Basic Install---------------These steps copy and set up the necessary librariesin the MVL3.1 NFS target root filesystem.sucd /opt/montavista/pro/devkit/arm/xscale_be/target/usr/lib# back up the existing libsmv libcrypto.so.0.9.7 libcrypto.so.0.9.7bmv libssl.so.0.9.7 libssl.so.0.0.9.7bmv libssl.a libssl.a.0.9.7bmv libcrypto.a libcrypto.a.0.7.9bcp openssl/libcrypto.so.0.9.7 .cp openssl/libssl.so.0.9.7 .cp openssl/libssl.a .cp openssl/libcrypto.a .cd /opt/montavista/pro/devkit/arm/xscale_be/target/cd /opt/montavista/pro/devkit/arm/xscale_be/target/usr/bin# this moves the old OpenSSLmv openssl openssl.0.9.7b# copy the rebuilt applicationcp openssl/apps/openssl .- Verify operation------------------Verify the operation of the driver and Engine by using the following OpenSSLspeed command: openssl speed -evp des -engine cryptodevSee the readme provided with the OCF drivers for additional detail.8. Resources, links, and Q/A---------------------------Consult these sites for informationCryptoDev and Crypto API for Linux -home page: http://www.logix.cz/michal/devel/cryptodev/Mailing list: http://lists.logix.cz/mailman/listinfo/cryptoapiuCdot -Home page: http://www.uCdot.orgSourceForge*: IXP4xx-osgd -home page: http://ixp4xx-osdg.sourceforge.netProject page: http://sourceforge.net/projects/ixp4xx-osdg/Forums: http://sourceforge.net/forum/forum.php?forum_id=311814