Cryptodev/af_alg engines in OpenSSL on STM32MP157C-DK2 do not provide hash algorithms for hardware acceleration

Paradox · ‎2020-03-25

Hello,

I have successfully compiled and deployed the distribution package (trusted) onto the STM32MP1. I am using OpenSSL in a program for signing data, where SHA256 is used as a hash. I would like to take advantage of hardware acceleration by using either the cryptodev or af_alg engines. The distribution provides Yocto recipes for cryptodev-linux (header), cryptodev-module (kernel module) of version 1.9 and for OpenSSL version 1.1.1b, in which I modified the PACKAGECONFIG line by adding cryptodev-linux option in it, so OpenSSL compiles with the cryptodev support. The 3 aforementioned recipes were built and deployed using devtool. OpenSSL also provides a built-in AF_ALG engine by default. However, the supported algorithms of both engines are only ciphers, there are no hash algorithms whatsoever. I also tried to build OpenSSL with the -DUSE_CRYPTODEV_DIGESTS, but that didnt change anything. Version 1.0.2 of OpenSSL however, provides some hashing algorithms like MD5 and SHA1, but not SHA256. I have also posted an issue on OpenSSL github, but maybe there is a problem on STM side. The output of cat /proc/crypto lists

SHA256 among many other hashes, which means it should be supported.

I would appreciate any help regarding this issue.

Bernard PUEL · ‎2020-03-31

Hello,

few things first to double check:

Architecture scheme is depicted in this article: https://wiki.st.com/stm32mpu/wiki/Crypto_API_overview openssl is part of openstlinux distribution.
Although the HW configuration is activated by default in the kernel config, it is not done in the devicetree, so you need to activate them in the device tree (status = "okay") to probe the drivers (see related wiki articles). Then after that you will see them (stm32....) in /proc/crypto.

But if you already see some SW implementation of SHA256, This should work on openssl application.

Bernard PUEL · ‎2020-03-31

Here is what I did on my DK2 with V1.2.0 to check it was working well:

1/ add "openssl" application on my board:

In yocto build directory, add the following lines at the end of "conf/local.conf" file:

IMAGE_INSTALL_append = "openssl-bin"

2/ flash the new image and check SHA256 is working ok (SW):

root@stm32mp1:~# openssl sha256 README-CHECK-GPU

SHA256(README-CHECK-GPU)= 3a6e03abefa513077bbd323c425972c8193e7349430f17df17a40137894a9a86

root@stm32mp1:~# cat /proc/crypto

name : sha256

driver : sha256-generic

module : kernel

priority : 100

refcnt : 3

selftest : passed

internal : no

type : shash

blocksize : 64

digestsize : 32

3/ update your devicetree and check SHA256 is working ok (HW):

3.1/ add following lines at the end of your board devicetree and update your board with it:

&hash1 {

status = "okay";

};

3.2/ check HW sha256:

root@stm32mp1:~# openssl sha256 README-CHECK-GPU

SHA256(README-CHECK-GPU)= 3a6e03abefa513077bbd323c425972c8193e7349430f17df17a40137894a9a86

root@stm32mp1:~# cat /proc/crypto

name : sha256

driver : stm32-sha256

module : kernel

priority : 200

refcnt : 1

selftest : passed

internal : no

type : ahash

async : yes

blocksize : 64

digestsize : 32

Paradox · ‎2020-04-01

Hello Bernard PUEL,

First of all, thank you very much for your reply. However, this is not the described issue, I have already managed to load the STM32 drivers for both crypto and hash, however I am not able to use them with OpenSSL. There is only a software implementation of SHA256 working, which in comparison to HW acceleration is a lot slower. Here are the supported algorithms by OpenSSL devcrypto engine after enabling the drivers:

root@stm32mp1:~# openssl engine -t -c
 
(devcrypto) /dev/crypto engine
 
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, AES-128-ECB, AES-192-ECB, AES-256-ECB]
 
   [ available ]
 
(dynamic) Dynamic engine loading support
 
   [ unavailable ]

As you can see, there are no hash algorithms available whatsoever, only encryption, which is not what I need. Interesting thing is that even those encryption algorithms are NOT using the STM32 drivers, since these were available even before I enabled the crypto module. I can also confirm that it is not supported by running a speed test:

root@stm32mp1:~# time openssl speed -evp sha256 -engine devcrypto
engine "devcrypto" set.
Doing sha256 for 3s on 16 size blocks: 470605 sha256's in 2.98s
Doing sha256 for 3s on 64 size blocks: 328102 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 170421 sha256's in 2.98s
Doing sha256 for 3s on 1024 size blocks: 58893 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 8253 sha256's in 3.00s
Doing sha256 for 3s on 16384 size blocks: 4164 sha256's in 3.00s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Feb 26 14:15:30 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-ostl-linux-gnueabi-gcc  -march=armv7ve -mthumb -mfpu=neon-vfpv4 -mfloat-abi=hard -mcpu=cortex-a7 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha256            2526.74k     6999.51k    14640.19k    20102.14k    22536.19k    22740.99k
real    0m 18.12s
user    0m 17.97s
sys     0m 0.02s

As you can see from the output, the speed is around 22 MB/s with 16KB chunks, which is quite slow when compared to HW acceleration. I managed to make my program work with AF_ALG sockets, which give me 53 MB/s speed and a way lower CPU utilization at only around 25% compared to full load on SW implementation, which is a pretty big difference in my opinion. Also, if the acceleration worked, the time displayed for "user" would be below 1s and all the time would be spent by "sys".

Bernard PUEL · ‎2020-04-03

Could you please details how did you activate cryptodev engine in openssl (I know you described it in your first comment but I could not succeed to do the same) ?

Then, I could discuss with experts:

It is not expected to have a big gap between SW and HW implementation on the current platform implementation (depend on use cases and size)
The root cause is the Kernel framework and ST driver has not been optimized for that
Current implementation (kernel framework + driver) will help to save CPU rather to get improvment in performance

Paradox · ‎2020-04-03

Hello,

since I already had an image built, I used following commands to get cryptodev module on the board:

devtool modify cryptodev-linux
devtool build cryptodev-linux
devtool deploy-target cryptodev-linux root@<ip_address>:/
 
devtool modify cryptodev-module
devtool build cryptodev-module
devtool deploy-target cryptodev-module root@<ip_address>:/

First recipe only generated a cryptodev header file, but it is a prerequisite for cryptodev module, which is the required kernel module for OpenSSL. When both have been successfully deployed, I updated the modules using depmod and loaded the kernel module using modprobe cryptodev.

Afterwards, by command openssl engine -t -c I could list the available engines (in this case only cryptodev) and their supported algorithms. As mentioned before, no hashes are available on newest OpenSSL version, but in older 1.0.2 version there are at least MD5 and SHA1 (which are outdated). Perhaps I should add the cryptodev module to the local.conf file and bitbake whole image with it?

EDIT: Attempted to bitbake the image with options "openssl-bin cryptodev-module", which were both installed, but there are still no hashes.

Bernard PUEL · ‎2020-04-03

Ok. on my side I have tried to work with openssl recipe (to make sure the application was well configured) but without any success: I don't see the devcrypto engine.

Paradox · ‎2020-04-03

The OpenSSL recipe alone does not come with cryptodev, it only supports it. You need to install the cryptodev module separately and load it. After you successfully load it, it should be located in /dev/crypto. OpenSSL then displays it as shown two posts above after issuing openssl engine -t -c. The newest OpenSSL should support it automatically, but in case you still have trouble, in the openssl_1.1.1b.bb recipe you can also modify the line PACKAGECONFIG ?= "", where you add cryptodev-linux. That way it will definitely display the engine, as long as it is properly loaded.

Bernard PUEL · ‎2020-04-05

Yes. cryptodev-linux package was removed some time ago from the openssl recipe. So I though only adding back again cryptodev-linux was enough (what I did) but it seems not. Probably the pb comes from the installation as on your side the "manual" installation with devtool is working well.

Paradox · ‎2020-04-06

The installation is working, there wasn't any problem with devtool or bitbake, but I might still be missing something as the hash acceleration is not supported by the engine. I know for sure it is working as I have confirmed using the AF_ALG sockets. Currently I am using those in combination with OpenSSL to make sure its accelerating, but the problem with complete integration still persists which is why I am keeping the question "unanswered". What is also interesting is that there is an AF_ALG engine for OpenSSL and even that does not show any hashes. I am starting to think HW acceleration of hashes in OpenSSL was disabled on purpose, since it might be inconsistent and even could produce wrong output in certain scenarios.