Enable H/W encryption in Geode
- For Voyage 0.6.2
- For Voyage 0.7.5

Enable H/W encryption in Geode

To set the required modules to load at startup, add these to /etc/modules:

ocf
cryptodev
cryptosoft

Also, make sure geode_aes is loaded automatically, if not, add to /etc/modules.

For Voyage 0.6.2

For 0.6.2, the bundled openssl and libssl does not have cryptodev support. Need to install the patched openssl and libssl with cryptodev support:

# install from voyage APT repository at http://www.voyage.hk/dists/0.6
apt-get install --reinstall openssl libssl0.9.8

After reboot, check for cryptodev support in openssl by:

openssl engine

You should see this line:

(cryptodev) BSD cryptodev engine

Test performance by:

openssl speed -evp aes128

You should see something like these:

Doing aes-128-cbc for 3s on 16 size blocks: 149156 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 141139 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 256 size blocks: 118003 aes-128-cbc's in 0.18s
Doing aes-128-cbc for 3s on 1024 size blocks: 71261 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 2048 size blocks: 46546 aes-128-cbc's in 0.03s
OpenSSL 0.9.8g 19 Oct 2007
built on: Thu Aug  6 10:51:32 HKT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DL_ENDIAN -DTERMIO -O3 -march=i586 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc      26516.62k   180657.92k   167826.49k   729712.64k  3177540.27k

For Voyage 0.7.5

The stock openssl/libssl package does not have OCF cryptodev support compiled in, so we need to create the package ourselves using a Debian Squeeze buildbox.

First, get the openssl source package and package build tools:

mkdir openssl-src
cd openssl-src
apt-get install devscripts fakeroot 
apt-get source openssl0.9.8
apt-get build-dep openssl0.9.8

Get the ocf-linux patch from http://sourceforge.net/projects/ocf-linux/ . We used ocf-linux-20110720.tar.gz in this write up.

(TODO: Prepare the kernel for building modules if errors encountered in this step.)
Unpack ocf-linux-20110720.tar.gz and build it:

tar zxvf ocf-linux-20110720.tar.gz
cd ocf-linux-20110720/ocf/
make ocf_modules
make ocf_install

Patch the openssl source tree with the ocf patch:

# suppose the openssl version is 0.9.8o-4squeeze1 :
cp ocf-linux-20110720/patches/openssl-0.9.8r.patch openssl-src/openssl-0.9.8o/
cd openssl-src/openssl-0.9.8o/
patch -p1 < openssl-0.9.8r.patch

If the patch applied OK, edit the debian/rules file to add Configure option –with-cryptodev:

...
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib enable-tlsext --with-cryptodev
...

Build the binary deb packages by:

# at openssl-src/openssl-0.9.8o/

# update changelog and package version
dch -v 0.9.8o-4squeeze1-ocf1

# build it!
fakeroot debian/rules binary

After successful build, we will have these deb files in openssl-src/ ready for install.

$ ls -l openssl-src/*.deb
libssl0.9.8_0.9.8o-4squeeze1-ocf1_i386.deb
libssl0.9.8-dbg_0.9.8o-4squeeze1-ocf1_i386.deb
libssl-dev_0.9.8o-4squeeze1-ocf1_i386.deb
openssl_0.9.8o-4squeeze1-ocf1_i386.deb

Install:

dpkg -i openssl_0.9.8o-4squeeze1-ocf1_i386.deb libssl0.9.8_0.9.8o-4squeeze1-ocf1_i386.deb

Test, just like for 0.6.2.