OCF Support on linux 2.6.

OCF Support on linux 2.6.

[Nawang Chhetan]

Hi All,

I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
Many versions of OCF-Linux have been released but wtihout clear
demarcation of 2.6 kernel versions they support. All they mention is
support for kernel verison 2.6.11 and later and the README within the
distributions states it can be easily modified to support recent
version of kernels( which is true, I did it for 2.6.17.7 )
My Question here is that:
Is there any good OCF-Linux documentation available ?

What is/are the version of 2.6 kernel, the OCF-Linux is most
stable/tested/developed for ?
Further I tried to use SafeXcel-1141 hardware accelerator ( which is
claimed to be supported) with OCF-Linux, but inserting the module
safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
version 2.6.17.6 .).
Do I need to insmod the SafeXcel-1141 driver too ?

Please help !!


-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: OCF Support on linux 2.6.

[David McCullough]

Jivin Nawang Chhetan lays it down ...
> Hi All,
> 
> I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> Many versions of OCF-Linux have been released but wtihout clear
> demarcation of 2.6 kernel versions they support. All they mention is
> support for kernel verison 2.6.11 and later and the README within the
> distributions states it can be easily modified to support recent
> version of kernels( which is true, I did it for 2.6.17.7 )
> My Question here is that:
> Is there any good OCF-Linux documentation available ?

Only whats on the website.  Your best bet is to ask.
The current releases work for kernels up to 2.6.18 without
any major issues.  I should be doing a release this week with
everything up to 2.6.22 supported fully.  Just finishing off the
testing.

> What is/are the version of 2.6 kernel, the OCF-Linux is most
> stable/tested/developed for ?
> Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> claimed to be supported) with OCF-Linux, but inserting the module
> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> version 2.6.17.6 .).
> Do I need to insmod the SafeXcel-1141 driver too ?

I have used the safenet driver on SuperH and ARM platforms. It works
fine there.  I don't have any way to test it on x86 though.

It should work fine on 2.6.17, load everything with debug enabled
and see what happens.

If you are running on an x86_64 system, disable all the code in
"random.c" however,  it was broken on 64bits arches in older versions.

Cheers,
Davidm

-- 
David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: OCF Support on linux 2.6.

[Nawang Chhetan]

Hi David,
   Thanks for the reply. I have been using the SafeXcel 1141 card on
x86 platform. Need to investigate this further as suggested by you.

I have a question, I have noticed that list of hardware accelerators
are supported with OCF-Linux is a bit unclear, even though these
hardware accelerators are mentioned clearly:

1.	Hifn-7751
2.	SafeXcel-1141
3.	Intel-Ixp.

Is this the exhaustive list ?


On 7/17/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
>
> Jivin Nawang Chhetan lays it down ...
> > Hi All,
> >
> > I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> > Many versions of OCF-Linux have been released but wtihout clear
> > demarcation of 2.6 kernel versions they support. All they mention is
> > support for kernel verison 2.6.11 and later and the README within the
> > distributions states it can be easily modified to support recent
> > version of kernels( which is true, I did it for 2.6.17.7 )
> > My Question here is that:
> > Is there any good OCF-Linux documentation available ?
>
> Only whats on the website.  Your best bet is to ask.
> The current releases work for kernels up to 2.6.18 without
> any major issues.  I should be doing a release this week with
> everything up to 2.6.22 supported fully.  Just finishing off the
> testing.
>
> > What is/are the version of 2.6 kernel, the OCF-Linux is most
> > stable/tested/developed for ?
> > Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> > claimed to be supported) with OCF-Linux, but inserting the module
> > safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> > version 2.6.17.6 .).
> > Do I need to insmod the SafeXcel-1141 driver too ?
>
> I have used the safenet driver on SuperH and ARM platforms. It works
> fine there.  I don't have any way to test it on x86 though.
>
> It should work fine on 2.6.17, load everything with debug enabled
> and see what happens.
>
> If you are running on an x86_64 system, disable all the code in
> "random.c" however,  it was broken on 64bits arches in older versions.
>
> Cheers,
> Davidm
>
> --
> David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
>


-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: OCF Support on linux 2.6.

[David McCullough]

Jivin Nawang Chhetan lays it down ...
> Hi David,
>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> x86 platform. Need to investigate this further as suggested by you.

Make sure you have the latest safenet driver from the 2007 tarball,
there are some bus width fixes in there IIRC for all the PCI drivers.

Other than that,  it's debug time.

> I have a question, I have noticed that list of hardware accelerators
> are supported with OCF-Linux is a bit unclear, even though these
> hardware accelerators are mentioned clearly:
> 
> 1.	Hifn-7751

hifn 7751, 7956

safenet 1141, 1741

Intel IXP (465 425 and 422)

Freescale SEC (talitos)

There is also a Via padlock driver in freebsd that would be trivial to
port.

Software (using linux kernel crypto API,  which may also use hardware :-)

> Is this the exhaustive list ?

The list above is,

Cheers,
Davidm

> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> >
> >Jivin Nawang Chhetan lays it down ...
> >> Hi All,
> >>
> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> >> Many versions of OCF-Linux have been released but wtihout clear
> >> demarcation of 2.6 kernel versions they support. All they mention is
> >> support for kernel verison 2.6.11 and later and the README within the
> >> distributions states it can be easily modified to support recent
> >> version of kernels( which is true, I did it for 2.6.17.7 )
> >> My Question here is that:
> >> Is there any good OCF-Linux documentation available ?
> >
> >Only whats on the website.  Your best bet is to ask.
> >The current releases work for kernels up to 2.6.18 without
> >any major issues.  I should be doing a release this week with
> >everything up to 2.6.22 supported fully.  Just finishing off the
> >testing.
> >
> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> >> stable/tested/developed for ?
> >> Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> >> claimed to be supported) with OCF-Linux, but inserting the module
> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> >> version 2.6.17.6 .).
> >> Do I need to insmod the SafeXcel-1141 driver too ?
> >
> >I have used the safenet driver on SuperH and ARM platforms. It works
> >fine there.  I don't have any way to test it on x86 though.
> >
> >It should work fine on 2.6.17, load everything with debug enabled
> >and see what happens.
> >
> >If you are running on an x86_64 system, disable all the code in
> >"random.c" however,  it was broken on 64bits arches in older versions.
> >
> >Cheers,
> >Davidm
> >
> >--
> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> >
> 
> 
> -- 
> Nawang Chhetan
> Software Engineer
> SafeNet India.
> 

-- 
David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: OCF Support on linux 2.6.

[Nawang Chhetan]

Hi David,
         Thanks for the reply. Since there is no proper API
documentation for the OCF-Linux, can we refer to original OpenBsd
Cryptographic Documentaton . Like the one in the following link:

http://www.digipedia.pl/man/crypto.9.html


I just cross checked few API's and realized they are almost the same.


On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
>
> Jivin Nawang Chhetan lays it down ...
> > Hi David,
> >   Thanks for the reply. I have been using the SafeXcel 1141 card on
> > x86 platform. Need to investigate this further as suggested by you.
>
> Make sure you have the latest safenet driver from the 2007 tarball,
> there are some bus width fixes in there IIRC for all the PCI drivers.
>
> Other than that,  it's debug time.
>
> > I have a question, I have noticed that list of hardware accelerators
> > are supported with OCF-Linux is a bit unclear, even though these
> > hardware accelerators are mentioned clearly:
> >
> > 1.    Hifn-7751
>
> hifn 7751, 7956
>
> safenet 1141, 1741
>
> Intel IXP (465 425 and 422)
>
> Freescale SEC (talitos)
>
> There is also a Via padlock driver in freebsd that would be trivial to
> port.
>
> Software (using linux kernel crypto API,  which may also use hardware :-)
>
> > Is this the exhaustive list ?
>
> The list above is,
>
> Cheers,
> Davidm
>
> > On 7/17/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> > >
> > >Jivin Nawang Chhetan lays it down ...
> > >> Hi All,
> > >>
> > >> I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> > >> Many versions of OCF-Linux have been released but wtihout clear
> > >> demarcation of 2.6 kernel versions they support. All they mention is
> > >> support for kernel verison 2.6.11 and later and the README within the
> > >> distributions states it can be easily modified to support recent
> > >> version of kernels( which is true, I did it for 2.6.17.7 )
> > >> My Question here is that:
> > >> Is there any good OCF-Linux documentation available ?
> > >
> > >Only whats on the website.  Your best bet is to ask.
> > >The current releases work for kernels up to 2.6.18 without
> > >any major issues.  I should be doing a release this week with
> > >everything up to 2.6.22 supported fully.  Just finishing off the
> > >testing.
> > >
> > >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> > >> stable/tested/developed for ?
> > >> Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> > >> claimed to be supported) with OCF-Linux, but inserting the module
> > >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> > >> version 2.6.17.6 .).
> > >> Do I need to insmod the SafeXcel-1141 driver too ?
> > >
> > >I have used the safenet driver on SuperH and ARM platforms. It works
> > >fine there.  I don't have any way to test it on x86 though.
> > >
> > >It should work fine on 2.6.17, load everything with debug enabled
> > >and see what happens.
> > >
> > >If you are running on an x86_64 system, disable all the code in
> > >"random.c" however,  it was broken on 64bits arches in older versions.
> > >
> > >Cheers,
> > >Davidm
> > >
> > >--
> > >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> > >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> > >
> >
> >
> > --
> > Nawang Chhetan
> > Software Engineer
> > SafeNet India.
> >
>
> --
> David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
>


-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: OCF Support on linux 2.6.

[David McCullough]

Jivin Nawang Chhetan lays it down ...
> Hi David,
>         Thanks for the reply. Since there is no proper API
> documentation for the OCF-Linux, can we refer to original OpenBsd
> Cryptographic Documentaton . Like the one in the following link:
> 
> http://www.digipedia.pl/man/crypto.9.html
> 
> 
> I just cross checked few API's and realized they are almost the same.

They are the same :-)  Its a linux port of the FreeBSD version of the
OpenBSD crypto API.

Have you looked at:

	http://www.thought.net/jason/ocfpaper/
	http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf

All available from the links page on:

	http://ocf-linux.sourceforge.net/links.html

Cheers,
Davidm

> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> >
> >Jivin Nawang Chhetan lays it down ...
> >> Hi David,
> >>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> >> x86 platform. Need to investigate this further as suggested by you.
> >
> >Make sure you have the latest safenet driver from the 2007 tarball,
> >there are some bus width fixes in there IIRC for all the PCI drivers.
> >
> >Other than that,  it's debug time.
> >
> >> I have a question, I have noticed that list of hardware accelerators
> >> are supported with OCF-Linux is a bit unclear, even though these
> >> hardware accelerators are mentioned clearly:
> >>
> >> 1.    Hifn-7751
> >
> >hifn 7751, 7956
> >
> >safenet 1141, 1741
> >
> >Intel IXP (465 425 and 422)
> >
> >Freescale SEC (talitos)
> >
> >There is also a Via padlock driver in freebsd that would be trivial to
> >port.
> >
> >Software (using linux kernel crypto API,  which may also use hardware :-)
> >
> >> Is this the exhaustive list ?
> >
> >The list above is,
> >
> >Cheers,
> >Davidm
> >
> >> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com> 
> >wrote:
> >> >
> >> >Jivin Nawang Chhetan lays it down ...
> >> >> Hi All,
> >> >>
> >> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> >> >> Many versions of OCF-Linux have been released but wtihout clear
> >> >> demarcation of 2.6 kernel versions they support. All they mention is
> >> >> support for kernel verison 2.6.11 and later and the README within the
> >> >> distributions states it can be easily modified to support recent
> >> >> version of kernels( which is true, I did it for 2.6.17.7 )
> >> >> My Question here is that:
> >> >> Is there any good OCF-Linux documentation available ?
> >> >
> >> >Only whats on the website.  Your best bet is to ask.
> >> >The current releases work for kernels up to 2.6.18 without
> >> >any major issues.  I should be doing a release this week with
> >> >everything up to 2.6.22 supported fully.  Just finishing off the
> >> >testing.
> >> >
> >> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> >> >> stable/tested/developed for ?
> >> >> Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> >> >> claimed to be supported) with OCF-Linux, but inserting the module
> >> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> >> >> version 2.6.17.6 .).
> >> >> Do I need to insmod the SafeXcel-1141 driver too ?
> >> >
> >> >I have used the safenet driver on SuperH and ARM platforms. It works
> >> >fine there.  I don't have any way to test it on x86 though.
> >> >
> >> >It should work fine on 2.6.17, load everything with debug enabled
> >> >and see what happens.
> >> >
> >> >If you are running on an x86_64 system, disable all the code in
> >> >"random.c" however,  it was broken on 64bits arches in older versions.
> >> >
> >> >Cheers,
> >> >Davidm
> >> >
> >> >--
> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 
> >734352815
> >> >Secure Computing - SnapGear  http://www.uCdot.org 
> >http://www.cyberguard.com
> >> >
> >>
> >>
> >> --
> >> Nawang Chhetan
> >> Software Engineer
> >> SafeNet India.
> >>
> >
> >--
> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> >
> 
> 
> -- 
> Nawang Chhetan
> Software Engineer
> SafeNet India.
> 

-- 
David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: OCF Support on linux 2.6.

[Nawang Chhetan]

Hi David,
                  I have noticed that with every release of OCF-Linux
backward compatibilty is not taken care of.

For example in cryptosoft.c file you declared a new instance of
blkcipher_desc structure, this structure is no defined upto 2.6.18. I
could find it on 2.6.20.1. I dont know about version of kernel in
between.

Is this a specific observation, or backward compatibilty is not
considered at all?


On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
>
> Jivin Nawang Chhetan lays it down ...
> > Hi David,
> >         Thanks for the reply. Since there is no proper API
> > documentation for the OCF-Linux, can we refer to original OpenBsd
> > Cryptographic Documentaton . Like the one in the following link:
> >
> > http://www.digipedia.pl/man/crypto.9.html
> >
> >
> > I just cross checked few API's and realized they are almost the same.
>
> They are the same :-)  Its a linux port of the FreeBSD version of the
> OpenBSD crypto API.
>
> Have you looked at:
>
>        http://www.thought.net/jason/ocfpaper/
>        http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
>
> All available from the links page on:
>
>        http://ocf-linux.sourceforge.net/links.html
>
> Cheers,
> Davidm
>
> > On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> > >
> > >Jivin Nawang Chhetan lays it down ...
> > >> Hi David,
> > >>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> > >> x86 platform. Need to investigate this further as suggested by you.
> > >
> > >Make sure you have the latest safenet driver from the 2007 tarball,
> > >there are some bus width fixes in there IIRC for all the PCI drivers.
> > >
> > >Other than that,  it's debug time.
> > >
> > >> I have a question, I have noticed that list of hardware accelerators
> > >> are supported with OCF-Linux is a bit unclear, even though these
> > >> hardware accelerators are mentioned clearly:
> > >>
> > >> 1.    Hifn-7751
> > >
> > >hifn 7751, 7956
> > >
> > >safenet 1141, 1741
> > >
> > >Intel IXP (465 425 and 422)
> > >
> > >Freescale SEC (talitos)
> > >
> > >There is also a Via padlock driver in freebsd that would be trivial to
> > >port.
> > >
> > >Software (using linux kernel crypto API,  which may also use hardware :-)
> > >
> > >> Is this the exhaustive list ?
> > >
> > >The list above is,
> > >
> > >Cheers,
> > >Davidm
> > >
> > >> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com>
> > >wrote:
> > >> >
> > >> >Jivin Nawang Chhetan lays it down ...
> > >> >> Hi All,
> > >> >>
> > >> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6 kernels.
> > >> >> Many versions of OCF-Linux have been released but wtihout clear
> > >> >> demarcation of 2.6 kernel versions they support. All they mention is
> > >> >> support for kernel verison 2.6.11 and later and the README within the
> > >> >> distributions states it can be easily modified to support recent
> > >> >> version of kernels( which is true, I did it for 2.6.17.7 )
> > >> >> My Question here is that:
> > >> >> Is there any good OCF-Linux documentation available ?
> > >> >
> > >> >Only whats on the website.  Your best bet is to ask.
> > >> >The current releases work for kernels up to 2.6.18 without
> > >> >any major issues.  I should be doing a release this week with
> > >> >everything up to 2.6.22 supported fully.  Just finishing off the
> > >> >testing.
> > >> >
> > >> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> > >> >> stable/tested/developed for ?
> > >> >> Further I tried to use SafeXcel-1141 hardware accelerator ( which is
> > >> >> claimed to be supported) with OCF-Linux, but inserting the module
> > >> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> > >> >> version 2.6.17.6 .).
> > >> >> Do I need to insmod the SafeXcel-1141 driver too ?
> > >> >
> > >> >I have used the safenet driver on SuperH and ARM platforms. It works
> > >> >fine there.  I don't have any way to test it on x86 though.
> > >> >
> > >> >It should work fine on 2.6.17, load everything with debug enabled
> > >> >and see what happens.
> > >> >
> > >> >If you are running on an x86_64 system, disable all the code in
> > >> >"random.c" however,  it was broken on 64bits arches in older versions.
> > >> >
> > >> >Cheers,
> > >> >Davidm
> > >> >
> > >> >--
> > >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> > >734352815
> > >> >Secure Computing - SnapGear  http://www.uCdot.org
> > >http://www.cyberguard.com
> > >> >
> > >>
> > >>
> > >> --
> > >> Nawang Chhetan
> > >> Software Engineer
> > >> SafeNet India.
> > >>
> > >
> > >--
> > >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> > >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> > >
> >
> >
> > --
> > Nawang Chhetan
> > Software Engineer
> > SafeNet India.
> >
>
> --
> David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
>


-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: OCF Support on linux 2.6.

[David McCullough]

Jivin Nawang Chhetan lays it down ...
> Hi David,
>                  I have noticed that with every release of OCF-Linux
> backward compatibilty is not taken care of.
> 
> For example in cryptosoft.c file you declared a new instance of
> blkcipher_desc structure, this structure is no defined upto 2.6.18. I
> could find it on 2.6.20.1. I dont know about version of kernel in
> between.
> 
> Is this a specific observation, or backward compatibilty is not
> considered at all?

Ok,  if you are looking in the current 2007 based releases,  cryptosoft
doesn't even work in that release :-(

The version I am trying to put up this week has full backward compat to
2.4 so that is just an aberation (a long one :-(

In general,  backwards compat is high on the list of things to provide.
It helps ensure that the HW drivers are easier to maintain if nothing
else ;-)

Cheers,
Davidm

> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> >
> >Jivin Nawang Chhetan lays it down ...
> >> Hi David,
> >>         Thanks for the reply. Since there is no proper API
> >> documentation for the OCF-Linux, can we refer to original OpenBsd
> >> Cryptographic Documentaton . Like the one in the following link:
> >>
> >> http://www.digipedia.pl/man/crypto.9.html
> >>
> >>
> >> I just cross checked few API's and realized they are almost the same.
> >
> >They are the same :-)  Its a linux port of the FreeBSD version of the
> >OpenBSD crypto API.
> >
> >Have you looked at:
> >
> >       http://www.thought.net/jason/ocfpaper/
> >       http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
> >
> >All available from the links page on:
> >
> >       http://ocf-linux.sourceforge.net/links.html
> >
> >Cheers,
> >Davidm
> >
> >> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> 
> >wrote:
> >> >
> >> >Jivin Nawang Chhetan lays it down ...
> >> >> Hi David,
> >> >>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> >> >> x86 platform. Need to investigate this further as suggested by you.
> >> >
> >> >Make sure you have the latest safenet driver from the 2007 tarball,
> >> >there are some bus width fixes in there IIRC for all the PCI drivers.
> >> >
> >> >Other than that,  it's debug time.
> >> >
> >> >> I have a question, I have noticed that list of hardware accelerators
> >> >> are supported with OCF-Linux is a bit unclear, even though these
> >> >> hardware accelerators are mentioned clearly:
> >> >>
> >> >> 1.    Hifn-7751
> >> >
> >> >hifn 7751, 7956
> >> >
> >> >safenet 1141, 1741
> >> >
> >> >Intel IXP (465 425 and 422)
> >> >
> >> >Freescale SEC (talitos)
> >> >
> >> >There is also a Via padlock driver in freebsd that would be trivial to
> >> >port.
> >> >
> >> >Software (using linux kernel crypto API,  which may also use hardware 
> >:-)
> >> >
> >> >> Is this the exhaustive list ?
> >> >
> >> >The list above is,
> >> >
> >> >Cheers,
> >> >Davidm
> >> >
> >> >> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com>
> >> >wrote:
> >> >> >
> >> >> >Jivin Nawang Chhetan lays it down ...
> >> >> >> Hi All,
> >> >> >>
> >> >> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6 
> >kernels.
> >> >> >> Many versions of OCF-Linux have been released but wtihout clear
> >> >> >> demarcation of 2.6 kernel versions they support. All they mention 
> >is
> >> >> >> support for kernel verison 2.6.11 and later and the README within 
> >the
> >> >> >> distributions states it can be easily modified to support recent
> >> >> >> version of kernels( which is true, I did it for 2.6.17.7 )
> >> >> >> My Question here is that:
> >> >> >> Is there any good OCF-Linux documentation available ?
> >> >> >
> >> >> >Only whats on the website.  Your best bet is to ask.
> >> >> >The current releases work for kernels up to 2.6.18 without
> >> >> >any major issues.  I should be doing a release this week with
> >> >> >everything up to 2.6.22 supported fully.  Just finishing off the
> >> >> >testing.
> >> >> >
> >> >> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> >> >> >> stable/tested/developed for ?
> >> >> >> Further I tried to use SafeXcel-1141 hardware accelerator ( which 
> >is
> >> >> >> claimed to be supported) with OCF-Linux, but inserting the module
> >> >> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> >> >> >> version 2.6.17.6 .).
> >> >> >> Do I need to insmod the SafeXcel-1141 driver too ?
> >> >> >
> >> >> >I have used the safenet driver on SuperH and ARM platforms. It works
> >> >> >fine there.  I don't have any way to test it on x86 though.
> >> >> >
> >> >> >It should work fine on 2.6.17, load everything with debug enabled
> >> >> >and see what happens.
> >> >> >
> >> >> >If you are running on an x86_64 system, disable all the code in
> >> >> >"random.c" however,  it was broken on 64bits arches in older 
> >versions.
> >> >> >
> >> >> >Cheers,
> >> >> >Davidm
> >> >> >
> >> >> >--
> >> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> >> >734352815
> >> >> >Secure Computing - SnapGear  http://www.uCdot.org
> >> >http://www.cyberguard.com
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Nawang Chhetan
> >> >> Software Engineer
> >> >> SafeNet India.
> >> >>
> >> >
> >> >--
> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 
> >734352815
> >> >Secure Computing - SnapGear  http://www.uCdot.org 
> >http://www.cyberguard.com
> >> >
> >>
> >>
> >> --
> >> Nawang Chhetan
> >> Software Engineer
> >> SafeNet India.
> >>
> >
> >--
> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> >
> 
> 
> -- 
> Nawang Chhetan
> Software Engineer
> SafeNet India.
> 

-- 
David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: OCF Support on linux 2.6.

[Nawang Chhetan]

Hi David,
             In the meanwhile I was browsing through ocf-bech code. I
see implementation is based on work queues and the maximum request at
any time is 20. Any specific reason to do this(i.e. work queue and
limiting maximum requests) ?

I am asking this because I also have to implement something similar.

Thanks,
Nawang.


On 7/19/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
>
> Jivin Nawang Chhetan lays it down ...
> > Hi David,
> >                  I have noticed that with every release of OCF-Linux
> > backward compatibilty is not taken care of.
> >
> > For example in cryptosoft.c file you declared a new instance of
> > blkcipher_desc structure, this structure is no defined upto 2.6.18. I
> > could find it on 2.6.20.1. I dont know about version of kernel in
> > between.
> >
> > Is this a specific observation, or backward compatibilty is not
> > considered at all?
>
> Ok,  if you are looking in the current 2007 based releases,  cryptosoft
> doesn't even work in that release :-(
>
> The version I am trying to put up this week has full backward compat to
> 2.4 so that is just an aberation (a long one :-(
>
> In general,  backwards compat is high on the list of things to provide.
> It helps ensure that the HW drivers are easier to maintain if nothing
> else ;-)
>
> Cheers,
> Davidm
>
> > On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> > >
> > >Jivin Nawang Chhetan lays it down ...
> > >> Hi David,
> > >>         Thanks for the reply. Since there is no proper API
> > >> documentation for the OCF-Linux, can we refer to original OpenBsd
> > >> Cryptographic Documentaton . Like the one in the following link:
> > >>
> > >> http://www.digipedia.pl/man/crypto.9.html
> > >>
> > >>
> > >> I just cross checked few API's and realized they are almost the same.
> > >
> > >They are the same :-)  Its a linux port of the FreeBSD version of the
> > >OpenBSD crypto API.
> > >
> > >Have you looked at:
> > >
> > >       http://www.thought.net/jason/ocfpaper/
> > >       http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
> > >
> > >All available from the links page on:
> > >
> > >       http://ocf-linux.sourceforge.net/links.html
> > >
> > >Cheers,
> > >Davidm
> > >
> > >> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com>
> > >wrote:
> > >> >
> > >> >Jivin Nawang Chhetan lays it down ...
> > >> >> Hi David,
> > >> >>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> > >> >> x86 platform. Need to investigate this further as suggested by you.
> > >> >
> > >> >Make sure you have the latest safenet driver from the 2007 tarball,
> > >> >there are some bus width fixes in there IIRC for all the PCI drivers.
> > >> >
> > >> >Other than that,  it's debug time.
> > >> >
> > >> >> I have a question, I have noticed that list of hardware accelerators
> > >> >> are supported with OCF-Linux is a bit unclear, even though these
> > >> >> hardware accelerators are mentioned clearly:
> > >> >>
> > >> >> 1.    Hifn-7751
> > >> >
> > >> >hifn 7751, 7956
> > >> >
> > >> >safenet 1141, 1741
> > >> >
> > >> >Intel IXP (465 425 and 422)
> > >> >
> > >> >Freescale SEC (talitos)
> > >> >
> > >> >There is also a Via padlock driver in freebsd that would be trivial to
> > >> >port.
> > >> >
> > >> >Software (using linux kernel crypto API,  which may also use hardware
> > >:-)
> > >> >
> > >> >> Is this the exhaustive list ?
> > >> >
> > >> >The list above is,
> > >> >
> > >> >Cheers,
> > >> >Davidm
> > >> >
> > >> >> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com>
> > >> >wrote:
> > >> >> >
> > >> >> >Jivin Nawang Chhetan lays it down ...
> > >> >> >> Hi All,
> > >> >> >>
> > >> >> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6
> > >kernels.
> > >> >> >> Many versions of OCF-Linux have been released but wtihout clear
> > >> >> >> demarcation of 2.6 kernel versions they support. All they mention
> > >is
> > >> >> >> support for kernel verison 2.6.11 and later and the README within
> > >the
> > >> >> >> distributions states it can be easily modified to support recent
> > >> >> >> version of kernels( which is true, I did it for 2.6.17.7 )
> > >> >> >> My Question here is that:
> > >> >> >> Is there any good OCF-Linux documentation available ?
> > >> >> >
> > >> >> >Only whats on the website.  Your best bet is to ask.
> > >> >> >The current releases work for kernels up to 2.6.18 without
> > >> >> >any major issues.  I should be doing a release this week with
> > >> >> >everything up to 2.6.22 supported fully.  Just finishing off the
> > >> >> >testing.
> > >> >> >
> > >> >> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> > >> >> >> stable/tested/developed for ?
> > >> >> >> Further I tried to use SafeXcel-1141 hardware accelerator ( which
> > >is
> > >> >> >> claimed to be supported) with OCF-Linux, but inserting the module
> > >> >> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine (Kernel
> > >> >> >> version 2.6.17.6 .).
> > >> >> >> Do I need to insmod the SafeXcel-1141 driver too ?
> > >> >> >
> > >> >> >I have used the safenet driver on SuperH and ARM platforms. It works
> > >> >> >fine there.  I don't have any way to test it on x86 though.
> > >> >> >
> > >> >> >It should work fine on 2.6.17, load everything with debug enabled
> > >> >> >and see what happens.
> > >> >> >
> > >> >> >If you are running on an x86_64 system, disable all the code in
> > >> >> >"random.c" however,  it was broken on 64bits arches in older
> > >versions.
> > >> >> >
> > >> >> >Cheers,
> > >> >> >Davidm
> > >> >> >
> > >> >> >--
> > >> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> > >> >734352815
> > >> >> >Secure Computing - SnapGear  http://www.uCdot.org
> > >> >http://www.cyberguard.com
> > >> >> >
> > >> >>
> > >> >>
> > >> >> --
> > >> >> Nawang Chhetan
> > >> >> Software Engineer
> > >> >> SafeNet India.
> > >> >>
> > >> >
> > >> >--
> > >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> > >734352815
> > >> >Secure Computing - SnapGear  http://www.uCdot.org
> > >http://www.cyberguard.com
> > >> >
> > >>
> > >>
> > >> --
> > >> Nawang Chhetan
> > >> Software Engineer
> > >> SafeNet India.
> > >>
> > >
> > >--
> > >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> > >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> > >
> >
> >
> > --
> > Nawang Chhetan
> > Software Engineer
> > SafeNet India.
> >
>
> --
> David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
>


-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: OCF Support on linux 2.6.

[David McCullough]

Jivin Nawang Chhetan lays it down ...
> Hi David,
>             In the meanwhile I was browsing through ocf-bech code. I
> see implementation is based on work queues and the maximum request at
> any time is 20. Any specific reason to do this(i.e. work queue and
> limiting maximum requests) ?
> 
> I am asking this because I also have to implement something similar.

ocf-bench was just a quick hack for me to see how much ocf was costing
me as a framework over the crypto library,  turns out it was
insignificant.  IIRC I made all the those values parameters so I could try
things and see.

20 sounds small,  most of the other drivers (include klips itself) Q a
lot more.  Of course under a benchmark situation the number you can Q is
fairly acadaemic, you can only go as fast as the HW,  once you are
faster than the HW the Q is full, and stays full ;-)

Cheers,
Davidm

> On 7/19/07, David McCullough <David_Mccullough@securecomputing.com> wrote:
> >
> >Jivin Nawang Chhetan lays it down ...
> >> Hi David,
> >>                  I have noticed that with every release of OCF-Linux
> >> backward compatibilty is not taken care of.
> >>
> >> For example in cryptosoft.c file you declared a new instance of
> >> blkcipher_desc structure, this structure is no defined upto 2.6.18. I
> >> could find it on 2.6.20.1. I dont know about version of kernel in
> >> between.
> >>
> >> Is this a specific observation, or backward compatibilty is not
> >> considered at all?
> >
> >Ok,  if you are looking in the current 2007 based releases,  cryptosoft
> >doesn't even work in that release :-(
> >
> >The version I am trying to put up this week has full backward compat to
> >2.4 so that is just an aberation (a long one :-(
> >
> >In general,  backwards compat is high on the list of things to provide.
> >It helps ensure that the HW drivers are easier to maintain if nothing
> >else ;-)
> >
> >Cheers,
> >Davidm
> >
> >> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com> 
> >wrote:
> >> >
> >> >Jivin Nawang Chhetan lays it down ...
> >> >> Hi David,
> >> >>         Thanks for the reply. Since there is no proper API
> >> >> documentation for the OCF-Linux, can we refer to original OpenBsd
> >> >> Cryptographic Documentaton . Like the one in the following link:
> >> >>
> >> >> http://www.digipedia.pl/man/crypto.9.html
> >> >>
> >> >>
> >> >> I just cross checked few API's and realized they are almost the same.
> >> >
> >> >They are the same :-)  Its a linux port of the FreeBSD version of the
> >> >OpenBSD crypto API.
> >> >
> >> >Have you looked at:
> >> >
> >> >       http://www.thought.net/jason/ocfpaper/
> >> >       
> >http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
> >> >
> >> >All available from the links page on:
> >> >
> >> >       http://ocf-linux.sourceforge.net/links.html
> >> >
> >> >Cheers,
> >> >Davidm
> >> >
> >> >> On 7/18/07, David McCullough <David_Mccullough@securecomputing.com>
> >> >wrote:
> >> >> >
> >> >> >Jivin Nawang Chhetan lays it down ...
> >> >> >> Hi David,
> >> >> >>   Thanks for the reply. I have been using the SafeXcel 1141 card on
> >> >> >> x86 platform. Need to investigate this further as suggested by you.
> >> >> >
> >> >> >Make sure you have the latest safenet driver from the 2007 tarball,
> >> >> >there are some bus width fixes in there IIRC for all the PCI drivers.
> >> >> >
> >> >> >Other than that,  it's debug time.
> >> >> >
> >> >> >> I have a question, I have noticed that list of hardware 
> >accelerators
> >> >> >> are supported with OCF-Linux is a bit unclear, even though these
> >> >> >> hardware accelerators are mentioned clearly:
> >> >> >>
> >> >> >> 1.    Hifn-7751
> >> >> >
> >> >> >hifn 7751, 7956
> >> >> >
> >> >> >safenet 1141, 1741
> >> >> >
> >> >> >Intel IXP (465 425 and 422)
> >> >> >
> >> >> >Freescale SEC (talitos)
> >> >> >
> >> >> >There is also a Via padlock driver in freebsd that would be trivial 
> >to
> >> >> >port.
> >> >> >
> >> >> >Software (using linux kernel crypto API,  which may also use hardware
> >> >:-)
> >> >> >
> >> >> >> Is this the exhaustive list ?
> >> >> >
> >> >> >The list above is,
> >> >> >
> >> >> >Cheers,
> >> >> >Davidm
> >> >> >
> >> >> >> On 7/17/07, David McCullough <David_Mccullough@securecomputing.com>
> >> >> >wrote:
> >> >> >> >
> >> >> >> >Jivin Nawang Chhetan lays it down ...
> >> >> >> >> Hi All,
> >> >> >> >>
> >> >> >> >> I am trying to integrate OCF-linux with Quicksec on linux 2.6
> >> >kernels.
> >> >> >> >> Many versions of OCF-Linux have been released but wtihout clear
> >> >> >> >> demarcation of 2.6 kernel versions they support. All they 
> >mention
> >> >is
> >> >> >> >> support for kernel verison 2.6.11 and later and the README 
> >within
> >> >the
> >> >> >> >> distributions states it can be easily modified to support recent
> >> >> >> >> version of kernels( which is true, I did it for 2.6.17.7 )
> >> >> >> >> My Question here is that:
> >> >> >> >> Is there any good OCF-Linux documentation available ?
> >> >> >> >
> >> >> >> >Only whats on the website.  Your best bet is to ask.
> >> >> >> >The current releases work for kernels up to 2.6.18 without
> >> >> >> >any major issues.  I should be doing a release this week with
> >> >> >> >everything up to 2.6.22 supported fully.  Just finishing off the
> >> >> >> >testing.
> >> >> >> >
> >> >> >> >> What is/are the version of 2.6 kernel, the OCF-Linux is most
> >> >> >> >> stable/tested/developed for ?
> >> >> >> >> Further I tried to use SafeXcel-1141 hardware accelerator ( 
> >which
> >> >is
> >> >> >> >> claimed to be supported) with OCF-Linux, but inserting the 
> >module
> >> >> >> >> safe.ko (after ocf.ko and cryptodev.ko ) hangs the machine 
> >(Kernel
> >> >> >> >> version 2.6.17.6 .).
> >> >> >> >> Do I need to insmod the SafeXcel-1141 driver too ?
> >> >> >> >
> >> >> >> >I have used the safenet driver on SuperH and ARM platforms. It 
> >works
> >> >> >> >fine there.  I don't have any way to test it on x86 though.
> >> >> >> >
> >> >> >> >It should work fine on 2.6.17, load everything with debug enabled
> >> >> >> >and see what happens.
> >> >> >> >
> >> >> >> >If you are running on an x86_64 system, disable all the code in
> >> >> >> >"random.c" however,  it was broken on 64bits arches in older
> >> >versions.
> >> >> >> >
> >> >> >> >Cheers,
> >> >> >> >Davidm
> >> >> >> >
> >> >> >> >--
> >> >> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> >> >> >734352815
> >> >> >> >Secure Computing - SnapGear  http://www.uCdot.org
> >> >> >http://www.cyberguard.com
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Nawang Chhetan
> >> >> >> Software Engineer
> >> >> >> SafeNet India.
> >> >> >>
> >> >> >
> >> >> >--
> >> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61
> >> >734352815
> >> >> >Secure Computing - SnapGear  http://www.uCdot.org
> >> >http://www.cyberguard.com
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Nawang Chhetan
> >> >> Software Engineer
> >> >> SafeNet India.
> >> >>
> >> >
> >> >--
> >> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 
> >734352815
> >> >Secure Computing - SnapGear  http://www.uCdot.org 
> >http://www.cyberguard.com
> >> >
> >>
> >>
> >> --
> >> Nawang Chhetan
> >> Software Engineer
> >> SafeNet India.
> >>
> >
> >--
> >David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
> >Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
> >
> 
> 
> -- 
> Nawang Chhetan
> Software Engineer
> SafeNet India.
> 

-- 
David McCullough,  david_mccullough@securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com