Gentoo Forums
OpenSSL and AMD Cryptographic CoProcessor (CCP)
Gatak
Apprentice


Joined: 04 Jan 2004
Posts: 172

Posted: Thu Jul 23, 2020 11:43 am    Post subject: OpenSSL and AMD Cryptographic CoProcessor (CCP)

Hi!

I have an AMD CPU with Cryptographic CoProcessor (CCP).

Is it possible to use the hardware crypto for things like OpenSSL/OpenSSH or TCP checksum calculations?

# openssl engine
Code:
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support


# Kernel config
Code:

CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
CONFIG_CRYPTO_DEV_SP_CCP=y
CONFIG_CRYPTO_DEV_CCP_CRYPTO=y
CONFIG_CRYPTO_DEV_CCP_DEBUGFS=y
 | ┌────────────────────────────────────────────────────────────────────┐ │
 │ │    --- Hardware crypto devices                                     │ │
 │ │    < >   Support for VIA PadLock ACE                               │ │
 │ │    < >   Support for Microchip / Atmel ECC hw accelerator          │ │
 │ │    < >   Support for Microchip / Atmel SHA accelerator and RNG     │ │
 │ │    [*]   Support for AMD Secure Processor                          │ │
 │ │    <*>     Secure Processor device driver                          │ │
 │ │    [*]       Cryptographic Coprocessor device                      │ │
 │ │    <*>         Encryption and hashing offload support              │ │
 │ │    [*]       Platform Security Processor (PSP) device              │ │
 │ │    [*]     Enable CCP Internals in DebugFS                         │ │
 │ │    < >   Support for Intel(R) DH895xCC                             │ │


# dmesg | grep -i ccp
Code:

[    3.201014] ccp 0000:07:00.2: ccp enabled
[    3.211267] ccp 0000:07:00.2: tee enabled
[    3.211451] ccp 0000:07:00.2: psp enabled


# grep -i ccp /proc/crypto
Code:

# grep -i ccp /proc/crypto
driver       : rsa-ccp
driver       : hmac-sha512-ccp
driver       : sha512-ccp
driver       : hmac-sha384-ccp
driver       : sha384-ccp
driver       : hmac-sha256-ccp
driver       : sha256-ccp
driver       : hmac-sha224-ccp
driver       : sha224-ccp
driver       : hmac-sha1-ccp
driver       : sha1-ccp
driver       : cbc-des3-ccp
driver       : ecb-des3-ccp
driver       : gcm-aes-ccp
driver       : xts-aes-ccp
driver       : cmac-aes-ccp
driver       : rfc3686-ctr-aes-ccp
driver       : ctr-aes-ccp
driver       : ofb-aes-ccp
driver       : cfb-aes-ccp
driver       : cbc-aes-ccp
driver       : ecb-aes-ccp


# ls /dev/crypto
Code:
ls: cannot access '/dev/crypto': No such file or directory


# grep . /sys/kernel/debug/ccp/ -R
Code:

/sys/kernel/debug/ccp/ccp-1/q4/stats:  Total Queue Operations: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                     AES: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                 XTS AES: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                     RSA: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:               Pass-Thru: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:                     ECC: 0
/sys/kernel/debug/ccp/ccp-1/q4/stats:      Enabled Interrupts: ERROR COMPLETION
/sys/kernel/debug/ccp/ccp-1/q3/stats:  Total Queue Operations: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                     AES: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                 XTS AES: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                     RSA: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:               Pass-Thru: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:                     ECC: 0
/sys/kernel/debug/ccp/ccp-1/q3/stats:      Enabled Interrupts: ERROR COMPLETION
/sys/kernel/debug/ccp/ccp-1/q2/stats:  Total Queue Operations: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                     AES: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                 XTS AES: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                     RSA: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:               Pass-Thru: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:                     ECC: 0
/sys/kernel/debug/ccp/ccp-1/q2/stats:      Enabled Interrupts: ERROR COMPLETION
/sys/kernel/debug/ccp/ccp-1/stats:Total Interrupts Handled: 0
/sys/kernel/debug/ccp/ccp-1/stats:        Total Operations: 0
/sys/kernel/debug/ccp/ccp-1/stats:                     AES: 0
/sys/kernel/debug/ccp/ccp-1/stats:                 XTS AES: 0
/sys/kernel/debug/ccp/ccp-1/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/stats:                     SHA: 0
/sys/kernel/debug/ccp/ccp-1/stats:                     RSA: 0
/sys/kernel/debug/ccp/ccp-1/stats:               Pass-Thru: 0
/sys/kernel/debug/ccp/ccp-1/stats:                     ECC: 0
/sys/kernel/debug/ccp/ccp-1/info:Device name: ccp-1
/sys/kernel/debug/ccp/ccp-1/info:   RNG name: ccp-1-rng
/sys/kernel/debug/ccp/ccp-1/info:   # Queues: 3
/sys/kernel/debug/ccp/ccp-1/info:     # Cmds: 0
/sys/kernel/debug/ccp/ccp-1/info:    Version: 5
/sys/kernel/debug/ccp/ccp-1/info:    Engines: AES 3DES SHA RSA ECC ZDE TRNG
/sys/kernel/debug/ccp/ccp-1/info:     Queues: 5
/sys/kernel/debug/ccp/ccp-1/info:LSB Entries: 128


# lscpu
Code:

Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   43 bits physical, 48 bits virtual
CPU(s):                          4
On-line CPU(s) list:             0-3
Thread(s) per core:              2
Core(s) per socket:              2
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       AuthenticAMD
CPU family:                      23
Model:                           24
Model name:                      AMD Athlon 3000G with Radeon Vega Graphics
Stepping:                        1
Frequency boost:                 enabled
CPU MHz:                         3673.187
CPU max MHz:                     3900.0000
CPU min MHz:                     1600.0000
BogoMIPS:                        7785.76
Virtualization:                  AMD-V
L1d cache:                       64 KiB
L1i cache:                       128 KiB
L2 cache:                        1 MiB
L3 cache:                        4 MiB
NUMA node0 CPU(s):               0-3
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and use
                                 rcopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, IBPB: disabled, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtr
                                 r pge mca cmov pat pse36 clflush mmx fxsr sse s
                                 se2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtsc
                                 p lm constant_tsc rep_good nopl nonstop_tsc cpu
                                 id extd_apicid aperfmperf pni pclmulqdq monitor
                                  ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes
                                 xsave avx f16c rdrand lahf_lm cmp_legacy svm ex
                                 tapic cr8_legacy abm sse4a misalignsse 3dnowpre
                                 fetch osvw skinit wdt tce topoext perfctr_core
                                 perfctr_nb bpext perfctr_llc mwaitx cpb hw_psta
                                 te sme ssbd sev ibpb vmmcall fsgsbase bmi1 avx2
                                  smep bmi2 rdseed adx smap clflushopt sha_ni xs
                                 aveopt xsavec xgetbv1 xsaves clzero irperf xsav
                                 eerptr arat npt lbrv svm_lock nrip_save tsc_sca
                                 le vmcb_clean flushbyasid decodeassists pausefi
                                 lter pfthreshold avic v_vmsave_vmload vgif over
                                 flow_recov succor smca
Gatak
Apprentice


Joined: 04 Jan 2004
Posts: 172

Posted: Thu Jul 23, 2020 1:43 pm    Post subject: Use openssl -engine afalg

So it seems possible to use the AMD CCP using openssl -engine afalg

The speed improvement for AES is huge when you use larger block sizes! :D

# openssl speed -evp aes-192-cbc -engine afalg
Code:
engine "afalg" set.
Doing aes-192-cbc for 3s on 16 size blocks: 1685326 aes-192-cbc's in 0.45s
Doing aes-192-cbc for 3s on 64 size blocks: 1722473 aes-192-cbc's in 0.41s
Doing aes-192-cbc for 3s on 256 size blocks: 1543359 aes-192-cbc's in 0.40s
Doing aes-192-cbc for 3s on 1024 size blocks: 1127194 aes-192-cbc's in 0.33s
Doing aes-192-cbc for 3s on 8192 size blocks: 335502 aes-192-cbc's in 0.09s
Doing aes-192-cbc for 3s on 16384 size blocks: 180981 aes-192-cbc's in 0.06s
OpenSSL 1.1.1g  21 Apr 2020
built on: Thu Jul 23 11:19:52 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: x86_64-pc-linux-gnu-gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -march=native -pipe -fno-strict-aliasing -Wa,--noexecstack -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG  -DOPENSSL_NO_BUF_FREELISTS
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-192-cbc      59922.70k   268873.83k   987749.76k  3497717.14k 30538137.60k 49419878.40k


# openssl speed -evp aes-192-cbc
Code:
Doing aes-192-cbc for 3s on 16 size blocks: 139159126 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 64 size blocks: 51864313 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 256 size blocks: 13886330 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 1024 size blocks: 3540324 aes-192-cbc's in 3.00s
Doing aes-192-cbc for 3s on 8192 size blocks: 444244 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 16384 size blocks: 222334 aes-192-cbc's in 2.99s
OpenSSL 1.1.1g  21 Apr 2020
built on: Thu Jul 23 11:19:52 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: x86_64-pc-linux-gnu-gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -march=native -pipe -fno-strict-aliasing -Wa,--noexecstack -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG  -DOPENSSL_NO_BUF_FREELISTS
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-192-cbc     744664.22k  1110139.14k  1188929.93k  1208430.59k  1217139.41k  1218301.09k
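Added example, not part of the original post: without `-elapsed`, `openssl speed` divides by user CPU time (the `in 0.45s` figure), which does not count time spent in the kernel or waiting on an engine such as afalg. The script below recomputes the two runs above per reported CPU second and per nominal 3-second interval; treating each loop as having run the full 3 seconds of wall-clock time is an assumption, and the function names are illustrative.

```python
import re

# "Doing <alg> for <T>s on <N> size blocks: <ops> <alg>'s in <cpu>s"
LINE = re.compile(r"Doing \S+ for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")

# Result lines copied from the `-engine afalg` run in the post above.
AFALG = """\
Doing aes-192-cbc for 3s on 16 size blocks: 1685326 aes-192-cbc's in 0.45s
Doing aes-192-cbc for 3s on 64 size blocks: 1722473 aes-192-cbc's in 0.41s
Doing aes-192-cbc for 3s on 256 size blocks: 1543359 aes-192-cbc's in 0.40s
Doing aes-192-cbc for 3s on 1024 size blocks: 1127194 aes-192-cbc's in 0.33s
Doing aes-192-cbc for 3s on 8192 size blocks: 335502 aes-192-cbc's in 0.09s
Doing aes-192-cbc for 3s on 16384 size blocks: 180981 aes-192-cbc's in 0.06s
"""
# Result lines copied from the run without an engine.
SOFTWARE = """\
Doing aes-192-cbc for 3s on 16 size blocks: 139159126 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 64 size blocks: 51864313 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 256 size blocks: 13886330 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 1024 size blocks: 3540324 aes-192-cbc's in 3.00s
Doing aes-192-cbc for 3s on 8192 size blocks: 444244 aes-192-cbc's in 2.99s
Doing aes-192-cbc for 3s on 16384 size blocks: 222334 aes-192-cbc's in 2.99s
"""

def throughput(output):
    """Map block size -> (kB/s per reported CPU second, kB/s per nominal second)."""
    table = {}
    for m in LINE.finditer(output):
        nominal_s, block, ops, cpu_s = int(m[1]), int(m[2]), int(m[3]), float(m[4])
        total_bytes = block * ops
        # A CPU time that rounds to 0.00s would otherwise divide by zero.
        by_cpu = total_bytes / cpu_s / 1000 if cpu_s else float("inf")
        # Assumption: the loop ran for the nominal time printed after "for".
        table[block] = (by_cpu, total_bytes / nominal_s / 1000)
    return table

def compare(engine_out, baseline_out):
    """Per block size: engine/baseline ratio under each divisor."""
    eng, base = throughput(engine_out), throughput(baseline_out)
    return {b: (eng[b][0] / base[b][0], eng[b][1] / base[b][1]) for b in eng if b in base}

if __name__ == "__main__":
    for block, (by_cpu, by_wall) in compare(AFALG, SOFTWARE).items():
        print(f"{block:>6} B  afalg/default by CPU time: {by_cpu:6.2f}x  "
              f"by nominal 3 s: {by_wall:5.2f}x")
```

Rerunning both commands with `-elapsed` makes `openssl speed` use wall-clock time as the divisor, which gives this comparison directly.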
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 6687

Posted: Thu Jul 23, 2020 9:56 pm

That's some interesting numbers. My CPU's CCP isn't accessible because Gigabyte doesn't know how to write a BIOS. I don't care that much about it, because nothing on my computer can do sustained 50GB/s IO anyway, but it is annoying having dmesg remind me every boot…
Anon-E-moose
Advocate


Joined: 23 May 2008
Posts: 4773
Location: Dallas area

Posted: Thu Jul 23, 2020 10:22 pm

Ant P. wrote:
That's some interesting numbers. My CPU's CCP isn't accessible because Gigabyte doesn't know how to write a BIOS. I don't care that much about it, because nothing on my computer can do sustained 50GB/s IO anyway, but it is annoying having dmesg remind me every boot…


Mine doesn't work either, so I unticked "AMD Secure Encrypted Virtualization (SEV) support" for kvm and blacklisted the ccp module.
_________________
PRIME x570-pro, 3700x, RX 550 & 560 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon
Gatak
Apprentice


Joined: 04 Jan 2004
Posts: 172

Posted: Thu Jul 23, 2020 10:31 pm

Ant P. wrote:
That's some interesting numbers. My CPU's CCP isn't accessible because Gigabyte doesn't know how to write a BIOS. I don't care that much about it, because nothing on my computer can do sustained 50GB/s IO anyway, but it is annoying having dmesg remind me every boot…


I have a Gigabyte MB. https://www.gigabyte.com/Motherboard/B450M-DS3H-rev-10/

It was their last BIOS released in July that fixed this. I filed a support ticket earlier about another issue with iGPU RAM under Linux and they sent me a fix. Perhaps if you do the same they will start looking at Linux more?
All times are GMT