【DIY教程】D1 SDK可支持openssl对接CE硬件加解密模块

DOT小文哥 LV 8

D1 SDK可支持openssl对接CE，验证方法如下：

① tina/package加入补丁

diff --git a/libs/openssl/Makefile b/libs/openssl/Makefile
index c755f8adf..dbb608fdf 100755
--- a/libs/openssl/Makefile
+++ b/libs/openssl/Makefile
@@ -137,7 +137,7 @@ define Package/libopenssl-afalg
   $(call Package/openssl/Default)
   SUBMENU:=SSL
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE +@KERNEL_AIO @!LINUX_3_18 @LINUX_4_4||@LINUX_4_9
+  DEPENDS:=libopenssl @OPENSSL_ENGINE +@KERNEL_AIO @!LINUX_3_18 @LINUX_4_4||@LINUX_4_9||@LINUX_5_4
 endef

 define Package/libopenssl-padlock
@@ -210,7 +210,7 @@ ifdef CONFIG_OPENSSL_ENGINE
   ifndef CONFIG_PACKAGE_libopenssl-afalg
     OPENSSL_OPTIONS += no-afalgeng
   else
-    ifneq ($(CONFIG_PLATFORM_v5)$(CONFIG_PLATFORM_r328s2)$(CONFIG_PLATFORM_r328s3)$(CONFIG_PLATFORM_r18)$(CONFIG_PLATFORM_r329),)
+    ifneq ($(CONFIG_PLATFORM_v5)$(CONFIG_PLATFORM_r328s2)$(CONFIG_PLATFORM_r328s3)$(CONFIG_PLATFORM_r18)$(CONFIG_PLATFORM_r329)$(CONFIG_PLATFORM_r528)$(CONFIG_PLATFORM_d1),)
       OPENSSL_OPTIONS += -DSUPPORT_CE_V3_1
     else
       OPENSSL_OPTIONS += -DSUPPORT_CE_V3_2

② tina配置，make menconfig

Tina Configuration
    Libraries  --->
        SSL  --->
            -*- libopenssl........................... Open source SSL toolkit (libraries)  --->
[*]   Enable engine support
[*]     Support dynamic engine (NEW)
[*]   Support Zero-Copy mode to call kernel's algorithms
<*>   libopenssl-afalg...................... AFALG hardware acceleration engine

说明：可以将tina/lichee/linux-5.4/drivers/crypto/sunxi-ce/Makefile中的ccflags-y += -DDEBUG打开，这样每次调用CE时，就会产生debug打印。

③ 内核配置（参考显杨文档中的配置dts等），make kernel_menuconfig

Linux/riscv 5.4.61 Kernel Configuration
[*] Networking support  --->
-*- Cryptographic API  --->
[*]   Disable run-time self tests
<*>   CBC support 
<*>   CFB support 
-*-   CTR support 
<*>   CTS support 
-*-   ECB support 
<*>   OFB support 
<*>   XTS support 
<*>   MD5 digest algorithm
<*>   SHA1 digest algorithm              
-*-   SHA224 and SHA256 digest algorithm 
<*>   SHA384 and SHA512 digest algorithms
-*-   AES cipher algorithms
<*>   User-space interface for hash algorithms                   
<*>   User-space interface for symmetric key cipher algorithms   
<*>   User-space interface for random number generator algorithms
<*>   User-space interface for AEAD cipher algorithms            
[*]   Hardware crypto devices  --->                              
<*>   Support for Allwinner Sunxi CryptoEngine

④ 编译，将afalgtest程序adb push到设备上运行
PC端： adb push tina/out/d1-nezha/compile_dir/target/openssl-1.1.0i/test/aflagtest /tmp/
设备端： /tmp/aflagtest
该测试程序会对当前已经对接好CE的算法（主要是AES与Hash）进行测试。

大家可以参考tina/out/d1-nezha/compile_dir/target/openssl-1.1.0i/test/aflagtest.c进行编程即可使用CE加解密。

mengxp LV 5

使用afalg小块性能非常拉胯，可能是受限于内核通信或硬件中断之类的吧。

engine "afalg" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 62569 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 57975 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 55735 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 43987 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 16572 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 9685 aes-128-cbc's in 3.00s
OpenSSL 1.1.1m  14 Dec 2021
built on: Fri Dec 31 05:37:09 2021 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr) 
compiler: arm-linux-gnueabihf-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc        333.70k     1236.80k     4756.05k    15014.23k    45252.61k    52893.01k

不开afalg加速性能如下

You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 4299138 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1332727 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 357553 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 91071 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 11447 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 5724 aes-128-cbc's in 3.00s
OpenSSL 1.1.1m  14 Dec 2021
built on: Fri Dec 31 05:37:09 2021 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr) 
compiler: arm-linux-gnueabihf-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      22928.74k    28431.51k    30511.19k    31085.57k    31257.94k    31260.67k

平台: R328-S3