in BeagleBone, Crypto, Tor 862 Words

Tor and Hardware Acceleration with the BeagleBone Black

I’ve made some progress with using hardware acceleration on the BeagleBone Black (BBB) and running Tor.  It appears that OpenSSL cryptodev engine does not use all the algorithms that the linux-cryptodev module makes available.  I believe this can be changed with a patch for the OpenSSL cryptodev engine.  But otherwise, at least from running Tor as a client, initial results seem better than before.

Specific AES modes in the AM335X

The documentation seems to be vague on what modes and key sizes the AM335x supports. However, a post on the TI boards seems to indicate they support a nice swath of modes and key sizes (128, 192, and 256).

Getting Tor and cryptodev enabled OpenSSL to play nicely

I was initially having trouble getting Tor to interact cleanly with my cryptodev compiled OpenSSL.  Compiling OpenSSL by scratch drops everything under /usr/local/ssl but the Debian package places things where Debian wants.  Fortunately, I found a very helpful post that suggests modifying the Debian source package and statically compiling with OpenSSL.  The instructions are updated here for the current version and hardware acceleration:

OpenSSL:

 wget https://www.openssl.org/source/openssl-1.0.1e.tar.gz
 tar xfz openssl-1.0.1e.tar.gz
 cd openssl-*
 ./config -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS shared
 make
 make test
 make install

Tor:

Add Tor sources to apt (replace DIST with your current distribution, eg. wheezy):

deb-src http://deb.torproject.org/torproject.org DIST main
deb-src http://deb.torproject.org/torproject.org DIST main
deb-src http://deb.torproject.org/torproject.org experimental-DIST main

Install required packages for building Tor and an own package:

apt-get update
apt-get install build-essential fakeroot devscripts
apt-get build-dep tor

Download current Tor sources to ~/debian-packages:

mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*

Edit configuration: Edit debian/rules, find the following section:

override_dh_auto_configure:
    ! [ -e debian/micro-revision.i ] || cp debian/micro-revision.i src/or/micro-revision.i
    dh_auto_configure -- \
            $(confflags) \
            --prefix=/usr \
            --mandir=\$${prefix}/share/man \
            --infodir=\$${prefix}/share/info \
            --localstatedir=/var \
            --sysconfdir=/etc \
            --disable-silent-rules

Change to (highlighted):

override_dh_auto_configure:
    ! [ -e debian/micro-revision.i ] || cp debian/micro-revision.i src/or/micro-revision.i
    dh_auto_configure -- \
            $(confflags) \
            --enable-static-openssl \
            --with-openssl-dir=/usr/local/ssl \
            --prefix=/usr \
            --mandir=\$${prefix}/share/man \
            --infodir=\$${prefix}/share/info \
            --localstatedir=/var \
            --sysconfdir=/etc \
            --disable-silent-rules

Now, compile and build your own package and install it:

debuild -rfakeroot -uc -us
cd ..
sudo dpkg -i tor_*.deb

I did not the OpenBSD malloc option; I will have to experiment with that later.

Finally, edit /usr/share/tor/tor-service-defaults-torrc with the following:

HardwareAccel 1
AccelName cryptodev

Restart tor: sudo /etc/init.d/tor restart

Logging of HW Engines from Tor

I was a bit surprised in my Tor log that I only saw cryptodev being used for RSA and DH:

[notice] Using OpenSSL engine cryptodev engine [cryptodev] for RSA
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for DH

After a brief chat on tor-dev, I’ve submitted a patch that should improve the logging.  However even with the logging, notice that cryptodev is not using all of the algorithms provided by Tor:

[info] crypto_global_init(): OpenSSL version matches version from headers (1000105f: OpenSSL 1.0.1e 11 Feb 2013).
[info] crypto_global_init(): Initializing OpenSSL engine support.
[info] crypto_global_init(): Initializing dynamic OpenSSL engine "cryptodev" acceleration support.
[info] crypto_global_init(): Loaded dynamic OpenSSL engine "cryptodev".
[info] crypto_global_init(): Loaded OpenSSL hardware acceleration engine, setting default ciphers.
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for RSA
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for DH
[info] log_engine(): Using default implementation for ECDH
[info] log_engine(): Using default implementation for ECDSA
[info] log_engine(): Using default implementation for RAND
[info] log_engine(): Using default implementation for SHA1
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for 3DES-CBC
[info] log_engine(): Using default implementation for AES-128-ECB
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for AES-128-CBC
[notice] Using OpenSSL engine cryptodev engine [cryptodev] for AES-256-CBC
[info] evaluate_evp_for_aes(): No AES engine found; using AES_* functions.
[info] evaluate_ctr_for_aes(): This OpenSSL has a good implementation of counter mode; using it.
[info] crypto_strongest_rand(): Reading entropy from "/dev/urandom"
[info] tor_tls_init(): OpenSSL OpenSSL 1.0.1e 11 Feb 2013 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation

Specifically, I expected SHA1 and RAND to be provided.

Cryptodev in OpenSSL

Looking at OpenSSL’s eng_cryptodev.c, it doesn’t support AES-128-ECB, so that explains that.  I’m at a loss for SHA1 though.  I’m also a bit confused by the line “No AES engine found; using AES* functions.”  So that needs further investigation.

Related articles

2 thoughts on “Tor and Hardware Acceleration with the BeagleBone Black

  1. One of your openssl config script parameters has a typo. It should be “-DUSE_CRYPTODEV_DIGESTS” instead of “-DUSE_CRYPTDEV_DIGESTS”.

Comments are closed.