Parallel Crypto Engine for the Linux Kernel¶
- Table of contents
- Parallel Crypto Engine for the Linux Kernel
The Linux kernel encrypts and decrypt IPsec packets on a single CPU core only by default. Since 2.6.34 the pcrypt module (CONFIG_CRYPTO_PCRYPT
) allows parallelizing this to all available cores.
The module may be loaded with modprobe pcrypt
.
Instantiating Algorithm Drivers¶
To actually use pcrypt, specific crypto drivers must be instantiated with tcrypt or crconf.
tcrypt¶
The crypto testing module tcrypt (CONFIG_CRYPTO_TEST
) is intended for self-testing algorithm implementations, but may be used to instantiate crypto algorithms.
For instance, to parallelize IPsec SAs that use AES with SHA-256 use this (type 3 is AEAD):
modprobe tcrypt alg="pcrypt(authenc(hmac(sha256),cbc(aes)))" type=3
This command is expected to fail with something like:
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable
To parallelized AES-GCM the following may be used:
modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
It's also possible to select a specific implementation of the algorithms, the most efficient implementation should usually be selected automatically, though:
modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3
crconf¶
crconf uses Netlink to manage the Linux crypto framework. It requires CONFIG_CRYPTO_USER
(modprobe crypto_user
) in the kernel (available since 3.2).
For instance, to instantiate the same driver as in the first example above use:
crconf add driver "pcrypt(authenc(hmac(sha256),cbc(aes)))" type 3
With crconf it's also possible to remove such instances again with crconf del
, refer to the man page for details.
Expected Result¶
After running either of the above commands to instantiate a driver with AES and SHA-256 /proc/crypto
should show something like this (crconf show all
produces similar output):
name : authenc(hmac(sha256),cbc(aes)) driver : pcrypt(authenc(hmac(sha256-generic),cbc-aes-aesni)) module : pcrypt priority : 4100 refcnt : 1 selftest : passed type : aead async : yes blocksize : 16 ivsize : 16 maxauthsize : 32 geniv : <built-in>