Search code examples
opensslembedded-linuxopenvpnhardware-accelerationzynq

Accessing a custom hardware accelerator from linux: for use with openVPN/openSSL

I am trying to get openVPN to use a custom hardware accelerator that I designed for its cryptographic operations (For the sake of simplicity, lets say that I am just trying to get openVPN to use a custom AES accelerator that I have designed on an FPGA). I'd be using openVPN on a Xilinx ZYNQ platform running linux, and I will have memory mapped access to FPGA logic.

I have already written and verified the accelerators for multiple cryptographic operations (RSA, SHA256, AES) but only managed to use them through a bare-metal programming interface.

I'm seeking a way to get openVPN to use these accelerators, but am getting nowhere and need some pointers.

I know openVPN uses openSSL libraries, which can be configured to use the /dev/Crypto (cryptodev) API through the use of their "engines", but I still have no idea what exactly needs to be done in order to make the connection between my accelerator blocks and openSSL. There is almost no documentation for CryptoDev and I'm struggling to even understand how it works with openSSL.

I know I will need to write some sort of kernel module/device driver (or could maybe just mmap() the memory addresses of my accelerator into kernel space?) but that just allows linux to "see" my accelerators.

Please help me understand what I would need to do in order to get openSSL (and therefore openVPN) to be able to use my hardware accelerators. This can be at a high level, but I just need to know roughly what steps need to be taken so I can get off the ground.

edit: don't let the Xilinx ZYNQ scare you if you don't know anything about it, just assume that I made my own hardware accelerator that is magically mapped into physical memory. Now I just need to integrate it into openSSL/cryptodev.

Thanks!

Solution

  • The first thing you need to do is have a kernel space driver for your accelerator. Next you need to register your supported ciphers (using crypto_register_algs function from linux/crypto.h) by providing a list of your supported AES ciphers in your accelerator (struct crypto_alg)

    You can find more information here:

    Next use cryptoDev module to allow userspace access to your custom crypto driver (accelerator) which is registered through the cryptoAPI.

    Recompile OpenSSL to use CryptoDev with -DHAVE_CRYPTODEV. Use the cryptodev engine using the "-engine cryptodev" option