
Device Drivers

  The drivers for the various crypto devices must be able to cope with a wide variety of hardware design decisions (and bugs) made by the manufacturers. These drivers register the algorithms supported by the device and export the appropriate callback functions to the OCF.

The hifn driver supports the Hifn 7751, 7811, and 7951 chips and contains around 3,000 lines of code and definitions. The driver supports the symmetric operations and hashes available on all these chips. Additionally, it supports the random-number generators available on the 7811 and 7951, but does not support the public-key unit on the 7951; the latter was clearly designed for SSL server implementations, as it requires a large amount of CPU-intensive initialization which can be precomputed and reused repeatedly on a server but not on a client. All these chips support copying header and trailer data through to the destination buffer, and include full support for scatter-gather I/O. Unfortunately, there is no easy way to coalesce interrupts on this chip, which generates one interrupt per operation, resulting in considerable system overhead. Another important detail is that all of the Hifn symmetric crypto chips poll their descriptor rings in main memory for data to process.

The nofn driver supports the Hifn 7814, 7851, and 7854 chips (also known as HIPP1 packet processors). Currently, there is no support for the symmetric unit on these chips. These units have not yet been fitted into the current framework because they are designed to replace almost all of the IPsec processing (IV generation, MAC checking, replay window handling, etc.). In the future, we intend to add support for the IPsec unit by adding a combined-class algorithm and checking for it in IPsec. On the other hand, the public-key unit is almost exactly the same as that of the Hifn 6500 described below.

The lofn driver supports the Hifn 6500 chip, which contains a public-key unit and a random-number generator. This chip is essentially a simple big-number arithmetic logic unit (i.e., an ALU capable of performing operations on 1024-bit registers). Unlike all of the other chips, the 6500 is not a bus master (i.e., it has no DMA support); instead, its registers are exposed within its PCI memory-mapped address space. Because modular exponentiation is so expensive, the somewhat higher overhead of writes to these I/O addresses is still small compared to doing the exponentiation in software.

The ubsec driver, which supports the Broadcom 5801, 5802, 5805, 5820, 5821, and 5822 chips, consists of slightly less than 3,000 lines of code and definitions. The symmetric-crypto units on all of the chips are very similar, but the 580x series and 582x series require different formatting for the big numbers on the asymmetric unit. These chips support interrupt coalescing by chaining several commands together, and scatter-gather I/O. Unlike Hifn, these chips do not poll main memory.

We have a variety of other device drivers in various stages of completion. We are aware of other and more modern products from a variety of vendors, but many of them are hesitant to give us the information we need.
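The registration contract sketched at the start of this section (drivers register the algorithms their chip supports and export callbacks to the OCF), together with the capability split between the hifn and lofn chips, as an added user-space model that is not OpenBSD's crypto.c nor any of the drivers above. The algorithm ids, the function names and the two sample drivers are assumptions made for illustration.

```c
/* Added example (not OpenBSD's crypto.c): a user-space model of OCF driver
 * registration and session-to-driver binding. Algorithm ids and the two sample
 * drivers ("hifn"-like symmetric/hash unit, "lofn"-like public-key unit) are constructed. */
#include <stdint.h>
#include <string.h>
enum { ALG_DES_CBC, ALG_3DES_CBC, ALG_SHA1_HMAC, ALG_MOD_EXP, ALG_COUNT };
struct cryptodrv {
    const char *name;
    uint32_t caps;                 /* bit i set => algorithm i is supported */
    int (*process)(const char *);  /* stands in for the driver's process() callback */
};
#define MAX_DRIVERS 4
static struct cryptodrv drivers[MAX_DRIVERS];
static int ndrivers;

/* Model of crypto_register(): one algorithm per call. Returns the driver id
 * (reused when the driver is already known) or -1 on a bad algorithm or full table. */
int register_alg(const char *name, int alg, int (*process)(const char *)) {
    int i;
    if (alg < 0 || alg >= ALG_COUNT) return -1;
    for (i = 0; i < ndrivers; i++)
        if (strcmp(drivers[i].name, name) == 0) { drivers[i].caps |= 1u << alg; return i; }
    if (ndrivers == MAX_DRIVERS) return -1;
    drivers[ndrivers] = (struct cryptodrv){ name, 1u << alg, process };
    return ndrivers++;
}

/* Model of session setup: one driver must cover every requested algorithm, so a
 * 3DES+HMAC session and a mod-exp session bind to different chips, and a request
 * mixing the two finds no driver (-1). */
int select_driver(const int *algs, int n) {
    uint32_t want = 0;
    int i;
    for (i = 0; i < n; i++) {
        if (algs[i] < 0 || algs[i] >= ALG_COUNT) return -1;
        want |= 1u << algs[i];
    }
    for (i = 0; i < ndrivers; i++)
        if ((drivers[i].caps & want) == want) return i;
    return -1;
}

static int noop_process(const char *op) { (void)op; return 0; }

/* Registers the two constructed drivers; returns the number of drivers present. */
int setup_drivers(void) {
    ndrivers = 0;
    register_alg("hifn", ALG_DES_CBC, noop_process);
    register_alg("hifn", ALG_3DES_CBC, noop_process);
    register_alg("hifn", ALG_SHA1_HMAC, noop_process);
    register_alg("lofn", ALG_MOD_EXP, noop_process);
    return ndrivers;
}
```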

Angelos D. Keromytis