[openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Johnson, Donald K
Hello,
I am starting to work on development of an openssl engine
to enable access to the security processor, for Intel Atom
chipsets.

Is this the right forum for asking design questions, and
submitting patches?

Thank you,

Don Johnson
Ultra-Mobility Group
Intel Corporation
Office: 503-712-9898
[hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Darryl Miles
Johnson, Donald K wrote:
> Is this the right forum for asking design questions, and
> submitting patches?

Sure.

Patches are preferred to be submitted with ticket at RT
http://www.openssl.org/support/rt.html  (even if documentation still
says to use the mailing-list).


Can you cite any online references for the "SEP" and the scope of things
you are looking into ?  (I have an interest in the MeeGo project myself)


Which things describe what "SEP" is ?

  * SIMD optimizations (AES instructions, OpenSSL asm optimizations)
  * Trusted Execution Technology (TPM/TXT)
  * Hardware asynchronous crypto offloading/coprocessor (OpenSSL Engine)
  * Something else


Darryl

RE: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Johnson, Donald K
>-----Original Message-----
>From: Darryl Miles [mailto:[hidden email]]
>Sent: Tuesday, August 03, 2010 3:52 AM
>To: [hidden email]
>Cc: Johnson, Donald K
>Subject: Re: [openssl-dev] Engine support for enabling Intel
>Atom Security (SEP) processor
>
>Johnson, Donald K wrote:
>> Is this the right forum for asking design questions, and
>> submitting patches?
>
>Sure.
>
>Patches are preferred to be submitted with ticket at RT
>http://www.openssl.org/support/rt.html  (even if
>documentation still
>says to use the mailing-list).
>
>
>Can you cite any online references for the "SEP" and the
>scope of things
>you are looking into ?  (I have an interest in the MeeGo
>project myself)
>
>
>Which things describe what "SEP" is ?
>
>  * SIMD optimizations (AES instructions, OpenSSL asm
>optimizations)
>  * Trusted Execution Technology (TPM/TXT)
>  * Hardware asynchronous crypto offloading/coprocessor
>(OpenSSL Engine)
>  * Something else
>
There isn't a lot of online information at this time.
The product name is: Intel Smart & Secure Technology (Intel S&ST).
A very brief high level description is in this Intel Atom Processor
fact sheet:

http://download.intel.com/pressroom/kits/atom/z6xx/pdf/Fact_Sheet_Intel_Atom_Processor_Platform.pdf

The S&ST component is part of the Intel Platform Controller Hub (PCH) MP20.

Don J.

Re: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Andy Polyakov
>> Which things describe what "SEP" is ?
>>
> There isn't a lot of online information at this time.
> The product name is: Intel Smart & Secure Technology (Intel S&ST).
> A very brief high level description is in this Intel Atom Processor
> fact sheet:
>
> http://download.intel.com/pressroom/kits/atom/z6xx/pdf/Fact_Sheet_Intel_Atom_Processor_Platform.pdf
>
> The S&ST component is part of the Intel Platform Controller Hub (PCH) MP20.

It doesn't sound like it will be available for direct access from user-land
for example through instruction set extension, i.e. access would have to
be assisted by kernel driver. Given that primary goal would be Linux
(a.k.a. Android, MeeGo), it would be time to wish there was equivalent
to BSD's /dev/crypto. At least it would be hardly appropriate to develop
kernel module targeting some specific user-land library such as OpenSSL.
But anyway. What I would like to point out in the context is impact
kernel call overhead has on performance, naturally on small blocks. Or
rather that as far as kernel-assisted crypto access goes my vote would
go for "synthetic" implementation, which would turn to kernel only when
it actually pays off to do so and rely on user-land software
implementation otherwise. A.

Re: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Andy Polyakov
> What I would like to point out in the context is impact
> kernel call overhead has on performance,

where "kernel call" doesn't refer to privilege level transition per se,
but rather to overhead of talking to off-CPU hardware. I mean even if
sustained performance is high, persuading hardware to process small
amount of data at a time is likely (and was actually observed) to be
essentially prohibitive. A.


RE: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Johnson, Donald K
>-----Original Message-----
>From: [hidden email] [mailto:owner-openssl-
>[hidden email]] On Behalf Of Andy Polyakov
>Sent: Tuesday, August 03, 2010 1:47 PM
>To: [hidden email]
>Subject: Re: [openssl-dev] Engine support for enabling Intel
>Atom Security (SEP) processor
>
>>> Which things describe what "SEP" is ?
>>>
>> There isn't a lot of online information at this time.
>> The product name is: Intel Smart & Secure Technology (Intel
>S&ST).
>> A very brief high level description is in this Intel Atom
>Processor
>> fact sheet:
>>
>>
>http://download.intel.com/pressroom/kits/atom/z6xx/pdf/Fact_Sheet_Intel_Atom_Processor_Platform.pdf
>>
>> The S&ST component is part of the Intel Platform Controller
>Hub (PCH) MP20.
>
>It doesn't sound like it will be available for direct access
>from user-land
>for example through instruction set extension, i.e. access
>would have to
>be assisted by kernel driver.

Yes, access to the S&ST engine would be through the driver.

>Given that primary goal would
>be Linux
>(a.k.a. Android, MeeGo), it would be time to wish there was
>equivalent
>to BSD's /dev/crypto. At least it would be hardly appropriate
>to develop
>kernel module targeting some specific user-land library such
>as OpenSSL.
>But anyway. What I would like to point out in the context is
>impact
>kernel call overhead has on performance, naturally on small
>blocks. Or
>rather that as far as kernel-assisted crypto access goes my
>vote would
>go for "synthetic" implementation, which would turn to kernel
>only when
>it actually pays off to do so and rely on user-land software
>implementation otherwise. A.

Just to make sure I understand what you are saying.

Would this implementation do something like applying some rules
to the requested operation, based on the parameters passed, and
then decide whether to use the S&ST HW, or the OpenSSL SW function?
For the performance reasons you listed, I have been thinking
about doing something along those lines.

Is there a good reference example for this type of implementation?

Thank you,

Don J.

Re: [openssl-dev] Engine support for enabling Intel Atom Security (SEP) processor

Andy Polyakov
>> ... "synthetic" implementation, which would turn to kernel
>> only when it actually pays off to do so and rely on user-land
>> software implementation otherwise.
>
> Just to make sure I understand what you are saying.
>
> Would this implementation do something like applying some rules to
> the requested operation, based on the parameters passed, and then
> decide whether to use the S&ST HW, or the OpenSSL SW function?

Yes.

> For
> the performance reasons you listed, I have been thinking about doing
> something along those lines.

Good.

> Is there a good reference example for this type of implementation?

Unfortunately no. A.
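
The size-based dispatch discussed in this thread, as an added example that is not code from any poster, from OpenSSL, or from an Intel driver: a break-even length is derived from a measured cost model, and each request is routed to the offload path only at or above it. All names (`cost_model`, `synth_cipher`, `break_even_len`, `synth_do_cipher`, the stub back ends) and the cost figures are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cost model (ns), measured on the target at engine start-up. */
struct cost_model {
    uint64_t hw_setup_ns;   /* fixed cost of one driver round-trip */
    uint64_t hw_ns_per_kib; /* offload cost per KiB once the request is set up */
    uint64_t sw_ns_per_kib; /* user-land software cost per KiB */
};

typedef int (*cipher_fn)(const unsigned char *in, unsigned char *out, size_t len);

struct synth_cipher {
    cipher_fn hw, sw;       /* hw == NULL when the driver is not present */
    size_t threshold;       /* smallest request sent to hardware */
    unsigned long hw_calls, sw_calls;
};

/* Smallest len (bytes) with setup + len*hw <= len*sw; SIZE_MAX if none. */
size_t break_even_len(const struct cost_model *m)
{
    if (m->sw_ns_per_kib <= m->hw_ns_per_kib)
        return SIZE_MAX;    /* offload never pays off */
    uint64_t gain = m->sw_ns_per_kib - m->hw_ns_per_kib; /* ns saved per KiB */
    return (size_t)((m->hw_setup_ns * 1024 + gain - 1) / gain);
}

/* Route one request; both back ends must yield identical output. */
int synth_do_cipher(struct synth_cipher *c, const unsigned char *in,
                    unsigned char *out, size_t len)
{
    if (c->hw != NULL && len >= c->threshold) {
        c->hw_calls++;
        return c->hw(in, out, len);
    }
    c->sw_calls++;
    return c->sw(in, out, len);
}

/* Constructed stand-ins for the two back ends (a byte XOR, not a cipher). */
static int xor_backend(const unsigned char *in, unsigned char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ 0x5a;
    return 1;
}
int stub_hw(const unsigned char *i, unsigned char *o, size_t n) { return xor_backend(i, o, n); }
int stub_sw(const unsigned char *i, unsigned char *o, size_t n) { return xor_backend(i, o, n); }
```

For a chained mode, the IV and any running state have to live where both back ends can read and update them, since consecutive calls on one context may take different paths.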
