Enabling DM_Crypt Functionality in SDK release 5.07

This document lists the steps to enable DM_Crypt functionality in SDK 05.07.

Note: This document is intended for use with SDK release 5.07 and Ubuntu 10.04 LTS. If using a different release, certain steps such as the export of the PATH variable will be different. Proceed accordingly.

Code steps are shown as indented command lines.

Assumptions: This tutorial assumes one has a clean install of SDK 5.07 and that setup.sh has been run with all needed setup scripts. Run create-sdcard.sh once on the chosen SD card to create a fresh install for later modification.

Note: Some SD card readers will automount the boot and rootfs filesystems as read-only. These must be remounted read-write or this tutorial will fail.

Building the Kernel

In order to build the Linux kernel you will need a cross compiler installed on your system which can generate object code for the ARM core in your Sitara device. In the case of the AMSDK this compiler can be found inside the SDK in the <sdk install dir>/linux-devkit/bin directory. If you have not already done so, add this compiler to your path:

    export PATH="<sdk install dir>/linux-devkit/bin:$PATH"

where <sdk install dir> should be replaced with the directory where the SDK was installed.

It is important that when using the GCC toolchain provided with the SDK, or stand-alone from TI, you do NOT source the environment-setup file included with the toolchain when building the kernel. Doing so will cause the compilation of host-side components within the kernel tree to fail. (The Cryptsetup section later in this document does source that file; do that in a separate shell, or only after the kernel build has finished.)

The following commands are intended to be run from the root of the kernel tree unless otherwise specified. The root of the kernel tree is the top-level directory and can be identified by looking for the "MAINTAINERS" file.

Next, enter the kernel build directory and clean the kernel sources:
    cd <sdk install dir>/board-support/linux-3.2.0-psp04.06.00.10
    make ARCH=arm CROSS_COMPILE=arm-arago-linux-gnueabi- mrproper

Configure the kernel for the default AM335x installation:

    make ARCH=arm CROSS_COMPILE=arm-arago-linux-gnueabi- am335x_evm_defconfig

Next, it is important to further modify the kernel configuration to enable DM_Crypt. Enter menuconfig:

    make ARCH=arm CROSS_COMPILE=arm-arago-linux-gnueabi- menuconfig

Then:

Enter Device Drivers
Press Y to enable Multiple devices driver support (RAID and LVM)
Press Enter, then Y to enable Device mapper support (NEW)
Press Y to enable Device mapper debugging support (NEW)
Press Y to enable Crypt target support (NEW)

Hardware acceleration for crypto should be enabled by default. Affirm that the following are enabled:

Cryptographic API -> Hardware crypto devices
Cryptographic API -> Hardware crypto devices -> Support for OMAP4 AES hw engine
Cryptographic API -> Hardware crypto devices -> Support for OMAP4 SHA/MD5 hw engine

Exit menuconfig and build the kernel. This should take around 10 minutes.

    make ARCH=arm CROSS_COMPILE=arm-arago-linux-gnueabi- uImage
This will result in a kernel image file called uImage being created in the arch/arm/boot/ directory. Copy this file to the /boot partition of your SD card, overwriting the uImage already there.
Cross Compiling Cryptsetup

    export PATH="<SDK INSTALL DIR>/linux-devkit/bin:$PATH"
    source <SDK INSTALL DIR>/linux-devkit/environment-setup
    cd <SDK INSTALL DIR>/linux-devkit/arm-arago-linux-gnueabi

Cross compile libgpg-error:

    wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.bz2
    bzcat libgpg-error-1.9.tar.bz2 | tar xv
    cd libgpg-error-1.9
    ./autogen.sh
    ./configure --enable-static --host=arm-arago-linux-gnueabi --prefix=<mount-point of sd-card root>/usr
    make
    make install
    cd ../

NOTE: The configure command above will likely look something like ./configure --enable-static --host=arm-arago-linux-gnueabi --prefix=/media/rootfs/usr

NOTE: there should be no compilation-halting failures.

Cross compile libgcrypt:

    wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2
    bzcat libgcrypt-1.5.2.tar.bz2 | tar xv
    cd libgcrypt-1.5.2
    ./autogen.sh
    ./configure --enable-static --host=arm-arago-linux-gnueabi --prefix=<mount-point of sd-card root>/usr --with-gpg-error-prefix=<mount-point of sd-card root>/usr
    make
    make install
    cd ../

NOTE: there should be no compilation-halting failures.
Cross compile LVM2:

    wget ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.98.tgz
    tar xzvf LVM2.2.02.98.tgz
    cd LVM2.2.02.98
    export ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes
    ./configure --host=arm-arago-linux-gnueabi --enable-static --enable-lvm1_fallback --enable-fsadm --with-clvmd=cman --with-cluster=internal --with-pool=internal --with-user= --with-group= --with-dmdir=devicemapper.0 --with-device-uid=0 --with-device-gid=6 --with-device-mode=0660 --enable-pkgconfig --with-static-link --with-clvmd=none --with-pool=none --with-cluster=none --with-snapshots=none --with-mirrors=none --prefix=<mount-point of sd-card root>/usr
    make
    make install
    cd ../

NOTE: --with-clvmd, --with-pool and --with-cluster are each given twice on the configure line; configure takes the last value given, so the effective settings are none, none and none.

NOTE: there should be no compilation-halting failures.

Cross compile cryptsetup:

    wget http://cryptsetup.googlecode.com/files/cryptsetup-1.6.1.tar.bz2
    bzcat cryptsetup-1.6.1.tar.bz2 | tar xv
    cd cryptsetup-1.6.1
    ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure --host=arm-arago-linux-gnueabi --build=arm-linux --enable-static --prefix=<mount-point of sd-card root>/usr --with-libgcrypt-prefix=<mount-point of sd-card root>/usr
    make
    make install
    cd ../

NOTE: there should be no compilation-halting failures.
Using Cryptsetup

Remove the SD card from your computer and place it in the SD card slot on the AM335x EVM. This tutorial assumes a USB drive has enumerated as /dev/sda1. It is also possible to use a loopback device (/dev/loop0) or RAM (/dev/ram0) as the encrypted partition if one wishes.

To create and mount an encrypted partition:

    cryptsetup --cipher aes-cbc-null --key-size 128 --hash sha256 luksFormat /dev/sda1
    cryptsetup luksOpen /dev/sda1 enc-pv
    mke2fs -T ext2 /dev/mapper/enc-pv
    mount /dev/mapper/enc-pv /mnt

Note: the "null" IV generator in aes-cbc-null uses a constant IV for every sector. That is adequate for this accelerator verification exercise, but for a filesystem that will hold real data prefer a per-sector IV such as aes-cbc-essiv:sha256, which still runs the AES work on the same hardware engine.

To mount an already created encrypted partition:

    cryptsetup luksOpen /dev/sda1 enc-pv
    mount /dev/mapper/enc-pv /mnt

To unmount an encrypted partition:

    umount /mnt
    cryptsetup luksClose enc-pv

Verification of Hardware Crypto Accelerators for Cryptsetup

To verify that hardware accelerators (referred to as HWA) are active at all, run:

    time -v openssl speed -evp aes-128-cbc -engine cryptodev

(time -v requires GNU time, i.e. /usr/bin/time; the shell's built-in time does not accept -v.)

If HWA are active, the "Percent of CPU this job got:" line should be around 40-50%. If HWA are inactive, it should be around 80-90%.
Now that HWA are confirmed to be active, they need to be confirmed active and functioning for cryptsetup. For this task there are two recommended methods. One checks for HWA routines in memory and requires an external JTAG emulator and access to Code Composer. The other is an empirical approach that checks for an excessive number of EDMA IRQs (IRQ #12). The first approach should be used if the equipment is available, since it is the more reliable method.

HWA Routine Method

Connect a JTAG emulator to the AM335x and connect in Code Composer to the ARM A8 while running Linux. If Code Composer is resetting the AM335x memory on connection, comment out the internals of the OnTargetConnect() function in the ARM A8 GEL file in use. This will prevent the GEL file from initializing the AM335x on connection, so the memory of the actively running Linux will not be reset.

Open View -> Disassembly.

To find where to put the hardware breakpoints for the HWA functions, use the leftmost column (the address) of the output of the following commands run in Linux as root (unprivileged users may see the addresses reported as zero):

    cat /proc/kallsyms | grep omap4_aes_cbc_encrypt
    cat /proc/kallsyms | grep omap4_aes_crypt
    cat /proc/kallsyms | grep omap4_aes_cbc_decrypt

Place hardware breakpoints at these locations and mount an encrypted filesystem.

    cd <mount-point of encrypted filesystem>
    dd if=/dev/zero of=bigfile bs=1M count=100
    sync

This is an example of creating a file in the encrypted filesystem. The sync forces the written data out of the page cache, which is when dm-crypt actually encrypts it. One should now observe the omap4_aes_cbc_encrypt and omap4_aes_crypt breakpoints being hit in Code Composer.

    echo 3 > /proc/sys/vm/drop_caches
    cat /mnt/bigfile > /dev/null

This is an example of reading a file from the encrypted filesystem. Dropping the caches first ensures the read goes to the device rather than being served from the page cache without any decryption. One should now observe the omap4_aes_cbc_decrypt breakpoint being hit in Code Composer.
EDMA Observation Method

Mount an encrypted filesystem and enter the directory:

    cd <mount-point of encrypted filesystem>

Note the number of EDMA interrupts that have occurred so far:

    cat /proc/interrupts

Create a file in the encrypted filesystem:

    time -v dd if=/dev/zero of=bigfile bs=1M count=100

Note the number of EDMA interrupts that have now occurred:

    cat /proc/interrupts

Subtract the EDMA count from the first /proc/interrupts call from the EDMA count in the second call, and divide by the wall-clock seconds reported by the time -v dd command. If the number of EDMA interrupts per wall second is above 1000, it is highly likely that cryptsetup is using the HWA drivers. Perform this trial multiple times to rule out false positives and negatives; repeating the same dd on an unencrypted filesystem gives a baseline, since the SD/MMC and other DMA users also raise EDMA interrupts.
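The EDMA rate calculation above, done by script rather than by hand. This is an added example and not part of the original page; it assumes the EDMA line in /proc/interrupts is identified by its IRQ number (IRQ #12 per the text), and the two snapshots it reads are constructed samples, not captures from a board.

```shell
#!/bin/sh
# Added example, not from the original page: compute the EDMA interrupt rate
# from two saved copies of /proc/interrupts, as the EDMA observation method
# above does by hand. Assumes the EDMA line is identified by its IRQ number
# (the page cites IRQ #12); the two snapshots below are constructed samples.

# irq_count FILE IRQ -> total count for that IRQ, summed over all CPU columns
irq_count() {
    awk -v irq="$2:" '
        $1 == irq { s = 0; for (i = 2; i <= NF && $i ~ /^[0-9]+$/; i++) s += $i; print s; exit }
    ' "$1"
}

# edma_rate BEFORE AFTER IRQ WALL_SECONDS -> interrupts per wall second (integer)
# Fails if the IRQ is absent from either snapshot or the duration is not positive.
edma_rate() {
    b=$(irq_count "$1" "$3"); a=$(irq_count "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "IRQ $3 not found in snapshot" >&2; return 1
    fi
    awk -v a="$a" -v b="$b" -v t="$4" 'BEGIN { if (t + 0 <= 0) exit 1; printf "%d\n", (a - b) / t }'
}

# hwa_verdict RATE -> applies the page's 1000 interrupts/second rule of thumb
hwa_verdict() {
    if [ "$1" -gt 1000 ]; then echo likely-hwa; else echo likely-software; fi
}

# Constructed sample snapshots standing in for `cat /proc/interrupts` before and
# after `time -v dd ...`; on a board you would `cp /proc/interrupts before` etc.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
           CPU0
 12:      48213      INTC  edma
 64:       1200      INTC  mmc0
EOF
cat > "$AFTER" <<'EOF'
           CPU0
 12:     112500      INTC  edma
 64:       2900      INTC  mmc0
EOF

# Example run with 30 s of wall time taken from `time -v`: (112500-48213)/30 = 2142/s
RATE=$(edma_rate "$BEFORE" "$AFTER" 12 30)
echo "EDMA rate: $RATE/s -> $(hwa_verdict "$RATE")"
```

Feed it the real before/after copies and the "Elapsed (wall clock) time" from time -v, and repeat against a baseline write on an unencrypted filesystem before trusting the verdict.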