1. Error message
When enabling Crypto hardware encryption on the LPB3588 we ran into a problem: with IPsec enabled, the kernel reported "rk-crypto complete_op err = -110", and encrypting and decrypting packets became extremely slow.
Analysis: this problem is usually related to the configuration of the hardware crypto accelerator and its kernel driver; the Crypto V2 hardware crypto accelerator had not been configured correctly.
2. Enabling Crypto V2 hardware encryption
First download "Rockchip_Developer_Guide_Crypto_HWRNG_CN.pdf" and read up on Crypto V2.
Enable the Crypto V2 hardware crypto accelerator in the kernel configuration:
--- a/kernel/drivers/crypto/Kconfig
+++ b/kernel/drivers/crypto/Kconfig
@@ -775,6 +775,36 @@ config CRYPTO_DEV_ROCKCHIP
source "drivers/crypto/rockchip/Kconfig"
+config CRYPTO_DEV_ROCKCHIP2
+ tristate "Rockchip's cryptographic offloader V2"
+ depends on OF && ARCH_ROCKCHIP
+ depends on PM
+ select CRYPTO_ECB
+ select CRYPTO_CBC
+ select CRYPTO_AES
+ select CRYPTO_MD5
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
+ select CRYPTO_SHA512
+ select CRYPTO_SM3_GENERIC
+ select CRYPTO_HASH
+ select CRYPTO_SKCIPHER
+ select CRYPTO_ENGINE
+
+ help
+ This driver interfaces with the hardware crypto offloader present
+ on RK3566, RK3568 and RK3588.
+
+config CRYPTO_DEV_ROCKCHIP2_DEBUG
+ bool "Enable Rockchip V2 crypto stats"
+ depends on CRYPTO_DEV_ROCKCHIP2
+ depends on DEBUG_FS
+ help
+ Say y to enable Rockchip crypto debug stats.
+ This will create /sys/kernel/debug/rk3588_crypto/stats for displaying
+ the number of requests per algorithm and other internal stats.
+
+
config CRYPTO_DEV_ZYNQMP_AES
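Review bot: the CRYPTO_DEV_ROCKCHIP2_DEBUG help text hard-codes /sys/kernel/debug/rk3588_crypto/stats, while the CRYPTO_DEV_ROCKCHIP2 help text says the driver covers RK3566, RK3568 and RK3588; either make the path in the help text generic or state that the same path is used on all three SoCs. Two smaller points: the new entry sits right after `source "drivers/crypto/rockchip/Kconfig"` without saying how it relates to the existing CRYPTO_DEV_ROCKCHIP driver (one sentence in the help would let someone choose between them), and the two blank lines before `config CRYPTO_DEV_ZYNQMP_AES` should be one.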
config CRYPTO_DEV_ROCKCHIP2:
Function: this option enables support for the Rockchip V2 hardware crypto accelerator, specifically on the RK3566, RK3568 and RK3588 series SoCs. The accelerator offloads symmetric encryption (such as AES) and hashing (such as SHA1 and SHA256) from the CPU.
Dependencies: it depends on the Rockchip architecture (ARCH_ROCKCHIP) and device tree support (OF), and requires power management (PM) to be enabled.
Algorithm selection: it selects the common cipher and hash modules, such as ECB, CBC, AES, MD5, SHA1, SHA256, SHA512 and SM3.
Hardware engine support: it selects CRYPTO_ENGINE so that the hardware acceleration can be used.
config CRYPTO_DEV_ROCKCHIP2_DEBUG:
Function: a debugging option; when enabled it creates /sys/kernel/debug/rk3588_crypto/stats, which shows the number of requests per algorithm and other internal statistics.
Dependencies: depends on DEBUG_FS, the Linux kernel's debugging filesystem.
Enable Crypto V2 hardware encryption by default
--- a/kernel/arch/arm64/configs/rockchip_linux_defconfig
+++ b/kernel/arch/arm64/configs/rockchip_linux_defconfig
CONFIG_CRYPTO_DEV_ROCKCHIP_DEV=y
+CONFIG_CRYPTO_DEV_ROCKCHIP2=y
CONFIG_CRC_T10DIF=y
CONFIG_CRC7=y
# CONFIG_XZ_DEC_X86 is not set
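Review bot: this hunk has no `@@` header, so its position in rockchip_linux_defconfig cannot be checked from the diff alone; please regenerate it with full context. The symbol is `tristate` in the Kconfig hunk above but is set to `=y` here; built-in is a sensible choice for a driver the IPsec path relies on, but the commit message should say that this is intended, and whether the existing `CONFIG_CRYPTO_DEV_ROCKCHIP_DEV=y` line is still needed alongside it.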
3. Enabling the kernel configuration used by the IPsec demo
--- a/kernel/arch/arm64/configs/rockchip_linux_defconfig
+++ b/kernel/arch/arm64/configs/rockchip_linux_defconfig
CONFIG_CRYPTO_USER_API_SKCIPHER=y
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_TUNNEL=m
+CONFIG_NFT_OBJREF=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_QUOTA=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_HASH=m
+CONFIG_NFT_FIB=m
+CONFIG_NFT_FIB_INET=m
+CONFIG_NFT_XFRM=m
+CONFIG_NFT_SOCKET=m
+CONFIG_NFT_OSF=m
+CONFIG_NFT_TPROXY=m
+CONFIG_NFT_SYNPROXY=m
+CONFIG_NF_DUP_NETDEV=m
+CONFIG_NFT_DUP_NETDEV=m
+CONFIG_NFT_FWD_NETDEV=m
+CONFIG_NFT_FIB_NETDEV=m
+CONFIG_NF_FLOW_TABLE_INET=m
+CONFIG_NF_FLOW_TABLE=m
+CONFIG_NETFILTER_XTABLES=m
+CONFIG_NF_CT_PROTO_GRE=y
+CONFIG_DUMMY=y
CONFIG_NETFILTER_XT_MARK=y
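Review bot: `+CONFIG_NFT_MASQ=m` appears three times at the top of the hunk; a defconfig should list each symbol once, so drop the two duplicates. The list also goes well beyond what an IPsec demo obviously needs: CONFIG_NFT_XFRM=m and the NAT/MASQ/REDIR entries are plausible for IPsec between Docker containers, but entries such as CONFIG_NFT_OSF, CONFIG_NFT_TPROXY, CONFIG_NFT_SYNPROXY and CONFIG_NF_DUP_NETDEV are not, so either trim the list to what the demo scripts use or justify each in the commit message. Finally, `+CONFIG_NETFILTER_XTABLES=m` is added while the unchanged context line `CONFIG_NETFILTER_XT_MARK=y` depends on it; check the generated .config rather than the defconfig text to see what Kconfig actually resolves, and remember that `=m` entries only help if the modules are built and installed on the board.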
4. Build and update the LPB3588 kernel
After configuring, rebuild the kernel and flash it to the LPB3588 board. Once flashed, verify that the hardware accelerator is working with the following command:
root@LPA3588:/home/neardi/ipsec-demo# cat /proc/crypto | grep rk
Normally you get output like the following, which indicates that the hardware crypto driver has been loaded:
root@LPA3588:/home/neardi/ipsec-demo# cat /proc/crypto | grep rk
driver : authenc(hmac-sha256-rk,ecb-cipher_null)
driver : rsa-rk
driver : hmac-sm3-rk
driver : hmac-md5-rk
driver : hmac-sha512-rk
driver : hmac-sha256-rk
driver : hmac-sha1-rk
driver : sm3-rk
driver : md5-rk
driver : sha512-rk
driver : sha384-rk
driver : sha256-rk
driver : sha224-rk
driver : sha1-rk
driver : ofb-des3_ede-rk
driver : cfb-des3_ede-rk
driver : cbc-des3_ede-rk
driver : ecb-des3_ede-rk
driver : ofb-des-rk
driver : cfb-des-rk
driver : cbc-des-rk
driver : ecb-des-rk
driver : gcm-aes-rk
driver : ctr-aes-rk
driver : ofb-aes-rk
driver : cfb-aes-rk
driver : cbc-aes-rk
driver : ecb-aes-rk
driver : gcm-sm4-rk
driver : ctr-sm4-rk
driver : ofb-sm4-rk
driver : cfb-sm4-rk
driver : cbc-sm4-rk
driver : ecb-sm4-rk
[Figure: LPB3588 crypto]
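Seeing the -rk drivers listed is necessary but not sufficient: for a given algorithm name the kernel uses the highest-priority non-internal driver that is registered, so a software or ARM64 CE implementation can still win over the Crypto V2 engine. The following is an added example (not from the original article or from Rockchip) that parses /proc/crypto records and reports, per algorithm, which driver will actually serve a request such as cbc(aes); the sample records and their priorities are constructed.

```python
# Added example, not from the article: parse /proc/crypto and report which
# driver the kernel will pick per algorithm. It selects the highest-priority
# non-internal driver, so a "-rk" line in `grep rk` output alone proves little.
# Constructed sample in /proc/crypto's record format; priorities are invented.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-rk
priority     : 400

name         : cbc(aes)
driver       : cbc-aes-ce
priority     : 300

name         : __cbc(aes)
driver       : __cbc-aes-ce
priority     : 300
internal     : yes

name         : hmac(sha256)
driver       : hmac-sha256-rk
priority     : 100

name         : hmac(sha256)
driver       : hmac(sha256-ce)
priority     : 200
"""

def parse_proc_crypto(text):
    """Split /proc/crypto into records; a blank line ends each record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        pairs = (line.split(":", 1) for line in chunk.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records

def winning_drivers(text):
    """Map algorithm name -> (driver, priority) of the driver the kernel
    selects: highest priority, skipping 'internal' ones users cannot request."""
    best = {}
    for rec in parse_proc_crypto(text):
        if rec.get("internal") == "yes" or "driver" not in rec:
            continue
        prio = int(rec.get("priority", 0))
        if rec["name"] not in best or prio > best[rec["name"]][1]:
            best[rec["name"]] = (rec["driver"], prio)
    return best

def not_offloaded(text, wanted=("cbc(aes)", "hmac(sha256)"), suffix="-rk"):
    """Wanted algorithms whose selected driver is not the Rockchip (-rk) one."""
    best = winning_drivers(text)
    return {a: best.get(a) for a in wanted
            if a not in best or not best[a][0].endswith(suffix)}
```

On the board, feed it the real file with `not_offloaded(open("/proc/crypto").read())`; an empty result means the -rk driver wins for every listed algorithm.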
Printout of the enabled configuration:
root@LPA3588:/home/neardi/ipsec-demo# zcat /proc/config.gz | grep -i 'crypto.*=\(y\|m\)'
CONFIG_ARM64_CRYPTO=y
CONFIG_CRYPTO_SHA256_ARM64=y
CONFIG_CRYPTO_SHA1_ARM64_CE=y
CONFIG_CRYPTO_SHA2_ARM64_CE=y
CONFIG_CRYPTO_GHASH_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_FIPS140=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_ENGINE=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECC=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CFB=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_XXHASH=y
CONFIG_CRYPTO_BLAKE2B=y
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SM3=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_SM4=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_ARC4=y
CONFIG_CRYPTO_LIB_DES=y
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_ROCKCHIP=y
CONFIG_CRYPTO_DEV_ROCKCHIP_V1=y
CONFIG_CRYPTO_DEV_ROCKCHIP_V2=y
CONFIG_CRYPTO_DEV_ROCKCHIP_DEV=y
CONFIG_CRYPTO_DEV_ROCKCHIP2=y
Download link for the kernel with Crypto V2 enabled
5. Steps to verify the IPsec demo
Download ipsec-demo
Copy the ipsec demo to the LPB3588 and extract it
Read README.md
sudo docker load -i strongswan-image.tar.gz
sudo bash create-docker-net.sh
sudo bash raise-moon.sh
sudo bash raise-sun.sh
# In moon container
ping 10.3.0.1
# In sun container
ping 10.1.0.1
Load the Docker image
root@LPA3588:/home/neardi/ipsec-demo# sudo docker load -i strongswan-image.tar.gz
cbfdc55280b4: Loading layer [==================================================>] 68.11MB/68.11MB
cc5ac0dc51c2: Loading layer [==================================================>] 30.9MB/30.9MB
9e0b93e8a059: Loading layer [==================================================>] 151.6MB/151.6MB
16f50c47248c: Loading layer [==================================================>] 82.66MB/82.66MB
9394cc91f843: Loading layer [==================================================>] 42.07MB/42.07MB
2869eaf18303: Loading layer [==================================================>] 156.7MB/156.7MB
c3e5ce05c7f6: Loading layer [==================================================>] 11.72MB/11.72MB
957651950bc3: Loading layer [==================================================>] 4.062MB/4.062MB
31066a1e0f2b: Loading layer [==================================================>] 80.26MB/80.26MB
ce304440b511: Loading layer [==================================================>] 4.72MB/4.72MB
09cfe54993d6: Loading layer [==================================================>] 70.77MB/70.77MB
Loaded image: acr.io.aw/main/strongswan:5.9.8-focal-full-arm64
Create the Docker network
root@LPA3588:/home/neardi/ipsec-demo# sudo bash create-docker-net.sh
1dadfc4b28456af1650157e0c4bfe77299d0112c4b9c6817107946b0a567ac29
Start the Moon and Sun containers
Open two terminal sessions:
Terminal 1 (Moon):
root@LPA3588:/home/neardi/ipsec-demo# sudo bash raise-moon.sh
Starting strongSwan 5.9.8 IPsec [starter]...
ipsec_starter[12]: Starting strongSwan 5.9.8 IPsec [starter]...
ipsec_starter[15]: charon (16) started after 220 ms
loaded pool 'rw_pool'
successfully loaded 1 pools, 0 unloaded
Terminal 2 (Sun):
root@LPA3588:/home/neardi/ipsec-demo# sudo bash raise-sun.sh
Starting strongSwan 5.9.8 IPsec [starter]...
ipsec_starter[7]: Starting strongSwan 5.9.8 IPsec [starter]...
ipsec_starter[10]: charon (11) started after 40 ms
loaded certificate from '/etc/swanctl/x509/sunCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded RSA key from '/etc/swanctl/private/sunKey.pem'
loaded connection 'home'
successfully loaded 1 connections, 0 unloaded
Ping test through the tunnel between the Moon and Sun containers
In the Moon container, ping the tunnel address of the Sun container (10.3.0.1):
root@73e14fa174e0:/# ping 10.3.0.1
PING 10.3.0.1 (10.3.0.1) 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.789 ms
64 bytes from 10.3.0.1: icmp_seq=2 ttl=64 time=0.735 ms
64 bytes from 10.3.0.1: icmp_seq=3 ttl=64 time=0.743 ms
64 bytes from 10.3.0.1: icmp_seq=4 ttl=64 time=0.691 ms
64 bytes from 10.3.0.1: icmp_seq=5 ttl=64 time=0.719 ms
64 bytes from 10.3.0.1: icmp_seq=6 ttl=64 time=0.654 ms
64 bytes from 10.3.0.1: icmp_seq=7 ttl=64 time=0.656 ms
64 bytes from 10.3.0.1: icmp_seq=8 ttl=64 time=0.512 ms
64 bytes from 10.3.0.1: icmp_seq=9 ttl=64 time=0.501 ms
64 bytes from 10.3.0.1: icmp_seq=10 ttl=64 time=0.513 ms
64 bytes from 10.3.0.1: icmp_seq=11 ttl=64 time=0.520 ms
64 bytes from 10.3.0.1: icmp_seq=12 ttl=64 time=0.501 ms
64 bytes from 10.3.0.1: icmp_seq=13 ttl=64 time=0.509 ms
64 bytes from 10.3.0.1: icmp_seq=14 ttl=64 time=0.510 ms
--- 10.3.0.1 ping statistics ---
14 packets transmitted, 14 received, 0% packet loss, time 13094ms
rtt min/avg/max/mdev = 0.501/0.610/0.789/0.106 ms
In the Sun container, ping the tunnel address of the Moon container (10.1.0.1):
root@e1f1afcf25fe:/# ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.812 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from 10.1.0.1: icmp_seq=3 ttl=64 time=0.841 ms
64 bytes from 10.1.0.1: icmp_seq=4 ttl=64 time=0.658 ms
64 bytes from 10.1.0.1: icmp_seq=5 ttl=64 time=0.688 ms
64 bytes from 10.1.0.1: icmp_seq=6 ttl=64 time=0.601 ms
64 bytes from 10.1.0.1: icmp_seq=7 ttl=64 time=0.680 ms
64 bytes from 10.1.0.1: icmp_seq=8 ttl=64 time=0.546 ms
64 bytes from 10.1.0.1: icmp_seq=9 ttl=64 time=0.539 ms
64 bytes from 10.1.0.1: icmp_seq=10 ttl=64 time=0.508 ms
64 bytes from 10.1.0.1: icmp_seq=11 ttl=64 time=0.608 ms
64 bytes from 10.1.0.1: icmp_seq=12 ttl=64 time=0.650 ms
--- 10.1.0.1 ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11076ms
rtt min/avg/max/mdev = 0.508/0.650/0.841/0.097 ms
Low latency and no packet loss in both directions indicates that the tunnel is working normally.
Check the logs to verify the connection
In the Moon container, inspect the charon.log file. This log contains the details of the IPsec configuration, including the IKE (Internet Key Exchange) negotiation and the messages confirming that the IPsec tunnel was established: