Enabling DM_Crypt Functionality in SDK release 6.00
Note: This document is intended for use with SDK release 6.00 and Ubuntu 10.04 LTS. If you are using a
different release, certain steps, such as exporting the toolchain PATH, will differ.
Proceed accordingly.
Code Steps will be shown in Courier New Font.
Assumptions: This tutorial assumes a clean install of SDK 6.00 and that setup.sh has
been run with all needed setup scripts. Run create-sdcard.sh once on the chosen SD card to
create a fresh install for later modification.
Note: Some SD card readers will automount the boot and rootfs filesystems as read-only. These
must be remounted read-write or this tutorial will fail.
Building the Kernel
In order to build the Linux kernel you will need a cross compiler installed on your system
which can generate object code for the ARM core in your Sitara device. In the case of the
AMSDK this compiler is shipped inside the SDK under <sdk install dir>/linux-devkit (the exact
bin directory is the one exported below). If you have not already done so, add this compiler to your
path by doing:
export PATH="<sdk install dir>/linux-devkit/sysroots/i686-arago-linux/usr/bin:$PATH"
Where <sdk install dir> should be replaced with the directory where the SDK was
installed.
It is important that when using the GCC toolchain provided with the SDK or stand-alone
from TI that you do NOT source the environment-setup file included with the toolchain
when building the kernel. Doing so will cause the compilation of host side components
within the kernel tree to fail.
The following commands are intended to be run from the root of the kernel tree unless
otherwise specified. The root of the kernel tree is the top-level directory and can be
identified by looking for the "MAINTAINERS" file.
Next, enter the kernel build directory and clean the kernel sources:
cd <sdk install dir>/board-support/linux*
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- mrproper
Configure the kernel for the default AM335x installation:
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- am335x_evm_defconfig
Next, it is important to further modify the kernel configuration to enable DM_Crypt.
Enter menuconfig.
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
Enter “Device Drivers”
Press Y to enable “Multiple devices driver support (RAID and LVM)”
Press Enter and Y to enable “Device mapper support (NEW)”
Press Y to enable “Device mapper debugging support (NEW)”
Press Y to enable “Crypt target support (NEW)”
Hardware acceleration for crypto should be enabled by default.
Affirm that “Cryptographic API->Hardware crypto devices” is enabled
Affirm that “Cryptographic API->Hardware crypto devices->Support for OMAP4 AES hw engine” is enabled
Affirm that “Cryptographic API->Hardware crypto devices->Support for OMAP4 SHA/MD5 hw engine” is enabled
Exit menuconfig and build the kernel. This should take around 10 minutes.
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- uImage
This will result in a kernel image file called uImage being created in the arch/arm/boot/
directory. Copy this file to the /boot partition of your SD card, overwriting any
uImage already present there.
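The menuconfig steps above are easy to get wrong, and a kernel that boots but lacks the crypt target only fails later when cryptsetup runs. The following POSIX shell script is an added example (not part of the original tutorial or the SDK) that inspects the generated .config for the symbols behind those menu entries. CONFIG_MD, CONFIG_BLK_DEV_DM, CONFIG_DM_CRYPT and CONFIG_CRYPTO_HW are standard kernel symbols; CONFIG_CRYPTO_DEV_OMAP4_AES and CONFIG_CRYPTO_DEV_OMAP4_SHAM are assumed to be the symbols for the two "OMAP4 ... hw engine" entries in the TI kernel tree and should be confirmed from the Help (?) screen of those entries in menuconfig. The two .config fragments it checks are constructed sample data.

```shell
# Added example (not from the original page): verify a kernel .config contains
# the options the DM_Crypt menuconfig steps enable. Run as:
#   sh check-dm-crypt-config.sh   (then call check_dm_crypt_config <path>/.config)

# Kconfig symbols behind the menuconfig entries. CONFIG_DM_DEBUG is optional and
# not checked. The two OMAP4 symbols are ASSUMED names for the "Support for OMAP4
# AES hw engine" / "SHA/MD5 hw engine" entries; confirm them in menuconfig Help.
DM_CRYPT_REQUIRED="CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_HW CONFIG_CRYPTO_DEV_OMAP4_AES CONFIG_CRYPTO_DEV_OMAP4_SHAM"

# symbol_state <.config> <CONFIG_X>: prints y, m, or n (absent or "is not set").
symbol_state() {
    if grep -q "^$2=y$" "$1"; then echo y
    elif grep -q "^$2=m$" "$1"; then echo m
    else echo n
    fi
}

# missing_dm_crypt_symbols <.config>: one line per required symbol that is
# neither built in nor a module. The tutorial presses Y everywhere, so =m is
# tolerated only with a warning (a module must be loaded before cryptsetup runs).
missing_dm_crypt_symbols() {
    for sym in $DM_CRYPT_REQUIRED; do
        case $(symbol_state "$1" "$sym") in
            y) ;;
            m) echo "warning: $sym built as module, not built in" >&2 ;;
            n) echo "$sym" ;;
        esac
    done
}

# check_dm_crypt_config <.config>: returns 0 when nothing is missing, 1 otherwise.
check_dm_crypt_config() {
    missing=$(missing_dm_crypt_symbols "$1")
    if [ -n "$missing" ]; then
        printf 'missing options in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    echo "all dm-crypt options present in $1"
}

# Constructed sample .config fragments for demonstration (not real SDK output).
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_DEBUG=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_OMAP4_AES=y
CONFIG_CRYPTO_DEV_OMAP4_SHAM=y
EOF
cat > "$BAD_CFG" <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=m
# CONFIG_DM_CRYPT is not set
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_OMAP4_AES=y
EOF

check_dm_crypt_config "$GOOD_CFG"
check_dm_crypt_config "$BAD_CFG" || echo "sample bad config rejected as expected"
```

Point check_dm_crypt_config at <sdk install dir>/board-support/linux*/.config after leaving menuconfig; a non-zero exit means the kernel should not be built yet.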
Cross Compiling Cryptsetup
export PATH="<sdk install dir>/linux-devkit/sysroots/i686-arago-linux/usr/bin:$PATH"
source <SDK INSTALL DIR>/linux-devkit/environment-setup
cd <SDK INSTALL DIR>/linux-devkit/sysroots/armv7ahf-vfp-neon-3.2-oe-linux-gnueabi
Cross compile libgpg-error
wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.bz2
bzcat libgpg-error-1.9.tar.bz2 | tar xv
cd libgpg-error-1.9
./configure --enable-static --host=arm-linux-gnueabihf --prefix=<mount-point of sd-card root>/usr
(NOTE: The command above will likely look something like
./configure --enable-static --host=arm-arago-linux-gnueabi --prefix=/media/rootfs/usr)
make
make install
./configure --enable-static --host=arm-linux-gnueabihf --prefix=<sdk root directory>/linux-devkit/sysroots/i686-arago-linux/usr/
make
make install
cd ../
NOTE: there should be no compilation-halting failures
Cross compile libgcrypt
wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2
bzcat libgcrypt-1.5.2.tar.bz2 | tar xv
cd libgcrypt-1.5.2
./autogen.sh
./configure --enable-static --host=arm-linux-gnueabihf --prefix=<sdk root directory>/linux-devkit/sysroots/i686-arago-linux/usr/
make
make install
./configure --enable-static --host=arm-linux-gnueabihf --prefix=<mount-point of sd-card root>/usr
make
make install
cd ../
NOTE: there should be no compilation-halting failures
Cross compile LVM2
wget ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.98.tgz
tar xzvf LVM2.2.02.98.tgz
cd LVM2.2.02.98
export ac_cv_func_malloc_0_nonnull=yes
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure --host=arm-linux-gnueabihf --enable-lvm1_fallback --enable-fsadm --with-clvmd=cman --with-cluster=internal --with-pool=internal --with-user= --with-group= --with-device-uid=0 --with-device-gid=6 --with-device-mode=0660 --enable-pkgconfig --with-clvmd=none --with-pool=none --with-cluster=none --with-snapshots=none --with-mirrors=none --prefix=<sdk root directory>/linux-devkit/sysroots/armv7ahf-vfp-neon-3.2-oe-linux-gnueabi/usr/
make
make install
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure --host=arm-linux-gnueabihf --enable-lvm1_fallback --enable-fsadm --with-clvmd=cman --with-cluster=internal --with-pool=internal --with-user= --with-group= --with-device-uid=0 --with-device-gid=6 --with-device-mode=0660 --enable-pkgconfig --with-clvmd=none --with-pool=none --with-cluster=none --with-snapshots=none --with-mirrors=none --prefix=<mount-point of sd-card root>/usr
make
make install
cd ../
NOTE: there should be no compilation-halting failures
Cross compile cryptsetup
wget http://cryptsetup.googlecode.com/files/cryptsetup-1.6.1.tar.bz2
bzcat cryptsetup-1.6.1.tar.bz2 | tar xv
cd cryptsetup-1.6.1
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure --host=arm-linux-gnueabihf --build=arm-linux --enable-static --prefix=<mount-point of sd-card root>/usr
make
make install
cd ../
NOTE: there should be no compilation-halting failures
Using Cryptsetup
Remove the SD card from your computer and place it in the SD card slot on the AM335x
EVM. This tutorial assumes a USB drive has enumerated as /dev/sda1. It is also possible
to use a loopback device (/dev/loop0) or RAM (/dev/ram0) as the encrypted partition
if one wishes.
To create and mount an encrypted partition:
cryptsetup --cipher aes-cbc-null --key-size 128 --hash sha256 luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 enc-pv
mke2fs -T ext2 /dev/mapper/enc-pv
mount /dev/mapper/enc-pv /mnt
To mount an already created encrypted partition:
cryptsetup luksOpen /dev/sda1 enc-pv
mount /dev/mapper/enc-pv /mnt
To unmount an encrypted partition:
umount /mnt
cryptsetup luksClose enc-pv
Verification of Hardware Crypto Accelerators for Cryptsetup
To verify that the hardware accelerators (referred to as HWA) are active at all, run:
time -v openssl speed -evp aes-128-cbc -engine cryptodev
If HWA are active, “Percent of CPU this job got:” should be around 40-50%.
If HWA are inactive, “Percent of CPU this job got:” should be around 80-90%.
Once HWA are confirmed to be active in general, they need to be confirmed active and
functioning for cryptsetup specifically.
For this task, there are two recommended methods. One checks for HWA routines in
memory and requires an external JTAG emulator and access to Code Composer Studio. The other is an
empirical approach that checks for an excessive number of EDMA IRQs (IRQ #12). The
first approach should be used if the equipment is available, since it is the more
reliable method.
HWA Routine Method
Connect a JTAG emulator to the AM335x and, in Code Composer Studio, connect to the ARM A8
while Linux is running. If Code Composer resets the AM335x memory on
connection, comment out the body of the OnTargetConnect() function in the ARM A8 GEL
file in use. This prevents the GEL file from initializing the AM335x on
connection, so the memory of the running Linux is not reset.
Open “View->Disassembly”
To find where to put the hardware breakpoints for the HWA functions, use the
leftmost column of the output of the following commands run in Linux:
cat /proc/kallsyms | grep "omap4_aes_cbc_encrypt"
cat /proc/kallsyms | grep "omap4_aes_crypt"
cat /proc/kallsyms | grep "omap4_aes_cbc_decrypt"
Place hardware breakpoints at these locations and mount an encrypted filesystem.
cd <mount-point of encrypted filesystem>
dd if=/dev/zero of=bigfile bs=1M count=100
This is an example of creating a file in the encrypted filesystem. One should now
observe the omap4_aes_cbc_encrypt and omap4_aes_crypt breakpoints being
hit in Code Composer.
cat /mnt/bigfile
This is an example of reading a file from the encrypted filesystem. One should now
observe the omap4_aes_cbc_decrypt breakpoint being hit in Code Composer.
EDMA Observation Method
Mount an encrypted filesystem and enter the directory.
cd <mount-point of encrypted filesystem>
Note the number of EDMA interrupts that have occurred using the following:
cat /proc/interrupts
Create a file in the encrypted file system using the following:
time -v dd if=/dev/zero of=bigfile bs=1M count=100
Note the number of EDMA interrupts that have now occurred using the following:
cat /proc/interrupts
Subtract the EDMA interrupt count from the first /proc/interrupts call from the count in
the second /proc/interrupts call, and divide the difference by the wall-clock seconds reported by the
time -v dd command. If the number of EDMA interrupts per wall second is above
1000, it is highly likely that cryptsetup is using the HWA drivers. Repeat this trial
several times to rule out false positives and negatives.
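Both checks in this section come down to reading numbers out of two text formats: the "Percent of CPU" and "Elapsed (wall clock) time" lines printed by GNU time -v (the /usr/bin/time binary, not the shell builtin, which has no -v), and the per-IRQ counters in /proc/interrupts. The POSIX shell functions below are an added example, not part of the original tutorial, that do that arithmetic for the openssl check and for the EDMA observation method. They assume the EDMA line in /proc/interrupts carries IRQ number 12 as the tutorial states (override with EDMA_IRQ if your kernel numbers it differently); the two /proc/interrupts snapshots and the time -v output embedded here are constructed sample data, not captured from a board.

```shell
# Added example (not from the original page): helpers for the HWA verification
# steps. Needs only POSIX sh and awk. Typical use on the target:
#   cat /proc/interrupts > before; /usr/bin/time -v dd ... 2> timing; cat /proc/interrupts > after
#   edma_rate before after timing

# edma_count <interrupts-file>: sum the per-CPU counters of the EDMA IRQ line.
# Field 1 is "NN:", then one counter per CPU until the first non-numeric field
# (the controller name). The IRQ number defaults to 12 per the tutorial (ASSUMED
# to be stable across SDK 6.00 kernels; check your own /proc/interrupts).
edma_count() {
    awk -v irq="${EDMA_IRQ:-12}" '
        $1 == (irq ":") { for (i = 2; i <= NF; i++) { if ($i ~ /^[0-9]+$/) s += $i; else break } }
        END { print s + 0 }' "$1"
}

# wall_seconds <time-v-output>: parse "Elapsed (wall clock) time (h:mm:ss or m:ss): 0:10.00"
# into seconds, handling both the m:ss.ff and h:mm:ss forms GNU time emits.
wall_seconds() {
    awk -F': ' '/Elapsed \(wall clock\) time/ {
        n = split($NF, p, ":")
        if (n == 3) print p[1] * 3600 + p[2] * 60 + p[3]
        else print p[1] * 60 + p[2]
    }' "$1"
}

# cpu_percent <time-v-output>: the number from "Percent of CPU this job got: 42%",
# used for the openssl speed check (roughly 40-50% with HWA, 80-90% without).
cpu_percent() {
    awk -F': ' '/Percent of CPU this job got/ { sub(/%/, "", $NF); print $NF }' "$1"
}

# edma_rate <before> <after> <time-v-output>: EDMA IRQs per wall second (truncated
# to an integer). Fails if the wall time is zero or unparsable.
edma_rate() {
    b=$(edma_count "$1"); a=$(edma_count "$2"); w=$(wall_seconds "$3")
    awk -v a="$a" -v b="$b" -v w="$w" 'BEGIN {
        if (w + 0 <= 0) { print "error: no usable wall-clock time" > "/dev/stderr"; exit 1 }
        printf "%d\n", (a - b) / w }'
}

# hwa_verdict <rate>: apply the tutorial threshold of 1000 EDMA IRQs per wall second.
hwa_verdict() {
    if [ "$1" -gt 1000 ]; then echo "likely HWA"; else echo "likely software crypto"; fi
}

# Constructed sample data (single-core layout like the AM335x; not real captures).
EDMA_BEFORE=$(mktemp); EDMA_AFTER=$(mktemp); TIME_OUT=$(mktemp)
cat > "$EDMA_BEFORE" <<'EOF'
           CPU0
 12:      1500      INTC  edma
 28:     12345      INTC  tps65217
 72:       500      INTC  OMAP UART0
EOF
cat > "$EDMA_AFTER" <<'EOF'
           CPU0
 12:     31500      INTC  edma
 28:     12350      INTC  tps65217
 72:       600      INTC  OMAP UART0
EOF
cat > "$TIME_OUT" <<'EOF'
	Command being timed: "dd if=/dev/zero of=bigfile bs=1M count=100"
	User time (seconds): 0.01
	System time (seconds): 4.20
	Percent of CPU this job got: 42%
	Elapsed (wall clock) time (h:mm:ss or m:ss): 0:10.00
EOF

rate=$(edma_rate "$EDMA_BEFORE" "$EDMA_AFTER" "$TIME_OUT")
echo "EDMA IRQs per wall second: $rate ($(hwa_verdict "$rate"))"
echo "CPU share of the timed job: $(cpu_percent "$TIME_OUT")%"
```

Because the tutorial asks for several trials, keep each pair of snapshots and run edma_rate on each; a single run that straddles unrelated DMA activity (display, Ethernet) can inflate the count, which is why the threshold is paired with repetition rather than treated as exact.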