tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

GSoc2010 project suggestion: swcryptX

I've been thinking about speeding up crypto following the previous discussion, and would like to propose offering the following project for this year's Google Summer of Code:

     Abstract: The goal of this project is to provide crypto acceleration by
     utilizing multiple CPU cores. The work is to extend the existing
     software-only "swcrypto" crypto driver and hook that up with NetBSD's
     OpenCrypto framework. Work is expected to make the opencrypto(9)
     framework itself MP-safe.

Overview of operation

   The opencrypto(9) framework exists to coordinate hardware acceleration in
   NetBSD. Applications of the framework can be inside the kernel like the
   FAST_IPSEC IPsec implementation, or in userland like OpenSSL with the
   "cryptodev" engine. Crypto drivers can be realized in software or in
   hardware. Hardware drivers can be used to instruct e.g. the AMD Geode LX's
   AES block or a HIFN chip to perform cryptographic operations. Upon system
   startup, the crypto drivers at the opencrypto(9) framework, telling what
   operations they can perform. When an operation is required later, the
   framework will look which crypto device is currently not busy, and offload
   the operation to that device. Upon completion, the result is fed back to
   the application.

   The image at [1] illustrates the components and their interaction.


   Offloading the cryptographic requests involves some overhead. Data needs
   to be transferred to the hardware and back. On systems with a slow CPU,
   this overhead is relatively small compared to the operation speed of the
   CPU. On faster CPUs, the overhead becomes more of a burden, making the
   benefit of the crypto hardware negligible.

   As examples, while a hifn(4) chip can provide worthwhile speedups on
   500MHz and 1GHz CPUs, no performance win is experienced on a 2.4GHz CPU.


   The communication overhead involves data transfers over a PCI bus, which
   is of relatively low speed compared to today's modern CPUs. Preventing the
   data transfer is a worthwhile goal. In coordination with today's modern
   multi-core CPUs, using one or more CPUs solely for the purpose of crypto
   acceleration, a measurable improvement of crypto performance is expected.
   At the same time, no special hardware requirements beyond the CPU exist.
   This allows turning standard contemporary systems into fast crypto systems

   The image at [2] illustrates the idea of interoperation between a CPU

   core that runs the kernel and application codes and three cores that are
   dedicated to crypto code.

Implementation Roadmap

   This is where it gets fishy. ;) The existing opencrypto(4) framework
   probably needs to be make MP-aware at the same time, employing proper use
   of NetBSD's locking framework. The existing swcrypto(4) needs to be
   adjusted for operation on multiple CPUs at the same time. A way to decide
   how many CPUs are dedicated to run swcrypto(4) instances. CPUs that run
   swcrypto(4) need to be taken out from the usual NetBSD CPU scheduling so
   that they are available exclusively for crypto.


   In no particular order:
     * Know how to build and install a kernel
     * Understanding of fine grained SMP and locking
     * How to use NetBSD's kernel threads, code-wise
     * How to interact with NetBSD's scheduler, code-wise
     * Tell the scheduler to pin a specific kernel thread to a specific CPU
     * Interaction between applications (IPsec, OpenSSL) with opencrypto(9),
     * Interaction of crypto providers with opencrypto(9), code-wise
     * Hardware! You won't be able to do this without at least two CPU cores
       in your machine. The more the better.
     * Benchmarking & a test setup for it

Project Applications

   Please follow the NetBSD Project Application/Proposal HowTo[3] if
   you're serious to work on this project.

   If you have any questions let me know, public discussion should be led
   on the tech-crypto@ list.


P.S.: I'm not really in a position to mentor this. Mentors welcome! :)
P.P.S.: This proposal is also available at

Home | Main Index | Thread Index | Old Index