Since I couldn't find any documentation on the web, and others might be interested in this as well, below are the steps required to get the mv_cesa crypto device running inside an LXC container too:
- check for the device number of the crypto device within the host:
$ ls -lh /dev/crypto
crw-rw-rw- 1 root root 10, 58 Sep 9 04:37 /dev/crypto
- add the following with the appropriate device numbers to the LXC config:
lxc.cgroup.devices.allow = c 10:58 rwm
lxc.mount.entry=/dev/crypto dev/crypto none bind
- start and attach to the LXC container with the example name LXCNAME:
$ lxc-start -n LXCNAME
$ lxc-attach -n LXCNAME
- install the cryptodev variant of the openssl package within the LXC container, e.g. ArchLinux ARM:
$ pacman -S openssl-cryptodev
- double-check that CESA is not available yet:
$ openssl engine
(dynamic) Dynamic engine loading support
- create the device node within the LXC container:
$ mknod -m 666 /dev/crypto c 10 58
- recheck that CESA is available now:
$ openssl engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support
- Now one would like to make the crypto device node persist across container restarts. There are two solutions, a clean one and a hack. Clean: the host creates it; hack: systemd within the LXC container creates it. Let's go for the clean approach. First shut down the LXC container, which automatically brings the console back to the host:
$ shutdown -h now
- within the host create a hook-dev.sh script:
$ touch /srv/lxc/LXCNAME/hook-dev.sh
- fill the hook-dev.sh script with:
#!/bin/sh
mknod -m 666 ${LXC_ROOTFS_MOUNT}/dev/crypto c 10 58
- make it executable:
$ chmod +x /srv/lxc/LXCNAME/hook-dev.sh
- and add the following to the LXC config:
lxc.autodev = 1
lxc.hook.autodev = /srv/lxc/LXCNAME/hook-dev.sh
- restart the LXC container and check that the crypto device exists:
$ lxc-start -n LXCNAME
$ lxc-attach -n LXCNAME
$ ls -lh /dev/crypto
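Pulling the steps above into one host-side helper, as an added example that is not part of the original post: it reads the major/minor numbers from stat(1) instead of copying them from ls -lh, emits the two LXC config lines and the hook-dev.sh body, and can confirm that an existing config already grants the device. The function names are this example's own; the default node mode 666 matches the post.

```shell
#!/bin/sh
# Added helper, not part of the forum post: derive the LXC lines for a host
# character device from stat(1) instead of copying the numbers from "ls -lh".
# Function names (hex2dec, dev_numbers, lxc_dev_lines, hook_body, cfg_allows)
# are this example's own.

# stat prints major/minor (%t/%T) in hex; lxc.cgroup.devices.allow wants decimal.
hex2dec() { printf '%d\n' "$((0x$1))"; }

# dev_numbers PATH: print "MAJOR MINOR" in decimal, fail if PATH is not a char device.
dev_numbers() {
    [ -c "$1" ] || { echo "not a character device: $1" >&2; return 1; }
    maj=$(stat -c '%t' "$1") && min=$(stat -c '%T' "$1") || return 1
    echo "$(hex2dec "$maj") $(hex2dec "$min")"
}

# lxc_dev_lines MAJOR MINOR PATH: the cgroup allow + bind-mount lines for the LXC config.
lxc_dev_lines() {
    printf 'lxc.cgroup.devices.allow = c %s:%s rwm\n' "$1" "$2"
    printf 'lxc.mount.entry=%s %s none bind\n' "$3" "${3#/}"
}

# hook_body MAJOR MINOR PATH [MODE]: body of hook-dev.sh run via lxc.hook.autodev.
# MODE defaults to 666 as in the post; 660 plus a dedicated group would limit
# which users inside the container can open the engine.
hook_body() {
    printf '#!/bin/sh\n'
    printf 'mknod -m %s ${LXC_ROOTFS_MOUNT}%s c %s %s\n' "${4:-666}" "$3" "$1" "$2"
}

# cfg_allows FILE MAJOR MINOR: succeed only if FILE already grants c MAJOR:MINOR rwm,
# i.e. opening the node after mknod will not be refused by the devices cgroup.
cfg_allows() {
    grep -Eq "^lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+$2:$3[[:space:]]+rwm" "$1"
}

# Usage on the host: sh this.sh /dev/crypto  -> prints the config stanza and hook body.
if [ $# -eq 1 ]; then
    nums=$(dev_numbers "$1") || exit 1
    set -- "$1" $nums
    lxc_dev_lines "$2" "$3" "$1"
    echo "--- hook-dev.sh ---"
    hook_body "$2" "$3" "$1"
fi
```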
Performance difference of OpenSSL running in a LXC container on Turris Omnia (LXC: ArchLinux ARM, OpenSSL 1.1.0f 25 May 2017):
without CESA:
$ openssl speed -elapsed
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128 cbc   52244.84k  56235.95k  57947.65k  58386.77k   58485.42k   58512.73k
aes-192 cbc   45435.00k  48243.46k  49410.82k  49787.90k   49886.55k   49949.35k
aes-256 cbc   40156.08k  42207.68k  43060.57k  43287.55k   43409.41k   43401.22k
$ openssl speed -elapsed -evp
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128-cbc   45071.30k  54032.15k  57328.55k  58189.82k   58482.69k   58250.58k
aes-192-cbc   39709.57k  46521.62k  48943.36k  49591.64k   49793.71k   49790.98k
aes-256-cbc   35532.03k  40856.53k  42719.83k  43228.84k   43141.80k   43275.61k
with CESA (implicit):
$ openssl speed -elapsed
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128 cbc   52273.96k  56370.39k  57992.36k  58381.65k   58488.15k   58376.19k
aes-192 cbc   45454.22k  48287.32k  49451.09k  49746.26k   49815.55k   49829.21k
aes-256 cbc   40128.84k  42223.34k  43119.79k  43339.43k   43423.06k   43357.53k
$ openssl speed -elapsed -evp
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128-cbc   932.09k    3736.49k   10498.40k  34319.70k   87375.87k   95114.58k
aes-192-cbc   937.24k    3734.06k   10391.81k  33792.00k   83580.25k   91630.25k
aes-256-cbc   933.85k    3736.28k   10356.48k  33200.13k   80584.70k   87233.88k
with CESA (explicit):
$ openssl speed -elapsed -engine cryptodev
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128 cbc   52359.45k  56383.15k  57976.49k  58405.55k   58518.19k   58359.81k
aes-192 cbc   45462.99k  48312.41k  49441.62k  49732.61k   49831.94k   49856.51k
aes-256 cbc   40145.91k  42265.07k  43119.96k  43331.58k   43376.64k   43461.29k
$ openssl speed -elapsed -engine cryptodev -evp
type          16 bytes   64 bytes   256 bytes  1024 bytes  8192 bytes  16384 bytes
aes-128-cbc   928.81k    3707.54k   10409.73k  34230.27k   87075.50k   95262.04k
aes-192-cbc   934.06k    3733.74k   10384.90k  33594.03k   82944.00k   90576.21k
aes-256-cbc   931.14k    3701.72k   10309.55k  33102.17k   80557.40k   87457.79k
A similar approach, but on a bare-metal Turris Omnia without LXC containers, has been pursued here: https://forum.test.turris.cz/t/hw-crypto-marvell-cesa-working/1276