Using the UltraSPARC T2 crypto accelerators

Ease of use is central to ensuring widespread use of the UltraSPARC T2 cryptographic accelerators. With Solaris, we have tried to make the process of accessing the accelerators as seamless as possible.

Access to the UltraSPARC T2 accelerators from userland is controlled by the Solaris Cryptographic Framework (SCF), and there are a variety of simple routes via which a userland application can offload to the accelerators:

Direct offload - the SCF uses the PKCS#11 Cryptographic Token Interface (Cryptoki). In order to communicate directly with the SCF, an application should leverage the PKCS#11 API. For PKCS#11 compliant applications, it's then just a simple matter of linking with libpkcs11.so (located in /usr/lib). Given the fairly widespread use of the PKCS#11 interface, especially with respect to traditional off-chip crypto accelerators, many applications already leverage PKCS#11. If an application doesn't already use the PKCS#11 interface, it is pretty straightforward to modify the application. A number of good docs about the SCF and developing simple PKCS#11 compliant applications can be found here and here.

OpenSSL Offload - if the application uses OpenSSL (and many do), access to the accelerators can be achieved by linking with the OpenSSL libraries supplied with Solaris 10, which have the PKCS#11 engine built in. These are located in /usr/sfw/lib:

cc -fast -I /usr/sfw/include -L /usr/sfw/lib -lcrypto aes_test.c -o aes_test.out

Additionally, it is necessary to force the use of the pkcs11 engine; this procedure is documented here. Something akin to the following does the trick:

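#include <stdlib.h>
#include <openssl/engine.h>
#include <openssl/evp.h>

ENGINE *e;
ENGINE_load_builtin_engines();              /* register the engines built into libcrypto */
e = ENGINE_by_id("pkcs11");                 /* NULL if the pkcs11 engine is not available */
if (e == NULL || !ENGINE_set_default_ciphers(e))
    abort();                                /* do not continue silently in software */
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);   /* cipher now comes from the default engine */
EVP_EncryptUpdate (.....);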

Java Offload - for applications that utilize the Java Cryptographic Extensions (JCE), the application should simply be configured to utilize the SunPKCS11-Solaris provider in order to use the hardware accelerators on the T2 processor. Good Java security info and tips can be found here.
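The following is an added example, not code from the original post: it requests a cipher from the SunPKCS11-Solaris provider explicitly, stops if that provider is not installed, and reports which provider an unmodified Cipher.getInstance() call would get. The class name, the AES/CBC/NoPadding transformation and the random sample data are assumptions; the check confirms which JCE provider serves the call, not that the request reached the T2 hardware.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class T2OffloadCheck {                        // hypothetical class name
    static final String PROVIDER = "SunPKCS11-Solaris";   // provider named in the text
    static final String XFORM = "AES/CBC/NoPadding";      // assumed transformation

    static byte[] encrypt(Cipher c, byte[] key, byte[] iv, byte[] data) throws Exception {
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Fail closed: without the provider, JCE would quietly use a software one.
        Provider p11 = Security.getProvider(PROVIDER);
        if (p11 == null) {
            throw new IllegalStateException(PROVIDER + " is not installed in this JRE");
        }

        // Constructed sample input: random key, IV and four AES blocks of data.
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[16], data = new byte[64];
        rng.nextBytes(key);
        rng.nextBytes(iv);
        rng.nextBytes(data);

        Cipher viaToken = Cipher.getInstance(XFORM, p11);   // explicit provider
        Cipher viaDefault = Cipher.getInstance(XFORM);      // whatever java.security prefers
        byte[] ct1 = encrypt(viaToken, key, iv, data);
        byte[] ct2 = encrypt(viaDefault, key, iv, data);

        // Both paths must agree on the ciphertext, whichever provider ran them.
        if (!Arrays.equals(ct1, ct2)) {
            throw new IllegalStateException("providers disagree on ciphertext");
        }
        System.out.println("explicit request served by: " + viaToken.getProvider().getName());
        System.out.println("default request served by:  " + viaDefault.getProvider().getName());
    }
}
```

If the second line does not name SunPKCS11-Solaris, applications that rely on the default provider order are not being routed through the PKCS#11 provider.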

It's also possible to access the accelerators via NSS, as described here.

This isn't a definitive guide to accessing the accelerators. I plan to have more details available going forward.



Comments:

i need anty filter

Posted by saeed on August 23, 2007 at 09:06 AM PDT #

Interesting post, thanks. Do you know if there is some kind of legal FAQ on the consequences of using the crypto hardware accelerator?

Posted by Marc on August 24, 2007 at 12:01 AM PDT #

About

Dr. Spracklen is a senior staff engineer in the Architecture Technology Group (Sun Microelectronics), which is focused on architecting and modeling next-generation SPARC processors. His current focus is hardware accelerators.
