Using the UltraSPARC T2 crypto accelerators
By sprack on Aug 23, 2007
Ease of use is central to ensuring widespread use of the UltraSPARC T2 cryptographic accelerators. With Solaris, we have tried to make the process of accessing the accelerators as seamless as possible.
Access to the UltraSPARC T2 accelerators from userland is controlled by the Solaris Cryptographic Framework (SCF), and there are a variety of simple routes via which a userland application can offload to the accelerators:
Direct offload: the SCF uses the PKCS#11 Cryptographic Token Interface (Cryptoki). In order to communicate directly with the SCF, an application should leverage the PKCS#11 API. For PKCS#11-compliant applications, it's then just a simple matter of linking with libpkcs11.so (located in /usr/lib). Given the fairly widespread use of the PKCS#11 interface, especially with respect to traditional off-chip crypto accelerators, many applications already leverage PKCS#11. If an application doesn't already use the PKCS#11 interface, it is pretty straightforward to modify the application. A number of good docs about the SCF and developing simple PKCS#11-compliant applications can be found here and here.
OpenSSL offload: if the application uses OpenSSL (and many do), access to the accelerators can be achieved by linking with the OpenSSL libraries supplied with Solaris 10, which have the PKCS#11 engine built in. These are located in /usr/sfw/lib:
cc -fast -I /usr/sfw/include -L /usr/sfw/lib -lcrypto aes_test.c -o aes_test.out
Additionally, it is necessary to force the use of the pkcs11 engine; this procedure is documented here. Something akin to the following does the trick:
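ENGINE *e;
/* Register the engines built into this OpenSSL, including pkcs11 */
ENGINE_load_builtin_engines();
e = ENGINE_by_id("pkcs11");
/* Make the pkcs11 engine the default for symmetric ciphers */
ENGINE_set_default_ciphers(e);
/* Subsequent EVP cipher calls are now serviced by the engine */
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
EVP_EncryptUpdate (.....);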
Java offload: for applications that utilize the Java Cryptographic Extensions (JCE), the application should simply be configured to utilize the SunPKCS11-Solaris provider in order to use the hardware accelerators on the T2 processor. Good Java security tips can be found here.
It's also possible to access the accelerators via NSS, as described here.
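The Java route above, as an added example that is not from the original post: it requests a cipher from the SunPKCS11-Solaris provider by name, falls back to the default provider search when that provider is absent, and reports which provider serviced the request. The class name, the AES transformation and the all-zero demo key and IV are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class T2OffloadCheck {  // hypothetical class name
    // Provider name from the text above; it is only registered on Solaris JREs.
    static final String HW_PROVIDER = "SunPKCS11-Solaris";
    // Assumed transformation; the token may not offer every mode/padding.
    static final String TRANSFORM = "AES/CBC/PKCS5Padding";

    // Ask the PKCS#11 provider explicitly; fall back to the default provider
    // search order if it is not registered or lacks the transformation.
    static Cipher hwCipher(String transform) throws Exception {
        Provider p = Security.getProvider(HW_PROVIDER);
        if (p != null) {
            try {
                return Cipher.getInstance(transform, p);
            } catch (NoSuchAlgorithmException e) {
                System.err.println(HW_PROVIDER + " does not offer " + transform);
            }
        } else {
            System.err.println(HW_PROVIDER + " is not registered in this JRE");
        }
        return Cipher.getInstance(transform);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and IV (all zeros); not for real use.
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        byte[] plain = "constructed sample plaintext".getBytes("UTF-8");

        Cipher enc = hwCipher(TRANSFORM);
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ct = enc.doFinal(plain);

        Cipher dec = hwCipher(TRANSFORM);
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        boolean ok = Arrays.equals(plain, dec.doFinal(ct));

        // The provider name shows which JCE implementation handled the request.
        System.out.println("provider=" + enc.getProvider().getName()
                + " roundtrip=" + ok);
    }
}
```

A provider name of SunPKCS11-Solaris confirms only that the JCE call was handed to the Solaris Cryptographic Framework; whether the framework then services it in hardware depends on the framework's own configuration.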
This isn't a definitive guide to accessing the accelerators. I plan to have more details available going forward.