
openssl: disable cryptodev by default

Message ID 1488992224-2962-1-git-send-email-ross.burton@intel.com
State New

Commit Message

Ross Burton March 8, 2017, 4:57 p.m. UTC
Cryptodev is a way for userspace to access the kernel crypto drivers (and so,
hardware crypto).

Not all hardware supports cryptodev so this is something that should be enabled
in a BSP layer instead of in oe-core.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-connectivity/openssl/openssl.inc       | 2 ++
 meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----
 2 files changed, 2 insertions(+), 5 deletions(-)

-- 
2.8.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Martin Jansa March 8, 2017, 5:05 p.m. UTC | #1
On Wed, Mar 08, 2017 at 04:57:04PM +0000, Ross Burton wrote:
> Cryptodev is a way for userspace to access the kernel crypto drivers (and so,
> hardware crypto).
>
> Not all hardware supports cryptodev so this is something that should be enabled
> in a BSP layer instead of in oe-core.


How is BSP layer supposed to enable this without being considered toxic
to all other layers which might support MACHINEs with the same
TUNE_PKGARCH?

> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
>  meta/recipes-connectivity/openssl/openssl.inc       | 2 ++
>  meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----
>  2 files changed, 2 insertions(+), 5 deletions(-)
>

> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc

> index 9afa5bd..03dee0e 100644

> --- a/meta/recipes-connectivity/openssl/openssl.inc

> +++ b/meta/recipes-connectivity/openssl/openssl.inc

> @@ -15,7 +15,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \

>            "

>  S = "${WORKDIR}/openssl-${PV}"

>  

> +PACKAGECONFIG ??= ""

>  PACKAGECONFIG[perl] = ",,,"

> +PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"

>  

>  AR_append = " r"

>  TERMIO_libc-musl = "-DTERMIOS"

> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> index 1973f81..4436ba3 100644

> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> @@ -1,10 +1,5 @@

>  require openssl.inc

>  

> -# For target side versions of openssl enable support for OCF Linux driver

> -# if they are available.

> -DEPENDS += "cryptodev-linux"

> -

> -CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"

>  CFLAG_append_class-native = " -fPIC"

>  

>  LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"

> -- 

> 2.8.1



-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com
Mark Hatle March 8, 2017, 5:28 p.m. UTC | #2
On 3/8/17 10:57 AM, Ross Burton wrote:
> Cryptodev is a way for userspace to access the kernel crypto drivers (and so,
> hardware crypto).


If the BSP does not support crypto dev, what is the harm in this?  It should
fall back to standard behaviors.

> Not all hardware supports cryptodev so this is something that should be enabled
> in a BSP layer instead of in oe-core.


This would make the package be machine specific, which I'm not sure is good for
a package like openssl.  (Distro specific, I'm fine with -- machine I've got
concerns.)

--Mark

> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
>  meta/recipes-connectivity/openssl/openssl.inc       | 2 ++
>  meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----
>  2 files changed, 2 insertions(+), 5 deletions(-)
>

> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc

> index 9afa5bd..03dee0e 100644

> --- a/meta/recipes-connectivity/openssl/openssl.inc

> +++ b/meta/recipes-connectivity/openssl/openssl.inc

> @@ -15,7 +15,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \

>            "

>  S = "${WORKDIR}/openssl-${PV}"

>  

> +PACKAGECONFIG ??= ""

>  PACKAGECONFIG[perl] = ",,,"

> +PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"

>  

>  AR_append = " r"

>  TERMIO_libc-musl = "-DTERMIOS"

> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> index 1973f81..4436ba3 100644

> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> @@ -1,10 +1,5 @@

>  require openssl.inc

>  

> -# For target side versions of openssl enable support for OCF Linux driver

> -# if they are available.

> -DEPENDS += "cryptodev-linux"

> -

> -CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"

>  CFLAG_append_class-native = " -fPIC"

>  

>  LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"

> 


Richard Purdie March 8, 2017, 5:35 p.m. UTC | #3
On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:
> On 3/8/17 10:57 AM, Ross Burton wrote:
> > 
> > Cryptodev is a way for userspace to access the kernel crypto
> > drivers (and so,
> > hardware crypto).
> If the BSP does not support crypto dev, what is the harm in this?  It
> should fall back to standard behaviors.

Note that the implication here is that openssl depends on the kernel
building and many other pieces of the system depend on openssl so it
does bottleneck the build somewhat. 

It also means a kernel rebuild ends up triggering half the userspace to
rebuild which is annoying for users.


> > Not all hardware supports cryptodev so this is something that
> > should be enabled
> > in a BSP layer instead of in oe-core.
> This would make the package be machine specific, which I'm not sure
> is good for
> a package like openssl.  (Distro specific, I'm fine with -- machine
> I've got
> concerns.)

How commonly are kernel crypto drivers used?

Cheers,

Richard
Ross Burton March 8, 2017, 5:43 p.m. UTC | #4
On 8 March 2017 at 17:35, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:

> Note that the implication here is that openssl depends on the kernel
> building and many other pieces of the system depend on openssl so it
> does bottleneck the build somewhat.
>
> It also means a kernel rebuild ends up triggering half the userspace to
> rebuild which is annoying for users.


I swear I was seeing this, but can't see how it would happen now.  The bulk
of this patch is a sensible cleanup anyway so I shall verify my tests and
most likely resubmit.

Ross
Richard Purdie March 8, 2017, 5:44 p.m. UTC | #5
On Wed, 2017-03-08 at 17:35 +0000, Richard Purdie wrote:
> On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:
> > 
> > On 3/8/17 10:57 AM, Ross Burton wrote:
> > > 
> > > 
> > > Cryptodev is a way for userspace to access the kernel crypto
> > > drivers (and so,
> > > hardware crypto).
> > If the BSP does not support crypto dev, what is the harm in
> > this?  It
> > should fall back to standard behaviors.
> Note that the implication here is that openssl depends on the kernel
> building and many other pieces of the system depend on openssl so it
> does bottleneck the build somewhat. 
> 
> It also means a kernel rebuild ends up triggering half the userspace
> to rebuild which is annoying for users.

Just to clarify, it doesn't depend on the kernel module, only on a
header so it shouldn't be triggering kernel dependencies. I was getting
some recipe names confused.

I think Ross is going to take another look at this patch...

Cheers,

Richard
Mark Hatle March 8, 2017, 5:44 p.m. UTC | #6
On 3/8/17 11:35 AM, Richard Purdie wrote:
> On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:
>> On 3/8/17 10:57 AM, Ross Burton wrote:
>>>
>>> Cryptodev is a way for userspace to access the kernel crypto
>>> drivers (and so,
>>> hardware crypto).
>> If the BSP does not support crypto dev, what is the harm in this?  It
>> should fall back to standard behaviors.
>
> Note that the implication here is that openssl depends on the kernel
> building and many other pieces of the system depend on openssl so it
> does bottleneck the build somewhat.


I thought the crypto dev interface had been standardized and no longer required
a specific kernel-specific instance.  If this is not true, then it's effectively
machine specific already.

> It also means a kernel rebuild ends up triggering half the userspace to
> rebuild which is annoying for users.
>
>>> Not all hardware supports cryptodev so this is something that
>>> should be enabled
>>> in a BSP layer instead of in oe-core.
>> This would make the package be machine specific, which I'm not sure
>> is good for
>> a package like openssl.  (Distro specific, I'm fine with -- machine
>> I've got
>> concerns.)
>
> How commonly are kernel crypto drivers used?


We are seeing it used a lot, especially on IA platforms.  (I have seen some
usage on an arm platform, but don't remember which.)

--Mark

> Cheers,
>
> Richard



Patch

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 9afa5bd..03dee0e 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -15,7 +15,9 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           "
 S = "${WORKDIR}/openssl-${PV}"
 
+PACKAGECONFIG ??= ""
 PACKAGECONFIG[perl] = ",,,"
+PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"
 
 AR_append = " r"
 TERMIO_libc-musl = "-DTERMIOS"
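
Review bot: In the added PACKAGECONFIG[cryptodev] line the two defines move out of CFLAG and into the option's enable field, but nothing in this patch shows the recipe consuming the PACKAGECONFIG arguments. The removed code in openssl_1.0.2k.bb put -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS directly into CFLAG; unless the Configure call or CFLAG picks up ${PACKAGECONFIG_CONFARGS}, enabling the option would pull in cryptodev-linux as a build dependency while still building without the cryptodev engine. Please show or add that wiring in the same patch. The disable field is also asymmetric: it passes -UHAVE_CRYPTODEV but leaves USE_CRYPTODEV_DIGESTS alone; either leave the field empty, as the [perl] entry does, or undefine both.
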
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
index 1973f81..4436ba3 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -1,10 +1,5 @@ 
 require openssl.inc
 
-# For target side versions of openssl enable support for OCF Linux driver
-# if they are available.
-DEPENDS += "cryptodev-linux"
-
-CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
 CFLAG_append_class-native = " -fPIC"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
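
Review bot: Dropping the unconditional DEPENDS and CFLAG lines changes the default for every existing user: images that relied on hardware offload through cryptodev will move to software crypto with no build-time signal. The commit message should say how to opt back in (for example, adding cryptodev to PACKAGECONFIG from distro configuration) and, given the TUNE_PKGARCH concern raised in the thread, state that a machine-scoped override also needs the recipe's package architecture made machine-specific. The removed comment described the setting as being for target-side builds while the lines applied to every class, so it is worth confirming that native and nativesdk builds are meant to lose it as well.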