Difference between revisions of "Crypto API overview"

[quality revision] [quality revision]
m
 
m (Update LUCK reference)


Template:ArticleMainWriter Template:ArticleApprovedVersion


SUMMARY
The Crypto API is a cryptography framework in the Linux® kernel. It is dedicated to the parts of the kernel that deal with cryptography, such as IPsec and dm-crypt.

1 Framework purpose[edit]

The purpose of this article is to introduce the Crypto API framework:

  • general information
  • main component/stakeholders
  • how to use the Crypto API
  • use cases

The Crypto API framework mainly includes all popular hash and block ciphers (encryption) functions.

A hash is a string or number generated from a text string. The length of the resulting string or number is fixed and widely varies with small variations of the input. The best hashing algorithms are designed so that it is impossible to turn a hash back into its original string. Hashing is particularly useful to compare a value with a stored value. However it cannot store its plain representation for security reasons. This makes hashing an ideal solution to store passwords.

Encryption turns data into a series of unreadable characters which length is not fixed. The encrypted strings can reversed back into their original decrypted form if the right key is not provided. Encrypting a confidential file is a good way to prevent anyone from accessing its content.

Drivers for CRYP (block cipher), HASH (hash) and CRC (cyclic redundancy check) are integrated within the Crypto API kernel service.

2 System overview[edit]

Alternate text
Crypto API

2.1 Description of the components[edit]

Info.png OpenSSL and dm-crypt are not part of the Crypto API framework but they are typical users of the Crypto API services.

From User space to hardware

  • OpenSSL (User space)

OpenSSL[1] is a software library supporting the TLS and SSL protocols as well as cryptographic functions. Openssl is available in OpenSTLinux distribution.

  • dm-crypt (Kernel space)

dm-crypt[2] is a kernel disk encryption subsystem. It is natively available in the standard Linux kernel.

  • Cryptodev (Kernel space)

Cryptodev[3] is a device driver which provides a general interface for userland applications. Although it is not part of the standard Linux kernel, it is available in OpenSTLinux distribution.

  • CryptoAPI core (Kernel space)

This layer represents the standard Linux kernel cryptographic framework.

  • hash, cryp and crc32 (Kernel space)

These are the cryptographic Linux drivers handling the HW blocks.

  • HASH, CRYP and CRC (Hardware)

These HW blocks handle hash, ciphering, and CRC checksum.

2.2 API description[edit]

The Crypto API is documented in the Linux Kernel Crypto API section of the Linux Kernel documentation[4]. It offers both a kernel and a userland interface:

  • kernel internal interface, used in particular by dm-crypt.
  • userland algorithm interface (socket) named AF_ALG[5]. OpenSSL can use this interface.

In addition to the socket user interface, a more friendly interface, the cryptodev, can be used. It offers the /dev/crypto ioctl API. It is roughly described by the cryptodev.h[6] header file. OpenSSL can be configured to use this interface as an alternative to the historical AF_ALG interface.

3 Configuration[edit]

The Crypto API is activated by default in ST deliveries. Nevertheless, if a specific configuration is required, you can use Linux Menuconfig tool: Menuconfig or how to configure kernel and select:

[*] Cryptographic API  --->
    [*]   Hardware crypto devices  --->
        [*]   Support for STM32 crc accelerators
        [*]   Support for STM32 hash accelerators
        [*]   Support for STM32 crypto accelerators

4 How to use the Crypto API framework[edit]

The Crypto API framework can be used by other kernel modules.

The Crypto API documentation provides kernel code examples[7]:

  • Symmetric-key cipher operation.
  • Operational state memory with SHASH.

5 Use cases[edit]

  • Disk encryption

This is a typical example of Crypto API framework usage. Refer to LUKS[8] for a standard disk encryption process.

6 How to trace and debug the framework[edit]

6.1 How to monitor[edit]

The list of available ciphers is given in /proc/crypto:

Board $> cat /proc/crypto

Output part showing that an STM32 driver provides with the CRC32 cipher:

...
name         : crc32
driver       : stm32-crc32
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 4 
...

6.2 How to trace[edit]

There are no specific traces for this framework.

6.3 How to debug[edit]

There are no specific debug means for this framework.

7 Generic source code location[edit]

8 References[edit]

  1. OpenSSL a software library supporting the TLS and SSL protocols as well as cryptographic functions.
  2. dm-crypt a kernel disk encryption subsystem
  3. Cryptodev a device driver which provides a general interface for userland applications
  4. Linux Kernel Crypto API the official crypto API kernel documentation
  5. Crypto API Userland interface specification of the userland API
  6. cryptodev.h cryptodev header file specifying the userland API
  7. Crypto API kernel code examples some kernel code examples using the Crypto API framework
  8. LUKS (Linux Unified Key Setup ) a disk encryption specification
<noinclude>

{{ArticleBasedOnModel | [[Framework overview article model]]}}
{{ArticleMainWriter | FabienD}}
{{ArticleApprovedVersion | FabienD | LionelD, Jean-PhilippeR | FabienD - 21Sept'17 | AnneJ - 29'June18 - 7954 | 29'June18}}

[[Category:Crypto|0]]
{{ReviewsComments|JCT 1840: alignment needed with the last version of the model [[Framework overview article model]]<br>

[[Category:ToBeAlignedWithModel]]
}}</noinclude>


'''SUMMARY '''<br>

The Crypto API is a cryptography framework in the Linux<sup>&reg;</sup> kernel. It is dedicated to the parts of the kernel that deal with cryptography, such as IPsec and dm-crypt.

== Framework purpose ==
The purpose of this article is to introduce the Crypto API framework:
* general information
* main component/stakeholders
* how to use the Crypto API
* use cases

The Crypto API framework mainly includes all popular '''hash''' and '''block ciphers''' (encryption) functions.

A '''hash''' is a string or number generated from a text string. The length of the resulting string or number is fixed and widely varies with small variations of the input. The best hashing algorithms are designed so that it is impossible to turn a hash back into its original string. Hashing is particularly useful to compare a value with a stored value. However it cannot store its plain representation for security reasons. This makes hashing an ideal solution to store passwords.

'''Encryption''' turns data into a series of unreadable characters which length is not fixed. The encrypted strings can reversed back into their original decrypted form if the right key is not provided. Encrypting a confidential file is a good way to prevent anyone from accessing its content.

Drivers for CRYP (block cipher), HASH (hash) and CRC (cyclic redundancy check) are integrated within the Crypto API kernel service.

==System overview==
[[File:cryptoapi.png|thumb|center|766px|link=|alt=Alternate text|Crypto API]]

===Description of the components===
{{Info| OpenSSL and dm-crypt are not part of the Crypto API framework  but they are typical users of the Crypto API services.}}

''From User space to hardware''
*'''OpenSSL''' (User space)
OpenSSL<ref>[https://www.openssl.org/ OpenSSL] a software library supporting the TLS and SSL protocols as well as cryptographic functions.</ref> is a software library supporting the TLS and SSL protocols as well as cryptographic functions. Openssl is available in OpenSTLinux distribution.

*'''dm-crypt''' (Kernel space)
dm-crypt<ref>[https://en.wikipedia.org/wiki/Dm-crypt dm-crypt] a kernel disk encryption subsystem</ref> is a kernel disk encryption subsystem. It is natively available in the standard Linux kernel.

*'''Cryptodev''' (Kernel space)
Cryptodev<ref>[http://www.logix.cz/michal/devel/cryptodev/ Cryptodev] a device driver which provides a general interface for userland applications</ref> is a device driver which provides a general interface for userland applications. Although it is not part of the standard Linux kernel, it is available in OpenSTLinux distribution.

*'''CryptoAPI core''' (Kernel space)
This layer represents the standard Linux kernel cryptographic framework.

*'''hash''', '''cryp''' and '''crc32''' (Kernel space)
These are the cryptographic Linux drivers handling the HW blocks.

*'''HASH''', '''CRYP''' and '''CRC''' (Hardware)
These HW blocks handle hash, ciphering, and CRC checksum.

===API description===
The Crypto API is documented in the Linux Kernel Crypto API section of the Linux Kernel documentation<ref>[https://www.kernel.org/doc/html/latest/crypto/index.html Linux Kernel Crypto API] the official crypto API kernel documentation</ref>. It offers both a kernel and a userland interface:
*kernel internal interface, used in particular by dm-crypt.
*userland algorithm interface (socket) named AF_ALG<ref>[https://www.kernel.org/doc/html/latest/crypto/userspace-if.html Crypto API Userland interface] specification of the userland API</ref>. OpenSSL can use this interface.

In addition to the socket user interface, a more friendly interface, the cryptodev, can be used. It offers the /dev/crypto ioctl API. It is roughly described by the cryptodev.h<ref>[https://github.com/nmav/cryptodev-linux/blob/master/crypto/cryptodev.h cryptodev.h] cryptodev header file specifying the userland API</ref> header file. OpenSSL can be configured to use this interface as an alternative to the historical AF_ALG interface.

==Configuration ==
The Crypto API is activated by default in ST deliveries. Nevertheless, if a specific configuration is required, you can use Linux Menuconfig tool: [[Menuconfig or how to configure kernel | Menuconfig or how to configure kernel ]] and select:
<pre>

[*] Cryptographic API  --->
    [*]   Hardware crypto devices  --->
        [*]   Support for STM32 crc accelerators
        [*]   Support for STM32 hash accelerators
        [*]   Support for STM32 crypto accelerators</pre>


== How to use the Crypto API framework==
The Crypto API framework can be used by other kernel modules.

The Crypto API documentation provides kernel code examples<ref>[https://www.kernel.org/doc/html/latest/crypto/api-samples.html Crypto API kernel code examples] some kernel code examples using the Crypto API framework</ref>:
* Symmetric-key cipher operation.
* Operational state memory with SHASH.

== Use cases==
* Disk encryption
This is a typical example of Crypto API framework usage. Refer to LUKS<ref>[https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.mdwikis/home LUKS (Linux Unified Key Setup )] a disk encryption specification</ref> for a standard disk encryption process.

==How to trace and debug the framework==

=== How to monitor ===
The list of available ciphers is given in /proc/crypto:
 {{Board$}} cat /proc/crypto
Output part showing that an STM32 driver provides with the CRC32 cipher:
 ...
 name         : '''crc32'''
 driver       : '''stm32-crc32'''
 module       : kernel
 priority     : 200
 refcnt       : 1
 selftest     : passed
 internal     : no
 type         : shash
 blocksize    : 1
 digestsize   : 4 
 ...

=== How to trace ===
There are no specific traces for this framework.

=== How to debug ===
There are no specific debug means for this framework.

==Generic source code location==
*{{CodeSource | Linux kernel | crypto | CryptoAPI core}}
*{{CodeSource | Linux kernel | include/linux/crypto.h | CryptoAPI interface}}
*{{CodeSource | Linux kernel | drivers/crypto/stm32 | stm32 crypto drivers}}

==References==
<references />
Line 80: Line 80:
 
== Use cases==
 
== Use cases==
 
* Disk encryption
 
* Disk encryption
This is a typical example of Crypto API framework usage. Refer to LUKS<ref>[https://gitlab.com/cryptsetup/cryptsetup/wikis/home LUKS (Linux Unified Key Setup )] a disk encryption specification</ref> for a standard disk encryption process.
+
This is a typical example of Crypto API framework usage. Refer to LUKS<ref>[https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md LUKS (Linux Unified Key Setup )] a disk encryption specification</ref> for a standard disk encryption process.
   
 
==How to trace and debug the framework==
 
==How to trace and debug the framework==

Attachments

Discussions