devnp-mpcsec.so

Hardware Crypto Engine driver


Note: This driver is shipped only with the BSPs that need it.

Syntax:

io-pkt-variant -d mpcsec [option[,option ...]] ... &

where variant is one of v4, v4-hc, or v6-hc.

Runs on:

Neutrino

Options:


Note: Use commas, not spaces, to separate the options. Use these options to override the defaults.

irq=N
IRQ of the interface. The driver will attempt to autodetect the IRQ; if that doesn't work, you can specify it manually using this option. Note that the 85xx sec interrupt is 29 (decimal), and the 83xx sec interrupt is 11 (decimal).
verbose=num
Be verbose. If num is 1, the driver displays configuration data; if num is 2, it also runs initialization tests and displays diagnostic counters periodically.

Description:

The devnp-mpcsec.so shared object is a Hardware Crypto Engine driver. This is a native io-pkt driver; its interface names are in the form tsecX, where X is an integer.

Some devices support hardware checksums, although some might do so in only one direction; to determine if your device does, type:

ifconfig tsecX

and look for the following in the list of supported options:

You can then use ifconfig to enable or disable whichever of these options your device supports.


Note: Native io-pkt and ported NetBSD drivers don't put entries into the /dev/io-net namespace, so a waitfor command for such an entry won't work properly in buildfiles or scripts. Use if_up -p instead; for example, instead of waitfor /dev/io-net/tsec0, use if_up -p tsec0.

Examples:

On the 85xx, start the v6 TCP/IP variant of io-pkt, using the devnp-mpcsec.so SEC driver and the TSEC Ethernet driver with IPsec enabled in the stack:

io-pkt-v6-hc -d /proc/boot/devnp-mpcsec.so verbose=2 -p tcpip-v6 \
 ipsec -d /proc/boot/devnp-mpc85xx.so mac=00112233AABBCC
# config the (2nd) ethernet port
ifconfig tsec1 10.42.110.239
# config md5-hmac ah and des-cbc esp for IPsec to peer 10.42.110.212
setkey -c << EOF
add 10.42.110.212 10.42.110.239 ah 9877 -A hmac-md5 "1234567890123456";
add 10.42.110.239 10.42.110.212 ah 9878 -A hmac-md5 "1234567890123456";
add 10.42.110.212 10.42.110.239 esp 9881 -E des-cbc "12345678";
add 10.42.110.239 10.42.110.212 esp 9882 -E des-cbc "12345678";
spdadd 10.42.110.239 10.42.110.212 any -P out ipsec esp/transport//use ah/transport//use;
EOF

# on peer 10.42.110.212 run this:
setkey -c << EOF
add 10.42.110.212 10.42.110.239 ah 9877 -A hmac-md5 "1234567890123456";
add 10.42.110.239 10.42.110.212 ah 9878 -A hmac-md5 "1234567890123456";
add 10.42.110.212 10.42.110.239 esp 9881 -E des-cbc "12345678";
add 10.42.110.239 10.42.110.212 esp 9882 -E des-cbc "12345678";
spdadd 10.42.110.212 10.42.110.239 any -P out ipsec esp/transport//use ah/transport//use;
EOF

See also:

devn-*, devnp-*, ifconfig, io-pkt, nicinfo