[dpdk-dev] OpenSSL Cryptodev PMD and openssl engine

Trahe, Fiona fiona.trahe at intel.com
Thu Apr 27 13:50:20 CEST 2017

Hi Srivathsan,

From: Aravamudan Srivathsan [mailto:Srivathsan.Aravamudan at technicolor.com]
Sent: Thursday, April 27, 2017 2:20 AM
To: Trahe, Fiona <fiona.trahe at intel.com>; dev at dpdk.org
Cc: Doherty, Declan <declan.doherty at intel.com>
Subject: Re: OpenSSL Cryptodev PMD and openssl engine

Hi Fiona,

Thank you for the reply.

I have a crypto device that is connected to PCI. It can do standard crypto operations like AES, DES, and so on.

I have openssl engine (a plugin) for this.

Our environment is

We have DPDK application for routing, forwarding, IPSec etc. (All routing and tunnelling)

We also have IoT application which would like to use the Openssl for doing some crypto operations.

My intention is

1. To use the existing openssl infrastructure (without writing the crypto PMD) to use the hardware acclearation.

2. Share the same device not only for doing the IPsec but also for doing crypto operations outside the DPDK EAL.

Yes the OpenSSL will have extra layer and do a copy of buffer, but the crypto operations will still happen in the driver.

[Fiona] There would be other development effort needed. It's probably not a seamless port, as

the openssl engine infrastructure isn't in the OpenSSL PMD. The PMD is just a wrapper for the calls to the

encryption APIs. Engines in OpenSSL go through a phase of init to load the engine dynamic object. You would probably need to port large sections of this code to the init sequences of the PMD. It's not clear how or if this would fit in the PMD. This is on top of the performance issues already mentioned.

Let me know if i make sense.


From: Trahe, Fiona <fiona.trahe at intel.com<mailto:fiona.trahe at intel.com>>
Sent: Wednesday, April 26, 2017 9:52 PM
To: Aravamudan Srivathsan; dev at dpdk.org<mailto:dev at dpdk.org>
Cc: Trahe, Fiona; Doherty, Declan
Subject: RE: OpenSSL Cryptodev PMD and openssl engine

** WARNING: This mail is from an external source **

Hi Srivathsan,

> -----Original Message-----
> From: dev [mailto:dev-bounces at dpdk.org] On Behalf Of Aravamudan
> Srivathsan
> Sent: Wednesday, April 26, 2017 8:49 AM
> To: dev at dpdk.org<mailto:dev at dpdk.org>
> Subject: [dpdk-dev] OpenSSL Cryptodev PMD and openssl engine
> Hi All,
> We have a openssl engine available. Is it possible to use the openssl Crypto
> PMD to do the hardware offloading? I am trying to see if i can avoid writing
> the cryptopmd also to reuse the use of the device shared between the DPDK
> and other process.
> Thank you
> Srivathsan

It might be possible to plug your openssl engine in below the openssl PMD,
but you would lose the advantage of offloading bursts to the hardware and
would add an extra translation layer on the data path so it
would likely not be a performant solution.
Can you clarify a little how you want to share the device? i.e.
is the other process using the device directly with openssl and is the DPDK process
for IPSec or is this also for ssl?

More information about the dev mailing list