--- Preparing the server ---

=> Make sure you use an unwanted disk (we will wipe it) that is at least 5 Gigs in size.
=> Install Fedora Core 4

--- end ---

--- Installing Fedora Core 4 ---

Insert Disk1
Power up and type "linux text" at the boot prompt.
Skip the Media Test
Select OK at the Welcome Screen
Select English at the Language Window
Select US at the Keyboard Window
Select Custom at the System Configuration Selection Window
Select Autopartition
Select "Remove all Partitions on this system" and OK
Select OK in the Partitioning Window
Select "Use Grub bootloader"
Do not define any special options for the Grub bootloader
Do not put a Grub password
Select OK on the Boot Loader Configuration Window
Select to Install on Master Boot Record
Choose DHCP for Network Configuration for all your devices
Select DHCP at the Host Name Configuration Window
Select "No Firewall" at the Firewall Window
Confirm this selection in the next window
Disable the Security Enhanced Linux
Select and confirm your timezone
Choose and enter a root password
In the Package Selection Window, only select the following groups:
    Editors
    Text-Based Internet
    Development Tools
    System Tools
Once you have confirmed your selection, the installation will actually begin.
At this point, you might get a disk partitioning error; if this occurs, reboot the machine and start again; this error will not appear again.
Stick around as the installation will ask you for all 4 FC4 CDs.
In case of total panic on your part, please refer to http://fedora.redhat.com/docs/fedora-install-guide-en/fc4/

=> Once the installation is completed and the machine has rebooted, log in and:
    yum update yum
    yum update
    yum install mkinitrd
    adduser -m
    passwd
    reboot

--- end ---

--- Building the latest version of OCF kernel ---

=> As a regular user, scp #ocf from hifn.xelerance.com
    cd $HOME
    scp @hifn.xelerance.com:/hifn/MASTER/files/linux-2.6-ocf-b59b29.tgz .

=> extract the tar file
    tar -xzvf linux-2.6-ocf-b59b29.tgz
    cd linux-ocf-b59b29
    cp /boot/config-`uname -r` .config
    make oldconfig

=> Answer "y" to the following items, for all others, just use the default:
    KLIPS26
    KLIPS_OCF
    OCF_OCF
    OCF_CRYPTODEV
    OCF_HIFN

=> Make sure CONFIG_OCF_CRYPTOSOFT is NOT set
    grep CONFIG_OCF_CRYPTOSOFT .config

=> Make sure CONFIG_LOCALVERSION_AUTO is NOT set:
    grep CONFIG_LOCALVERSION_AUTO .config

=> We have to set XFS off, since it prevents the kernel compile from completing.
=> edit .config and set:
    CONFIG_XFS_FS=n

=> edit Makefile and check the version, also add -ocf to the EXTRAVERSION.

=> for extra debug, edit crypto/ocf/cryptodev.c and change:
    static int debug = 0;
   to
    static int debug = 1;
   [This will enable LOTS of debugging. Only use when problems are found. It will likely render any benchmarking numbers completely useless!]

=> build everything:
    make bzImage modules

--- end ---

--- Installing the latest ocf kernel ---

=> You will need to do the following as root:
    su - root
    cd ~/linux-ocf-b59b29

=> install the modules
    make modules_install

=> install the kernel
    mount /boot
    cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.15-rc1-ocf
    cp .config /boot/config-2.6.15-rc1-ocf
    cp System.map /boot/System.map-2.6.15-rc1-ocf
    /sbin/mkinitrd /boot/initrd-2.6.15-rc1-ocf.img 2.6.15-rc1-ocf

=> edit /etc/grub.conf and add a menu item, before any other items:
    title OCF Linux, kernel 2.6.15-rc1-ocf
        root (hd0,0)
        kernel /vmlinuz-2.6.15-rc1-ocf root=/dev/VolGroup00/LogVol00 ro
        initrd /initrd-2.6.15-rc1-ocf.img

=> You are now ready to boot into the new kernel:
    reboot

=> Select the OCF kernel in the grub menu.

=> Log in and verify that /dev/crypto exists. This should have been created by the OCF and udev code. You do not need to manually mknod it. If at some point it has vanished, it means the OCF kernel code crashed.
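
The kernel-config answers and the /dev/crypto check above, collected into one script (an added example, not part of the original guide). It assumes each item answered "y" appears in .config as CONFIG_<name>=y and that the config was copied to /boot as shown; sample_config is constructed test input.

```shell
# Added example, not from the original guide. Assumption: each item answered
# "y" in `make oldconfig` appears in .config as CONFIG_<name>=y.
REQUIRED="KLIPS26 KLIPS_OCF OCF_OCF OCF_CRYPTODEV OCF_HIFN"
FORBIDDEN="OCF_CRYPTOSOFT LOCALVERSION_AUTO XFS_FS"

# check_config FILE: print each problem; return 1 if any, 2 if unreadable.
check_config() {
    cfg=$1; bad=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    for opt in $REQUIRED; do
        grep -q "^CONFIG_${opt}=y\$" "$cfg" ||
            { echo "not built in: CONFIG_${opt}"; bad=1; }
    done
    for opt in $FORBIDDEN; do
        # "# CONFIG_X is not set", "CONFIG_X=n" or no line at all are fine.
        if grep -q "^CONFIG_${opt}=[ym]\$" "$cfg"; then
            echo "must be off: CONFIG_${opt}"; bad=1
        fi
    done
    return "$bad"
}

# check_kernel RELEASE: the guide adds -ocf to EXTRAVERSION in the Makefile.
check_kernel() {
    case $1 in *-ocf*) return 0 ;; esac
    echo "kernel $1 is not the -ocf build"; return 1
}

# check_cryptodev PATH: udev creates /dev/crypto as a character device.
check_cryptodev() {
    [ -c "$1" ] && return 0
    echo "$1 is missing or not a character device"; return 1
}

# preflight: run all three checks against the booted system.
preflight() {
    rc=0
    check_kernel "$(uname -r)" || rc=1
    check_config "/boot/config-$(uname -r)" || rc=1
    check_cryptodev /dev/crypto || rc=1
    return "$rc"
}

# sample_config: constructed .config excerpt (not a real build) with two faults.
sample_config() {
    printf '%s\n' CONFIG_KLIPS26=y CONFIG_KLIPS_OCF=y CONFIG_OCF_OCF=y \
        CONFIG_OCF_CRYPTODEV=y '# CONFIG_OCF_HIFN is not set' CONFIG_OCF_CRYPTOSOFT=y
}
```

After sourcing the file on the test box, preflight prints one line per problem and returns non-zero if any check fails.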

--- end ---

--- Install crypto-tools ---

=> As a normal user, go to http://ocf-linux.sourceforge.net/ and download crypto-tools-20060331.tgz and ocf-linux20060331.tgz
    wget http://superb-west.dl.sourceforge.net/sourceforge/ocf-linux/crypto-tools-20060331.tar.gz
    wget http://superb-west.dl.sourceforge.net/sourceforge/ocf-linux/ocf-linux-20060331.tar.gz
    tar -zxvf crypto-tools-20060331.tar.gz
    tar -zxvf ocf-linux-20060331.tar.gz
    cd ocf-linux-20060331
    tar -xzvf ocf-linux.tar.gz

=> install some files as root
    su root
    mkdir /usr/include/crypto
    cp ocf/cryptodev.h /usr/include/crypto/

=> get out of root account
    exit
    cd ..
    cd crypto-tools
    make

--- end ---

--- Test with crypto-tools ---

=> Switch to root and run a test
    su - root
    cd ~
    cd crypto-tools
    ./cryptotest -a 3des 100000 1400

=> With the Hifn card in, you should see at least 150 Mb/sec. If the command returns immediately without any output, it is because it cannot access any ocf devices, and since we ONLY enabled Hifn device in OCF, this means that we are either not booted into the correct kernel, or we did not enable OCF and Hifn card properly in the kernel config before we compiled the kernel. So, restart the --- Building the latest version of OCF kernel --- and --- Installing the latest ocf kernel --- steps.
[if OCF debugging was enabled in the kernel, you will see a LOT of messages]

--- end ---

--- Compiling OpenSSL 0.9.8a ---

=> As root,
    su - root

=> download openssl-0.9.8a-6ocf.src.rpm from hifn.xelerance.com
    scp @hifn.xelerance.com:/hifn/MASTER/files/openssl-0.9.8a-6ocf.src.rpm /usr/src/redhat/SRPMS/

=> also download openssl097f-0.9.7f-1
    scp @hifn.xelerance.com:/hifn/MASTER/files/openssl097f-0.9.7f-1.i386.rpm /usr/src/redhat/RPMS/i386/

=> Install the openssl compat rpm overriding dependencies
    rpm --force --nodeps -ihv /usr/src/redhat/RPMS/i386/openssl097*

=> build and install the new openssl-ocf package
    rpm -ihv /usr/src/redhat/SRPMS/openssl-0.9.8a-6ocf.src.rpm
    rpmbuild -ba /usr/src/redhat/SPECS/openssl.spec
    rpm -Uhv /usr/src/redhat/RPMS/i386/openssl*0.9.8*

--- end ---

--- Making a base self-contained testrun ---

=> Remove the card
=> lspci to make sure the card is not there
=> Note your kernel version
=> Note your processor speed
=> Note your Bogomips and amount of CPUs active
    openssl speed -evp -elapsed -engine none
=> Run the same with golden packets
=> Also show how to do it with only certain algos

--- end ---

--- Making a comparative self-contained testrun ---

=> Insert the card
=> lspci to see the card
=> Note your kernel version
=> Note your processor speed
=> Note your Bogomips and amount of CPUs active
    openssl speed -evp -elapsed -engine cryptodev
=> Run the same with golden packets
=> Also show how to do it with only certain algos

--- end ---

--- Configuring a manually keyed IPSec SA with Openswan ---

=> As root, start Openswan:
    /etc/init.d/ipsec start

=> As root, run the following commands:
    ipsec eroute --clear
    ipsec spi --clear

    OURIP=
    HISIP=
    OURKEY=0x0123456789abcdef02468ace13579bdf123456789abcdef0
    HISKEY=0x0123456789abcdef02468ace13579bdf123456789abcdef0
    OURAUTH=0x123456789abcdef02468ace013579bdf
    HISAUTH=0x123456789abcdef02468ace013579bdf

    route delete -host $HISIP gw $HISIP dev ipsec0

    ipsec spi --af inet --edst $HISIP --dst $HISIP --spi 0x101 --proto esp --src $OURIP --esp 3des-md5-96 --enckey $HISKEY --authkey $HISAUTH
    ipsec spi --af inet --edst $OURIP --dst $OURIP --spi 0x100 --proto esp --src $HISIP --esp 3des-md5-96 --enckey $OURKEY --authkey $OURAUTH

    ipsec spigrp inet $HISIP 0x101 esp
    ipsec spigrp inet $OURIP 0x100 esp

    ipsec eroute --add --eraf inet --src $OURIP/32 --dst $HISIP/32 --said esp0x101@$HISIP

    route add -host $HISIP gw $HISIP dev ipsec0

--- end ---
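
A check for the manual keying material used in the SA commands above (an added example, not part of the original guide). It validates the 0x-prefixed hex form for the 3des-md5-96 transform and can draw replacement keys from /dev/urandom; the function names are hypothetical.

```shell
# Added example, not from the original guide. Validates manual keying material
# for the 3des-md5-96 transform in the 0x-prefixed hex form the commands use.

# is_hex_key VALUE NBYTES: VALUE must be 0x followed by exactly 2*NBYTES hex digits.
is_hex_key() {
    body=${1#0x}
    [ "$body" != "$1" ] || return 1          # no 0x prefix
    [ "${#body}" -eq $(( $2 * 2 )) ] || return 1
    case $body in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# check_enckey VALUE: 3DES takes 24 bytes, i.e. three 8-byte DES keys K1 K2 K3.
# Comparison is on the raw bytes; DES parity bits are not masked out.
check_enckey() {
    is_hex_key "$1" 24 || { echo "enckey: want 0x plus 48 hex digits"; return 1; }
    body=$(printf %s "${1#0x}" | tr 'A-F' 'a-f')
    k1=$(printf %s "$body" | cut -c1-16)
    k2=$(printf %s "$body" | cut -c17-32)
    k3=$(printf %s "$body" | cut -c33-48)
    if [ "$k1" = "$k2" ] || [ "$k2" = "$k3" ]; then
        echo "enckey: K1=K2 or K2=K3 collapses EDE 3DES to single DES"; return 1
    fi
    return 0
}

# check_authkey VALUE: HMAC-MD5-96 is keyed with 16 bytes.
check_authkey() {
    is_hex_key "$1" 16 || { echo "authkey: want 0x plus 32 hex digits"; return 1; }
}

# gen_key NBYTES: fresh key from the kernel RNG in the same 0x... form.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}
```

For example, OURKEY=$(gen_key 24) and OURAUTH=$(gen_key 16) produce values that pass check_enckey and check_authkey.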