
Using KAE to Improve SM4-XTS Algorithm Performance

KAE accelerates the XTS mode of the SM4 block cipher. This mode is available only in kernel mode, through transparent partition or disk encryption based on dm-crypt; user-space applications cannot call the accelerated SM4-XTS directly.

dm-crypt is a target of the device mapper. Once a block device has been mapped through it and mounted, the mapping behaves as a transparent encrypted partition or drive: the file system sees plaintext, while the underlying device only ever holds ciphertext.

dm-crypt does not implement ciphers itself; it requests them from the kernel Crypto API. When the hisi_sec2 driver is loaded, it registers its SM4-XTS implementation with the Crypto API, and because the API selects the registered implementation with the highest priority, dm-crypt mappings that request sm4-xts are then served by the accelerator. The mapping is configured with the Linux Unified Key Setup (LUKS) through cryptsetup.

Each active encrypted drive occupies 24 accelerator queues. By default the accelerator exposes 256 x 2 queues, which is enough for about ten encrypted drives per accelerator. To operate more drives, enable all 1024 x 2 queues by setting the pf_q_num parameter in the /etc/modprobe.d/hisi_sec2.conf configuration file, then restart the system for the change to take effect.
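
Before formatting anything, confirm that the kernel really serves xts(sm4) from the hisi_sec2 driver rather than from the generic software implementation, since dm-crypt takes whichever registration has the highest priority. The following script is an added example and not part of the KAE documentation or the KAE software. It parses /proc/crypto, or, on a machine without an SM4-XTS registration, a constructed sample in the same format; the driver name xts-sm4-hisi_sec2 and the priority values in that sample are assumptions, not values captured from real hardware.

```shell
#!/bin/sh
# Added example (not part of the KAE documentation or software): find out which
# registered implementation of xts(sm4) the kernel Crypto API will hand to
# dm-crypt. The API picks the highest "priority" among entries with the same
# "name", so the hisi_sec2 entry must outrank the software fallback.

# CONSTRUCTED sample in /proc/crypto format, used when the host has no SM4-XTS
# registration. The driver name "xts-sm4-hisi_sec2" and the priority values
# are assumptions, not taken from a real machine.
SAMPLE_PROC_CRYPTO='name         : xts(sm4)
driver       : xts-sm4-hisi_sec2
module       : hisi_sec2
priority     : 4001
refcnt       : 1
selftest     : passed
type         : skcipher
async        : yes
min keysize  : 32
max keysize  : 32

name         : xts(sm4)
driver       : xts(ecb(sm4-generic))
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : skcipher
async        : no
min keysize  : 32
max keysize  : 32
'

# best_xts_sm4_driver FILE
# Parse /proc/crypto-style records (blank-line separated "key : value" blocks)
# and print "<driver> <module> <priority>" for the highest-priority xts(sm4)
# entry. Exit status 1 when xts(sm4) is not registered at all.
best_xts_sm4_driver() {
    awk -v want='xts(sm4)' '
        BEGIN { RS = ""; FS = "\n"; best = -1 }
        {
            name = ""; drv = ""; mod = ""; prio = -1
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, /[ \t]*:[ \t]*/)
                if (n < 2) continue
                if (kv[1] == "name")          name = kv[2]
                else if (kv[1] == "driver")   drv  = kv[2]
                else if (kv[1] == "module")   mod  = kv[2]
                else if (kv[1] == "priority") prio = kv[2] + 0
            }
            if (name == want && prio > best) { best = prio; bdrv = drv; bmod = mod }
        }
        END { if (best < 0) exit 1; print bdrv, bmod, best }
    ' "$1"
}

# check_kae_sm4_xts FILE -> 0 if hisi_sec2 wins, 1 if software wins, 2 if absent
check_kae_sm4_xts() {
    result=$(best_xts_sm4_driver "$1") || {
        echo "xts(sm4) is not registered; load hisi_sec2 (or the sm4 software module)"
        return 2
    }
    set -- $result
    if [ "$2" = hisi_sec2 ]; then
        echo "OK: xts(sm4) is served by $1 (module $2, priority $3)"
        return 0
    fi
    echo "WARN: xts(sm4) is served by $1 (module $2, priority $3); KAE is not in use"
    return 1
}

# Stand-alone use: check the live kernel when it has an xts(sm4) entry,
# otherwise demonstrate on the constructed sample. The result is reported in
# the message; rc holds the exit status for callers that want it.
rc=0
if grep -qs 'xts(sm4)' /proc/crypto; then
    check_kae_sm4_xts /proc/crypto || rc=$?
else
    sample=$(mktemp)
    printf '%s' "$SAMPLE_PROC_CRYPTO" > "$sample"
    check_kae_sm4_xts "$sample" || rc=$?
    rm -f "$sample"
fi
```

Run it after loading hisi_sec2; a WARN line means the accelerator is loaded but is not the implementation dm-crypt will use, so any throughput you measure is the software path.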

Environment Requirements

  • The hisi_sec2 driver has been installed. For details about installation, see Installing KAE.
  • cryptsetup (the LUKS tool) is version 2.2.0.

    The cryptsetup shipped with the OS may be too old to format a drive with SM4-XTS, in which case upgrade it. Download the cryptsetup-2.2.0 source code to the environment. The following uses EulerOS 2.8 as an example to describe how to upgrade cryptsetup:

    1. Install the dependency packages in sequence: libuuid-devel, device-mapper-devel, popt-devel, json-c-devel, and libblkid-devel.
      yum install libuuid-devel
      yum install device-mapper-devel
      yum install popt-devel
      yum install json-c-devel
      yum install libblkid-devel

    2. Perform the compilation and installation in the cryptsetup-2.2.0 source code directory.
      ./configure
      make && make install


    libuuid-devel, device-mapper-devel, popt-devel, json-c-devel, and libblkid-devel are build dependencies of cryptsetup; ./configure checks for them and reports which one is missing.

Encrypting a Partition or Drive

  1. Generate a keyfile. The example stores it at /home/EncryptKeyFile; keep it readable by root only, because anyone who can read the keyfile can open the volume.
    dd if=/dev/random of=/home/EncryptKeyFile bs=4k count=1

    The command output is displayed as follows:
    0+1 records in
    0+1 records out
    115 bytes copied, 0.00010976 s, 1.0 MB/s

    The "0+1 records" line shows that /dev/random returned a short read: the keyfile is 115 bytes rather than the 4 KiB requested, and its length will vary from run to run. Add iflag=fullblock to dd if you need a fixed-length keyfile. Any length comfortably above the key size still works, because LUKS treats the keyfile contents as a passphrase from which the unlocking key is derived; it does not use the bytes directly as the cipher key.
    
  2. Encrypt the partition or drive. This destroys all data on /dev/sdb; --batch-mode suppresses the confirmation prompt. The key size is 256 bits because XTS uses two keys and an SM4 key is 128 bits. --hash sha256 applies to LUKS key-slot processing (turning the keyfile into the key that unlocks the volume key), not to the on-disk data cipher, and --sector-size=4096 requires --type=luks2.
    cryptsetup --batch-mode --cipher sm4-xts-plain64 --key-size 256 --hash sha256 --sector-size=4096 --type=luks2 --key-file /home/EncryptKeyFile luksFormat /dev/sdb

  3. Map the partition or drive.
    cryptsetup --key-file /home/EncryptKeyFile luksOpen /dev/sdb sx_disk

  4. Check whether the partition or drive is encrypted.
    lsblk

    If the mapping appears under /dev/sdb with TYPE crypt, the encrypted volume is active.
    NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    loop0            7:0    0   5.5G  1 loop  /os_lhl
    sda              8:0    0   2.2T  0 disk
    ├─sda1           8:1    0     1G  0 part  /boot/efi
    └─sda2           8:2    0   2.2T  0 part
      ├─vg_os-swap 254:0    0    20G  0 lvm   [SWAP]
      └─vg_os-root 254:1    0   2.2T  0 lvm   /
    sdb              8:16   0 278.5G  0 disk
    └─sx_disk      254:2    0 278.5G  0 crypt

  5. Format the partition or drive.
    mkfs.xfs /dev/mapper/sx_disk

    The command output is displayed as follows:
    meta-data=/dev/mapper/sx_disk    isize=512    agcount=16, agsize=4562368 blks
             =                       sectsz=512   attr=2, projid32bit=1
             =                       crc=1        finobt=1, sparse=0, rmapbt=0, reflink=0
    data     =                       bsize=4096   blocks=72997376, imaxpct=25
             =                       sunit=64     swidth=64 blks
    naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
    log      =internal log           bsize=4096   blocks=35648, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=1
    realtime =none                   extsz=4096   blocks=0, rtextents=0

  6. Create a mounting directory.
    mkdir /home/sec_test

  7. Mount the partition or drive to the directory.
    mount /dev/mapper/sx_disk /home/sec_test/
    df -h

    The command output is displayed as follows:
    Filesystem              Size  Used Avail Use% Mounted on
    devtmpfs                 63G     0   63G   0% /dev
    tmpfs                    63G     0   63G   0% /dev/shm
    tmpfs                    63G   28M   63G   1% /run
    tmpfs                    63G     0   63G   0% /sys/fs/cgroup
    /dev/mapper/vg_os-root  2.2T   18G  2.1T   1% /
    /dev/sda1              1022M  172K 1022M   1% /boot/efi
    tmpfs                    13G   20K   13G   1% /run/user/472
    tmpfs                    13G     0   13G   0% /run/user/0
    /dev/loop0              5.5G  5.5G     0 100% /os_lhl
    /dev/mapper/sx_disk     279G  317M  279G   1% /home/sec_test

  8. Confirm that the directory is accessible (ll is an alias for ls -l on EulerOS).
    cd /home/sec_test/; ll

  9. Check that the encrypted partition or drive is the one mounted at /home/sec_test.
    lsblk

    The command output is displayed as follows:
    NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    loop0            7:0    0   5.5G  1 loop  /os_lhl
    sda              8:0    0   2.2T  0 disk
    ├─sda1           8:1    0     1G  0 part  /boot/efi
    └─sda2           8:2    0   2.2T  0 part
      ├─vg_os-swap 254:0    0    20G  0 lvm   [SWAP]
      └─vg_os-root 254:1    0   2.2T  0 lvm   /
    sdb              8:16   0 278.5G  0 disk
    └─sx_disk      254:2    0 278.5G  0 crypt /home/sec_test

  10. View the detailed encryption information about the mapped partition or drive.
    cryptsetup status /dev/mapper/sx_disk

    The command output is as follows:
    /dev/mapper/sx_disk is active and is in use.
      type:    LUKS1
      cipher:  sm4-xts-plain64
      keysize: 256 bits
      key location: dm-crypt
      device:  /dev/sdb
      sector size:  512
      offset:  4096 sectors
      size:    583979008 sectors
      mode:    read/write

    Compare the output with the luksFormat options: the cipher must be sm4-xts-plain64 and the key size 256 bits. A device formatted with --type=luks2 and --sector-size=4096 reports type LUKS2 and sector size 4096; the LUKS1 and 512 values shown here do not match those options, so if you see them the device was not formatted with the command in step 2 as written.
  11. Repeat steps 2 to 10 for each additional partition or drive, using a different mapping name and mount point for each. Remember that every active encrypted drive occupies 24 accelerator queues, so the number of drives is bounded by the queue limit described above.
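
The procedure in steps 1 to 10, wrapped in functions with the checks a practitioner wants, is shown below as an added example; it is not part of the KAE documentation or the KAE software. The device path, mapping name and keyfile path are assumptions taken from the examples above and can be overridden through environment variables. The script creates a fixed-length keyfile that only its owner can read, prints the luksFormat command for review, and parses saved cryptsetup status output to confirm that the mapping carries the requested LUKS version, cipher, key size and sector size. Nothing touches a block device unless encrypt_device is called explicitly; the stand-alone run only demonstrates the status check on the output printed in step 10, which fails on type and sector size.

```shell
#!/bin/sh
# Added example (not part of the KAE documentation or software): the encrypt
# procedure above wrapped in functions with the checks a practitioner wants.
# DEVICE, MAPNAME and KEYFILE are assumptions taken from the documentation's
# examples; nothing below touches a device unless encrypt_device is called.
DEVICE=${DEVICE:-/dev/sdb}
MAPNAME=${MAPNAME:-sx_disk}
KEYFILE=${KEYFILE:-/home/EncryptKeyFile}

# make_keyfile PATH: write exactly 4096 random bytes, readable only by the
# owner. A bare "dd count=1" from /dev/random may return a short read, as the
# 115-byte output in the documentation shows; head -c reads until it has the
# full length.
make_keyfile() {
    kf=$1
    ( umask 077 && head -c 4096 /dev/urandom > "$kf" ) || return 1
    chmod 0400 "$kf" || return 1
    [ "$(( $(wc -c < "$kf") ))" -eq 4096 ]
}

# format_cmd DEVICE KEYFILE: print the luksFormat command line for review.
# 256-bit key = two 128-bit SM4 keys, as XTS requires; --sector-size needs
# LUKS2; --batch-mode suppresses the overwrite confirmation.
format_cmd() {
    printf 'cryptsetup --batch-mode --type luks2 --cipher sm4-xts-plain64 --key-size 256 --hash sha256 --sector-size 4096 --key-file %s luksFormat %s' "$2" "$1"
}

# verify_status FILE: parse saved `cryptsetup status` output and compare the
# fields dm-crypt is actually using against the options requested above.
# Prints each mismatch; exit status 0 only when everything matches.
verify_status() {
    awk '
        /^[ \t]*type:/        { type = $2 }
        /^[ \t]*cipher:/      { cipher = $2 }
        /^[ \t]*keysize:/     { keysize = $2 }
        /^[ \t]*sector size:/ { sector = $3 }
        END {
            bad = 0
            if (type != "LUKS2")             { print "type " type ": expected LUKS2 (--type luks2 not applied)"; bad = 1 }
            if (cipher != "sm4-xts-plain64") { print "cipher " cipher ": expected sm4-xts-plain64"; bad = 1 }
            if (keysize != "256")            { print "keysize " keysize ": expected 256 (two 128-bit SM4 keys)"; bad = 1 }
            if (sector != "4096")            { print "sector size " sector ": expected 4096"; bad = 1 }
            exit bad
        }' "$1"
}

# encrypt_device: run the procedure for real. Needs root and DESTROYS all data
# on $DEVICE. Returns non-zero if any step or the final status check fails.
encrypt_device() {
    make_keyfile "$KEYFILE" || return 1
    eval "$(format_cmd "$DEVICE" "$KEYFILE")" || return 1
    cryptsetup --key-file "$KEYFILE" luksOpen "$DEVICE" "$MAPNAME" || return 1
    st=$(mktemp)
    cryptsetup status "$MAPNAME" > "$st"
    verify_status "$st"; rc=$?
    rm -f "$st"
    return $rc
}

# CONSTRUCTED sample: the `cryptsetup status` output printed in step 10 above.
STATUS_SAMPLE_PAGE='/dev/mapper/sx_disk is active and is in use.
  type:    LUKS1
  cipher:  sm4-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/sdb
  sector size:  512
  mode:    read/write'

# CONSTRUCTED sample of what a device formatted with format_cmd reports
# (an assumption about the expected output, not captured from a machine).
STATUS_SAMPLE_EXPECTED='/dev/mapper/sx_disk is active.
  type:    LUKS2
  cipher:  sm4-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/sdb
  sector size:  4096
  mode:    read/write'

# Stand-alone demo that touches no device: show the command to be reviewed,
# then check the documentation's own status output, which fails on type and
# sector size.
format_cmd "$DEVICE" "$KEYFILE"; echo
demo=$(mktemp); printf '%s\n' "$STATUS_SAMPLE_PAGE" > "$demo"
verify_status "$demo" || echo "sample from the documentation does not match the requested options"
rm -f "$demo"
```

The status check is the part worth keeping in any automation: a mapping that opens and mounts fine but reports a different LUKS version or sector size than you asked for is exactly the kind of silent drift that shows up later as a performance regression or a recovery surprise.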

Deleting an Encrypted Partition or Drive

  1. Unmount the partition or drive from the mounting directory.

    Before running this command, leave the directory: a shell whose working directory is inside the mount keeps it busy.

    If multiple partitions or drives are mounted, run this command once for each of them.

    umount -l /home/sec_test

    The -l (lazy) option detaches the mount point immediately even if files are still open; the device is released only when the last user closes it, so luksClose in step 3 can fail with a busy error until then. A plain umount reports the busy condition up front instead.
  2. Run the lsblk command to confirm that the mount point is gone (the MOUNTPOINT column of sx_disk is empty).
    lsblk

    The command output is displayed as follows:
    NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    loop0            7:0    0   5.5G  1 loop  /os_lhl
    sda              8:0    0   2.2T  0 disk
    ├─sda1           8:1    0     1G  0 part  /boot/efi
    └─sda2           8:2    0   2.2T  0 part
      ├─vg_os-swap 254:0    0    20G  0 lvm   [SWAP]
      └─vg_os-root 254:1    0   2.2T  0 lvm   /
    sdb              8:16   0 278.5G  0 disk
    └─sx_disk      254:2    0 278.5G  0 crypt

  3. Disable the mapping.

    Run this command once for each mapped partition or drive.

    cryptsetup luksClose sx_disk

  4. Check whether the mapping is disabled.
    ll /dev/mapper/

    The command output is as follows; sx_disk is no longer listed:
    total 0
    crw------- 1 root root 10, 236 Jul 31 22:27 control
    lrwxrwxrwx 1 root root       7 Jul 31 22:27 vg_os-root -> ../dm-1
    lrwxrwxrwx 1 root root       7 Jul 31 22:27 vg_os-swap -> ../dm-0