dtrace discuss - Mar 2010 - Monitoring Sun Crypto Engine On T2's

Hello,

I was wondering if it''s possible to monitor the UltraSparc T2 Plus
security
co-processors built into the CPU with DTrace. This allows the CPU to
off-load cryptographic functions to the co-processor. Can this process be
monitored and/or probed with DTrace and any associated apps that use this
function?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20100317/82493a2f/attachment.html>

On 03/17/10 01:21 PM, Tony MacDoodle wrote:
> Hello,
>
> I was wondering if it''s possible to monitor the UltraSparc T2 Plus
> security co-processors built into the CPU with DTrace. This allows the
> CPU to off-load cryptographic functions to the co-processor. Can this
> process be monitored and/or probed with DTrace and any associated apps
> that use this function?
Off-loading to ncp/n2cp/n2rng drivers can be observed through fbt probes 
in said drivers.

One level above you can activate the probes in Kernel Crypto Framework 
scheduler (kcf_get_hardware_provider{,_nomech}()/kcf_get_mech_provider() 
or kcf_submit_request()+CRYPTO_HW_PROVIDER).

Yet one level above you can see the ioctl() requests going from 
pkcs11_kernel.so to /dev/crypto by observing crypto module entry points 
(this will help you to get the userland consumer side data) like 
crypto_ioctl()+CRYPTO_{ENCRYPT,DECRYPT,...}.

What exactly do you have in mind ?


v.

Tony MacDoodle wrote:
> I would like to know if a web application is using the onboard crypto 
> units or not in some sort of script......
Is the app single process or group of processes ? Also, which language ? 
What sort of mechanisms (symmetric/asymmetric/digest/RNG) are you 
interested in ?

Here''s simple example for observing digest operations made by single 
process:

fbt:crypto:digest_init:entry
/curpsinfo->pr_pid == $target/
{
         self->t = 1;
}

fbt:kcf:kcf_get_hardware_provider:entry
/self->t/
{
         self->new = arg2;
}

fbt:kcf:kcf_get_hardware_provider:return
/self->new/
{
         self->p = *(kcf_provider_desc_t **)(self->new);
         printf("%s", stringof(((kcf_provider_desc_t 
*)(self->p))->pd_name));
         self->p = 0;
         self->new = 0;
}

This can be easily extended to check ''pd_prov_type == 
CRYPTO_HW_PROVIDER'' in the last probe and/or following the request up
to
kcf_submit_request() to be absolutely sure this is a hardware provider 
but for quick verification this is not necessary given we''re following 
the ioctl() path (pkcs11_kernel.so only goes to kernel if there is at 
least one HW provider capable of processing the request and not 
blacklisted by cryptoadm(1M) policy configuration).

For example on a T5120 machine (assuming /etc/password is not too big):

# dtrace -q -s digest-kcf.d -c "/usr/bin/digest -a md5 /etc/passwd"
092828140ffbd5f5140eea8d3098dda2
n2cp

Which means that in this case n2cp driver was used for submitting the 
request to the hardware.


v.

On 03/26/10 01:15 AM, Tony MacDoodle wrote:
> It''s an IBM Apache webserver running on T5140''s in an
LDom
> configuration...... Our CPU''s are saturated...
<attachment omitted>

My knowledge of any IBM webserver is exactly zero. Anyhow, for apache 
shipped with Solaris, OpenSSL PKCS#11 engine is enabled by default so it 
can leverage HW crypto (if there''s any).

With the example dtrace script in hand you should be able to tweak 
it/rewrite it so that it answers your question, that is ''is my app
using
n2cp/ncp/n2rng ?'' (using execname instead of curpsinfo to get the data 
for the whole process group or by looking at pgid) or ''how much is my 
app using n2cp/ncp/n2rng ?'' (using aggregations)


v.
>
>
>
>
> On Thu, Mar 25, 2010 at 8:31 PM, Vladimir Kotal <Vladimir.Kotal at
sun.com
> <mailto:Vladimir.Kotal at sun.com>> wrote:
>
>     Tony MacDoodle wrote:
>
>         I would like to know if a web application is using the onboard
>         crypto units or not in some sort of script......
>
>
>     Is the app single process or group of processes ? Also, which
>     language ? What sort of mechanisms (symmetric/asymmetric/digest/RNG)
>     are you interested in ?
>
>     Here''s simple example for observing digest operations made by
single
>     process:
>
>     fbt:crypto:digest_init:entry
>     /curpsinfo->pr_pid == $target/
>     {
>             self->t = 1;
>     }
>
>     fbt:kcf:kcf_get_hardware_provider:entry
>     /self->t/
>     {
>             self->new = arg2;
>     }
>
>     fbt:kcf:kcf_get_hardware_provider:return
>     /self->new/
>     {
>             self->p = *(kcf_provider_desc_t **)(self->new);
>             printf("%s", stringof(((kcf_provider_desc_t
>     *)(self->p))->pd_name));
>             self->p = 0;
>             self->new = 0;
>     }
>
>     This can be easily extended to check ''pd_prov_type =>    
CRYPTO_HW_PROVIDER'' in the last probe and/or following the request
>     up to kcf_submit_request() to be absolutely sure this is a hardware
>     provider but for quick verification this is not necessary given
>     we''re following the ioctl() path (pkcs11_kernel.so only goes
to
>     kernel if there is at least one HW provider capable of processing
>     the request and not blacklisted by cryptoadm(1M) policy configuration).
>
>     For example on a T5120 machine (assuming /etc/password is not too big):
>
>     # dtrace -q -s digest-kcf.d -c "/usr/bin/digest -a md5
/etc/passwd"
>     092828140ffbd5f5140eea8d3098dda2
>     n2cp
>
>     Which means that in this case n2cp driver was used for submitting
>     the request to the hardware.
>
>
>     v.
>
>