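These notes record the recent work of installing and debugging the Wentian Quantum (问天量子) crypto card together with the hardware developers, including the problems encountered and how they were solved.
Pre-installation preparation
Inspect the crypto card
- Check the card for bending, damage or other physical defects.
- Check that the card model is correct. The serial number of the product currently in use is 20240328001 (printed on a sticker).
Note: there is a small button (SW1) on the board on the back of the Wentian crypto card. This button resets the card.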
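Installing the crypto card
Server operations
Shut the server down before installing the crypto card.
For legacy reasons, the 192.168.2.198 server in the Jianye (建业) server room cannot be shut down normally by command or by pressing the power button; the power cord has to be unplugged.
Remove the other crypto card
Testing showed that the 192.168.2.198 server has only one usable PCIe slot, so the Yuweng (渔翁) crypto card has to be removed from the server.
Install the crypto card
Insert the Wentian crypto card into the slot previously used by the Yuweng crypto card, fasten the retaining bracket, and confirm that the card is fully seated and locked in place.
Restart the server
Restart the server and, once it has finished booting, continue with the card operations.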
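Crypto card environment configuration
Confirm the card is detected
In a shell terminal, run lspci -n to confirm that the hardware has detected the crypto card.
+ If the list contains 9000:0003 or 9000:0007, the card has been detected correctly;
+ If the list contains no 9000:xxxx device, there is a problem with the motherboard, the crypto card or the slot.
```
gure@gure-tm1701:~$ lspci -n | grep 9000
06:00.0 0500: 9000:0007 (rev 01)
06:00.1 0500: 9000:9081 (rev 01)
```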
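Driver check
First use lsmod to confirm whether the drivers are loaded.
+ If the list contains PCIE_CCP903T and ntl_crypto, the drivers are loaded;
+ If the list contains neither PCIE_CCP903T nor ntl_crypto, the drivers are not loaded.
```
gure@gure-tm1701:~$ lsmod | grep PCIE
gure@gure-tm1701:~$
```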
Driver installation
If the driver check shows that the drivers are not loaded, load both drivers with insmod, and use dmesg to read the kernel ring buffer log to judge whether they loaded correctly.
+ If the following log lines appear, the driver loaded successfully.
```
gure@gure-tm1701:~$ insmod PCIE_CCP903T.ko
gure@gure-tm1701:~$ dmesg
CCP903T: Start to initializing crypto card.
CCP903T 9000:0007 (vendor:device) crypto card found.
CCP903T: Registered irq handler to binding irq 72 for processing sec jobs.
CCP903T: SEC engine initialized.
CCP903T: PCI driver probe crypto card initialized.
CCP903T: New crypto card pci device driver registered.
CCP903T: Crypto card driver initialized.
```
```
gure@gure-tm1701:~$ insmod ntl_crypto.ko
gure@gure-tm1701:~$ dmesg
ntl_init_pci_dev_list:pci device num:1
ntl ccore module init!
```
While the two drivers load, the dmesg output is mixed with a lot of unrelated messages; filter it when viewing.
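Note: the driver is tied to the kernel. When the server's kernel changes, the driver has to be recompiled, as follows:
On a machine running the target kernel, go to the CCP907_SEC_MODULE\CCP903_SEC_BASE directory and run make.
When the command finishes, the PCIE_CCP903T.ko driver is generated in the CCP907_SEC_MODULE\CCP903_SEC_BASE directory.
At this point the crypto card initialization work is complete.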
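The detection, driver and kernel-rebuild checks above can be combined into one repeatable check. This is an added example, not code from the card vendor or the original notes; it works on the text of `lspci -n`, `lsmod`, `dmesg`, `modinfo -F vermagic PCIE_CCP903T.ko` and `uname -r`, and the vermagic comparison and the sample lsmod/vermagic values are assumptions constructed for the demo.

```python
import re

CARD_IDS = {"9000:0003", "9000:0007"}  # vendor:device IDs the notes treat as "card detected"
# module name -> dmesg line the notes show after a successful load
MODULES = {
    "PCIE_CCP903T": "CCP903T: Crypto card driver initialized.",
    "ntl_crypto": "ntl ccore module init!",
}

def detected_cards(lspci_n):
    """Return (slot, vendor:device) for each `lspci -n` line carrying a known card ID."""
    hits = []
    for line in lspci_n.splitlines():
        m = re.match(r"\s*(\S+)\s+[0-9a-f]{4}:\s+([0-9a-f]{4}:[0-9a-f]{4})", line)
        if m and m.group(2) in CARD_IDS:
            hits.append((m.group(1), m.group(2)))
    return hits

def built_for(vermagic, kernel_release):
    """True if the first vermagic field (kernel release the .ko was built for) matches."""
    fields = vermagic.split()
    return bool(fields) and fields[0] == kernel_release

def preflight(lspci_n, lsmod, dmesg, vermagic, kernel_release):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not detected_cards(lspci_n):
        problems.append("no 9000:0003/9000:0007 device: check motherboard, card or slot")
    if not built_for(vermagic, kernel_release):
        problems.append("PCIE_CCP903T.ko was built for another kernel: rebuild with make")
    loaded = {line.split()[0] for line in lsmod.splitlines() if line.strip()}
    for module, marker in MODULES.items():
        if module not in loaded:
            problems.append(f"{module} not loaded: insmod {module}.ko")
        elif marker not in dmesg:
            problems.append(f"{module} loaded but '{marker}' not in dmesg")
    return problems

# Sample input: lspci and dmesg lines as shown in the notes, lsmod and vermagic constructed.
SAMPLE_LSPCI = "06:00.0 0500: 9000:0007 (rev 01)\n06:00.1 0500: 9000:9081 (rev 01)\n"
SAMPLE_LSMOD = "Module                  Size  Used by\nPCIE_CCP903T           45056  1\n"
SAMPLE_DMESG = "CCP903T: SEC engine initialized.\nCCP903T: Crypto card driver initialized.\n"
SAMPLE_VERMAGIC = "5.15.0-91-generic SMP mod_unload modversions"

if __name__ == "__main__":
    for problem in preflight(SAMPLE_LSPCI, SAMPLE_LSMOD, SAMPLE_DMESG,
                             SAMPLE_VERMAGIC, "5.15.0-101-generic"):
        print("FAIL:", problem)
```

The dmesg check can report a false problem on a long-running host, because the ring buffer may have dropped the driver's start-up lines.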
Crypto card testing
Testing with the Wentian Quantum script
Steps
Log in to the 192.168.2.198 server, go to the /home/testPcie/sdf_test directory, and run the following command to test:
```
[root@csizg sdf_test]# ./sdftest
##########################Main Menu#########################
| -0 card Init
| -1 Device Management
| -2 Key Management
| -3 Asymm Algorithm Calc
| -4 Symm Algorithm Calc
| -5 MAC Calc
| -6 Hash Algorithm Calc
| -7 Files Management
| -8 Performance test
Any other key will return to the previous test
###########################################################
If the card is used for the first time, run 0 then 1 to init
###########################################################
Please input Parament:1
######################Device Management###################
-1 Open and close device
-2 get dev info
-3 sdf rand test
-4 key access test
Any other key will return to the previous test
##########################################################
Please input Parament:3
sdf rand test:
open session ok
sdf_rand()-start
---------------------------------------------
random data:
bb 43 1f c6 66 0c d0 84 1c 14 c4 7e 47 13 51 25
---------------------------------------------
close session ok
```
Notes
(a) If ./sdftest does not exist, it has to be built: go to the sdf_test directory and run make clean, then make.
(b) If the error "./sdftest: error while loading shared libraries: libsdf_crypto.so: cannot open shared object file: No such file or directory" appears, the environment variable has to be added:
```
[root@csizg sdf_test]# ./sdftest
./sdftest: error while loading shared libraries: libsdf_crypto.so: cannot open shared object file: No such file or directory
[root@csizg sdf_test]# source ./run_command.sh
[root@csizg sdf_test]#
```
(c) If 权限不够 (permission denied) is reported, execute permission has to be added:
```
[root@csizg sdf_test]# source run_command.sh
-bash: run_command.sh: 权限不够
[root@csizg sdf_test]# sudo chmod +x ./run_command.sh # make the script executable
```
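(d) Every position of the generated random number has to be random; it is not enough to judge the value as a whole. For example, the following result has poor randomness and needs to be fixed by the card vendor:
```
Please input Parament:3
sdf rand test:
open session ok
sdf_rand()-start
---------------------------------------------
random data:
38 38 38 38 21 21 48 48 48 48 48 48 59 5b 5b 5b
---------------------------------------------
close session ok
```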
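The per-byte check described in note (d) can be automated as a smoke test over the sdftest output. This is an added example, not part of the vendor test tool: it applies the repetition count cutoff from NIST SP 800-90B, C = 1 + ceil(-log2(alpha) / H), assuming the card claims full entropy (H = 8 bits per byte) and a false-positive rate alpha = 2^-20, to the two dumps shown in these notes.

```python
import math
import re

def parse_random_bytes(sdftest_output):
    """Extract the hex bytes printed under 'random data:' in sdftest output."""
    m = re.search(r"random data:\s*((?:[0-9a-fA-F]{2}\b\s*)+)", sdftest_output)
    if not m:
        raise ValueError("no 'random data:' block found")
    return bytes.fromhex("".join(m.group(1).split()))

def rct_cutoff(h_bits=8.0, alpha=2.0 ** -20):
    """Run length at which the repetition count test fails (SP 800-90B formula)."""
    return 1 + math.ceil(-math.log2(alpha) / h_bits)

def longest_run(data):
    """Length of the longest run of identical consecutive bytes."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best

def smoke_test(data, h_bits=8.0):
    """Summarise the sample; 'ok' is False when a run reaches the cutoff."""
    cutoff = rct_cutoff(h_bits)
    run = longest_run(data)
    return {"bytes": len(data), "distinct": len(set(data)),
            "longest_run": run, "cutoff": cutoff, "ok": run < cutoff}

# The two 'random data' dumps from the notes above: the normal one and the one reported as bad.
GOOD = """random data:
bb 43 1f c6 66 0c d0 84 1c 14 c4 7e 47 13 51 25
---------------------------------------------
close session ok"""
BAD = """random data:
38 38 38 38 21 21 48 48 48 48 48 48 59 5b 5b 5b
---------------------------------------------
close session ok"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, smoke_test(parse_random_bytes(text)))
```

A 16-byte sample only exposes gross failures like the one above; a passing result says nothing about overall quality, which needs a much larger sample and a full statistical test suite.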
Testing with Java code
Steps
Log in to the 192.168.2.198 server, go to the /home/testPcie/testDemo0718_2/JNI_Test directory, and run the following java command to test:
```
[root@csizg JNI_Test]# ls
com libcom_ccore_CcoreSDF.so libsdf.so run_command.sh
[root@csizg JNI_Test]# java -Djava.library.path=. com.ccore.MainTest
///////// OpenDevice /////////
libpath:/home/testPcie/testDemo0718_2/JNI_Test/libsdf.so
OpenDevice phDeviceHandle = 140666421152224
///////// OpenSession /////////
OpenSession phSessionHandle = 140666421177472
///////// GetDeviceInfo /////////
Devinfo.BufferSize: = 1887840
Devinfo.DeviceVersion: = 257
Devinfo.StandardVersion: = 1581074
Devinfo.SymAlgAbility: = 1823
evinfo.HashAlgAbility: = 127
devinfo.AsymAlgAbility[0]: = 1792
devinfo.AsymAlgAbility[1]: = 2
devinfo.IssuerName: = CCORE
devinfo.DeviceName: = CCP907 PCIECARD
devinfo.DeviceSerial: = 2021122039030B14
///////// GetPrivateKeyAccessRight /////////
GetPrivateKeyAccessRight ok
///////// EVDF_CreateKeyPair_ECC /////////
EVDF_CreateKeyPair_ECC error 密钥已存在。 ret = 0x0100001a EVDF_CreateKeyPair_ECC pucPublicKeyEcc.bits:0
EVDF_CreateKeyPair_ECC pucPublicKeyEcc.x:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EVDF_CreateKeyPair_ECC pucPublicKeyEcc.y:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
///////// InternalEncrypt_ECC /////////
InternalDecrypt_ECC pucDataInput:
02 01 02 03 04
InternalEncrypt_ECC pucEncDataOut.x:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 db 03 88 87 84 00 68 f6 ac 8d 3a 96 5e 69 e8 35 d9 23 76 8a e7 1b 56 38 f6 1a 51 77 06 20 69
InternalSign_ECC pucEncDataOut.y:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6b 27 be 17 d0 12 70 0e da d8 24 c5 c0 0e 00 66 19 7d 83 2f 01 df a5 cb fa 4d 4c 39 19 c3 d7 73
InternalEncrypt_ECC pucEncDataOut.M:
77 10 9d a5 7e 29 cc 60 61 0c df d0 49 9e 43 44 98 1f cd c5 1d 4c 24 d3 92 f5 63 ae 45 b7 44 89
InternalSign_ECC pucEncDataOut.C:
17 66 f7 c6 21 70 90 64 3d 6e bc 84 55 ed 65 a8 1c ee c7 de a3 81 c3 16 c6 1b e0 d9 0e 12 10 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
///////// InternalDecrypt_ECC /////////
InternalDecrypt_ECC pucData:
02 01 02 03 04
InternalDecrypt_ECC puiDataLength:32
[root@csizg JNI_Test]#
```
Notes
(a) If ret = 0x01000005 is reported, the card has to be initialized:
```
///////// GetPrivateKeyAccessRight /////////
eeGetPrivateKeyAccessRight error ret = 0x01000005
[root@csizg JNI_Test]# cd ..
[root@csizg sdf_test]# ./sdftest
##########################Main Menu#########################
| -0 card Init
| -1 Device Management
| -2 Key Management
| -3 Asymm Algorithm Calc
| -4 Symm Algorithm Calc
| -5 MAC Calc
| -6 Hash Algorithm Calc
| -7 Files Management
| -8 Performance test
Any other key will return to the previous test
###########################################################
If the card is used for the first time, run 0 then 1 to init
###########################################################
Please input Parament:0
card init:
soft version:CCP907T SDFINUK 4.10 20230829 V1
hard version:CCP907T PCIE CRYPTO CARD V2.0
---------------------------------------------
******************************
slot index:1
rsa sign key non exist
rsa enc key non exist
ecc sign key non exist
ecc enc key non exist
// log output omitted
slot index:15
rsa sign key exist -- key len[2048]
rsa enc key exist -- key len[2048]
ecc sign key exist -- key len[256]
ecc enc key exist -- key len[256]
---------------------------------------------
```
(b) Before operating on a key, first obtain the access right for the index position of that key; otherwise every operation fails:
```java
int uiSignFlag = 0; // 1: signing key pair, 0: encryption key pair
int uiKeyIndex = 3;

///// GetPrivateKeyAccessRight /////
System.out.println("\n///////// GetPrivateKeyAccessRight /////////");
// Arguments: session handle, key index, access password, password length
ret = CcoreSDF.GetPrivateKeyAccessRight(phSessionHandle[0], uiKeyIndex, "11111111", 8);
if (ret != 0) {
    System.out.printf("eeGetPrivateKeyAccessRight error ret = 0x%08x ", ret);
    return;
}
System.out.println("GetPrivateKeyAccessRight ok");
```
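(c) When generating a key, check the return value not only for success (result code 0) but also for the key-already-exists result code (0x0100001a); otherwise a key that already exists is handled as a generation failure. In the run above, the 0x0100001a case leaves pucPublicKeyEcc empty (bits:0, all-zero x and y), so the public key must not be read from that structure in this branch:
```java
///// EVDF_CreateKeyPair_ECC /////
System.out.println("\n///////// EVDF_CreateKeyPair_ECC /////////");
CcoreSDF.ECCrefPublicKey pucPublicKeyEcc = new CcoreSDF.ECCrefPublicKey();
//CcoreSDF.ECCrefPrivateKey pucPrivateKeyEcc = new CcoreSDF.ECCrefPrivateKey();
ret = CcoreSDF.EVDFCreateKeyPairECC(phSessionHandle[0], uiSignFlag, uiKeyIndex, pucPublicKeyEcc);
if (ret == 0x0100001a) {
    // Key already exists at this index: report it and continue
    System.out.printf("EVDF_CreateKeyPair_ECC error 密钥已存在。 ret = 0x%08x ", ret);
} else if (ret != 0) {
    // Any other non-zero code is a real failure
    System.out.printf("EVDF_CreateKeyPair_ECC error ret = 0x%08x ", ret);
    return;
}
```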