12-Security Command Reference

31-Crypto engine commands

Crypto engine commands

crypto-engine accelerator enable gm-algorithm

Use crypto-engine accelerator enable gm-algorithm to enable the GM-capable hardware crypto engine for GM algorithms.

Use undo crypto-engine accelerator enable gm-algorithm to disable the GM-capable hardware crypto engine for GM algorithms.

Syntax

crypto-engine accelerator enable gm-algorithm { sm2 | sm3 | sm4 } *

undo crypto-engine accelerator enable gm-algorithm { sm2 | sm3 | sm4 } *

Default

The GM-capable hardware crypto engine is disabled for GM algorithms.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

sm2: Specifies the SM2 algorithm.

sm3: Specifies the SM3 algorithm.

sm4: Specifies the SM4 algorithm.

Usage guidelines

Restrictions and guidelines

Before you execute this command, make sure the device is installed with the GM-capable hardware crypto engine. Otherwise, data encryption/decryption by GM algorithms might terminate due to lack of the corresponding hardware crypto engine, which will interrupt the services related to GM algorithms. To identify whether a GM-capable hardware crypto engine is available, execute the display crypto-engine accelerator gm-algorithm status command. As a best practice, do not use the GM-capable hardware crypto engine for device management services. Otherwise, you will fail to log in to the device when the GM-capable hardware crypto engine is faulty.

Compatibility description

Only the devices with GM-capable hardware crypto engines support this command.

Application scenarios

By default, the device uses software crypto engines for data encryption/decryption by GM algorithms, including SM2, SM3, and SM4 algorithms. That is, the system uses its own software algorithms for data encryption/decryption. This consumes system resources and is less efficient. When the device is installed with the GM-capable hardware crypto engine, you can execute this command to enable the hardware crypto engine for a specific GM algorithm. Then, data encryption/decryption by that GM algorithm will not consume system resources, which improves device processing efficiency.

Usage guidelines

You can execute this command multiple times to specify multiple GM algorithms.

Examples

# Enable the GM-capable hardware crypto engine for SM2 algorithm.

<Sysname> system-view

[Sysname] crypto-engine accelerator enable gm-algorithm sm2

Related commands

display crypto-engine accelerator gm-algorithm status

display crypto-engine

Use display crypto-engine to display crypto engine information.

Syntax

display crypto-engine

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

If the device does not have hardware crypto engines, this command displays information only about software crypto engines.

Examples

# Display crypto engine information.

<Sysname> display crypto-engine

  Crypto engine name: Cavium crypto driver

  Crypto engine state: Enabled

  Crypto engine type: Hardware

  Slot ID: 1

  CPU ID: 0

  Crypto engine ID: 0

  Crypto device name: cavium crypto

  Crypto device serial number:

  Symmetric algorithms: des-cbc des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc-hmac

  Asymmetric algorithms: dh-group1 dh-group2 dh-group5 dh-group14

  Random number generation function: Supported

 

  Crypto engine name: Software crypto engine

  Crypto engine state: Enabled

  Crypto engine type: Software

  Slot ID: 1

  CPU ID: 0

  Crypto engine ID: 1

  Crypto device name: Software

  Crypto device serial number:

  Symmetric algorithms:  des-cbc des-ecb 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac sm3 sm3-hmac sm4-cbc

  Asymmetric algorithms:

  Random number generation function: Supported

              

  Crypto engine name: Cavium crypto driver

  Crypto engine state: Enabled

  Crypto engine type: Hardware

  Slot ID: 2  

  CPU ID: 0   

  Crypto engine ID: 0

  Crypto device name: cavium crypto

  Crypto device serial number:

  Symmetric algorithms: des-cbc des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc-hmac

  Asymmetric algorithms: dh-group1 dh-group2 dh-group5 dh-group14

  Random number generation function: Supported

              

  Crypto engine name: Software crypto engine

  Crypto engine state: Enabled

  Crypto engine type: Software

  Slot ID: 2  

  CPU ID: 0   

  Crypto engine ID: 1

  Crypto device name: Software

  Crypto device serial number:

  Symmetric algorithms:  des-cbc des-ecb 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac sm3 sm3-hmac sm4-cbc

  Asymmetric algorithms:

  Random number generation function: Supported

Table 1 Command output

| Field | Description |
| --- | --- |
| Crypto engine state | Hardware crypto engine state: Enabled or Disabled. This field always displays Enabled for software crypto engines. |
| Crypto engine type | Crypto engine type: Hardware or Software. |
| Crypto device name | Name of the crypto device. This field displays Software for software crypto engines. This field displays cavium crypto for hardware crypto engines. |
| Crypto device serial number | Serial number of the crypto device. This field is always empty for software crypto engines. This field is always empty for hardware crypto engines. |
| Symmetric algorithms | Supported symmetric algorithms. |
| Asymmetric algorithms | Supported asymmetric algorithms. |
| Random number generation function | Whether random number generation function is supported: Supported or Not supported. |

display crypto-engine accelerator gm-algorithm status

Use display crypto-engine accelerator gm-algorithm status to display the enabling status of the GM-capable hardware crypto engine for GM algorithms.

Syntax

display crypto-engine accelerator gm-algorithm status

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Usage guidelines

You can install a GM-capable hardware crypto engine on the device and execute the crypto-engine accelerator enable gm-algorithm command to enable the GM-capable hardware crypto engine for GM algorithms. In this case, you can execute the display crypto-engine accelerator gm-algorithm status command to check whether the GM-capable hardware crypto engine is available and enabled for the specified GM algorithms.

Examples

# Display crypto engine acceleration status for GM algorithms when a GM-capable hardware crypto engine is installed.

<Sysname> display crypto-engine accelerator gm-algorithm status

   sm2:  Accelerating

   sm3:  Accelerating

   sm4:  Disable

Table 2 Command output

| Field | Description |
| --- | --- |
| sm2 | Status of the GM-capable hardware crypto engine for SM2 algorithm. Accelerating: The GM-capable hardware crypto engine is enabled for SM2 algorithm. Not accelerating (no available hardware engine): No GM-capable hardware crypto engine is available. Disable: The GM-capable hardware crypto engine is disabled for SM2 algorithm. |
| sm3 | Status of the GM-capable hardware crypto engine for SM3 algorithm. Accelerating: The GM-capable hardware crypto engine is enabled for SM3 algorithm. Not accelerating (no available hardware engine): No GM-capable hardware crypto engine is available. Disable: The GM-capable hardware crypto engine is disabled for SM3 algorithm. |
| sm4 | Status of the GM-capable hardware crypto engine for SM4 algorithm. Accelerating: The GM-capable hardware crypto engine is enabled for SM4 algorithm. Not accelerating (no available hardware engine): No GM-capable hardware crypto engine is available. Disable: The GM-capable hardware crypto engine is disabled for SM4 algorithm. |

Related commands

crypto-engine accelerator enable gm-algorithm
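The pre-check recommended for crypto-engine accelerator enable gm-algorithm, as an added example (not H3C code): this Python sketch parses captured output of display crypto-engine accelerator gm-algorithm status against the three states in Table 2 and builds the enable command only for algorithms that pass. The function names are hypothetical, and treating Disable as "engine present but not enabled" is an assumption drawn from Table 2.

```python
import re

# The three states documented in Table 2 of this page.
ACCELERATING = "Accelerating"
NO_ENGINE = "Not accelerating (no available hardware engine)"
DISABLED = "Disable"
LINE_RE = re.compile(r"^\s*(sm2|sm3|sm4):\s*(.+?)\s*$")

# Capture copied from the example output on this page.
SAMPLE = """<Sysname> display crypto-engine accelerator gm-algorithm status
   sm2:  Accelerating
   sm3:  Accelerating
   sm4:  Disable
"""

def parse_gm_status(output):
    """Return {algorithm: state}; reject states Table 2 does not list."""
    status = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt line, blank line, or unrelated text
        alg, state = m.groups()
        if state not in (ACCELERATING, NO_ENGINE, DISABLED):
            raise ValueError(f"unexpected state for {alg}: {state!r}")
        status[alg] = state
    return status

def plan_enable(output, wanted):
    """Split wanted algorithms into (to_enable, already_on, blocked)."""
    status = parse_gm_status(output)
    to_enable, already_on, blocked = [], [], []
    for alg in wanted:
        state = status.get(alg)
        if state == ACCELERATING:
            already_on.append(alg)
        elif state == DISABLED:  # assumption: engine present, not yet enabled
            to_enable.append(alg)
        else:
            blocked.append(alg)  # no hardware engine, or algorithm not reported
    return to_enable, already_on, blocked

def enable_command(algs):
    """One CLI line for the checked algorithms; None if nothing qualifies."""
    if not algs:
        return None
    return "crypto-engine accelerator enable gm-algorithm " + " ".join(algs)
```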

display crypto-engine statistics

Use display crypto-engine statistics to display crypto engine statistics.

Syntax

In standalone mode:

display crypto-engine statistics [ engine-id engine-id slot slot-number ]

In IRF mode:

display crypto-engine statistics [ engine-id engine-id chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

engine-id engine-id: Specifies a crypto engine by its ID. The value range for the engine-id argument is 0 to 4294967295.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

If hardware crypto engines are not enabled or the device does not have hardware crypto engines, this command displays statistics only for software crypto engines.

(In standalone mode.) If you do not specify any parameters, this command displays crypto engine statistics for all cards.

(In IRF mode.) If you do not specify any parameters, this command displays crypto engine statistics for all cards.

Examples

# (In standalone mode.) Display all crypto engine statistics.

<Sysname> display crypto-engine statistics

  Slot ID: 1

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (In standalone mode.) Display statistics for crypto engine 1 on the specified slot.

<Sysname> display crypto-engine statistics engine-id 1 slot 1

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

Table 3 Command output

| Field | Description |
| --- | --- |
| Submitted sessions | Number of established sessions. |
| Failed sessions | Number of failed sessions. |
| Symmetric operations | Number of operations using symmetric algorithms. |
| Symmetric errors | Number of failed operations using symmetric algorithms. |
| Asymmetric operations | Number of operations using asymmetric algorithms. |
| Asymmetric errors | Number of failed operations using asymmetric algorithms. |
| Get-random operations | Number of operations for obtaining random numbers. |
| Get-random errors | Number of failed operations for obtaining random numbers. |

Related commands

reset crypto-engine statistics
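A monitoring use of the counters in Table 3, as an added example (not H3C code): this Python sketch parses two captures of display crypto-engine statistics in the all-engines, standalone-mode layout shown above and reports the engines whose error counters grew between them. The function names and both captures are constructed for illustration.

```python
ERROR_FIELDS = ("Failed sessions", "Symmetric errors",
                "Asymmetric errors", "Get-random errors")

def parse_statistics(output):
    """Return {(slot, cpu, engine_id): {field: int}} for each engine block."""
    engines, ident, counters = {}, {}, None
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not sep or not value.isdigit():
            continue  # prompt, blank line, or non-numeric text
        if key == "Slot ID":
            ident, counters = {key: int(value)}, None  # a new block starts
        elif key == "CPU ID":
            ident[key] = int(value)
        elif key == "Crypto engine ID":
            counters = {}
            engines[(ident.get("Slot ID"), ident.get("CPU ID"), int(value))] = counters
        elif counters is not None:
            counters[key] = int(value)
    return engines

def new_errors(before, after):
    """Engines whose error counters increased between two parsed captures."""
    findings = {}
    for engine, now in after.items():
        prev = before.get(engine, {})
        grown = {f: now[f] - prev.get(f, 0) for f in ERROR_FIELDS
                 if now.get(f, 0) > prev.get(f, 0)}
        if grown:
            findings[engine] = grown
    return findings

# Constructed captures: the second shows new failures on slot 1, engine 0.
BEFORE = """<Sysname> display crypto-engine statistics
  Slot ID: 1
  CPU ID: 0
  Crypto engine ID: 0
  Submitted sessions: 10
  Failed sessions: 0
  Symmetric operations: 200
  Symmetric errors: 0
  Asymmetric operations: 4
  Asymmetric errors: 0
  Get-random operations: 8
  Get-random errors: 0
"""
AFTER = (BEFORE.replace("Failed sessions: 0", "Failed sessions: 1")
               .replace("Symmetric errors: 0", "Symmetric errors: 3"))
```

Counters are cumulative until reset crypto-engine statistics is run, so a reset between the two captures hides growth rather than producing a false finding.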

reset crypto-engine statistics

Use reset crypto-engine statistics to clear crypto engine statistics.

Syntax

In standalone mode:

reset crypto-engine statistics [ engine-id engine-id slot slot-number ]

In IRF mode:

reset crypto-engine statistics [ engine-id engine-id chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

engine-id engine-id: Specifies a crypto engine by its ID. The value range for the engine-id argument is 0 to 4294967295.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

(In standalone mode.) If you do not specify any parameters, this command clears crypto engine statistics for all cards.

(In IRF mode.) If you do not specify any parameters, this command clears crypto engine statistics for all cards.

Examples

# Clear statistics for all crypto engines.

<Sysname> reset crypto-engine statistics

# Clear statistics for crypto engine 1 on the specified slot.

<Sysname> reset crypto-engine statistics engine-id 1 slot 1

Related commands

display crypto-engine statistics
