Creating a versatile, secure network controller using embedded Linux

By Glen Middleton, Managing Director, Arcom

Bundling all the software and hardware (including cables, power supplies, and simple enclosures) with a PC/104 board that has operational Linux already installed saves considerable time for developers. In this article Arcom describes an alternative for the developer who would otherwise have to pull all these items together and make them work: a Linux Development Kit.

This article briefly describes the component technologies used to create a versatile, secure network controller using embedded Linux and the Intel® IXP425 network processor-based communications controller. One of the key technical characteristics of the IXP425 is its integrated hardware-accelerated cryptography for authentication and encryption. This feature offloads a considerable amount of network activity from the core Intel XScale® processor and allows a high degree of parallel processing. The internal network processing engines of the Intel® IXP4XX network processor family are designed to handle much of the Layer 2 and IP packet processing and can be used to accelerate VPN-related tasks such as encryption (AES and 3DES) and packet authentication (SHA-1 and MD5).

Getting started
The article describes the processes used by Arcom to create a standard embedded Linux Development Kit for the Intel® IXP425 network processor-based VULCAN board. The VULCAN is a PC/104 format module powered by the 533 MHz IXP425 processor (see Figure 1). The block diagram of the VULCAN in Figure 2 shows it is fitted with 64 MB of DRAM (133 MHz bus) and 16 or 32 MB of resident Flash along with a USB 2.0 controller and a CompactFlash port. The platform uses RedBoot to initialize the board (similar to a BIOS in a PC) and as a Linux boot loader. The RedBoot firmware is open source and comes standard with support for the Intel IXP425 network processor and network utilities such as:

  • TFTP
  • HTTP
  • DHCP

Arcom’s embedded Linux team simply used the latest version from the RedBoot Concurrent Versions System (CVS) repository and added the low-level support code for the Intel IXP425 network processor engines and for correctly mapping the onboard 16/32 MB AMD MirrorBit Flash devices. The RedBoot Flash Image System (FIS) is a simple file manager that divides the Flash memory into three partitions:
  • RedBoot image
  • FIS configuration files
  • JFFS2 (compressed journaling Flash File system)

The user-defined configuration scripts specify the initial Linux command line, the root file system, and which Linux kernel to load from the JFFS2 file system. Using RedBoot, the VULCAN can quickly download a new Linux image from a host development system using TFTP via the Ethernet port. All the source files used to create the RedBoot firmware are included on the Development Kit CD.

Building Linux
The kernel is built from the standard Linux source. Using the standard source ensures the highest level of compatibility with developments in the Linux community and reduces the support required by customers rebuilding their Linux kernel. Arcom used the latest released version of the 2.4 kernel for the VULCAN Linux Development Kit. After downloading the source code from the Linux repository, it was then necessary to apply various patches to the kernel to match the hardware peripherals on the VULCAN and include the required communication technologies. There are several ARM compatibility patches and specific patches for the IXP425 available from the ARM Linux Project support site. The kernel build process also involves integrating the Intel® IXP400 Access Library code – essentially this contains all the libraries to fully exploit the hardware features of the IXP425 network processor (such as Ethernet MAC, DMA, and cryptography). The development was carried out using standard GNU C Compiler (gcc) tools on a PC workstation installed with the Debian Linux distribution. Arcom includes the Fedora Core 3.0 distribution (successor to Red Hat 9) of Linux as part of the Development Kit so that the user has everything available to install on a host development platform.

There are two devices attached to the local IXP425 PCI bus:
  • Philips 4 channel USB 2.0 controller (up to 480 Mbps)
  • TI CardBus controller (for the CompactFlash port and PC/104 bus)
One of the benefits of using standard Linux is that drivers were readily available for both devices. In addition, since the CompactFlash port will be used for Wi-Fi cards, the standard module for the Intersil PRISM2 chipset (now produced by Conexant) was also included in the kernel build.

The operating system build is carried out with a cross toolchain targeting the ARM CPU, running on a Linux x86 workstation. The familiar tools (such as gcc and ld) are merely prefixed with armbe-linux- (e.g. armbe-linux-gcc). These tools are preconfigured to generate code that runs on the target with no additional options required. The armbe prefix denotes that the cross compiler will use the big-endian data format (i.e. 32-bit data is stored in memory with the most significant byte at the lowest memory address). Since the x86 PC architecture is inherently little endian, most Linux kernels used today are built using the little-endian configuration. The IXP425 and other devices such as the Intel® PXA255 processor are bi-endian (they can be configured for either big- or little-endian operation). For the IXP425, Intel has written the IXP400 Access Library (for Linux) to drive the internal Network Processor Engines in big-endian format, which dictates the endianness of the entire Linux build.
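The big-endian build has a practical consequence for any code that touches packet headers or on-disk formats: the same four bytes read as a different number on the armbe target than on the x86 host. The following C program is an added example, not Arcom's or Intel's code; it shows the MSB-at-lowest-address layout and portable load/store helpers that behave identically on either target (the sample value is constructed).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when the CPU running this code stores the most significant
 * byte at the lowest address (big endian, as on the armbe target), else 0. */
int host_is_big_endian(void) {
    const uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);      /* byte at the lowest address */
    return first == 0x01;
}

/* Write v to buf in big-endian (network) byte order, independent of host. */
void store_be32(unsigned char buf[4], uint32_t v) {
    buf[0] = (unsigned char)(v >> 24);
    buf[1] = (unsigned char)(v >> 16);
    buf[2] = (unsigned char)(v >> 8);
    buf[3] = (unsigned char)(v);
}

/* Read a big-endian 32-bit value from buf, independent of host order. */
uint32_t load_be32(const unsigned char buf[4]) {
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

/* The non-portable pattern the helpers above replace: overlaying a
 * uint32_t on a byte buffer. It gives the intended value on armbe and a
 * byte-swapped value on x86, so the same source behaves differently. */
uint32_t overlay_u32(const unsigned char buf[4]) {
    uint32_t v;
    memcpy(&v, buf, 4);
    return v;
}

int main(void) {
    unsigned char wire[4];
    store_be32(wire, 0xDEADBEEFu);  /* constructed sample value */
    printf("host is %s endian\n", host_is_big_endian() ? "big" : "little");
    printf("wire bytes: %02x %02x %02x %02x\n",
           wire[0], wire[1], wire[2], wire[3]);
    printf("portable load: 0x%08x\n", load_be32(wire));
    printf("raw overlay:   0x%08x (%s)\n", overlay_u32(wire),
           host_is_big_endian() ? "same on armbe" : "swapped on x86");
    return 0;
}
```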

Adding VPN functionality
A Virtual Private Network (VPN) uses the IPsec protocol to create a secure network connection between two computers. Targeted at the market for embedded industrial gateways, the VULCAN PC/104 board might be used to implement a telemetry link between a distributed data acquisition system and an enterprise application or a Supervisory Control and Data Acquisition (SCADA) host. By using a VPN, data can be safely transferred between two systems across various untrusted public networks such as the Plain Old Telephone System (POTS), the wired Internet, or GPRS and iDEN wireless networks. For a Linux environment, Intel used an open source implementation of IPsec (from the Linux FreeS/WAN project) and added appropriate patches to take advantage of the hardware acceleration features of the IXP425. FreeS/WAN has a user-space configuration tool to select different encryption standards and exchange security keys between the two systems. To demonstrate the performance of the IXP425, the embedded Linux kernel, and the FreeS/WAN patch, two VULCAN boards were set up to serve as VPN gateways between two desktop systems. By repeatedly transferring a 100 MB file from one desktop system to the other, it was possible to achieve an impressive payload data rate (i.e., the real data rate) of nearly 50 Mbps. Table 1 shows the results for both the Advanced Encryption Standard (AES) and triple Data Encryption Standard (3DES). For reference, this is approximately five times the performance achieved without the hardware acceleration patches built into FreeS/WAN.
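As an added example (not Arcom's or Intel's configuration), a FreeS/WAN ipsec.conf describing the two-gateway tunnel used in the test above, with constructed placeholder addresses, subnets and key strings; the esp= and ike= selectors come from the FreeS/WAN algorithm patch and are assumed here to be the syntax the accelerated build accepts.

```ini
# /etc/ipsec.conf on each VULCAN gateway (placeholder values throughout)
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn %default
    keyingtries=0             # keep retrying if the peer is unreachable
    authby=rsasig             # RSA signatures, not shared secrets

conn vulcan-link
    # "left" is this gateway, "right" is the peer; FreeS/WAN works out
    # which side it is from the local addresses, so both ends share the file.
    left=192.0.2.1            # placeholder: public address of gateway A
    leftsubnet=10.0.1.0/24    # placeholder: desktop LAN behind gateway A
    leftnexthop=%defaultroute
    leftrsasigkey=0sPLACEHOLDER_KEY_A   # from 'ipsec showhostkey --left'
    right=198.51.100.1        # placeholder: public address of gateway B
    rightsubnet=10.0.2.0/24   # placeholder: desktop LAN behind gateway B
    rightnexthop=%defaultroute
    rightrsasigkey=0sPLACEHOLDER_KEY_B  # from 'ipsec showhostkey --right'
    # Algorithms the article benchmarks. AES with SHA-1 is the stronger
    # pairing; 3DES/MD5 is the legacy alternative measured in Table 1.
    esp=aes128-sha1
    #esp=3des-md5-96
    ike=aes128-sha1
    pfs=yes                   # fresh Diffie-Hellman per rekey
    auto=start                # bring the tunnel up at boot
```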

Custom Linux builds
It is generally accepted that many developers will want to incorporate new technologies, drivers (perhaps for other CF cards or PC/104 modules), or even Intel’s code optimized Integrated Performance Primitives (IPP) into the Linux kernel image. To simplify the process of rebuilding the kernel, Arcom includes all the associated source code and a rebuild utility within the Development Kit.

Contact Information

7500 West 161st Street
Overland Park, KS 66085
913.549.1000 Telephone
913.549.1002 Fax