www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

Crypto/SSL/VPN Hardware Acceleration

 
fuse



Joined: 15 Apr 2008
Posts: 1
Location: Maryland

Posted: Tue Apr 15, 2008 1:45 pm    Post subject: Crypto/SSL/VPN Hardware Acceleration

I have not seen any hardware crypto acceleration support in Zeroshell, and perhaps I have missed it either in Zeroshell or the kernel... Even in that case, I've stumbled across a project that would expand the capabilities of Zeroshell.

http://ocf-linux.sourceforge.net

The above project provides a framework for hardware SSL acceleration. Currently they support several cards and they continue to add support for more. This could be very useful for SSL-based communications such as OpenVPN.

Tell me what you think!
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1070

Posted: Wed Apr 16, 2008 6:06 pm

I am particularly interested in the possibility of activating the crypto hardware included in the AMD Geode LX processors that are the core of the new ALIX and Soekris Net5501 embedded PCs. I will investigate the project that you propose to decide whether it is convenient to include it in Zeroshell.

Thanks
Fulvio
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 9:56 am    Post subject: VIA C3 and C7 Padlock encryption hardware acceleration

It would be nice to support VIA C3 and C7 Padlock encryption hardware acceleration, which is fully open-sourced:
http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

These CPUs are fully x86 and are used in cheap Mini-ITX motherboards. Some are completely passively cooled and have 2 Ethernet ports built in -- ideal for budget boxes with Zeroshell.

Padlock support is built into recent Linux kernels and requires OpenSSL patching to add the Padlock crypto engine, details here:
http://www.logix.cz/michal/devel/padlock/
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:06 am

Some info from the last link:

OpenSSL 0.9.8 has AES support out of the box. The PadLock support is transparent. All you need to do is to use the kernel module padlock.ko instead of aes.ko. From then on use AES cipher as normally. However to use VIA C7 hash engine to speed up SHA1, SHA224 or SHA256 you need to patch OpenSSL.
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:17 am    Post subject: Benchmarks

Some benchmarks:
http://www.logix.cz/michal/devel/padlock/bench.xp

IPsec security is almost "for free", in some cases speed up is 50%.

OpenSSL speed up about 6 times!
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:31 am    Post subject: Configure OpenSSL to use Padlock

This topic shows how to configure OpenSSL (/etc/ssl/openssl.cnf) to turn on Padlock by default without patching:

http://ubuntuforums.org/showthread.php?t=710243
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:34 am    Post subject: Benchmarking OpenVPN

Someone got a 34% speed-up in an OpenVPN benchmark using VIA C3 Padlock:

http://osdir.com/ml/network.openvpn.user/2004-06/msg00474.html
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:38 am    Post subject: Padlock OpenVPN CPU Load

Another Padlock OpenVPN benchmark:

http://www.hermann-uwe.de/taxonomy/term/1941

"there's a measurable difference in CPU load while transferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock)"
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 10:40 am

Lots of recent Padlock benchmarks and setup instructions for Linux Kernel 2.6.25:

http://www.a110wiki.de/wiki/VIA_Padlock
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1070

Posted: Mon Jun 30, 2008 6:23 pm

Interesting. At the moment I have compiled only the module geode-aes for the hardware encryption support of the Geode LX CPU available in the ALIX and Soekris boards.

Regards
Fulvio
sin



Joined: 30 Jun 2008
Posts: 8

Posted: Mon Jun 30, 2008 7:06 pm

Great! Do you have any VPN benchmarks?

Geode LX CPUs are even cooler than the VIA C7, and the Soekris 4-port board is unique. Unfortunately ALIX and Soekris are not distributed here in Russia :(
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1070

Posted: Mon Jun 30, 2008 7:33 pm

No, I haven't. I have just included the geode_aes module in the Kernel compilation. In the next release I am going to configure OpenSSL to use it for encrypting.

Regards
Fulvio
TheNanny



Joined: 06 Mar 2013
Posts: 17

Posted: Fri Mar 24, 2017 10:51 am    Post subject: fg

Hi,
I'm also interested in having ZeroShell use the hardware encryption support of the Geode LX CPU for OpenVPN.
But I can't find any evidence of it, and the throughput in an OpenVPN L2L configuration is poor. I'm using ZeroShell 3.7.1 on an Alix 2D13 system.

As I understand it, OpenVPN's encryption is based on OpenSSL. Here is the output of "openssl engine -t -c":
Code:
(dynamic) Dynamic engine loading support
     [ unavailable ]

If OpenSSL could use the hardware acceleration, the output should look like:
Code:
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

Is there a way to get the hardware acceleration working?
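An added example, not part of the thread and not ZeroShell's own code: the posts describe two separate layers (a kernel driver such as geode_aes or padlock, and an OpenSSL engine that exposes it), and this script tells which one is missing by parsing `openssl engine -t -c` output and the kernel's /proc/crypto listing. The function names, the default driver regex and the /proc/crypto sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which layer is missing, kernel driver or OpenSSL engine?

# `openssl engine -t -c` output quoted in the post above (no usable engine).
SAMPLE_ENGINES='(dynamic) Dynamic engine loading support
     [ unavailable ]'
# Constructed /proc/crypto entry; the driver name is illustrative.
SAMPLE_PROC='name         : cbc(aes)
driver       : cbc-aes-geode
module       : geode_aes'

# stdin: `openssl engine -t -c` output. Prints "<id> <state> <capabilities>".
parse_engines() {
    awk '
        /^\(/ { if (id != "") print id, state, caps
                id = $1; gsub(/[()]/, "", id); state = "unknown"; caps = "-"; next }
        /\[ *(un)?available *\]/ {
                state = ($0 ~ /unavailable/) ? "unavailable" : "available"; next }
        /^[ \t]*\[/ { caps = $0; gsub(/\[|\]|[ \t]/, "", caps) }
        END   { if (id != "") print id, state, caps }'
}

# Succeeds if an available engine other than "dynamic" advertises an AES cipher.
has_aes_engine() {
    parse_engines | awk '$1 != "dynamic" && $2 == "available" && $3 ~ /AES/ { ok = 1 }
                         END { exit ok ? 0 : 1 }'
}

# stdin: /proc/crypto text. Prints AES drivers whose driver/module matches $1.
kernel_aes_drivers() {
    awk -v pat="$1" '
        $1 == "name"   { name = $3 }
        $1 == "driver" { driver = $3 }
        $1 == "module" && name ~ /aes/ && ($3 ~ pat || driver ~ pat) { print driver }'
}

# diagnose <engine-output> <proc-crypto-text> [driver-regex]
diagnose() {
    if printf '%s\n' "$1" | has_aes_engine; then
        echo "openssl-engine"          # OpenSSL can reach an AES-capable engine
    elif [ -n "$(printf '%s\n' "$2" | kernel_aes_drivers "${3:-geode|padlock}")" ]; then
        echo "kernel-only"             # driver registered, OpenSSL not wired to it
    else
        echo "none"                    # no matching driver, no engine
    fi
}

diagnose "$SAMPLE_ENGINES" "$SAMPLE_PROC"
```

On a live box, pass the real data instead of the samples: `diagnose "$(openssl engine -t -c 2>/dev/null)" "$(cat /proc/crypto)"`.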
All times are GMT