Crypto/SSL/VPN Hardware Acceleration
April 15, 2008 at 1:45 pm #40995
fuse
Member
I have not seen any hardware crypto acceleration support in Zeroshell, and perhaps I have missed it either in Zeroshell or the kernel… Even in that case, I’ve stumbled across a project that would expand the capabilities of Zeroshell.
http://ocf-linux.sourceforge.net
The above project provides a framework for hardware SSL acceleration. Currently they support several cards and they continue to add support for more. This could be very useful for SSL-based communications such as OpenVPN.
Tell me what you think!
April 16, 2008 at 6:06 pm #46383
imported_fulvio
Participant
I am particularly interested in the possibility of activating the crypto hardware included in the AMD Geode LX processor that is the core of the new ALIX and Soekris Net5501 embedded PCs. I will investigate the project that you propose to decide whether it is convenient to include it in Zeroshell.
Thanks
Fulvio
June 30, 2008 at 9:56 am #46384
sin
Member
It would be nice to support VIA C3 and C7 Padlock encryption hardware acceleration, which is fully open-sourced:
http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
These CPUs are fully x86 and are used in cheap Mini-ITX motherboards. Some are completely passively cooled and have 2 Ethernet ports built in — ideal for budget boxes with Zeroshell.
Padlock support is built into recent Linux kernels and requires OpenSSL patching to add the Padlock crypto engine; details here:
http://www.logix.cz/michal/devel/padlock/
June 30, 2008 at 10:06 am #46385
sin
Member
Some info from the last link:
OpenSSL 0.9.8 has AES support out of the box. The PadLock support is transparent. All you need to do is to use the kernel module padlock.ko instead of aes.ko. From then on use AES cipher as normally. However to use VIA C7 hash engine to speed up SHA1, SHA224 or SHA256 you need to patch OpenSSL.
June 30, 2008 at 10:17 am #46386
sin
Member
Some benchmarks:
http://www.logix.cz/michal/devel/padlock/bench.xp
IPsec security is almost “for free”, in some cases speed up is 50%.
OpenSSL speed up about 6 times!
June 30, 2008 at 10:31 am #46387
sin
Member
This topic shows how to configure OpenSSL (/etc/ssl/openssl.cnf) to turn on Padlock by default without patching:
June 30, 2008 at 10:34 am #46388
sin
Member
Someone got a 34% speedup in an OpenVPN benchmark using VIA C3 Padlock:
http://osdir.com/ml/network.openvpn.user/2004-06/msg00474.html
June 30, 2008 at 10:38 am #46389
sin
Member
Another Padlock OpenVPN benchmark:
http://www.hermann-uwe.de/taxonomy/term/1941
“there’s a measurable difference in CPU load while transferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock)”
June 30, 2008 at 10:40 am #46390
sin
Member
Lots of recent Padlock benchmarks and setup instructions for Linux Kernel 2.6.25:
June 30, 2008 at 6:23 pm #46391
imported_fulvio
Participant
Interesting. At the moment I have compiled only the geode-aes module for the hardware encryption support of the Geode LX CPU available in the ALIX and Soekris boards.
Regards
Fulvio
June 30, 2008 at 7:06 pm #46392
sin
Member
Great! Do you have any VPN benchmarks?
Geode LX are even cooler than VIA C7, and the Soekris 4-port board is unique. Unfortunately, ALIX and Soekris are not distributed here in Russia 🙁
June 30, 2008 at 7:33 pm #46393
imported_fulvio
Participant
No, I haven’t. I have just included the geode_aes module in the kernel compilation. In the next release I am going to configure OpenSSL to use it for encryption.
Regards
Fulvio
March 24, 2017 at 10:51 am #46394
TheNanny
Member
Hi,
I’m also interested in ZeroShell to use the hardware encryption support of the Geode LX CPU for OpenVPN.
But I can’t find any evidence for it and the throughput in OpenVPN L2L configuration is poor. I’m using ZeroShell 3.7.1 on an Alix 2D13 system.
As I understood, the encryption of OpenVPN is based on OpenSSL. Here is the output of “openssl engine -t -c”:
(dynamic) Dynamic engine loading support
[ unavailable ]
When OpenSSL could use the hardware acceleration, output should be like:
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
Is there a way to get the hardware acceleration working?
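The check described in the last post, as an added example that is not part of the original thread or of Zeroshell: it parses “openssl engine -t -c” output into one line per engine and lists the engines that passed the availability test. The function names are hypothetical, and the two sample listings are re-typed from the post above with constructed indentation.

```shell
#!/bin/sh
# Summarize "openssl engine -t -c" output read from stdin, one line per engine:
#   <id> <available|unavailable|unknown> <comma-separated capabilities or ->
parse_engines() {
    awk '
        function emit() {
            if (id != "")
                printf "%s %s %s\n", id, (state == "" ? "unknown" : state), (caps == "" ? "-" : caps)
        }
        /^\(/ {                        # "(id) Description" starts a new engine
            emit()
            id = $1; gsub(/[()]/, "", id); state = ""; caps = ""
            next
        }
        /\[ *(un)?available *\]/ {     # result line printed by -t
            state = ($0 ~ /unavailable/) ? "unavailable" : "available"
            next
        }
        /\[.*\]/ {                     # capability list printed by -c
            caps = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", caps)
            gsub(/,[ \t]*/, ",", caps)
        }
        END { emit() }
    '
}

# Print engines that passed the -t test, skipping "dynamic" (an engine loader,
# not an accelerator). Exit status is 1 when no such engine exists.
usable_engines() {
    parse_engines | awk '$2 == "available" && $1 != "dynamic" { print $1; n++ }
                         END { exit (n > 0 ? 0 : 1) }'
}

# Sample listings re-typed from the post above (indentation is constructed).
SAMPLE_NO_HW='(dynamic) Dynamic engine loading support
     [ unavailable ]'
SAMPLE_CRYPTODEV='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# Demo on the second sample; prints one summary line per engine.
printf '%s\n' "$SAMPLE_CRYPTODEV" | parse_engines
```

On a live system, feed it the real listing: openssl engine -t -c | usable_engines. An engine that shows up there can then be selected in OpenVPN with its engine option.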