- This topic is empty.
-
Posts
-
I have not seen any hardware crypto acceleration support in zeroshell and perhaps I have missed it either in zeroshell or the kernel….Even in that case, I’ve stumbled acrossed a project that would expand the capabilities of zeroshell.
http://ocf-linux.sourceforge.net
The above project provides a framework for hardware ssl acceleration. Currently they support several cards and they continue to add support for more. This could be very useful for SSL based communications such as OpenVPN.
Tell me what you think!
I am particulary interested in the possibility to activate the Crypto hardware inluded in the AMD Geode LX processor that are the core of the new ALIX and Soekris Net5501 embedded pc. I will investigate about the project that you propose to decide if it is convenient to include it in Zeroshell.
Thanks
FulvioIt would be nice to support VIA C3 and C7 Padlock encryption hardware acceleration which is fully opensourced:
http://www.via.com.tw/en/initiatives/padlock/hardware.jspThis CPU’s are fully x86 and used in cheap MiniITX moterboards. Some are completely passive cooled and have 2 Ethernet ports built in — ideal for budget boxes with Zeroshell.
Padlock support is built into recent Linux kernels and requires OpenSSL patching to add Padlock crypto engine, details here:
http://www.logix.cz/michal/devel/padlock/Some info from the last link:
OpenSSL 0.9.8 has AES support out of the box. The PadLock support is transparent. All you need to do is to use the kernel module padlock.ko instead of aes.ko. From then on use AES cipher as normally. However to use VIA C7 hash engine to speed up SHA1, SHA224 or SHA256 you need to patch OpenSSL.
Some benchmarks:
http://www.logix.cz/michal/devel/padlock/bench.xpIPsec security is almost “for free”, in some cases speed up is 50%.
OpenSSL speed up about 6 times!
This topic shows how to configure OpenSSL (/etc/ssl/openssl.cnf) to turn on Padlock by default without patching:
Someone got 34% speed up in OpenVPN benchmark using VIA C3 Padlock:
http://osdir.com/ml/network.openvpn.user/2004-06/msg00474.html
Another Padlock OpenVPN benchmark:
http://www.hermann-uwe.de/taxonomy/term/1941
“there’s a measurable difference in CPU load while tranferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock)”
Lot of recent Padlock benchmarks and setup instructions for Linux Kernel 2.6.25:
Interesting. At the moment I have compiled only the module geode-aes for the hardware encryption support of the Geode LX CPU availables in the ALIX and Soekris board.
Regards
FulvioGreat! Do you have any VPN benchmarks?
Geode LX are even cooler than VIA C7 and Soekris 4-port board is unique. Unfortunately ALIX and Soekris are not distributed here in Russia 🙁
No, I haven’t. I have just included the geode_aes module in the Kernel compilation. In the next release I am going to configure OpenSSL to use it for encrypting.
Regards
FulvioHi,
I’m also interested in ZeroShell to use the hardware encryption support of the Geode LX CPU for OpenVPN.
But I can’t find any evidence for it and the throughput in OpenVPN L2L configuration is poor. I’m using ZeroShell 3.7.1 on Alix 2D13 system.As I understood, the encryption of OpenVPN bases on OpenSSL. Here is the output of “openssl engine -t -c”:
(dynamic) Dynamic engine loading support
[ unavailable ]
When OpenSSL could use the hardware acceleration, output should be like:
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
Is there a way to get the hardware acceleration working?
- You must be logged in to reply to this topic.