Crypto/SSL/VPN Hardware Acceleration


This topic contains 11 replies, has 0 voices, and was last updated by  fuse 2 years, 6 months ago.

  • #40995

    fuse
    Member

    I have not seen any hardware crypto acceleration support in Zeroshell, and perhaps I have missed it either in Zeroshell or the kernel… Even in that case, I’ve stumbled across a project that would expand the capabilities of Zeroshell.

    http://ocf-linux.sourceforge.net

    The above project provides a framework for hardware ssl acceleration. Currently they support several cards and they continue to add support for more. This could be very useful for SSL based communications such as OpenVPN.

    Tell me what you think!

    #46383

    imported_fulvio
    Participant

    I am particularly interested in the possibility of activating the crypto hardware included in the AMD Geode LX processor that is the core of the new ALIX and Soekris Net5501 embedded PCs. I will investigate the project that you propose to decide if it is convenient to include it in Zeroshell.

    Thanks
    Fulvio

    #46384

    sin
    Member

    It would be nice to support VIA C3 and C7 Padlock encryption hardware acceleration which is fully opensourced:
    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

    These CPUs are fully x86 and used in cheap MiniITX motherboards. Some are completely passively cooled and have 2 Ethernet ports built in — ideal for budget boxes with Zeroshell.

    Padlock support is built into recent Linux kernels and requires OpenSSL patching to add Padlock crypto engine, details here:
    http://www.logix.cz/michal/devel/padlock/

    #46385

    sin
    Member

    Some info from the last link:

    OpenSSL 0.9.8 has AES support out of the box. The PadLock support is transparent. All you need to do is to use the kernel module padlock.ko instead of aes.ko. From then on use AES cipher as normally. However to use VIA C7 hash engine to speed up SHA1, SHA224 or SHA256 you need to patch OpenSSL.

    #46386

    sin
    Member

    Some benchmarks:
    http://www.logix.cz/michal/devel/padlock/bench.xp

    IPsec security is almost “for free”, in some cases speed up is 50%.

    OpenSSL speed up about 6 times!

    #46387

    sin
    Member

    This topic shows how to configure OpenSSL (/etc/ssl/openssl.cnf) to turn on Padlock by default without patching:

    http://ubuntuforums.org/showthread.php?t=710243

    #46388

    sin
    Member

    Someone got 34% speed up in OpenVPN benchmark using VIA C3 Padlock:

    http://osdir.com/ml/network.openvpn.user/2004-06/msg00474.html

    #46389

    sin
    Member

    Another Padlock OpenVPN benchmark:

    http://www.hermann-uwe.de/taxonomy/term/1941

    “there’s a measurable difference in CPU load while transferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock)”

    #46390

    sin
    Member

    Lots of recent Padlock benchmarks and setup instructions for Linux Kernel 2.6.25:

    http://www.a110wiki.de/wiki/VIA_Padlock

    #46391

    imported_fulvio
    Participant

    Interesting. At the moment I have compiled only the module geode-aes for the hardware encryption support of the Geode LX CPU available in the ALIX and Soekris boards.

    Regards
    Fulvio

    #46392

    sin
    Member

    Great! Do you have any VPN benchmarks?

    Geode LX are even cooler than VIA C7 and Soekris 4-port board is unique. Unfortunately ALIX and Soekris are not distributed here in Russia 🙁

    #46393

    imported_fulvio
    Participant

    No, I haven’t. I have just included the geode_aes module in the Kernel compilation. In the next release I am going to configure OpenSSL to use it for encrypting.

    Regards
    Fulvio

    #46394

    TheNanny
    Member

    Hi,
    I’m also interested in ZeroShell to use the hardware encryption support of the Geode LX CPU for OpenVPN.
    But I can’t find any evidence for it and the throughput in OpenVPN L2L configuration is poor. I’m using ZeroShell 3.7.1 on Alix 2D13 system.

    As I understood, the encryption of OpenVPN is based on OpenSSL. Here is the output of “openssl engine -t -c”:

    (dynamic) Dynamic engine loading support
    [ unavailable ]

    When OpenSSL could use the hardware acceleration, the output should look like:

    (cryptodev) BSD cryptodev engine
    [RSA, DSA, DH, AES-128-CBC]
    [ available ]
    (dynamic) Dynamic engine loading support
    [ unavailable ]

    Is there a way to get the hardware acceleration working?
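
The check described in the last post can be scripted. The following is an added example, not part of the thread or of Zeroshell: it parses `openssl engine -t -c` output and lists the engines that are both available and advertise an AES cipher. The function names are hypothetical, and the two samples are the outputs quoted in the post.

```shell
#!/bin/sh
# Parse `openssl engine -t -c` output read from stdin into one line per engine:
#   <engine id>|<available|unavailable|unknown>|<capability list>
parse_engines() {
    awk '
        function emit() { if (id != "") print id "|" status "|" caps }
        /^[ \t]*\([^)]+\)/ {                      # "(cryptodev) BSD cryptodev engine"
            emit()
            id = $0
            sub(/^[ \t]*\(/, "", id); sub(/\).*/, "", id)
            status = "unknown"; caps = ""
            next
        }
        /^[ \t]*\[[ \t]*(un)?available[ \t]*\]/ { # "[ available ]" / "[ unavailable ]"
            status = ($0 ~ /unavailable/) ? "unavailable" : "available"
            next
        }
        /^[ \t]*\[.*\]/ {                         # "[RSA, DSA, DH, AES-128-CBC]"
            caps = $0
            sub(/^[ \t]*\[/, "", caps); sub(/\][ \t]*$/, "", caps)
            next
        }
        END { emit() }
    '
}

# Print the ids of engines that are usable and offer at least one AES cipher.
aes_engines() {
    parse_engines | awk -F'|' '$2 == "available" && $3 ~ /AES/ { print $1 }'
}

# Samples taken from the two outputs quoted in the post above.
SAMPLE_NO_ACCEL='(dynamic) Dynamic engine loading support
     [ unavailable ]'
SAMPLE_ACCEL='(cryptodev) BSD cryptodev engine
     [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

if [ "${1:-}" = "--live" ]; then
    openssl engine -t -c | aes_engines            # check the running system
else
    printf '%s\n' "$SAMPLE_ACCEL" | aes_engines   # prints: cryptodev
fi
```

An empty result, as with the first sample, means OpenSSL has no usable engine exposing AES, so OpenVPN falls back to software encryption regardless of which kernel modules are loaded.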
