ZeroShell support for VIA Eden Padlock Security Engine?
July 14, 2009 at 10:11 pm #41788
KLGIT
Member
The VIA Eden CPUs found in a lot of the newer embedded platforms, like my new iBASE FWA7304-1G’s that I just bought, include a hardware encryption acceleration engine. VIA supports Linux, in fact some of the features and code they provided are designed for Linux.
It seems like this would be a great combo with Zeroshell.
Does Zeroshell currently take advantage of the VIA encryption acceleration hardware?
Thanks
Ref.
VIA Eden – http://www.via.com.tw/en/products/processors/eden_ulv/
VIA Padlock Software – http://www.via.com.tw/en/initiatives/padlock/software.jsp
iBASE FWA7304 – http://www.ibase.com.tw/2009/fwa7304g.html
July 16, 2009 at 7:11 pm #48446
KLGIT
Member
aseques posted this, I believe in answer to THIS post, but accidentally posted it as a reply to another post of mine.
I’ll quote it here and then answer here to bring the conversation back here.
Doing a fast search, it seems that there’s no problem having it in Linux (as long as you have the right versions).
Kernels newer than 2.6.19 (like zeroshell) should have support built in:
http://www.logix.cz/michal/devel/padlock/
Portable openssh has support too:
https://bugzilla.mindrot.org/show_bug.cgi?id=1437
Openssl 0.9.8e should have it included too (lenny’s version is 0.9.8g)
So have a look at the versions on zeroshell, and please post the results
You are right! Zeroshell 1.0beta12 does seem to have Padlock support built in. At least for OpenSSL. I’ll test more later.
For now, here are my results for OpenSSL.
root@zeroshell root> openssl speed -evp aes-128-ecb
Doing aes-128-ecb for 3s on 16 size blocks: 2514961 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 670904 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 171155 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 43010 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 5384 aes-128-ecb's in 3.00s
OpenSSL 0.9.8k 25 Mar 2009
built on: Sat May 9 12:34:22 CEST 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ecb 13413.13k 14312.62k 14605.23k 14680.75k 14701.91k
Now with Padlock
root@zeroshell root> openssl speed -evp aes-128-ecb -engine padlock
engine "padlock" set.
Doing aes-128-ecb for 3s on 16 size blocks: 8347197 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 5318052 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 2197573 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 717930 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 106649 aes-128-ecb's in 3.00s
OpenSSL 0.9.8k 25 Mar 2009
built on: Sat May 9 12:34:22 CEST 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ecb 44518.38k 113451.78k 187526.23k 245053.44k 291222.87k
As you can see, the performance increase with Padlock enabled is HUGE.
Here are the final numbers again for comparison
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
no padlock aes-128-ecb 13413.13k 14312.62k 14605.23k 14680.75k 14701.91k
w/ padlock aes-128-ecb 44518.38k 113451.78k 187526.23k 245053.44k 291222.87k
In the 8k block size, the performance improvement is 20X!
For reference and to see just how fast Padlock is, here is the same test run on my Dell server with a 3GHz PentiumD-64bit
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ecb 97745.47k 104677.59k 110004.92k 111115.99k 110676.65k
Now I just have to figure out how to get everything in Zeroshell to use padlock by default.
Also, if I find any other benchmarks or tests, I’ll run and post them.
Meanwhile, this is something to consider if you want to put together a high bang for the buck router.
This one I’m testing on cost under $500 Canadian with a 1GHz CPU and 1GB of RAM.
FYI
root@zeroshell root> cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 10
model name : VIA Esther processor 1000MHz
stepping : 9
cpu MHz : 997.611
cache size : 128 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
bogomips : 1997.89
clflush size : 64
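An added example, not part of the original posts: a small shell check for the two things the post above shows, the PadLock flags in /proc/cpuinfo and the `openssl speed` summary rows. The function names are hypothetical, and reading the `_en` suffix as "unit enabled" is an assumption based on the Linux kernel's naming of these CPU flags.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: a flag "X" means the PadLock unit exists and "X_en" means it is
# switched on (rng = random number generator, ace/ace2 = AES engine,
# phe = hash engine, pmm = Montgomery multiplier).

# padlock_units FILE: print "<unit> <status>" for each PadLock unit, using the
# first "flags" line of a cpuinfo-style file.
padlock_units() {
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    for unit in rng ace ace2 phe pmm; do
        case " $flags " in
            *" ${unit}_en "*) echo "$unit enabled" ;;
            *" $unit "*)      echo "$unit present-but-disabled" ;;
            *)                echo "$unit absent" ;;
        esac
    done
}

# aes_ready FILE: succeed only if the AES unit is enabled, i.e. only then is
# it worth selecting the padlock engine for AES workloads.
aes_ready() {
    padlock_units "$1" | grep -qx 'ace enabled'
}

# speed_ratio BASE_ROW ENGINE_ROW: per-block-size speedup computed from two
# "openssl speed" summary rows (the trailing "k" on each figure is ignored).
speed_ratio() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= NF; i++) base[i] = $i + 0; next }
        { out = ""
          for (i = 2; i <= NF; i++)
              out = out sprintf("%s%.1f", (i > 2 ? " " : ""), ($i + 0) / base[i])
          print out }'
}
```

On the router itself this would be run as `padlock_units /proc/cpuinfo`, and `speed_ratio` takes the two `aes-128-ecb` rows from the benchmark runs as quoted arguments.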
July 22, 2009 at 11:35 am #48447
tamws
Member
From the “openvpn --help”:
--engine [name] : Enable OpenSSL hardware crypto engine functionality.
And this reference:
http://openvpn.net/archive/openvpn-users/2005-04/msg00093.html
I think you can add this openvpn optional parameter: --engine padlock
in zeroshell to enable the padlock function.
Do tell us the result, thanks! 🙂
Vincent
July 22, 2009 at 2:11 pm #48448
KLGIT
Member
tamws: That’s a good tip. I’ve just gone and added it to the OpenVPN command line options.
In the bigger picture though, it would be nice to have the option to check one box and have all padlock supported functions be accelerated on supported hardware. This way you don’t have to add options or edit configs for every function individually. Given the number of VIA embedded platform options out there, this would be a good way for less technical users to take advantage of the encryption acceleration. It would even help more technical sysadmins as it would be much quicker than digging through the system to enable all accelerated functions plus it would make it less likely that one would be missed or that a typo in one would break something. Basically the KISS rule applied to the user interface.
Thanks for the reply and the excellent tip.