ZeroShell support for VIA Eden Padlock Security Engine?

Forums Network Management Embedded Devices ZeroShell support for VIA Eden Padlock Security Engine?

  • This topic is empty.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • July 14, 2009 at 10:11 pm #41788
    KLGIT
    Member

    The VIA Eden CPU’s found in a lot of the newer embedded platforms, like my new iBASE FWA7304-1G’s that I just bought, include a hardware encryption acceleration engine. VIA supports Linux, in fact some of the features and code they provided are designed for Linux.
    It seems like this would be a great combo with Zeroshell.

    Does Zeroshell currently take advantage of the VIA encryption acceleration hardware?

    Thanks

    Ref.
    VIA Eden – http://www.via.com.tw/en/products/processors/eden_ulv/
    VIA Padlock Software – http://www.via.com.tw/en/initiatives/padlock/software.jsp
    iBASE FWA7304 – http://www.ibase.com.tw/2009/fwa7304g.html

    July 16, 2009 at 7:11 pm #48446
    KLGIT
    Member

    aseques posted this, I believe in answer to THIS post, but accidentally replied it to another post of mine.
    I’ll quote here and then answer here to bring the conversation back here.

    Doing a fast search it seems that there’s no problem to have it in Linux (as far as you’ve the right versions).

    Kernel newer than 2.6.19 (like zeroshell) should have support build in:
    http://www.logix.cz/michal/devel/padlock/

    Portable openssh has support too:
    https://bugzilla.mindrot.org/show_bug.cgi?id=1437

    Openssl 0.9.8e should have it included too (lenny’s version is 0.9.8g)

    So have a look to the versions on zeroshell, and please post the results

    You are right! Zeroshell 1.0beta12 does seem to have Padlock support built in. At least for OpenSSL. I’ll test more later.

    For now, here are my results for OpenSSL.


    
root@zeroshell root> openssl speed -evp aes-128-ecb
    
Doing aes-128-ecb for 3s on 16 size blocks: 2514961 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 64 size blocks: 670904 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 256 size blocks: 171155 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 1024 size blocks: 43010 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 8192 size blocks: 5384 aes-128-ecb's in 3.00s
    
OpenSSL 0.9.8k 25 Mar 2009
    
built on: Sat May  9 12:34:22 CEST 2009
    
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    
available timing options: TIMES TIMEB HZ=100 [sysconf value]
    
timing function used: times
    
The 'numbers' are in 1000s of bytes per second processed.
    
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    
aes-128-ecb      13413.13k    14312.62k    14605.23k    14680.75k    14701.91k

    Now with Padlock


    
root@zeroshell root> openssl speed -evp aes-128-ecb -engine padlock
    
engine "padlock" set.
    
Doing aes-128-ecb for 3s on 16 size blocks: 8347197 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 64 size blocks: 5318052 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 256 size blocks: 2197573 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 1024 size blocks: 717930 aes-128-ecb's in 3.00s
    
Doing aes-128-ecb for 3s on 8192 size blocks: 106649 aes-128-ecb's in 3.00s
    
OpenSSL 0.9.8k 25 Mar 2009
    
built on: Sat May  9 12:34:22 CEST 2009
    
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    
available timing options: TIMES TIMEB HZ=100 [sysconf value]
    
timing function used: times
    
The 'numbers' are in 1000s of bytes per second processed.
    
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    
aes-128-ecb      44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

    As you can see, the performance increase with Padlock enabled is HUGE.

    Here are the final numbers again for comparison


    
The 'numbers' are in 1000s of bytes per second processed.
    
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    
no padlock aes-128-ecb      13413.13k    14312.62k    14605.23k    14680.75k    14701.91k
    
w/ padlock aes-128-ecb      44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

    In the 8k block size, the performance improvement is 20X !

    For reference and to see just how fast Padlock is, here is the same test run on my Dell server with a 3GHz PentiumD-64bit


    
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    
aes-128-ecb      97745.47k   104677.59k   110004.92k   111115.99k   110676.65k

    Now I just have to figure out how to get all everything in Zeroshell to use padlock by default.

    Also, if I find any other benchmarks or tests, I’ll run and post them.
    Meanwhile, this is something to consider if you want to put together a high bang for the buck router.
    This one I’m testing on cost under $500 Canadian with a 1GHz CPU and 1GB of RAM.

    FYI


    
root@zeroshell root> cat /proc/cpuinfo
    
processor       : 0
    
vendor_id       : CentaurHauls
    
cpu family      : 6
    
model           : 10
    
model name      : VIA Esther processor 1000MHz
    
stepping        : 9
    
cpu MHz         : 997.611
    
cache size      : 128 KB
    
fdiv_bug        : no
    
hlt_bug         : no
    
f00f_bug        : no
    
coma_bug        : no
    
fpu             : yes
    
fpu_exception   : yes
    
cpuid level     : 1
    
wp              : yes
    
flags           : fpu vme de pse tsc msr pae mce apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
    
bogomips        : 1997.89
    
clflush size    : 64
    

    

		
	
    

    

			
				

    
	
    
		July 22, 2009 at 11:35 am

		
		#48447

		
		
		
	
    

    


    
	
    

		
		tamws
    Member
    
		
		
	
    

	
    

		
		
    From the “openvpn –help”:
    

    –engine [name] : Enable OpenSSL hardware crypto engine functionality.
    

    And this reference:
    
http://openvpn.net/archive/openvpn-users/2005-04/msg00093.html
    

    I think you can add this openvpn optional parameter: –engine padlock
    
in zeroshell to enable the padlock function.
    

    Do tell us the result, thanks! 🙂
    

    Vincent
    

		
	
    

    

			
				

    
	
    
		July 22, 2009 at 2:11 pm

		
		#48448

		
		
		
	
    

    


    
	
    

		
		KLGIT
    Member
    
		
		
	
    

	
    

		
		
    tamws: That’s a good tip. I’ve just gone and added it to the OpenVPN command line options.
    

    In the bigger picture though, it would be nice to have the option to check one box and have all padlock supported functions be accelerated on supported hardware. This way you don’t have to add options or edit configs for every function individually. Given the number of VIA embedded platform options out there, this would be a good way for less technical users to take advantage of the encryption acceleration. It would even help more technical sysadmins as it would be much quicker than digging through the system to enable all accelerated functions plus it would make it less likely that one would be missed or that a typo in one would break something. Basically the KISS rule applied to the user interface.
    

    Thanks for the reply and the excellent tip.
    

		
	
    

    

			
		
	
    • 

	
  • 
		
    Author
    
		
    Posts
    
	
    • 




			


	
Viewing 4 posts - 1 through 4 (of 4 total)

	





		
		

	

		

			
    
				
  • You must be logged in to reply to this topic.
    •