ZeroShell support for VIA Eden Padlock Security Engine?

[KLGIT]

The VIA Eden CPU’s found in a lot of the newer embedded platforms, like my new iBASE FWA7304-1G’s that I just bought, include a hardware encryption acceleration engine. VIA supports Linux, in fact some of the features and code they provided are designed for Linux.
It seems like this would be a great combo with Zeroshell.

Does Zeroshell currently take advantage of the VIA encryption acceleration hardware?

Thanks

Ref.
VIA Eden – http://www.via.com.tw/en/products/processors/eden_ulv/
VIA Padlock Software – http://www.via.com.tw/en/initiatives/padlock/software.jsp
iBASE FWA7304 – http://www.ibase.com.tw/2009/fwa7304g.html

[KLGIT]

aseques posted this, I believe in answer to THIS post, but accidentally replied it to another post of mine.
I’ll quote here and then answer here to bring the conversation back here.

Doing a fast search it seems that there’s no problem to have it in Linux (as far as you’ve the right versions).

Kernel newer than 2.6.19 (like zeroshell) should have support build in:
http://www.logix.cz/michal/devel/padlock/

Portable openssh has support too:
https://bugzilla.mindrot.org/show_bug.cgi?id=1437

Openssl 0.9.8e should have it included too (lenny’s version is 0.9.8g)

So have a look to the versions on zeroshell, and please post the results

You are right! Zeroshell 1.0beta12 does seem to have Padlock support built in. At least for OpenSSL. I’ll test more later.

For now, here are my results for OpenSSL.

root@zeroshell root> openssl speed -evp aes-128-ecb

Doing aes-128-ecb for 3s on 16 size blocks: 2514961 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 64 size blocks: 670904 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 256 size blocks: 171155 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 1024 size blocks: 43010 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 8192 size blocks: 5384 aes-128-ecb's in 3.00s

OpenSSL 0.9.8k 25 Mar 2009

built on: Sat May  9 12:34:22 CEST 2009

options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)

compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM

available timing options: TIMES TIMEB HZ=100 [sysconf value]

timing function used: times

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128-ecb      13413.13k    14312.62k    14605.23k    14680.75k    14701.91k

Now with Padlock

root@zeroshell root> openssl speed -evp aes-128-ecb -engine padlock

engine "padlock" set.

Doing aes-128-ecb for 3s on 16 size blocks: 8347197 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 64 size blocks: 5318052 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 256 size blocks: 2197573 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 1024 size blocks: 717930 aes-128-ecb's in 3.00s

Doing aes-128-ecb for 3s on 8192 size blocks: 106649 aes-128-ecb's in 3.00s

OpenSSL 0.9.8k 25 Mar 2009

built on: Sat May  9 12:34:22 CEST 2009

options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)

compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM

available timing options: TIMES TIMEB HZ=100 [sysconf value]

timing function used: times

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128-ecb      44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

As you can see, the performance increase with Padlock enabled is HUGE.

Here are the final numbers again for comparison

The 'numbers' are in 1000s of bytes per second processed.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

no padlock aes-128-ecb      13413.13k    14312.62k    14605.23k    14680.75k    14701.91k

w/ padlock aes-128-ecb      44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

In the 8k block size, the performance improvement is 20X !

For reference and to see just how fast Padlock is, here is the same test run on my Dell server with a 3GHz PentiumD-64bit

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128-ecb      97745.47k   104677.59k   110004.92k   111115.99k   110676.65k

Now I just have to figure out how to get all everything in Zeroshell to use padlock by default.

Also, if I find any other benchmarks or tests, I’ll run and post them.
Meanwhile, this is something to consider if you want to put together a high bang for the buck router.
This one I’m testing on cost under $500 Canadian with a 1GHz CPU and 1GB of RAM.

FYI

root@zeroshell root> cat /proc/cpuinfo

processor       : 0

vendor_id       : CentaurHauls

cpu family      : 6

model           : 10

model name      : VIA Esther processor 1000MHz

stepping        : 9

cpu MHz         : 997.611

cache size      : 128 KB

fdiv_bug        : no

hlt_bug         : no

f00f_bug        : no

coma_bug        : no

fpu             : yes

fpu_exception   : yes

cpuid level     : 1

wp              : yes

flags           : fpu vme de pse tsc msr pae mce apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en

bogomips        : 1997.89

clflush size    : 64

[tamws]

From the “openvpn –help”:

–engine [name] : Enable OpenSSL hardware crypto engine functionality.

And this reference:
http://openvpn.net/archive/openvpn-users/2005-04/msg00093.html

I think you can add this openvpn optional parameter: –engine padlock
in zeroshell to enable the padlock function.

Do tell us the result, thanks! 🙂

Vincent

[KLGIT]

tamws: That’s a good tip. I’ve just gone and added it to the OpenVPN command line options.

In the bigger picture though, it would be nice to have the option to check one box and have all padlock supported functions be accelerated on supported hardware. This way you don’t have to add options or edit configs for every function individually. Given the number of VIA embedded platform options out there, this would be a good way for less technical users to take advantage of the encryption acceleration. It would even help more technical sysadmins as it would be much quicker than digging through the system to enable all accelerated functions plus it would make it less likely that one would be missed or that a typo in one would break something. Basically the KISS rule applied to the user interface.

Thanks for the reply and the excellent tip.

[Author]

Posts