ZeroShell support for VIA Eden Padlock Security Engine?

Home Page Forums Network Management Embedded Devices ZeroShell support for VIA Eden Padlock Security Engine?

This topic contains 2 replies, has 0 voices, and was last updated by  KLGIT 9 years, 10 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #41788

    KLGIT
    Member

    The VIA Eden CPU’s found in a lot of the newer embedded platforms, like my new iBASE FWA7304-1G’s that I just bought, include a hardware encryption acceleration engine. VIA supports Linux, in fact some of the features and code they provided are designed for Linux.
    It seems like this would be a great combo with Zeroshell.

    Does Zeroshell currently take advantage of the VIA encryption acceleration hardware?

    Thanks

    Ref.
    VIA Eden – http://www.via.com.tw/en/products/processors/eden_ulv/
    VIA Padlock Software – http://www.via.com.tw/en/initiatives/padlock/software.jsp
    iBASE FWA7304 – http://www.ibase.com.tw/2009/fwa7304g.html

    #48446

    KLGIT
    Member

    aseques posted this, I believe in answer to THIS post, but accidentally replied it to another post of mine.
    I’ll quote here and then answer here to bring the conversation back here.

    Doing a fast search it seems that there’s no problem to have it in Linux (as far as you’ve the right versions).

    Kernel newer than 2.6.19 (like zeroshell) should have support build in:
    http://www.logix.cz/michal/devel/padlock/

    Portable openssh has support too:
    https://bugzilla.mindrot.org/show_bug.cgi?id=1437

    Openssl 0.9.8e should have it included too (lenny’s version is 0.9.8g)

    So have a look to the versions on zeroshell, and please post the results

    You are right! Zeroshell 1.0beta12 does seem to have Padlock support built in. At least for OpenSSL. I’ll test more later.

    For now, here are my results for OpenSSL.


    root@zeroshell root> openssl speed -evp aes-128-ecb
    Doing aes-128-ecb for 3s on 16 size blocks: 2514961 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 670904 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 171155 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 43010 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 8192 size blocks: 5384 aes-128-ecb's in 3.00s
    OpenSSL 0.9.8k 25 Mar 2009
    built on: Sat May 9 12:34:22 CEST 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
    aes-128-ecb 13413.13k 14312.62k 14605.23k 14680.75k 14701.91k

    Now with Padlock


    root@zeroshell root> openssl speed -evp aes-128-ecb -engine padlock
    engine "padlock" set.
    Doing aes-128-ecb for 3s on 16 size blocks: 8347197 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 5318052 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 2197573 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 717930 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 8192 size blocks: 106649 aes-128-ecb's in 3.00s
    OpenSSL 0.9.8k 25 Mar 2009
    built on: Sat May 9 12:34:22 CEST 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
    aes-128-ecb 44518.38k 113451.78k 187526.23k 245053.44k 291222.87k

    As you can see, the performance increase with Padlock enabled is HUGE.

    Here are the final numbers again for comparison


    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
    no padlock aes-128-ecb 13413.13k 14312.62k 14605.23k 14680.75k 14701.91k
    w/ padlock aes-128-ecb 44518.38k 113451.78k 187526.23k 245053.44k 291222.87k

    In the 8k block size, the performance improvement is 20X !

    For reference and to see just how fast Padlock is, here is the same test run on my Dell server with a 3GHz PentiumD-64bit


    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
    aes-128-ecb 97745.47k 104677.59k 110004.92k 111115.99k 110676.65k

    Now I just have to figure out how to get all everything in Zeroshell to use padlock by default.

    Also, if I find any other benchmarks or tests, I’ll run and post them.
    Meanwhile, this is something to consider if you want to put together a high bang for the buck router.
    This one I’m testing on cost under $500 Canadian with a 1GHz CPU and 1GB of RAM.

    FYI


    root@zeroshell root> cat /proc/cpuinfo
    processor : 0
    vendor_id : CentaurHauls
    cpu family : 6
    model : 10
    model name : VIA Esther processor 1000MHz
    stepping : 9
    cpu MHz : 997.611
    cache size : 128 KB
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 1
    wp : yes
    flags : fpu vme de pse tsc msr pae mce apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
    bogomips : 1997.89
    clflush size : 64
    
    
    		
    	
    #48447

    tamws
    Member

    From the “openvpn –help”:

    –engine [name] : Enable OpenSSL hardware crypto engine functionality.

    And this reference:
    http://openvpn.net/archive/openvpn-users/2005-04/msg00093.html

    I think you can add this openvpn optional parameter: –engine padlock
    in zeroshell to enable the padlock function.

    Do tell us the result, thanks! 🙂

    Vincent

    #48448

    KLGIT
    Member

    tamws: That’s a good tip. I’ve just gone and added it to the OpenVPN command line options.

    In the bigger picture though, it would be nice to have the option to check one box and have all padlock supported functions be accelerated on supported hardware. This way you don’t have to add options or edit configs for every function individually. Given the number of VIA embedded platform options out there, this would be a good way for less technical users to take advantage of the encryption acceleration. It would even help more technical sysadmins as it would be much quicker than digging through the system to enable all accelerated functions plus it would make it less likely that one would be missed or that a typo in one would break something. Basically the KISS rule applied to the user interface.

    Thanks for the reply and the excellent tip.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.