Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Does 2.0-RC3 support BCM5823 cryptographic accelerator?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    3
    8
    4.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      macafee
      last edited by

      My Pfsense's version is 2.0-RC3 nanobsd (4g) (i386) built on Tue Jun 21 18:21:10 EDT 2011.
      Today, I get a BCM5823 cryptographic accelerator and install it on the pfsense. I see the "ubsec0 mem 0xe3080000-0xe308ffff irq 7 at device 10.0 on pci0 ubsec0: [ITHREAD] ubsec0: Broadcom 5823" in the dmesg. And the "cryptosoft0: <software crypto="">on motherboard
      padlock0: No ACE support." in the dmesg, too.
      I have tested it according to the "http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported", but the result is same.

      $ openssl speed -evp aes-128-cbc
OpenSSL 0.9.8n 24 Mar 2010
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc   59104416.00k 64965120.00k 66591488.00k 67173376.00k 67313664.00k

      $ openssl speed -evp aes-128-cbc -engine cryptodev
OpenSSL 0.9.8n 24 Mar 2010
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc   58864640.00k 64645248.00k 66419712.00k 66939904.00k 67141632.00k

      Is the BCM5823 cryptographic accelerator working? If not, how to do it?</software>

      1 Reply Last reply Reply Quote 0
      • M
        macafee
        last edited by

        Nobody know this problem?

        1 Reply Last reply Reply Quote 0
        • W
          wallabybob
          last edited by

          I don't know if this explains your problem but old enough crypto accelerators are slower than new enough CPUs.

          I have no idea of the age of your crypto accelerator nor the age of your CPU.

          1 Reply Last reply Reply Quote 0
          • N
            Nachtfalke
            last edited by

            you could go to SERVICES - OpenVPN and configure a server. There is a pulldown menu for accelerators. Perhaps it will be shown there. With my Xenon CPU there is only "BSD cryptodev".

            1 Reply Last reply Reply Quote 0
            • M
              macafee
              last edited by

              @wallabybob:

              I don't know if this explains your problem but old enough crypto accelerators are slower than new enough CPUs.

              I have no idea of the age of your crypto accelerator nor the age of your CPU.

              My CPU is celeron 1Ghz.

              1 Reply Last reply Reply Quote 0
              • M
                macafee
                last edited by

                @Nachtfalke:

                you could go to SERVICES - OpenVPN and configure a server. There is a pulldown menu for accelerators. Perhaps it will be shown there. With my Xenon CPU there is only "BSD cryptodev".

                In the OpenVPN config, there are 3 items:
                1.No Hardware Crypto Acceleration
                2.BSD cryptodev engine
                3.VIA Padlock(no-RNG,no-ACE)

                1 Reply Last reply Reply Quote 0
                • N
                  Nachtfalke
                  last edited by

                  Hmm,

                  if I tested OpenVPN in the past with a Celeron 1.6GHz CPU I had both engines, too. So I don't think that your accelerator is supported "out of the box".

                  I tried with:

                  openssl speed aes-256-cbc -engine padlock

                  And get some errors not finding libpadlock.so (In the pulldown menu there is not VIA Padlock as it is in your case).

                  
[HEAD][admin@pfsense1.hpa]/root(13): openssl speed aes-256-cbc -engine padlock
invalid engine "padlock"
55998:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
55998:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
55998:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
55998:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:415:id=padlock
55998:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
55998:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
55998:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:

                  openssl is searching for files in this directory:

                  
[HEAD][admin@pfsense]/usr/lib/engines(17): ls -la
total 172
drwxr-xr-x  2 root  wheel    512 Jul  1 03:22 .
drwxr-xr-x  6 root  wheel   7168 Jul  1 04:31 ..
-r--r--r--  1 root  wheel  20480 Jul  1 03:22 lib4758cca.so
-r--r--r--  1 root  wheel  16656 Jul  1 03:22 libaep.so
-r--r--r--  1 root  wheel  16248 Jul  1 03:22 libatalla.so
-r--r--r--  1 root  wheel  25504 Jul  1 03:22 libchil.so
-r--r--r--  1 root  wheel  20784 Jul  1 03:22 libcswift.so
-r--r--r--  1 root  wheel  12192 Jul  1 03:22 libnuron.so
-r--r--r--  1 root  wheel  25144 Jul  1 03:22 libsureware.so
-r--r--r--  1 root  wheel  20688 Jul  1 03:22 libubsec.so

                  Perhaps you have to find out how to get your accelerator work with openssl.

                  1 Reply Last reply Reply Quote 0
                  • M
                    macafee
                    last edited by

                    It is very strange. When I run " openssl speed aes-256-cbc -engine padlock ", it display:

                    $ openssl speed aes-256-cbc -engine padlock
OpenSSL 0.9.8n 24 Mar 2010
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc   46770864.00k 48338688.00k 48958464.00k 48905216.00k 48988160.00k

                    When I run "openssl speed aes-256-cbc -engine cryptodev", it display:```
                    $ openssl speed aes-256-cbc -engine cryptodev
                    OpenSSL 0.9.8n 24 Mar 2010
                    built on: date not available
                    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
                    compiler: cc
                    available timing options: USE_TOD HZ=128 [sysconf value]
                    timing function used: getrusage
                    The 'numbers' are in 1000s of bytes per second processed.
                    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                    aes-256 cbc  46375136.00k 48188992.00k 48698624.00k 48657408.00k 48701440.00k

                    
The results are same. It didn't report any errors. But I think the BCM5823 cryptographic accelerator is working. Because I run the "openssl speed aes-256-cbc" on the INTEL D510 ATOM CPU, the resulte is "

> %openssl speed aes-256-cbc
> To get the most accurate results, try to run this
> program when this computer is idle.
> Doing aes-256 cbc for 3s on 16 size blocks: 3360500 aes-256 cbc's in 3.00s
> Doing aes-256 cbc for 3s on 64 size blocks: 870605 aes-256 cbc's in 3.00s
> Doing aes-256 cbc for 3s on 256 size blocks: 219803 aes-256 cbc's in 3.00s
> Doing aes-256 cbc for 3s on 1024 size blocks: 55177 aes-256 cbc's in 3.00s
> Doing aes-256 cbc for 3s on 8192 size blocks: 6817 aes-256 cbc's in 3.00s
> OpenSSL 0.9.8q 2 Dec 2010
> built on: date not available
> options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
> compiler: cc
> available timing options: USE_TOD HZ=128 [sysconf value]
> timing function used: getrusage
> The 'numbers' are in 1000s of bytes per second processed.
> type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
> aes-256 cbc      17913.94k    18567.19k    18767.78k    18826.61k    18606.98k
                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post