Cavium Nitrox support?
-
Hi there,
I was wondering if pfSense (or FreeBSD) ever got proper support for the Cavium Nitrox CN505?
I has seen in a few posts regarding the Watchguard boxes that there were issues with the chip not being supported correctly in pfSense.
From what I found about the chip in some sales stuff from Cavium the chip has drivers for BSD.
Here is one of the things I found that mentions the chip;
http://www.cavium.com/pdfFiles/N-Lite505-IPsec-1.2v2.pdf?x=1 -
They will only provide the drivers via some closed method, binary blob or NDA, and usually only after you've purchased their SDK. It will never make it into FreeBSD under those conditions. You would need some sort of fimeware upload style implementation or something like NDISgen. That said if you find anything I'm sure there are many people here who would take advantage of it. ;)
That chip is getting quite old now, who knows perhaps Cavium could suddenly see the light and release some source. Trying to get support for one of Safenets chips we found a guy who seemed happy to release the SDK for it which included BSD code. However it was not at all straight forward, more like a set of instructions for writing your own driver which is beyond me. I'm sure there would have had to be some licensing change if we had actually wanted to use it anyway.Steve
-
I am not expecting them to really give me a lot of information but I sent an email requesting for more information to Cavium. If what you are saying is the case they will probably just send me some canned letter pretty much saying NO!
I am not too familiar with driver distribution methods but wouldnt a binary blob work? Sounds like it would be pre compiled. Could it possibly make in to pfSense as a package if a pre-compiled binary was used?
Well I had told them in the email I am only looking for the driver, I don't care about their testing boards and stuff.
I myself do not possess any skill to write a driver, I just thought by contacting them that might be able to get the ball rolling and possibly the code and have someone else assist in compiling it (or something like that).
-
Ideally (other than providing source code!) we would want a pre compiled kernel module for FreeBSD 8.3. That could then be very easily loaded into pfSense 2.1. It would have to tie into the FreeBSD crypto framework though in order to be used by the various functions like IPSec VPN.
The problem with that is that when pfSense moves to a FreeBSD 9 base that will require a new kernel module from whoever produced it.Steve
-
Oh joy! Well that would complicate things. I am still waiting to hear back from Cavium.
-
We tried doing that for a customer and hit the same roadblock. We could get the driver to attach to the card, but it wasn't hooked into FreeBSD's crypto framework at all, so it was essentially useless for what the customer wanted.
-
I am not very knowledgeable to the workings of FreeBSD. What you mean the crypto framework? Is it some kind of API?
Based on what I was reading about OpenSSL to use hardware crypto you need to edit the openssl.cnf file. Is this not the same on FreeBSD?
-
The device has to hook into the OS in a way that the crypto(9) API understands, or very few (if any) services will know what to do with it.
I don't recall 100% but I think even OpenSSL failed to see the card in any usable way when we tried it. I think it required that whatever wanted to use the card had to be custom coded to talk to the card, but it's been a while since that all happened.
-
Well I contacted Cavium by phone today, the lady I talked to was not someone who could help me. She said she will put me in touch with someone from the Nitrox dept about my request. Hopefully this actually goes somewhere it would be awesome to make full use of the Watchguard devices even if my a separate package or something no built in to FreeBSD.
-
I don't hold out much hope but I'll wish you luck anyway. ;)
Give me shout if you need any testing done.Steve
-
Any update on this? ;D