Netgate Discussion Forum

    Cavium Nitrox support?

      solignis

      Hi there,

      I was wondering if pfSense (or FreeBSD) ever got proper support for the Cavium Nitrox CN505?

      I have seen in a few posts regarding the Watchguard boxes that there were issues with the chip not being supported correctly in pfSense.

      From what I found about the chip in some sales stuff from Cavium, the chip has drivers for BSD.

      Here is one of the things I found that mentions the chip:
      http://www.cavium.com/pdfFiles/N-Lite505-IPsec-1.2v2.pdf?x=1

        stephenw10 Netgate Administrator

        They will only provide the drivers via some closed method, binary blob or NDA, and usually only after you've purchased their SDK. It will never make it into FreeBSD under those conditions. You would need some sort of firmware upload style implementation or something like NDISgen. That said, if you find anything I'm sure there are many people here who would take advantage of it.  ;)
        That chip is getting quite old now; who knows, perhaps Cavium could suddenly see the light and release some source. Trying to get support for one of SafeNet's chips, we found a guy who seemed happy to release the SDK for it, which included BSD code. However, it was not at all straightforward, more like a set of instructions for writing your own driver, which is beyond me. I'm sure there would have had to be some licensing change if we had actually wanted to use it anyway.

        Steve

          solignis

          I am not expecting them to really give me a lot of information, but I sent an email to Cavium requesting more information. If what you are saying is the case, they will probably just send me some canned letter pretty much saying NO!

          I am not too familiar with driver distribution methods, but wouldn't a binary blob work? Sounds like it would be precompiled. Could it possibly make it into pfSense as a package if a precompiled binary was used?

          Well I had told them in the email I am only looking for the driver, I don't care about their testing boards and stuff.

          I myself do not possess any skill to write a driver. I just thought that by contacting them I might be able to get the ball rolling and possibly the code, and have someone else assist in compiling it (or something like that).

            stephenw10 Netgate Administrator

            Ideally (other than providing source code!) we would want a precompiled kernel module for FreeBSD 8.3. That could then be very easily loaded into pfSense 2.1. It would have to tie into the FreeBSD crypto framework, though, in order to be used by the various functions like IPSec VPN.
            The problem with that is that when pfSense moves to a FreeBSD 9 base that will require a new kernel module from whoever produced it.

            Steve

              solignis

              Oh joy! Well that would complicate things. I am still waiting to hear back from Cavium.

                jimp Rebel Alliance Developer Netgate

                We tried doing that for a customer and hit the same roadblock. We could get the driver to attach to the card, but it wasn't hooked into FreeBSD's crypto framework at all, so it was essentially useless for what the customer wanted.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  solignis

                  I am not very knowledgeable about the workings of FreeBSD. What do you mean by the crypto framework? Is it some kind of API?

                  Based on what I was reading about OpenSSL, to use hardware crypto you need to edit the openssl.cnf file. Is this not the same on FreeBSD?

                    jimp Rebel Alliance Developer Netgate

                    The device has to hook into the OS in a way that the crypto(9) API understands, or very few (if any) services will know what to do with it.

                    I don't recall 100% but I think even OpenSSL failed to see the card in any usable way when we tried it. I think it required that whatever wanted to use the card had to be custom coded to talk to the card, but it's been a while since that all happened.

                    1 Reply Last reply Reply Quote 0
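Whether OpenSSL "sees" anything through `/dev/crypto`, the point raised in the post above, can be read from `openssl engine -t -c`. This is an added example, not part of the original thread: it parses that command's output, assumes the engine id `cryptodev` used by OpenSSL builds of that era, and runs on a constructed sample rather than output from a real Nitrox system.

```shell
#!/bin/sh
# Constructed sample of `openssl engine -t -c` output (not captured from a
# real system). Each engine has a header line "(id) name", an optional
# capability list in brackets, and a test result line.
sample_engine_output() {
cat <<'EOF'
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
EOF
}

# engine_status ID
# Reads engine listing on stdin; prints "available", "unavailable",
# "unknown" (engine listed, no test result) or "absent" (not listed).
engine_status() {
    awk -v id="($1)" '
        $1 == id                       { found = 1; inblock = 1; next }
        /^\(/                          { inblock = 0 }
        inblock && /\[ available \]/   { print "available";   done = 1; exit }
        inblock && /\[ unavailable \]/ { print "unavailable"; done = 1; exit }
        END { if (!done) print (found ? "unknown" : "absent") }
    '
}

# engine_algorithms ID
# Prints the comma-separated algorithm list the engine advertises, or
# nothing if it advertises none (the "not usable" case from the thread).
engine_algorithms() {
    awk -v id="($1)" '
        $1 == id                     { inblock = 1; next }
        /^\(/                        { inblock = 0 }
        inblock && /^ \[[A-Za-z0-9]/ { gsub(/^ \[|\]$/, ""); print; exit }
    '
}

# On a live system: openssl engine -t -c | engine_status cryptodev
echo "cryptodev: $(sample_engine_output | engine_status cryptodev)"
echo "algorithms: $(sample_engine_output | engine_algorithms cryptodev)"
```

An engine that is available but advertises no algorithms gives OpenSSL nothing to offload, regardless of which kernel modules are attached to the card.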
                      solignis

                      Well, I contacted Cavium by phone today; the lady I talked to was not someone who could help me. She said she will put me in touch with someone from the Nitrox dept about my request. Hopefully this actually goes somewhere. It would be awesome to make full use of the Watchguard devices, even if by a separate package or something not built in to FreeBSD.

                        stephenw10 Netgate Administrator

                        I don't hold out much hope but I'll wish you luck anyway.  ;)
                        Give me a shout if you need any testing done.

                        Steve

                          cyruspy

                          Any update on this?  ;D

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.