SG-1000 Hardware Crypto Acceleration - Not clear how to enable
-
If I understand correctly, the SG-1000 has a hardware crypto accelerator on the board. I've recently received my unit and have been setting up a Site to Site OpenVPN connection to another pfSense box.
Under System -> Advanced - Miscellaneous the only option under Cryptographic Acceleration is AES-NI (which isn't an option for this hardware).
Under the Cryptographic Settings - Hardware Crypto section in the OpenVPN Server/Client settings the only option is No Hardware Crypto Acceleration.
Is the SG-1000 Hardware Accelerator enabled out of the box without having to do anything further or is this a bug/feature still to be implemented?
-
OpenVPN would not be able to utilize crypto hardware.
-
OpenVPN would not be able to utilize crypto hardware.
Why? It certainly does on x86.
-
https://forum.pfsense.org/index.php?topic=107329.0 It looks like it was discussed here.
-
Beyond that, there's no driver for the accelerator.
-
https://forum.pfsense.org/index.php?topic=107329.0 It looks like it was discussed here.
That is a very meandering and internally contradictory thread. Bottom line: crypto acceleration does work with openvpn. In most cases on modern x86 hardware it uses AES-NI and works best with no cryptodev module loaded. But for other accelerators it will use whatever cryptodev module is loaded or another engine if compiled into openssl. In most cases on modern x86 hardware the AES-NI is faster than whatever crypto card was cool 5 years ago, so there's no point in doing this.
None of this makes any assertion of whether crypto acceleration is working on the SG-1000, only that there's no reason it wouldn't work in openvpn if built for the platform.
-
Informational:
http://processors.wiki.ti.com/index.php/AM335x_Crypto_Performance
-
There's no FreeBSD driver for the crypto hardware yet so it's not used in the current 2.4 snaps.
That does mean there is scope for significant improvement in a future update. ;)
Steve
-
There's no FreeBSD driver for the crypto hardware yet so it's not used in the current 2.4 snaps.
That does mean there is scope for significant improvement in a future update. ;)
Steve
Raised a feature request in redmine: https://redmine.pfsense.org/issues/7212
-
OpenVPN would not be able to utilize crypto hardware.
Actually, for the transforms that the crypto supports, it could, via the cryptodev driver.
Of course, now you're making 3-4 round trips to the kernel, per packet.
Two for OpenVPN, because tun/tap.
One or two more for AES and, if you have it enabled, SHA or MD5 as authentication.
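A way to check, from a shell on the pfSense box, which OpenSSL engines and transforms are actually reachable and what they are worth in throughput, as an added example that is not code from any poster in this thread. It assumes FreeBSD's engine id `cryptodev` and the OpenSSL 1.0.x output layout of `openssl engine -t -c` and `openssl speed`; any sample output used to exercise the parsers is constructed.

```shell
#!/bin/sh
# Added example: is a crypto engine reachable by OpenSSL (and so by OpenVPN),
# and how does it compare with the software cipher? Assumed: engine id
# "cryptodev", OpenSSL 1.0.x output format, modules cryptodev.ko / aesni.ko.
set -e

# Exit 0 if engine $1 shows "[ available ]" in 'openssl engine -t -c' output on stdin.
engine_available() {
    awk -v id="$1" '
        BEGIN { hdr = "(" id ")" }
        $1 == hdr { found = 1; next }        # header: "(cryptodev) BSD cryptodev engine"
        found && /^\(/ { found = 0 }         # next engine header ends this block
        found && /\[ available \]/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Exit 0 if engine $1 lists transform $2 (e.g. AES-256-CBC) on its capability line.
engine_supports() {
    awk -v id="$1" -v want="$2" '
        BEGIN { hdr = "(" id ")" }
        $1 == hdr { found = 1; next }
        found && /^\(/ { found = 0 }
        found && /^ \[/ {                    # " [RSA, DSA, DH, AES-256-CBC, SHA1]"
            n = split($0, caps, /[][, ]+/)
            for (i = 1; i <= n; i++) if (caps[i] == want) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Print the 1024-byte-block column (1000s of bytes/s) for cipher $1 from 'openssl speed' output.
throughput_1k() {
    awk -v alg="$1" '
        $1 == alg && NF >= 5 { v = $5; sub(/k$/, "", v); print v; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check, only meaningful on the box itself; harmless elsewhere.
if command -v openssl >/dev/null 2>&1; then
    kldstat 2>/dev/null | grep -E 'cryptodev|aesni' || echo "no cryptodev/aesni module loaded"
    eng=$(openssl engine -t -c 2>/dev/null || true)
    if printf '%s\n' "$eng" | engine_available cryptodev; then
        printf '%s\n' "$eng" | engine_supports cryptodev AES-256-CBC \
            && echo "cryptodev offers AES-256-CBC" || echo "cryptodev lacks AES-256-CBC"
        sw=$(openssl speed -evp aes-256-cbc -elapsed 2>/dev/null | throughput_1k aes-256-cbc) || sw="n/a"
        hw=$(openssl speed -evp aes-256-cbc -elapsed -engine cryptodev 2>/dev/null \
             | throughput_1k aes-256-cbc) || hw="n/a"
        echo "aes-256-cbc, 1KiB blocks: software ${sw}k/s, cryptodev ${hw}k/s"
    else
        echo "cryptodev engine not available: OpenSSL uses its software AES (AES-NI on x86 if present)"
    fi
fi
```

A software figure well above the engine figure is the "round trips to the kernel per packet" effect described above; an engine that is listed but "[ unavailable ]" usually means /dev/crypto has no driver behind it.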