Update? SG-1100-crypto-hardware
-
Any updates on this?
"With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year."
-
Looks promising. Check out comments from jim-p in https://www.reddit.com/r/PFSENSE/comments/flwfsp/multi_vpn_connections_on_sg1100/
"In the 2.4.5 release we have coming out very shortly, we've also added an encryption acceration module driver for the hardware built into the SG-1100. It would be worth giving that a try as well once it's out."
-
Upgraded to 2.4.5 on my SG-1100 last night; however, the Crypto hardware is still shown as "inactive". I changed the drop down and rebooted. Still no luck.
Maybe it still hasn't been rolled in yet? I think that would have been a highlight in their release notes?
-
@costanzo Yes I'm surprised this doesn't appear in the release notes.
I've done a fresh install of 2.4.5 onto an SG-1100 I have here as a backup. I don't have time to put it through its paces at the moment. However, selecting 'SafeXcel and BSD Crypto Device', saving and rebooting loads in the safexcel and cryptodev modules as shown below:[2.4.5-RELEASE][root@..]/root: dmesg | grep crypto cryptosoft0: <software crypto> safexcel0: <SAFEXCEL EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1 [2.4.5-RELEASE][root@..]/root: kldstat Id Refs Address Size Name 1 8 0xffff000000000000 17c01a0 kernel 2 1 0xffff000040f41000 41000 safexcel.ko 3 1 0xffff000040f9a000 41000 cryptodev.ko [2.4.5-RELEASE][root@..]/root: openssl engine -c -t (cryptodev) BSD cryptodev engine [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC] [ available ] (dynamic) Dynamic engine loading support [ unavailable ] [2.4.5-RELEASE][root@..]/root: -
@bigsy Interesting. Maybe the drivers are loaded, but the UI isn't up to date?
-
@costanzo In the VPN Server settings, I also changed the drop down to this:
-
It's because it's still in development. The driver is included in 2.4.5 for those who wish to test it but I would not recommend doing so in production.
Right now it supports only AES-128-CBC and as such provides some improvement for IPSec if you select that cipher.More to come.
Steve
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
AES-128-CBC
To test/use this in OpenVPN, is this the correct settings:
Also, do we need to reboot the SG-1100 after making the changes, or any other steps?
-
Disable NCP otherwise it may negotiate aes-128-gcm if the server supports it. The safexcel driver does not support GCM, yet.
But you will not see any improvement in OpenVPN yet. In my testing the current driver only helped IPSec.Steve
-
Thanks!
-
Can pfsense use AES-128-CBC for an ipsec site to site VPN?
-
Yes.
-Rico
-
Thank you for the reply.
Sorry for the basic question but...
Under phase 2 proposal
Protocol: ESP
Encryption algorithm:
Selected AES
Selected 256 bits
Unselected all other protocols
Added Hash Algorithm SHA256By doing the above, will the VPN use the hardware acceleration AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.
Thank you for your help,
Devan
-
Nevermind, I saw in the log:
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Thank you again.
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
Right now it supports only AES-128-CBC
This is still true. If you want to test the hardware crypto you can only use that currently.
Steve
-
Does the output of:
openssl engine -c -tIndicate which algorithms are hardware accelerated?
[2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t (cryptodev) BSD cryptodev engine [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC] [ available ] (rdrand) Intel RDRAND engine [RAND] [ available ] (dynamic) Dynamic engine loading support [ unavailable ] [2.4.5-RELEASE][admin@sg1100]/root:Thank you for clarifying,
Devan
-
It may register for more ciphers in the BSD cryptoframework but the code in the driver itself only supports AES-128-CBC.
I'm not sure how you appear to have the Intel Random Number device present on the SG-1100 there....
Steve
-
My error, wrong box.
SG-1100 properly:
[2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t (cryptodev) BSD cryptodev engine [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC] [ available ] (dynamic) Dynamic engine loading support [ unavailable ] [2.4.5-RELEASE][admin@pfSense.private.com]/root: -
Ah, good. That had me questioning everything!
But, yes, the driver can only actually accelerate AES-128-CBC.
Steve
