Update? SG-1100-crypto-hardware

  • Re: SG-1100 Crypto Hardware

    Any updates on this?

    "With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year."

  • Looks promising. Check out comments from jim-p in https://www.reddit.com/r/PFSENSE/comments/flwfsp/multi_vpn_connections_on_sg1100/

    "In the 2.4.5 release we have coming out very shortly, we've also added an encryption acceration module driver for the hardware built into the SG-1100. It would be worth giving that a try as well once it's out."

  • Upgraded to 2.4.5 on my SG-1100 last night; however, the Crypto hardware is still shown as "inactive". I changed the drop down and rebooted. Still no luck.

    Maybe it still hasn't been rolled in yet? I think that would have been a highlight in their release notes?



  • @costanzo Yes I'm surprised this doesn't appear in the release notes.
    I've done a fresh install of 2.4.5 onto an SG-1100 I have here as a backup. I don't have time to put it through its paces at the moment. However, selecting 'SafeXcel and BSD Crypto Device', saving and rebooting loads in the safexcel and cryptodev modules as shown below:

    [2.4.5-RELEASE][root@..]/root: dmesg | grep crypto
    cryptosoft0: <software crypto>
    safexcel0: <SAFEXCEL EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1
    [2.4.5-RELEASE][root@..]/root: kldstat
    Id Refs Address            Size     Name
     1    8 0xffff000000000000 17c01a0  kernel
     2    1 0xffff000040f41000 41000    safexcel.ko
     3    1 0xffff000040f9a000 41000    cryptodev.ko
    [2.4.5-RELEASE][root@..]/root: openssl engine -c -t
    (cryptodev) BSD cryptodev engine
     [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
         [ available ]
    (dynamic) Dynamic engine loading support
         [ unavailable ]

  • @bigsy Interesting. Maybe the drivers are loaded, but the UI isn't up to date?

  • @costanzo In the VPN Server settings, I also changed the drop down to this:


  • Netgate Administrator

    It's because it's still in development. The driver is included in 2.4.5 for those who wish to test it but I would not recommend doing so in production.
    Right now it supports only AES-128-CBC and as such provides some improvement for IPSec if you select that cipher.

    More to come.


Log in to reply