Netgate Discussion Forum
    Update? SG-1100-crypto-hardware

    Official Netgate® Hardware
    19 Posts 5 Posters 2.8k Views
    • costanzo

      Re: SG-1100 Crypto Hardware

      Any updates on this?

      "With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year."

      • bigsy

        Looks promising. Check out comments from jim-p in https://www.reddit.com/r/PFSENSE/comments/flwfsp/multi_vpn_connections_on_sg1100/

        "In the 2.4.5 release we have coming out very shortly, we've also added an encryption acceleration module driver for the hardware built into the SG-1100. It would be worth giving that a try as well once it's out."

        • costanzo

          Upgraded to 2.4.5 on my SG-1100 last night; however, the Crypto hardware is still shown as "inactive". I changed the drop down and rebooted. Still no luck.

          Maybe it still hasn't been rolled in yet? I think that would have been a highlight in their release notes?

          [two screenshots attached: the crypto hardware status and the drop-down setting]

          • bigsy @costanzo

            @costanzo Yes I'm surprised this doesn't appear in the release notes.
            I've done a fresh install of 2.4.5 onto an SG-1100 I have here as a backup. I don't have time to put it through its paces at the moment. However, selecting 'SafeXcel and BSD Crypto Device', saving and rebooting loads in the safexcel and cryptodev modules as shown below:

            [2.4.5-RELEASE][root@..]/root: dmesg | grep crypto
            cryptosoft0: <software crypto>
            safexcel0: <SAFEXCEL EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1
            [2.4.5-RELEASE][root@..]/root: kldstat
            Id Refs Address            Size     Name
             1    8 0xffff000000000000 17c01a0  kernel
             2    1 0xffff000040f41000 41000    safexcel.ko
             3    1 0xffff000040f9a000 41000    cryptodev.ko
            [2.4.5-RELEASE][root@..]/root: openssl engine -c -t
            (cryptodev) BSD cryptodev engine
             [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
                 [ available ]
            (dynamic) Dynamic engine loading support
                 [ unavailable ]
            [2.4.5-RELEASE][root@..]/root: 
            
            • costanzo @bigsy

              @bigsy Interesting. Maybe the drivers are loaded, but the UI isn't up to date?

              • costanzo @costanzo

                @costanzo In the VPN Server settings, I also changed the drop down to this:

                [screenshot attached: VPN server cipher drop-down]

                • stephenw10 Netgate Administrator

                  It's because it's still in development. The driver is included in 2.4.5 for those who wish to test it but I would not recommend doing so in production.
                  Right now it supports only AES-128-CBC and as such provides some improvement for IPSec if you select that cipher.

                  More to come.

                  Steve

                  • costanzo @stephenw10

                    @stephenw10 said in Update? SG-1100-crypto-hardware:

                    AES-128-CBC

                    To test/use this in OpenVPN, are these the correct settings:

                    [screenshot attached: OpenVPN cipher settings]

                    Also, do we need to reboot the SG-1100 after making the changes, or any other steps?

                    • stephenw10 Netgate Administrator

                      Disable NCP otherwise it may negotiate aes-128-gcm if the server supports it. The safexcel driver does not support GCM, yet.
                      But you will not see any improvement in OpenVPN yet. In my testing the current driver only helped IPSec.

                      Steve

                      • costanzo @stephenw10

                        @stephenw10

                        Thanks!

                        • ddbnj

                          Can pfSense use AES-128-CBC for an IPsec site-to-site VPN?

                          • Rico LAYER 8 Rebel Alliance

                            Yes.

                            -Rico

                            • ddbnj @Rico

                              @Rico

                              Thank you for the reply.

                              Sorry for the basic question but...

                              Under phase 2 proposal

                              Protocol: ESP
                              Encryption algorithm:
                              Selected AES
                              Selected 256 bits
                              Unselected all other protocols
                              Added Hash Algorithm SHA256

                              By doing the above, will the VPN use the hardware acceleration AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.

                              Thank you for your help,

                              Devan

                              • ddbnj @ddbnj

                                @ddbnj

                                Never mind, I saw in the log:

                                configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

                                Thank you again.

                                • stephenw10 Netgate Administrator @stephenw10

                                  @stephenw10 said in Update? SG-1100-crypto-hardware:

                                  Right now it supports only AES-128-CBC

                                  This is still true. If you want to test the hardware crypto you can only use that currently.

                                  Steve

                                  • ddbnj @stephenw10

                                    @stephenw10

                                    Does the output of:

                                    openssl engine -c -t
                                    

                                    Indicate which algorithms are hardware accelerated?

                                    [2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t
                                    (cryptodev) BSD cryptodev engine
                                     [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
                                         [ available ]
                                    (rdrand) Intel RDRAND engine
                                     [RAND]
                                         [ available ]
                                    (dynamic) Dynamic engine loading support
                                         [ unavailable ]
                                    [2.4.5-RELEASE][admin@sg1100]/root:
                                    

                                    Thank you for clarifying,

                                    Devan

                                    • stephenw10 Netgate Administrator

                                      It may register for more ciphers in the BSD crypto framework but the code in the driver itself only supports AES-128-CBC.

                                      I'm not sure how you appear to have the Intel Random Number device present on the SG-1100 there....

                                      Steve

                                      • ddbnj @stephenw10

                                        @stephenw10

                                        My error, wrong box.

                                        SG-1100 properly:

                                        [2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t
                                        (cryptodev) BSD cryptodev engine
                                         [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
                                             [ available ]
                                        (dynamic) Dynamic engine loading support
                                             [ unavailable ]
                                        [2.4.5-RELEASE][admin@pfSense.private.com]/root:
                                        
                                        
                                        • stephenw10 Netgate Administrator

                                          Ah, good. That had me questioning everything!

                                          But, yes, the driver can only actually accelerate AES-128-CBC.

                                          Steve

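An added audit script, not from the thread or from Netgate: it reads charon proposal lines in the format ddbnj quoted above and reports, per line, whether the ESP cipher is the one stephenw10 says the 2.4.5 safexcel driver actually accelerates (AES-128-CBC) or will fall back to software. The log lines embedded in it are constructed samples, and the `audit_proposals` / `esp_cipher` helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): flag IPsec proposals on a pfSense 2.4.5
# SG-1100 that the safexcel driver will NOT offload. Per stephenw10 above, the
# driver accelerates only AES-128-CBC even though the cryptodev engine lists more.

ACCEL_ESP="AES_CBC_128"   # the single ESP cipher the 2.4.5 safexcel driver offloads

# Extract the ESP encryption algorithm from a charon proposal line.
# In:  "configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ"
# Out: "AES_CBC_256"
esp_cipher() {
    printf '%s\n' "$1" | sed -n 's|.*ESP:\([^/]*\)/.*|\1|p'
}

# Exit 0 when the proposal's cipher is hardware-accelerated, 1 otherwise.
is_accelerated() {
    [ "$(esp_cipher "$1")" = "$ACCEL_ESP" ]
}

# Read log lines on stdin and print a verdict for every ESP proposal found.
audit_proposals() {
    while IFS= read -r line; do
        case "$line" in
            *ESP:*) ;;
            *) continue ;;
        esac
        c=$(esp_cipher "$line")
        if is_accelerated "$line"; then
            printf 'offloaded  %s\n' "$c"
        else
            printf 'software   %s (driver accelerates only %s)\n' "$c" "$ACCEL_ESP"
        fi
    done
}

# Constructed sample log, modelled on the line ddbnj quoted (not a real capture).
SAMPLE_LOG='configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
charon: 12[IKE] IKE_SA con1[1] established between 10.0.0.1 and 10.0.0.2'

# Number of proposals in the sample that would run in software.
count_software() {
    printf '%s\n' "$SAMPLE_LOG" | audit_proposals | grep -c '^software'
}

printf '%s\n' "$SAMPLE_LOG" | audit_proposals
```

On a live box, feed it the IPsec log instead of the sample, e.g. `clog /var/log/ipsec.log | audit_proposals`.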
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.