Update? SG-1100-crypto-hardware
-
Any updates on this?
"With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year."
-
Looks promising. Check out comments from jim-p in https://www.reddit.com/r/PFSENSE/comments/flwfsp/multi_vpn_connections_on_sg1100/
"In the 2.4.5 release we have coming out very shortly, we've also added an encryption acceleration module driver for the hardware built into the SG-1100. It would be worth giving that a try as well once it's out."
-
Upgraded to 2.4.5 on my SG-1100 last night; however, the Crypto hardware is still shown as "inactive". I changed the drop down and rebooted. Still no luck.
Maybe it still hasn't been rolled in yet? I think that would have been a highlight in their release notes?
-
@costanzo Yes I'm surprised this doesn't appear in the release notes.
I've done a fresh install of 2.4.5 onto an SG-1100 I have here as a backup. I don't have time to put it through its paces at the moment. However, selecting 'SafeXcel and BSD Crypto Device', saving and rebooting loads in the safexcel and cryptodev modules as shown below:
[2.4.5-RELEASE][root@..]/root: dmesg | grep crypto
cryptosoft0: <software crypto>
safexcel0: <SAFEXCEL EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1
[2.4.5-RELEASE][root@..]/root: kldstat
Id Refs Address            Size     Name
 1    8 0xffff000000000000 17c01a0  kernel
 2    1 0xffff000040f41000    41000 safexcel.ko
 3    1 0xffff000040f9a000    41000 cryptodev.ko
[2.4.5-RELEASE][root@..]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][root@..]/root:
-
@bigsy Interesting. Maybe the drivers are loaded, but the UI isn't up to date?
-
@costanzo In the VPN Server settings, I also changed the drop down to this:
-
It's because it's still in development. The driver is included in 2.4.5 for those who wish to test it but I would not recommend doing so in production.
Right now it supports only AES-128-CBC and as such provides some improvement for IPSec if you select that cipher. More to come.
Steve
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
AES-128-CBC
To test/use this in OpenVPN, is this the correct settings:
Also, do we need to reboot the SG-1100 after making the changes, or any other steps?
-
Disable NCP otherwise it may negotiate aes-128-gcm if the server supports it. The safexcel driver does not support GCM, yet.
But you will not see any improvement in OpenVPN yet. In my testing the current driver only helped IPSec.
Steve
-
Thanks!
-
Can pfsense use AES-128-CBC for an ipsec site to site VPN?
-
Yes.
-Rico
-
Thank you for the reply.
Sorry for the basic question but...
Under phase 2 proposal
Protocol: ESP
Encryption algorithm:
Selected AES
Selected 256 bits
Unselected all other protocols
Added Hash Algorithm SHA256
By doing the above, will the VPN use the hardware acceleration AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.
Thank you for your help,
Devan
-
Nevermind, I saw in the log:
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Thank you again.
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
Right now it supports only AES-128-CBC
This is still true. If you want to test the hardware crypto you can only use that currently.
Steve
-
Does the output of:
openssl engine -c -t
Indicate which algorithms are hardware accelerated?
[2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@sg1100]/root:
Thank you for clarifying,
Devan
-
It may register for more ciphers in the BSD cryptoframework but the code in the driver itself only supports AES-128-CBC.
I'm not sure how you appear to have the Intel Random Number device present on the SG-1100 there....
Steve
-
My error, wrong box.
SG-1100 properly:
[2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@pfSense.private.com]/root:
-
Ah, good. That had me questioning everything!
But, yes, the driver can only actually accelerate AES-128-CBC.
Steve
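As an added example (not code from the thread, from Netgate or from the safexcel driver), a small POSIX shell check that applies Steve's point: it parses a charon "configured proposals" line like the one Devan quoted and kldstat output like bigsy's, and reports whether the negotiated ESP cipher is the one the 2.4.5 safexcel driver actually accelerates. The sample input is constructed from the lines quoted in the thread, and the accelerated-cipher list comes from Steve's statement rather than from the driver source, so it is an assumption that should be updated as the driver grows.

```shell
#!/bin/sh
# Added example, not from the thread or the driver. Per Steve's posts the
# 2.4.5 safexcel driver accelerates only AES-128-CBC; anything else in the
# ESP proposal is handled by cryptosoft even though `openssl engine` lists
# more ciphers for the cryptodev engine. Assumption: this list is complete.
SAFEXCEL_ACCEL="AES_CBC_128"

# Print the ESP cipher token from a charon log line such as
#   configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
esp_cipher() {
    printf '%s\n' "$1" | sed -n 's/.*ESP:\([A-Z0-9_]*\)\/.*/\1/p'
}

# Return 0 if the proposal's ESP cipher is on the accelerated list.
is_accelerated() {
    c=$(esp_cipher "$1")
    for a in $SAFEXCEL_ACCEL; do
        [ "$c" = "$a" ] && return 0
    done
    return 1
}

# Return 0 if kldstat output shows safexcel.ko loaded.
safexcel_loaded() {
    printf '%s\n' "$1" | grep -q '[[:space:]]safexcel\.ko$'
}

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG='configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ'
SAMPLE_KLD='Id Refs Address            Size     Name
 1    8 0xffff000000000000 17c01a0  kernel
 2    1 0xffff000040f41000    41000 safexcel.ko
 3    1 0xffff000040f9a000    41000 cryptodev.ko'

report() {
    if safexcel_loaded "$2"; then
        echo "safexcel.ko loaded"
    else
        echo "safexcel.ko not loaded: all crypto runs in cryptosoft"
    fi
    if is_accelerated "$1"; then
        echo "proposal $(esp_cipher "$1") is hardware accelerated"
    else
        echo "proposal $(esp_cipher "$1") is NOT accelerated; select AES 128 CBC in Phase 2"
    fi
}

report "$SAMPLE_LOG" "$SAMPLE_KLD"
```

On a live box the same functions can be fed with `grep 'configured proposals' /var/log/ipsec.log` and `kldstat` output instead of the constructed samples.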