GLXSB Driver - Where did it go?



  • I'm currently using the 1.2.3-RC2 built on Wed Jun 24 10:43:55 snapshot and it looks like the GLXSB Driver isnt used anymore for my ALIX 2c2.

    Dmesg gives the following:

    cryptosoft0: <software crypto="">on motherboard
    pcib0: <host to="" pci="" bridge="">pcibus 0 on motherboard
    pci0: <pci bus="">on pcib0
    Geode LX: PC Engines ALIX.2 v0.99 tinyBIOS V1.4a (C)1997-2007
    pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached)

    It was there a couple of weeks ago and I assume at some point the newer snapshots removed it.</encrypt></pci></host></software>




  • Rebel Alliance Developer Netgate

    It was moved to a loadable module.

    It seems that if glxsb is loaded, a Hifn card won't work properly.

    From a command prompt, type "kldload glxsb". If that works:

    /etc/rc.conf_mount_rw
    echo glxsb_load="YES" >> /boot/loader.conf
    /etc/rc.conf_mount_ro
    

    And then it should take effect on reboot.



  • I do have a Hifn 7955 installed in my Alix but I'm not using IPSEC.  I am using OpenVPN for site to site and Road Warrior using AES 128 encryption.  From what I understand, OpenVPN doesnt take advantage of the Hifn card.  Is this true?

    In either case, should I enable the GXLSB Driver and remove the HIfn card, or would I be better served leaving the GXLSB driver unloaded and continue working with the Hifn card?


  • Rebel Alliance Developer Netgate

    @onhel:

    I do have a Hifn 7955 installed in my Alix but I'm not using IPSEC.  I am using OpenVPN for site to site and Road Warrior using AES 128 encryption.  From what I understand, OpenVPN doesnt take advantage of the Hifn card.  Is this true?

    In either case, should I enable the GXLSB Driver and remove the HIfn card, or would I be better served leaving the GXLSB driver unloaded and continue working with the Hifn card?

    I'm not that familiar with the Hifn card so I can't really say for certain. Do you know what ciphers it is supposed to accelerate? I know it should help with 3DES but I don't know what others.

    The glxsb module will only accelerate AES-128-CBC with OpenVPN if you have "engine cryptodev" in the custom options of OpenVPN, I think the same thing would activate the Hifn card for whatever ciphers it supports.

    The only real way to know is to run performance benchmarks with and without the module loaded, and with/without "engine cryptodev".



  • I haven't tested with OpenVPN, but the hifn card helps significantly with AES-128 using IPsec.
    I would assume if OpenVPN was using hardware crypto, the hifn would give you better performance than the glxsb. Glxsb however, is part of the Alix/Soekris chipset, so it's 'free' and doesn't occupy a slot. I'm happy that now we can use glxsb and still have the option to use a hifn if the extra speed is needed.


  • Rebel Alliance Developer Netgate

    In 2.0 I've made a checkbox in advanced options that will enable/disable the glxsb module (defaults to off). So you can check it, and then the module will be loaded on boot. I'm gonna try to see if I can bring those changes into 1.2.x, but having to put an line in loader.conf isn't too difficult if required.

    The glxsb module is pretty good for being included as part of the chipset.

    http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

    In my tests which I used to make that graph, it's clear that the accelerated options are better, though IPsec was helped out a lot more than OpenVPN, both did benefit.

    It would also help reduce CPU usage even on slower links that wouldn't max it out. ALIX boxes don't really handle the extreme load of pushing that much encrypted traffic very gracefully, acceleration or no.



  • Starting with snapshots built past right now, glxsb is loaded by default unless you disable it with a new checkbox under System -> Advanced. If you have a Hifn card you should disable it, hifn is MUCH faster. OpenVPN will also take advantage of both glxsb and hifn by adding custom option 'engine cryptodev'.



  • @cmb:

    Starting with snapshots built past right now, glxsb is loaded by default unless you disable it with a new checkbox under System -> Advanced. If you have a Hifn card you should disable it, hifn is MUCH faster. OpenVPN will also take advantage of both glxsb and hifn by adding custom option 'engine cryptodev'.

    I just updated to pfSense-Full-Update-1.2.3-20090718-1920,  I have a hifn card - so obviously "by default" it is no longer used.  I don't see the option to enable/disable glxsb.  Is it hidden somehow?



  • @strafelife:

    I just updated to pfSense-Full-Update-1.2.3-20090718-1920

    As yesterday was the nineteenth, I think we need to wait for a newer snapshot to appear.



  • My bad - as the snapshots just came back up, I assumed they were recent.  Thanks for noticing.



  • I just upgraded to pfSense-Full-Update-1.2.3-20090721-2144 - the GUI option to disable GLXSB is there now!

    I do have a question, I hope someone could answer.  I am using a VIA C3 cpu, which has native crypto acceleration for AES (padlock) - without running any benchmarks, should I disable glxsb or leave it enabled?  Does it make a difference for the VIA cpu at all either way?



  • In addition to strafelife's question,

    I also upgraded to the same snap.  I see the option to disable GLXSB and by default it's unchecked, but when I run dmesg it shows no driver attached even with GLXSB enabled by default.  Was the driver omitted in this snap?



  • @strafelife:

    I do have a question, I hope someone could answer.  I am using a VIA C3 cpu, which has native crypto acceleration for AES (padlock) - without running any benchmarks, should I disable glxsb or leave it enabled?  Does it make a difference for the VIA cpu at all either way?

    AFAIK, The glxsb hardware is only present in the AMD Geode chipset, so this only applies to PC Engines Alix, Soekris boards, and similar units based on that chipset. The VIA and other chipsets should just fail to load the driver and not cause any problems. You would want to check if the padlock driver is getting loaded for your hardware, but that should be another thread.
    @onhel:

    I also upgraded to the same snap.  I see the option to disable GLXSB and by default it's unchecked, but when I run dmesg it shows no driver attached even with GLXSB enabled by default.  Was the driver omitted in this snap?

    It's a module, not in the kernel. You can verify it's loaded with kldstat.


Log in to reply