VIA Padlock (C3/C7) Crypto engine question



  • I googled around, and searched the forums for an answer… Perhaps I'm missing the clue on how to answer this.  I've deployed several pfSense boxes on some VIA C3 / C7 boxes, and I configured IPsec to use aes-128, at least knowing that the Padlock engine accelerates AES.

    Saw this little bit:  http://www.docunext.com/wiki/PfSense_test_results_of_the_padlock_kernel_driver_on_a_VIA_C7

    How do I verify that pfSense makes optimal use of padlock?  With Hifn the cards are recognized and displayed in the System overview.  I ran the openssl benchmarks, and validated that padlock works (confirming at least that FBSD can make use of it) without loading kldload padlock...

    Is there a "top" equivalent for crypto? Is kldload padlock required anymore (doesn't work with 1.2.3RC2: pfSense-Full-Update-1.2.3-20090722-0348)?

    I apologize ahead of time if I missed a previous discussion on this, but I wasn't able to find answers here.  Thank you!



  • I would also like to know about padlock and pfSense.  This could be a killer feature for users of VPNs.

    I'd like to know if pfSense currently supports the Via padlock feature, and if so how to enable it on ipsec and openvpn.

    Pretty please!



  • My build of 1.2.3 shows:
    kldstat -v | grep padlock
    (nothing)
    safe, ubsec, and hifn show as compiled in.
    You could try copying the module from stock 7.2 and kldloading it. You could look for the thread on glxsb, there are some notes and the procedure would be essentially the same with the padlock module.
    My advice would be to manually load it, test, then submit a feature request to have it included in future builds.



  • Ah.  Thanks for the answer.  Maybe someone with more FreeBSD chops will take a look at it.  The Via is a pretty popular platform so someone will add it eventually…


  • Rebel Alliance Developer Netgate

    Have you looked at this?

    http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

    I'm using cryptodev just fine on ALIX hardware in a few places.

    Not sure if anything benefits from padlock though, I don't know that I have any hardware running pfSense that has real padlock support.



  • I saw the eval command and thought I'd run it against my virtual machine (quad Phenom 2.5 GHz processor).  I have 2 processors dedicated to my firewall.

    $ openssl speed -evp aes-128-cbc
    OpenSSL 0.9.8e 23 Feb 2007
    built on: Fri May 15 13:50:54 EDT 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
    aes-128-cbc      68862.24k    74318.49k    76634.68k    77303.50k    77649.46k

    $ openssl speed -evp aes-128-cbc -engine cryptodev
    OpenSSL 0.9.8e 23 Feb 2007
    built on: Fri May 15 13:50:54 EDT 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
    aes-128-cbc      68590.93k    74215.00k    76918.08k    77146.59k    77406.33k

    I don't have any encryption hardware that is supported at this time.  How do my numbers compare to other people's systems?  I'm thinking about moving some hardware around and debating about replacing a server.  I don't want to take too big of a performance hit.
    RC
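
The side-by-side comparison of `openssl speed` runs used in this thread, as an added example that is not part of any post: it divides the `-engine` row by the software row for each block size, so ratios near 1.00 in every column (as in the virtual machine above) show the engine run changed nothing. The function names and the 1.5 threshold are assumptions, and the third sample row is constructed, not measured.

```shell
#!/bin/sh
# Added example: compare the result rows of two `openssl speed` runs
# (software vs. -engine). Function names and the 1.5 threshold are assumptions.

# Result rows copied from the two runs quoted in the post above.
SOFT_ROW='aes-128-cbc      68862.24k    74318.49k    76634.68k    77303.50k    77649.46k'
ENG_ROW='aes-128-cbc      68590.93k    74215.00k    76918.08k    77146.59k    77406.33k'
# Constructed row (not a measurement) to exercise the other branch.
FAST_ROW='aes-128-cbc      40000.00k   120000.00k   200000.00k   240000.00k   250000.00k'

# speed_ratios SOFT ENG: print the engine/software ratio for each block-size column.
speed_ratios() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            nf[NR] = NF
            for (i = 2; i <= NF; i++) {
                v = $i
                sub(/k$/, "", v)          # strip the "k" (1000s of bytes/s) suffix
                val[NR, i] = v + 0
            }
        }
        END {
            # Both rows must carry the same number of throughput columns.
            if (NR != 2 || nf[1] != nf[2] || nf[1] < 2) exit 1
            out = ""
            for (i = 2; i <= nf[1]; i++) {
                if (val[1, i] <= 0) exit 1
                sep = (i > 2) ? " " : ""
                out = out sep sprintf("%.2f", val[2, i] / val[1, i])
            }
            print out
        }'
}

# engine_verdict SOFT ENG [THRESHOLD]: judge on the largest block size (last column).
engine_verdict() {
    ratios=$(speed_ratios "$1" "$2") || return 1
    last=${ratios##* }
    awk -v r="$last" -v t="${3:-1.5}" 'BEGIN {
        if (r + 0 >= t + 0) print "speedup"; else print "no-speedup"
    }'
}

echo "ratios:  $(speed_ratios "$SOFT_ROW" "$ENG_ROW")"
echo "verdict: $(engine_verdict "$SOFT_ROW" "$ENG_ROW")"
```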

