Netgate Discussion Forum

    VIA Padlock (C3/C7) Crypto engine question

      strafelife

      I googled around, and searched the forums for an answer…Perhaps I'm missing the clue on how to answer this.  I've deployed several pfSense boxes on some VIA C3 / C7 boxes, and I configured IPsec to use aes-128, at least knowing that the Padlock engine accelerates AES.

      Saw this little bit:  http://www.docunext.com/wiki/PfSense_test_results_of_the_padlock_kernel_driver_on_a_VIA_C7

      How do I verify that pfSense makes optimal use of padlock?  With Hifn the cards are recognized and displayed in the System overview.  I ran the openssl benchmarks, and validated that padlock works (confirming at least that FBSD can make use of it) without loading kldload padlock...

      Is there a "top" equivalent for crypto? Is kldload padlock required anymore? (Doesn't work with 1.2.3RC2: pfSense-Full-Update-1.2.3-20090722-0348)

      I apologize ahead of time if I missed a previous discussion on this, but I wasn't able to find answers here.  Thank you!

        joebarnhart

        I would also like to know about padlock and pfSense.  This could be a killer feature for users of VPNs.

        I'd like to know if pfSense currently supports the VIA PadLock feature, and if so how to enable it on IPsec and OpenVPN.

        Pretty please!

          dotdash

          My build of 1.2.3 shows:
          kldstat -v | grep padlock
          (nothing)
          safe, ubsec, and hifn show as compiled in.
          You could try copying the module from stock 7.2 and kldloading it. You could look for the thread on glxsb, there are some notes and the procedure would be essentially the same with the padlock module.
          My advice would be to manually load it, test, then submit a feature request to have it included in future builds.

            joebarnhart

            Ah.  Thanks for the answer.  Maybe someone with more FreeBSD chops will take a look at it.  The Via is a pretty popular platform so someone will add it eventually…

              jimp Rebel Alliance Developer Netgate

              Have you looked at this?

              http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

              I'm using cryptodev just fine on ALIX hardware in a few places.

              Not sure if anything benefits from padlock though, I don't know that I have any hardware running pfSense that has real padlock support.

                fastcon68

                I saw the eval command and thought I'd run it against my virtual machine (quad Phenom 2.5 GHz processor).  I have 2 processors dedicated to my firewall.

                $ openssl speed -evp aes-128-cbc
                OpenSSL 0.9.8e 23 Feb 2007
                built on: Fri May 15 13:50:54 EDT 2009
                options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
                compiler: cc
                available timing options: USE_TOD HZ=128 [sysconf value]
                timing function used: getrusage
                The 'numbers' are in 1000s of bytes per second processed.
                type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                aes-128-cbc      68862.24k    74318.49k    76634.68k    77303.50k    77649.46k

                $ openssl speed -evp aes-128-cbc -engine cryptodev
                OpenSSL 0.9.8e 23 Feb 2007
                built on: Fri May 15 13:50:54 EDT 2009
                options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
                compiler: cc
                available timing options: USE_TOD HZ=128 [sysconf value]
                timing function used: getrusage
                The 'numbers' are in 1000s of bytes per second processed.
                type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                aes-128-cbc      68590.93k    74215.00k    76918.08k    77146.59k    77406.33k

                I don't have any encryption hardware that is supported at this time.  How do my numbers compare to other people's systems?  I'm thinking about moving some hardware around and debating about replacing a server.  I don't want to take too big of a performance hit.
                RC
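
One way to read the two benchmark runs above, as an added example that is not part of any poster's message: the script compares the `openssl speed -evp aes-128-cbc` result row with the `-engine cryptodev` row per block size and reports whether the engine run shows any offload. The function names and the 20% threshold are assumptions made for this example; the two rows are copied from the post above.

```sh
#!/bin/sh
# Added example: compare two `openssl speed -evp aes-128-cbc` result rows.
# Rows copied from the benchmark post above: software run, then -engine cryptodev.
SOFT_ROW='aes-128-cbc      68862.24k    74318.49k    76634.68k    77303.50k    77649.46k'
ENGINE_ROW='aes-128-cbc      68590.93k    74215.00k    76918.08k    77146.59k    77406.33k'

# Assumption (not from the thread): call it offload only if the engine run is
# at least 20% faster than the software run at some block size.
THRESHOLD=1.20

# speed_ratios SOFT ENGINE -> one "<block bytes> <engine/software>" line per column
speed_ratios() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { split("16 64 256 1024 8192", size, " ") }
        # First row: remember the software throughput for each block size.
        NR == 1 { n = NF
                  for (i = 2; i <= n; i++) { v = $i; sub(/k$/, "", v); soft[i] = v + 0 } }
        # Second row: print engine throughput relative to software.
        NR == 2 { for (i = 2; i <= n; i++) {
                      v = $i; sub(/k$/, "", v)
                      if (soft[i] > 0)
                          printf "%s %.2f\n", size[i - 1], (v + 0) / soft[i] } }'
}

# engine_verdict SOFT ENGINE -> "accelerated" or "no-offload"
engine_verdict() {
    speed_ratios "$1" "$2" | awk -v t="$THRESHOLD" '
        ($2 + 0) >= (t + 0) { hit = 1 }
        END { r = hit ? "accelerated" : "no-offload"; print r }'
}

# Stand-alone run: show the per-block ratios, then the verdict.
speed_ratios "$SOFT_ROW" "$ENGINE_ROW"
engine_verdict "$SOFT_ROW" "$ENGINE_ROW"
```

This only covers the userland OpenSSL path that `openssl speed` exercises; whether the kernel has a padlock driver at all is what the `kldstat -v | grep padlock` check earlier in the thread answers.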
