VIA Padlock (C3/C7) Crypto engine question
-
I googled around, and searched the forums for an answer… Perhaps I'm missing the clue on how to answer this. I've deployed several pfSense boxes on some VIA C3 / C7 boxes, and I configured IPsec to use aes-128, at least knowing that the Padlock engine accelerates AES.
Saw this little bit: http://www.docunext.com/wiki/PfSense_test_results_of_the_padlock_kernel_driver_on_a_VIA_C7
How do I verify that pfSense makes optimal use of padlock? With Hifn the cards are recognized and displayed in the System overview. I ran the openssl benchmarks, and validated that padlock works (confirming at least that FBSD can make use of it) without loading kldload padlock...
Is there a "top" equivalent for crypto? Is kldload padlock required anymore (doesn't work with 1.2.3RC2: pfSense-Full-Update-1.2.3-20090722-0348)?
I apologize ahead of time if I missed a previous discussion on this, but I wasn't able to find answers here. Thank you!
-
I would also like to know about padlock and pfSense. This could be a killer feature for users of VPNs.
I'd like to know if pfSense currently supports the Via padlock feature, and if so how to enable it on ipsec and openvpn.
Pretty please!
-
My build of 1.2.3 shows:
kldstat -v | grep padlock
(nothing)
safe, ubsec, and hifn show as compiled in.
You could try copying the module from stock 7.2 and kldloading it. You could look for the thread on glxsb, there are some notes and the procedure would be essentially the same with the padlock module.
My advice would be to manually load it, test, then submit a feature request to have it included in future builds.
-
Ah. Thanks for the answer. Maybe someone with more FreeBSD chops will take a look at it. The Via is a pretty popular platform so someone will add it eventually…
-
Have you looked at this?
http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
I'm using cryptodev just fine on ALIX hardware in a few places.
Not sure if anything benefits from padlock though, I don't know that I have any hardware running pfSense that has real padlock support.
-
I saw the eval command and thought I'd run it against my virtual machine (quad Phenom 2.5 GHz processor). I have 2 processors dedicated to my firewall.
$ openssl speed -evp aes-128-cbc
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 68862.24k 74318.49k 76634.68k 77303.50k 77649.46k
$ openssl speed -evp aes-128-cbc -engine cryptodev
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 68590.93k 74215.00k 76918.08k 77146.59k 77406.33k
I don't have any encryption hardware. That is supported at this time. How do my numbers compare to other people's systems? I'm thinking about moving some hardware around and debating about replacing a server. I don't want to take too big of a performance hit.
RC
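
An added example, not part of any post in this thread: one way to answer the "is the engine actually doing anything" question is to parse a plain `openssl speed -evp` run and a `-engine cryptodev` run and compare them per block size. The function names and the 1.10 speedup threshold are assumptions; the two result rows are the ones from the post above.

```python
import re

HEADER = "type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes\n"
# Result rows copied from the two runs in the post above.
SOFTWARE_RUN = HEADER + "aes-128-cbc 68862.24k 74318.49k 76634.68k 77303.50k 77649.46k\n"
ENGINE_RUN = HEADER + "aes-128-cbc 68590.93k 74215.00k 76918.08k 77146.59k 77406.33k\n"

RATE_ROW = re.compile(r"^([\w-]+)((?:\s+\d+(?:\.\d+)?k)+)$")


def parse_speed(text):
    """Return {cipher: {block_size_bytes: kB_per_s}} from `openssl speed` output."""
    sizes, table = [], {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("type"):
            # Block sizes come from the header, so other column sets also parse.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        m = RATE_ROW.match(line)
        if m and sizes:
            rates = [float(v.rstrip("k")) for v in m.group(2).split()]
            if len(rates) == len(sizes):
                table[m.group(1)] = dict(zip(sizes, rates))
    return table


def engine_speedup(software_text, engine_text, cipher, min_speedup=1.10):
    """Compare two runs; return (engine/software ratio per block size, verdict).

    min_speedup is an assumed noise margin, not a value from the thread.
    The verdict uses the largest block size, where the per-request overhead
    of going through /dev/crypto matters least.
    """
    sw = parse_speed(software_text)[cipher]
    hw = parse_speed(engine_text)[cipher]
    ratios = {size: round(hw[size] / sw[size], 3) for size in sw if size in hw}
    return ratios, ratios[max(ratios)] >= min_speedup


if __name__ == "__main__":
    ratios, accelerated = engine_speedup(SOFTWARE_RUN, ENGINE_RUN, "aes-128-cbc")
    for size, ratio in sorted(ratios.items()):
        print(f"{size:>5} bytes: engine/software = {ratio}")
    print("hardware acceleration in effect:", accelerated)
```

Both runs above were timed with getrusage (CPU time); when an offload engine really is present, rerun with `openssl speed -elapsed` so the comparison reflects wall-clock throughput rather than CPU time the host no longer spends.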