Does 2.0-RC3 support BCM5823 cryptographic accelerator?



  • My Pfsense's version is 2.0-RC3 nanobsd (4g) (i386) built on Tue Jun 21 18:21:10 EDT 2011.
    Today, I get a BCM5823 cryptographic accelerator and install it on the pfsense. I see the "ubsec0 mem 0xe3080000-0xe308ffff irq 7 at device 10.0 on pci0 ubsec0: [ITHREAD] ubsec0: Broadcom 5823" in the dmesg. And the "cryptosoft0: <software crypto="">on motherboard
    padlock0: No ACE support." in the dmesg, too.
    I have tested it according to the "http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported", but the result is same.

    $ openssl speed -evp aes-128-cbc
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc   59104416.00k 64965120.00k 66591488.00k 67173376.00k 67313664.00k
    
    $ openssl speed -evp aes-128-cbc -engine cryptodev
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc   58864640.00k 64645248.00k 66419712.00k 66939904.00k 67141632.00k
    

    Is the BCM5823 cryptographic accelerator working? If not, how to do it?</software>



  • Nobody know this problem?



  • I don't know if this explains your problem but old enough crypto accelerators are slower than new enough CPUs.

    I have no idea of the age of your crypto accelerator nor the age of your CPU.



  • you could go to SERVICES - OpenVPN and configure a server. There is a pulldown menu for accelerators. Perhaps it will be shown there. With my Xenon CPU there is only "BSD cryptodev".



  • @wallabybob:

    I don't know if this explains your problem but old enough crypto accelerators are slower than new enough CPUs.

    I have no idea of the age of your crypto accelerator nor the age of your CPU.

    My CPU is celeron 1Ghz.



  • @Nachtfalke:

    you could go to SERVICES - OpenVPN and configure a server. There is a pulldown menu for accelerators. Perhaps it will be shown there. With my Xenon CPU there is only "BSD cryptodev".

    In the OpenVPN config, there are 3 items:
    1.No Hardware Crypto Acceleration
    2.BSD cryptodev engine
    3.VIA Padlock(no-RNG,no-ACE)



  • Hmm,

    if I tested OpenVPN in the past with a Celeron 1.6GHz CPU I had both engines, too. So I don't think that your accelerator is supported "out of the box".

    I tried with:

    openssl speed aes-256-cbc -engine padlock
    
    

    And get some errors not finding libpadlock.so (In the pulldown menu there is not VIA Padlock as it is in your case).

    
    [HEAD][admin@pfsense1.hpa]/root(13): openssl speed aes-256-cbc -engine padlock
    invalid engine "padlock"
    55998:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
    55998:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
    55998:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
    55998:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:415:id=padlock
    55998:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
    55998:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
    55998:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
    
    

    openssl is searching for files in this directory:

    
    [HEAD][admin@pfsense]/usr/lib/engines(17): ls -la
    total 172
    drwxr-xr-x  2 root  wheel    512 Jul  1 03:22 .
    drwxr-xr-x  6 root  wheel   7168 Jul  1 04:31 ..
    -r--r--r--  1 root  wheel  20480 Jul  1 03:22 lib4758cca.so
    -r--r--r--  1 root  wheel  16656 Jul  1 03:22 libaep.so
    -r--r--r--  1 root  wheel  16248 Jul  1 03:22 libatalla.so
    -r--r--r--  1 root  wheel  25504 Jul  1 03:22 libchil.so
    -r--r--r--  1 root  wheel  20784 Jul  1 03:22 libcswift.so
    -r--r--r--  1 root  wheel  12192 Jul  1 03:22 libnuron.so
    -r--r--r--  1 root  wheel  25144 Jul  1 03:22 libsureware.so
    -r--r--r--  1 root  wheel  20688 Jul  1 03:22 libubsec.so
    
    

    Perhaps you have to find out how to get your accelerator work with openssl.



  • It is very strange. When I run " openssl speed aes-256-cbc -engine padlock ", it display:

    $ openssl speed aes-256-cbc -engine padlock
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256 cbc   46770864.00k 48338688.00k 48958464.00k 48905216.00k 48988160.00k
    

    When I run "openssl speed aes-256-cbc -engine cryptodev", it display:```
    $ openssl speed aes-256-cbc -engine cryptodev
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: getrusage
    The 'numbers' are in 1000s of bytes per second processed.
    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
    aes-256 cbc  46375136.00k 48188992.00k 48698624.00k 48657408.00k 48701440.00k

    
    The results are same. It didn't report any errors. But I think the BCM5823 cryptographic accelerator is working. Because I run the "openssl speed aes-256-cbc" on the INTEL D510 ATOM CPU, the resulte is "
    
    > %openssl speed aes-256-cbc
    > To get the most accurate results, try to run this
    > program when this computer is idle.
    > Doing aes-256 cbc for 3s on 16 size blocks: 3360500 aes-256 cbc's in 3.00s
    > Doing aes-256 cbc for 3s on 64 size blocks: 870605 aes-256 cbc's in 3.00s
    > Doing aes-256 cbc for 3s on 256 size blocks: 219803 aes-256 cbc's in 3.00s
    > Doing aes-256 cbc for 3s on 1024 size blocks: 55177 aes-256 cbc's in 3.00s
    > Doing aes-256 cbc for 3s on 8192 size blocks: 6817 aes-256 cbc's in 3.00s
    > OpenSSL 0.9.8q 2 Dec 2010
    > built on: date not available
    > options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    > compiler: cc
    > available timing options: USE_TOD HZ=128 [sysconf value]
    > timing function used: getrusage
    > The 'numbers' are in 1000s of bytes per second processed.
    > type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
    > aes-256 cbc      17913.94k    18567.19k    18767.78k    18826.61k    18606.98k

Locked