Cryptographic Hardware Acceleration options inconsistent v2.1 RELEASE



  • Guys, I found two inconsistencies in the web interface:

    In System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, VIA Padlock is missing from the dropdown list.
    In VPN > OpenVPN > Server configuration > Hardware Crypto, AMD Geode and AES-NI are missing from the dropdown list.

    On my system, which runs on a VIA C7 CPU, VIA Padlock Hardware Acceleration is present and works with OpenVPN, drastically reducing CPU workload.

    I suggest to make these options visible in both lists, to be selectable in all the places.


  • Banned

    There's certainly no AMD Geode missing in OpenVPN (engine cryptopdev). Actually, only available and usable ones are shown in the dropdown list there. Works just fine with Alix/AMD Geode. No idea about VIA padlock, cannot test in any way.



  • I am fairly certain the reason for this, at least for  System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present.

    I don't use OpenVPN, so I can't comment on that part.


  • Rebel Alliance Developer Netgate

    @Sn3ak:

    I am fairly certain the reason for this, at least for  System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present.

    I don't use OpenVPN, so I can't comment on that part.

    You are correct. VIA padlock, Hifn, and others not listed there are in the kernel, not modules.

    AES-NI and glxsb are modules because certain use cases warrant not having nor wanting them loaded.

    Also selecting the cryptodev engine in OpenVPN isn't entirely necessary, we have found. OpenSSL will use a chip that claims support for a specific cipher if that cipher is the one in use. So if glxsb is on, says it does AES-128, and OpenVPN is set for AES-128, then it would use the accelerator chip no matter what the OpenVPN GUI was set for. Same for VIA padlock and so on.


Log in to reply