Date:      Sat, 7 Jun 2008 06:18:55 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Patrick Lamaizière <patfbsd@davenulle.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: AMD Geode LX crypto accelerator (glxsb)
Message-ID:  <20080607041855.GA3462@garage.freebsd.pl>
In-Reply-To: <20080606234135.46144207@baby-jane-lamaiziere-net.local>
References:  <20080606234135.46144207@baby-jane-lamaiziere-net.local>

On Fri, Jun 06, 2008 at 11:41:35PM +0200, Patrick Lamaizière wrote:
> Dears,
>
> I'm trying to port the glxsb driver from OpenBSD to FreeBSD 7-STABLE
> (via the NetBSD port).

Cool.

> " The glxsb driver supports the security block of the Geode LX
> series processors.  The Geode LX is a member of the AMD Geode family
> of integrated x86 system chips.
>
> Driven by periodic checks for available data from the generator,
> glxsb supplies entropy to the random(4) driver for common usage.
>
> glxsb also supports acceleration of AES-128-CBC operations for
> crypto(4)."
>
> I think that most of the work is done, except the random generator.
> Source "in progress" for 7-STABLE:
> http://user.lamaiziere.net/patrick/glxsb.c
> http://user.lamaiziere.net/patrick/glxsb.tar.gz (c+Makefile)
>
> Credits to OpenBSD and NetBSD, Thanks!
>
> Well, it seems to work but I've got a few problems testing the module:
>
> - How to check the encryption/decryption?
>
> OpenSSL seems OK, I've got quite the same results as NetBSD on a Soekris
> net5501 box. But I must use -engine cryptodev, why?

This is ok, as you may not want to use it, right?

> $ openssl speed -evp aes-128-cbc -engine cryptodev -elapsed
> engine "cryptodev" set.
> ...CUT...
> type        16 bytes  64 bytes  256 bytes 1024 bytes 8192 bytes
> aes-128-cbc 1151.08k  4134.25k  11936.49k 22504.83k  25576.36k
>
> When I test ssh -c aes128-cbc hostname, ssh does not use the crypto
> device. I receive a crypto_newsession() followed by a
> crypto_freesession(), I mean I don't receive any crypto_process().

Have you tried to put some debug to opencrypto? I believe openssh should
use it automatically, at least this was the case some time ago, AFAIR.

> So how can I be sure that the data is well encrypted?

Try comparing the result of openssl encryption with and without '-engine
cryptodev'. Remember to use -nosalt (and maybe -raw) to prevent openssl
from putting salt in front of the ciphertext.

> Also, I've got some questions to finish the driver:
>
> - between arc4rand() and read_random(), which function shall I use?

arc4rand() is preferred.

> - Shall I lock the sessions? The padlock driver uses a mutex to lock
> the sessions
> http://fxr.watson.org/fxr/source/crypto/via/padlock.c?v=FREEBSD7#L211
>
> Is it useful? Drivers ubsec, safe and hifn don't lock the sessions at
> all.

You should and they should as well.

> - during crypto_process() the driver uses "s = splnet();". I'm not sure
> about this?

Drop this one.

> - The driver does a busy wait to check the completion of the
> encryption. I think it would be better to use the interrupt. I will
> look later.

I remember looking at that code some time ago and that bit is really
lame, so lame that I think they would do it in a different way if that
was possible. Maybe it's worth contacting OpenBSD/NetBSD and asking? There
might be a good reason for that.

> - Any comment is welcome, this is my first work on a driver.

Looks good:) I can do a final review and commit once you are done and if
I'll be able to start my Soekris and test it.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

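The comparison suggested in the reply (software OpenSSL against `-engine cryptodev`), written out as an added shell example that is not part of the original message or of the glxsb driver. The function names and the `CHECK_ENGINE` variable are hypothetical, the key, IV and known-answer block are the first block of the NIST SP 800-38A F.2.1 CBC-AES128 vector, and `-nopad` is an added choice so that every buffer is a whole number of AES blocks.

```shell
#!/bin/sh
# Added example: check that an OpenSSL engine returns the same AES-128-CBC
# ciphertext as the software implementation. Names here are hypothetical.
# KEY/IV/KAT_CT: first block of the NIST SP 800-38A F.2.1 CBC-AES128 vector.
KEY=2b7e151628aed2a6abf7158809cf4f3c
IV=000102030405060708090a0b0c0d0e0f
KAT_CT=7649abac8119b246cee98e9b12e9197d

# enc_hex FILE [openssl args...]: encrypt FILE, print the ciphertext as hex.
# A raw -K/-iv plus -nosalt means no salt header is written in front of the
# ciphertext; -nopad keeps the output the same length as the input.
enc_hex() {
    f=$1; shift
    openssl enc -aes-128-cbc -nosalt -nopad -K "$KEY" -iv "$IV" -in "$f" "$@" |
        od -An -v -tx1 | tr -d ' \n'
}

# kat_hex [openssl args...]: ciphertext of the known-answer plaintext block
# 6bc1bee22e409f96e93d7e117393172a (written below as octal escapes).
kat_hex() {
    t=$(mktemp) || return 1
    printf '\153\301\276\342\056\100\237\226\351\075\176\021\163\223\027\052' > "$t"
    enc_hex "$t" "$@"; rm -f "$t"
}

# compare_sizes [openssl args...]: encrypt random buffers of the sizes that
# "openssl speed" reports, once in software and once with the extra args.
# Returns 0 only if every pair of ciphertexts is non-empty and identical.
compare_sizes() {
    rc=0; t=$(mktemp) || return 1
    for n in 16 64 256 1024 8192; do
        head -c "$n" /dev/urandom > "$t"
        sw=$(enc_hex "$t"); hw=$(enc_hex "$t" "$@")
        if [ -n "$sw" ] && [ "$sw" = "$hw" ]; then echo "$n bytes: match"
        else echo "$n bytes: MISMATCH"; rc=1; fi
    done
    rm -f "$t"; return $rc
}

# Runs only when an engine is named, e.g.: CHECK_ENGINE=cryptodev sh check.sh
if [ -n "${CHECK_ENGINE:-}" ]; then
    [ "$(kat_hex -engine "$CHECK_ENGINE")" = "$KAT_CT" ] || echo "known-answer test FAILED"
    compare_sizes -engine "$CHECK_ENGINE"
fi
```

A non-zero key and random data are used on purpose, since an all-zero key or buffer can hide byte-order mistakes in a driver.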


