AMD Geode LX crypto accelerator (glxsb)
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sat Jun 7 04:19:02 UTC 2008
On Fri, Jun 06, 2008 at 11:41:35PM +0200, Patrick Lamaizière wrote:
> I'm trying to port the glxsb driver from OpenBSD to FreeBSD 7-STABLE
> (via the NetBSD port).
> " The glxsb driver supports the security block of the Geode LX
> series processors. The Geode LX is a member of the AMD Geode family
> of integrated x86 system chips.
> Driven by periodic checks for available data from the generator,
> glxsb supplies entropy to the random(4) driver for common usage.
> glxsb also supports acceleration of AES-128-CBC operations for
> I think that most of the work is done, except the random generator.
> Source "in progress" for 7-STABLE:
> http://user.lamaiziere.net/patrick/glxsb.tar.gz (c+Makefile)
> Credits to OpenBSD and NetBSD, Thanks!
> Well, it seems to work but I've got a few problems to test the module:
> - How to check the encryption/decryption?
> Openssl seems ok, I've got quite the same results as NetBSD on a Soekris
> net5501 box. But I must use -engine cryptodev, why?
This is ok, as you may not want to use it, right?
> $ openssl speed -evp aes-128-cbc -engine cryptodev -elapsed
> engine "cryptodev" set.
> type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc          1151.08k     4134.25k    11936.49k    22504.83k    25576.36k
> When I test ssh -c aes128-cbc hostname, ssh does not use the crypto
> device. I receive a crypto_newsession() followed by a
> crypto_freesession(), I mean I don't receive any crypto_process().
Have you tried to put some debug to opencrypto? I believe openssh should
use it automatically, at least this was the case some time ago, AFAIR.
> So how can I be sure that the data are well encrypted?
Try comparing result of openssl encryption with and without '-engine
cryptodev'. Remember to use -nosalt (and maybe -raw) to prevent openssl
from putting salt in front of the ciphertext.
> Also, I've got some questions to finish the driver:
> - between arc4rand() and read_random(), which function shall I use?
arc4rand() is preferred.
> - Shall I lock the sessions ? The padlock driver uses a mutex to lock
> the sessions
> Is it useful? Drivers ubsec, safe and hifn don't lock the sessions at
You should and they should as well.
> - during crypto_process() the driver uses "s = splnet();". I'm not sure
> about this ?
Drop this one.
> - The driver does a busy wait to check the completion of the
> encryption. I think it would be better to use the interrupt. I will
> look later.
I remember looking at that code some time ago and that bit is really
lame, so lame that I think they would do it in a different way if that
was possible. Maybe it's worth contacting OpenBSD/NetBSD and ask? There
might be a good reason for that.
> - Any comment is welcome, this is my first work on a driver.
Looks good:) I can do a final review and commit once you are done and if
I'll be able to start my Soekris and test it.
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
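
One way to run the comparison suggested in the reply above, as an added example that is not part of the original thread or of the driver: it encrypts the first two blocks of the NIST SP 800-38A (F.2.1) AES-128-CBC test vector with an explicit key and IV, so no passphrase or salt is involved, and compares the output with and without an engine. The function names (hex2bin, aes_cbc_hex, check_engine) are hypothetical; it assumes openssl and od are installed.

```shell
#!/bin/sh
# Known-answer test for AES-128-CBC: NIST SP 800-38A, section F.2.1,
# first two blocks (two blocks so that CBC chaining is exercised too).
KEY=2b7e151628aed2a6abf7158809cf4f3c
IV=000102030405060708090a0b0c0d0e0f
PT=6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51
CT=7649abac8119b246cee98e9b12e9197d5086cb9b507219ee95db113a917678b2

# hex2bin HEX: write the bytes encoded by an even-length hex string to stdout.
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}                 # everything after the first two digits
        byte=${h%"$rest"}            # the first two digits
        printf '%b' "\\0$(printf '%03o' "0x$byte")"
        h=$rest
    done
}

# aes_cbc_hex [extra openssl enc options]: encrypt PT, print ciphertext as hex.
# -K/-iv pass the raw key and IV; -nopad keeps the output to exactly the
# two blocks of the test vector.
aes_cbc_hex() {
    hex2bin "$PT" |
        openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -nopad "$@" 2>/dev/null |
        od -An -tx1 | tr -d ' \n'
}

# check_engine [ENGINE]: check the software path against the vector and, when
# ENGINE is given (for example cryptodev), check the engine's output as well.
check_engine() {
    sw=$(aes_cbc_hex)
    [ "$sw" = "$CT" ] || { echo "software AES mismatch: $sw"; return 1; }
    [ -n "$1" ] || { echo "software path matches the NIST vector"; return 0; }
    hw=$(aes_cbc_hex -engine "$1")
    [ "$hw" = "$CT" ] || { echo "engine $1 mismatch: $hw"; return 2; }
    echo "engine $1 matches software and the NIST vector"
}
```

Source the file and run `check_engine cryptodev` on the box with the driver loaded; a return status of 2 means the accelerated path produced different ciphertext from the software path.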