seeking current supported crypto co-processors
Kostik Belousov
kostikbel at gmail.com
Fri Sep 3 21:43:31 UTC 2010
On Fri, Sep 03, 2010 at 02:26:37PM -0700, Ricky Charlet wrote:
> Thanks Ivan,
>
> You have some valid points about performance. I was hoping not to get distracted from the main thrust of my question by performance considerations though.
>
> Are their PCIe attachable crypto co-processors with current vendor support for FreeBSD8.x? If anyone else reading this thread want's to chime in with info about current supported crypto co-processors that plug in via PCIe, please drop a note.
>
>
> However, I think you do deserve a reply on the performance topic...
>
> I am close enough to agreeing with you to not argue much about whether modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am currently married to (a touch old but not that bad), seems to be able to through around 200Mb of IP-ESP data around. However, in spite of these observations, I would prefer if my system could handle that throughput load and yet have CPU power left over for other tasks.
>
> I'm very attracted to Andre's mention of "newer x86/amd64
> CPU's see: http://en.wikipedia.org/wiki/AES_instruction_set". Does
> anyone know if FreeBSD supports or will support this through either
> /dev/crypto or through openssl (or any other mechanism I guess)?
I believe recent OpenSSL 1.x supports AESNI in usermode.
For the AES acceleration in the kernel and /dev/crypto support
see the aesni driver in the recent HEAD, working both on i386 and
amd64 architectures. I had a plan to merge the driver into RELENG_8,
but it is stalled due to some issues (not related to the driver
quality).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20100903/1f7cf6ca/attachment.pgp
More information about the freebsd-security
mailing list