AMD Geode LX crypto accelerator (glxsb)

Pawel Jakub Dawidek pjd at
Sat Jun 7 04:19:02 UTC 2008

On Fri, Jun 06, 2008 at 11:41:35PM +0200, Patrick Lamaizière wrote:
> Dears,
> I'm trying to port the glxsb driver from OpenBSD to FreeBSD 7-STABLE
> (via the NetBSD port).


> " The glxsb driver supports the security block of the Geode LX
> series processors.  The Geode LX is a member of the AMD Geode family
> of integrated x86 system chips.
> Driven by periodic checks for available data from the generator,
> glxsb supplies entropy to the random(4) driver for common usage.
> glxsb also supports acceleration of AES-128-CBC operations for
> crypto(4)."
> I think that most of the work is done, except the random generator.
> Source "in progress" for 7-STABLE:
> (c+Makefile)
> Credits to OpenBSD and NetBSD, Thanks!
> Well, it seems to work but I've got a few problems testing the module:
> - How do I check the encryption/decryption?
> Openssl seems ok, I've got quite the same results as NetBSD on a Soekris
> net5501 box. But I must use -engine cryptodev, why?

This is ok, as you may not want to use it, right?

> $ openssl speed -evp aes-128-cbc -engine cryptodev -elapsed
> engine "cryptodev" set.
> ...CUT...
> type        16 bytes  64 bytes  256 bytes 1024 bytes 8192 bytes
> aes-128-cbc 1151.08k  4134.25k  11936.49k 22504.83k  25576.36k
> When I test ssh -c aes128-cbc hostname, ssh does not use the crypto
> device. I receive a crypto_newsession() followed by a
> crypto_freesession(), I mean I don't receive any crypto_process().

Have you tried to put some debug to opencrypto? I believe openssh should
use it automatically, at least this was the case some time ago, AFAIR.

> So how can I be sure that the data is encrypted correctly?

Try comparing the result of openssl encryption with and without '-engine
cryptodev'. Remember to use -nosalt (and maybe -raw) to prevent openssl
from putting salt in front of the ciphertext.

> Also, I've got some questions to finish the driver:
> - Between arc4rand() and read_random(), which function shall I use?

arc4rand() is preferred.

> - Shall I lock the sessions? The padlock driver uses a mutex to lock
> the sessions.
> Is it useful? Drivers ubsec, safe and hifn don't lock the sessions at
> all.

You should and they should as well.

> - During crypto_process() the driver uses "s = splnet();". I'm not sure
> about this?

Drop this one.

> - The driver does a busy wait to check the completion of the
> encryption. I think it would be better to use the interrupt. I will
> look later.

I remember looking at that code some time ago and that bit is really
lame, so lame that I think they would do it in a different way if that
was possible. Maybe it's worth contacting OpenBSD/NetBSD and asking? There
might be a good reason for that.

> - Any comment is welcome, this is my first work on a driver.

Looks good :) I can do a final review and commit once you are done and if
I'm able to start my Soekris and test it.

Pawel Jakub Dawidek             
pjd at                 
FreeBSD committer                         Am I Evil? Yes, I Am!

More information about the freebsd-hackers mailing list
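
The comparison suggested in the reply, written out as an added example that is not part of the original thread or of the driver. It goes one step further than the reply by also checking a published known-answer vector (NIST SP 800-38A, F.2.1, first block), and it passes the key and IV with -K/-iv so that no salt or password derivation is involved; the function names are hypothetical.

```shell
#!/bin/sh
# Known-answer and cross-check for AES-128-CBC, with and without an engine.
# Vector: NIST SP 800-38A, F.2.1 (CBC-AES128.Encrypt), first block.
KEY=2b7e151628aed2a6abf7158809cf4f3c
IV=000102030405060708090a0b0c0d0e0f
EXPECTED=7649abac8119b246cee98e9b12e9197d

# Emit the 16-byte plaintext block 6bc1bee2 2e409f96 e93d7e11 7393172a.
# Octal escapes are used because POSIX printf has no \x escape.
kat_plaintext() {
    printf '\153\301\276\342\056\100\237\226\351\075\176\021\163\223\027\052'
}

# Encrypt stdin and print the ciphertext as lowercase hex.
# Extra arguments (for example: -engine cryptodev) go straight to openssl.
# stderr is left visible so an engine that fails to load is noticed.
aes_cbc_hex() {
    openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -nopad "$@" |
        od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if this openssl variant reproduces the NIST ciphertext.
check_kat() {
    got=$(kat_plaintext | aes_cbc_hex "$@")
    [ "$got" = "$EXPECTED" ]
}

# Return 0 if software and engine output agree on a constructed 8192-byte
# input (8192 ASCII zeros), which exercises CBC chaining across many blocks.
compare_paths() {
    sw=$(printf '%08192d' 0 | aes_cbc_hex)
    hw=$(printf '%08192d' 0 | aes_cbc_hex "$@")
    [ -n "$sw" ] && [ "$sw" = "$hw" ]
}

# Usage: sh katcheck.sh -engine cryptodev
if [ "$#" -gt 0 ]; then
    check_kat && echo "software path: known answer ok"
    check_kat "$@" && echo "engine path:   known answer ok"
    compare_paths "$@" && echo "8192-byte comparison ok"
fi
```

A match only says something about the driver if the engine really handled the request, so check that openssl reports the engine as set and that the driver sees crypto_process() calls during the run.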