AMD Geode LX crypto accelerator (glxsb)

Mike Tancsa mike at sentex.net
Wed Jul 9 19:31:38 UTC 2008 

At 11:05 AM 6/22/2008, Patrick Lamaizière wrote:
>Le Fri, 6 Jun 2008 23:41:35 +0200,
>Patrick Lamaizière <patfbsd at davenulle.org> a écrit :
>
>Hello,
>
> > I'm trying to port the glxsb driver from OpenBSD to FreeBSD 7-STABLE
> > (via the NetBSD port).
> > " The glxsb driver supports the security block of the Geode LX
> > series processors.  The Geode LX is a member of the AMD Geode family
> > of integrated x86 system chips.

Hi,
         Thanks for porting this over!  I am just 
trying it now with ipsec on a soekris 5501

Without the module loaded, I can do something simple like


# sh s
# cat s
MEOUTSIDE=64.x.x.x
MEINSIDE=192.168.5.0/24
REMOTEOUTSIDE=64.y.y.y
REMOTEINSIDE=192.168.1.0/24
IPSECKEY=zxzpprlNH61N11SGfrCa8dxZ


setkey -c <<EOF
         add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 
-m any -E rijndael-cbc  "$IPSECKEY";
         add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 
-m any -E rijndael-cbc  "$IPSECKEY";
         spdadd $MEINSIDE $REMOTEINSIDE any -P 
out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
         spdadd $REMOTEINSIDE $MEINSIDE any -P 
in  ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF


But if I load the glxsb modules, setkey fails on the same policy.

# setkey -F
# setkey -FP
# setkey -DP
No SPD entries.
# kldload glxsb
# dmesg | tail
vr0: link state changed to DOWN
vr0: link state changed to UP
vr0: promiscuous mode enabled
vr0: promiscuous mode disabled
vr1: promiscuous mode enabled
vr1: promiscuous mode disabled
vr1: promiscuous mode enabled
vr1: promiscuous mode disabled
glxsb0: detached
glxsb0: <AMD Geode LX Security Block 
(AES-128-CBC,RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
# sh s
The result of line 1: Invalid argument.
The result of line 2: Invalid argument.
#

What is the proper AES encryption to use for 
IPSEC ? Why is there a difference in syntax 
?  This is RELENG_7 from a few days ago. If I 
change the crypto to 3des-cbc, it works, but its 
not making use of the crypto offload of course.

         ---Mike

More information about the freebsd-stable mailing list