[Soekris] Hardware crypto acceleration on Debian

Michael Proto mike at jellydonut.org
Mon Apr 18 16:50:11 UTC 2011

2011/4/18 Guillaume Filion <gfk at logidac.com>:
> Hi,
> I've been looking into using the hardware crypto acceleration on the Geode
> chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
> (nginx) running on Debian.
> Right now I'm a bit confused on what my options are, so let me write my
> understanding of the situation and please correct anything that is
> inaccurate:
> 1. The geode hardware crypto acceleration only works for aes-128-cbc.
> vpn1411 works for a lot more ciphers/key sizes.
> 2. There's no out-of-the-box support for hardware crypto acceleration of the
> geode or the vpn1411 under linux.
> 3. The only way to support it is with ocf-linux, which requires a patch for
> the kernel and openssl.
> 4. There's no debian kernel package available with the ocf-linux patch
> already in place.
> 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
> 2.6.32).
> 6. I should really consider switching to openbsd...
> Please tell me if I'm missing something, otherwise, I think I'll seriously
> look into implementing #6...

(I'm not running either the Geode or vpn1411 crypto under Linux so
take what's below with a grain of salt, but...)

Looking at the kernel config for my ubuntu 10.04 server, I do see
entries for both of these crypto devices in the mainline default


The Geode should cover the Geode LX CPU's onboard crypto and the HiFn
7956 would be the vpn1411. OpenSSL may still need to be patched, but
in-kernel ops would utilize both crypto accelerators should the
appropriate modules be loaded I would think.
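
Added example, not part of the original message: once the modules are loaded, /proc/crypto lists every registered implementation, and the kernel crypto API prefers the highest-priority driver for each algorithm name. This Python sketch parses that file and reports the preferred driver per algorithm; the sample records and their driver/module names are constructed for illustration.

```python
"""Report which driver the kernel crypto API would prefer per algorithm."""
import sys

# Constructed sample in /proc/crypto layout; driver and module names are illustrative.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc-aes-geode
module       : geode_aes
priority     : 400

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
"""


def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per registered implementation."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():                # a blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def preferred_drivers(entries):
    """Map algorithm name -> entry with the highest priority for that name."""
    best = {}
    for entry in entries:
        name = entry.get("name")
        prio = int(entry.get("priority", "0"))
        if name and (name not in best or prio > int(best[name].get("priority", "0"))):
            best[name] = entry
    return best


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, e in sorted(preferred_drivers(parse_proc_crypto(text)).items()):
        print(f"{name:12} {e.get('driver', '?'):20} module={e.get('module', '?')}")
```

Run it with /proc/crypto as the argument on the target box; a software driver winning for cbc(aes) means the accelerator module is not loaded or not registered.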


