[Soekris] Hardware crypto acceleration on Debian

Michael Proto mike at jellydonut.org
Mon Apr 18 16:50:11 UTC 2011


2011/4/18 Guillaume Filion <gfk at logidac.com>:
> Hi,
>
> I've been looking into using the hardware crypto acceleration on the Geode
> chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
> (nginx) running on Debian.
>
> Right now I'm a bit confused on what my options are, so let me write my
> understanding of the situation and please correct anything that is
> inaccurate:
>
> 1. The geode hardware crypto acceleration only works for aes-128-cbc.
> vpn1411 works for a lot more ciphers/key sizes.
>
> 2. There's no out-of-the-box support for hardware crypto acceleration of the
> geode or the vpn1411 under linux.
>
> 3. The only way to support it is with ocf-linux, which requires a patch for
> the kernel and openssl.
>
> 4. There's no debian kernel package available with the ocf-linux patch
> already in place.
>
> 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
> 2.6.32).
>
> 6. I should really consider switching to openbsd...
>
> Please tell me if I'm missing something, otherwise, I think I'll seriously
> look into implementing #6...

(I'm not running either the Geode or vpn1411 crypto under Linux so
take what's below with a grain of salt, but...)

Looking at the kernel config for my Ubuntu 10.04 server, I do see
entries for both of these crypto devices in the mainline default
kernel:

CONFIG_CRYPTO_DEV_GEODE=m
CONFIG_CRYPTO_DEV_HIFN_795X=m
CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y

The Geode should cover the Geode LX CPU's onboard crypto and the HiFn
7956 would be the vpn1411. OpenSSL may still need to be patched, but
in-kernel ops would utilize both crypto accelerators should the
appropriate modules be loaded I would think.


-Proto
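
The check described in the reply above, as an added example that is not part of the original message: it reads the three CONFIG options quoted there from a kernel config file and reports which driver has the highest priority for an algorithm in /proc/crypto-format text. The function names and the sample records (including the driver name and priorities) are constructed for illustration.

```shell
# Added example: build state of the crypto drivers named in the message, and
# the driver the in-kernel crypto API would prefer for one algorithm.
# config_state FILE OPTION -> prints y, m, or "unset"
config_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-unset}"
}

# best_driver FILE ALG -> driver with the highest priority for ALG, or "none".
# FILE is in /proc/crypto format: blank-line separated "key : value" records.
best_driver() {
    awk -v alg="$2" '
        function endrec() {
            if (name == alg && prio + 0 > best) { best = prio + 0; drv = driver }
            name = ""; driver = ""; prio = ""
        }
        BEGIN { FS = "[ \t]*:[ \t]*"; best = -1 }
        /^[ \t]*$/ { endrec(); next }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        END { endrec(); print (best >= 0 ? drv : "none") }
    ' "$1"
}

# Constructed sample input (not captured from real hardware).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_CRYPTO_DEV_GEODE=m' 'CONFIG_CRYPTO_DEV_HIFN_795X=m' \
        'CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y' > "$d/config"
    printf '%s\n' 'name         : cbc(aes)' 'driver       : cbc-aes-geode' \
        'module       : geode_aes' 'priority     : 400' '' \
        'name         : cbc(aes)' 'driver       : cbc(aes-generic)' \
        'module       : kernel' 'priority     : 100' > "$d/crypto"
    for o in CONFIG_CRYPTO_DEV_GEODE CONFIG_CRYPTO_DEV_HIFN_795X CONFIG_CRYPTO_DEV_HIFN_795X_RNG; do
        echo "$o: $(config_state "$d/config" "$o")"
    done
    echo "cbc(aes) -> $(best_driver "$d/crypto" 'cbc(aes)')"
    rm -rf "$d"
}
demo
```

On a live system the same functions can be pointed at `/boot/config-$(uname -r)` and `/proc/crypto`; a hardware driver only shows up in the latter once its module is loaded, and the result covers in-kernel users only, not OpenSSL.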
