Hello Alpine Team,

I write this message for a little problem I encounter.

I'm running Alpine since many versions on PC Engine hardware. 
(http://www.pcengines.ch/alix2d13.htm)
It runs OpenVPN and other services like a charm.
I recently looked at my openvpn config, and wanted to use the Crypto 
hardware card included in the hardware , a geode-aes.
The module is present in the Alpine kernel :

lsmod | grep geode_aes :
geode_aes               4116  0

The openvpn complies with this :

OpenSSL error: cannot load engine 'geode-aes'

As the module is loaded, the problem target is more in the openssl :

OpenSSL> engine
(dynamic) Dynamic engine loading support
(padlock) VIA PadLock: not supported

Here we haven't any geode stuff.

I'm wondering if openssl shouldn't have an addon like cryptodev-linux : 
http://cryptodev-linux.org/

As Alpine Linux is nice for routers/firewalls , a lot of embedded 
hardware have such crypto accelarators.

For information the Alpine is the latest 2.7.7

Does anyone an idea or advice ?

Thanks to all for your great work.

Regards,

Nicolas.









---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Hi Nicolas,

I'm successfully using Voyage Linux {1} on my Alix boards, which has
been specially fitted to support all PcEngines boards including the AES
modules in AMD Geode CPUs. Maybe you can find hints in a test set-up of
Voyage on your Alix board.

By the way, in my experience the Geode AES module didn't significantly
enhance the performance of OpenVPN  or reduce CPU load. AFAIR, enabling
the AES module came with some limitations regarding the AES encryption,
but I can't remember what exact limitations there occurred (possibly the
bit size of the encryption or frame length). Anyway, I found the AES
module not to be very helpful in my case.

Sorry, I can't offer any real advice, Tiger

{1} http://linux.voyage.hk/



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

On Wed, 07 May 2014 14:58:58 +0200
nicolas@the-tropics.fr wrote:

> I'm wondering if openssl shouldn't have an addon like
> cryptodev-linux : http://cryptodev-linux.org/
> 
> As Alpine Linux is nice for routers/firewalls , a lot of embedded 
> hardware have such crypto accelarators.

Generally that will not help on "slow" boxes. The problem is that the
system call overhead will outweight any acceleration you might get. It
only helps if the crypto accel chip is asynchronous and you use it for
really large block sizes.

You really need userland openssl module using geode-aes to gain
anything.

Alternatively you can use IPsec. The kernel's geode-aes module will
automatically accelerate ipsec esp traffic.

- Timo


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Thanks Timo for your answer.
Indeed the box isnt full loaded, I asked this question to maybe have a 
gain in CPU load, and by the way to improve the Alpine list of features 
:)

Regards,

Nicolas

Le 2014-05-07 17:20, Timo Teras a écrit :
> On Wed, 07 May 2014 14:58:58 +0200
> nicolas@the-tropics.fr wrote:
> 
>> I'm wondering if openssl shouldn't have an addon like
>> cryptodev-linux : http://cryptodev-linux.org/
>> 
>> As Alpine Linux is nice for routers/firewalls , a lot of embedded
>> hardware have such crypto accelarators.
> 
> Generally that will not help on "slow" boxes. The problem is that the
> system call overhead will outweight any acceleration you might get. It
> only helps if the crypto accel chip is asynchronous and you use it for
> really large block sizes.
> 
> You really need userland openssl module using geode-aes to gain
> anything.
> 
> Alternatively you can use IPsec. The kernel's geode-aes module will
> automatically accelerate ipsec esp traffic.
> 
> - Timo
> 
> 
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Hi Tiger,

Thanks having taken the time to answer.

It's true the geode-aes only provides encryption till AES-128.
Doesn't matter anyway if it doesnt provide less CPU usage.

Regards

Nicolas.



Le 2014-05-07 17:14, Der Tiger a écrit :
> Hi Nicolas,
> 
> I'm successfully using Voyage Linux {1} on my Alix boards, which has
> been specially fitted to support all PcEngines boards including the AES
> modules in AMD Geode CPUs. Maybe you can find hints in a test set-up of
> Voyage on your Alix board.
> 
> By the way, in my experience the Geode AES module didn't significantly
> enhance the performance of OpenVPN  or reduce CPU load. AFAIR, enabling
> the AES module came with some limitations regarding the AES encryption,
> but I can't remember what exact limitations there occurred (possibly 
> the
> bit size of the encryption or frame length). Anyway, I found the AES
> module not to be very helpful in my case.
> 
> Sorry, I can't offer any real advice, Tiger
> 
> {1} http://linux.voyage.hk/


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---