On Fri, Jun 06, 2008 at 11:41:35PM +0200, Patrick Lamaizière wrote:
> Dears,
>
> I'm trying to port the glxsb driver from OpenBSD to FreeBSD 7-STABLE
> (via the NetBSD port).

Cool.

> " The glxsb driver supports the security block of the Geode LX
> series processors. The Geode LX is a member of the AMD Geode family
> of integrated x86 system chips.
>
> Driven by periodic checks for available data from the generator,
> glxsb supplies entropy to the random(4) driver for common usage.
>
> glxsb also supports acceleration of AES-128-CBC operations for
> crypto(4)."
>
> I think that most of the work is done, except the random generator.
> Source "in progress" for 7-STABLE:
> http://user.lamaiziere.net/patrick/glxsb.c
> http://user.lamaiziere.net/patrick/glxsb.tar.gz (c+Makefile)
>
> Credits to OpenBSD and NetBSD, Thanks!
>
> Well, it seems to work but I've got a few problems to test the module:
>
> - How to check the encryption/decryption?
>
> Openssl seems ok, I've got quite the same results as NetBSD on a Soekris
> net5501 box. But I must use -engine cryptodev, why?

This is ok, as you may not want to use it, right?

> $ openssl speed -evp aes-128-cbc -engine cryptodev -elapsed
> engine "cryptodev" set.
> ...CUT...
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc       1151.08k     4134.25k    11936.49k    22504.83k    25576.36k
>
> When I test ssh -c aes128-cbc hostname, ssh does not use the crypto
> device. I receive a crypto_newsession() followed by a
> crypto_freesession(), I mean I don't receive any crypto_process().

Have you tried to put some debug into opencrypto? I believe openssh should
use it automatically, at least this was the case some time ago, AFAIR.

> So how can I be sure that the data is well encrypted?

Try comparing the result of openssl encryption with and without '-engine
cryptodev'. Remember to use -nosalt (and maybe -raw) to prevent openssl from
putting salt in front of the ciphertext.

> Also, I've got some questions to finish the driver:
>
> - Between arc4rand() and read_random(), which function shall I use?

arc4rand() is preferred.

> - Shall I lock the sessions? The padlock driver uses a mutex to lock
> the sessions
> http://fxr.watson.org/fxr/source/crypto/via/padlock.c?v=FREEBSD7#L211
>
> Is it useful? Drivers ubsec, safe and hifn don't lock the sessions at
> all.

You should and they should as well.

> - During crypto_process() the driver uses "s = splnet();". I'm not sure
> about this?

Drop this one.

> - The driver does a busy wait to check the completion of the
> encryption. I think it would be better to use the interrupt. I will
> look later.

I remember looking at that code some time ago and that bit is really lame,
so lame that I think they would do it in a different way if that was
possible. Maybe it's worth contacting OpenBSD/NetBSD and asking? There might
be a good reason for that.

> - Any comment is welcome, this is my first work on a driver.

Looks good:) I can do a final review and commit once you are done and if
I'll be able to start my Soekris and test it.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
[EMAIL PROTECTED]                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
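The reply above suggests checking the hardware path by comparing openssl output with and without '-engine cryptodev', with -nosalt so the two runs see the same key and IV. A stronger check is to compare the captured ciphertext against an independent software reference and against published known-answer vectors, so that a bug shared by both openssl runs cannot hide. The block below is an added example, not code from the thread or from the glxsb driver: a small pure-Python AES-128-CBC reference (raw CBC, no padding) plus a helper that takes the hex ciphertext captured from the driver and reports whether it matches. The vectors embedded in it are the FIPS-197 appendix C.1 block and the first two blocks of NIST SP 800-38A F.2.1; everything else (function names, the captured-ciphertext argument) is this example's own.

```python
# Added example (not from the original thread or the glxsb sources): a
# pure-Python AES-128-CBC reference used to verify ciphertext produced by a
# hardware path, e.g. `openssl enc -aes-128-cbc -engine cryptodev -nosalt -nopad
# -K <key> -iv <iv>`, against a software answer and published test vectors.

def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff

def _gen_sbox():
    # Build the S-box from GF(2^8) inverses plus the affine map (FIPS-197 5.1.1),
    # walking the field with p *= 3 and q /= 3 so q is always the inverse of p.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff
        q ^= (q << 1) & 0xff
        q ^= (q << 2) & 0xff
        q ^= (q << 4) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()

def _xtime(a):
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def _mul(a, b):
    # GF(2^8) multiplication; MixColumns only needs b in {1, 2, 3}.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _expand_key(key):
    # FIPS-197 5.2: 44 words, returned as 11 round keys of 16 bytes each.
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _encrypt_block(block, round_keys):
    # State kept as 16 bytes in column-major order: byte i is row i % 4, column i // 4.
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd != 10:                                                         # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_mul(a0, 2) ^ _mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _mul(a1, 2) ^ _mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _mul(a2, 2) ^ _mul(a3, 3),
                      _mul(a0, 3) ^ a1 ^ a2 ^ _mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def aes128_cbc_encrypt(key, iv, plaintext):
    # Raw CBC without padding: the input must already be a multiple of 16 bytes,
    # which is what the openssl run with -nopad consumes.
    if len(key) != 16 or len(iv) != 16 or len(plaintext) % 16:
        raise ValueError("key and iv must be 16 bytes; plaintext a multiple of 16 bytes")
    rk = _expand_key(key)
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), 16):
        x = bytes(a ^ b for a, b in zip(plaintext[i:i + 16], prev))
        prev = _encrypt_block(x, rk)
        out += prev
    return bytes(out)

def check_hardware_output(key_hex, iv_hex, plaintext_hex, observed_ct_hex):
    """Compare ciphertext captured from the hardware path with the software
    reference. Returns (matches, expected_hex) so a mismatch can be reported."""
    expected = aes128_cbc_encrypt(bytes.fromhex(key_hex), bytes.fromhex(iv_hex),
                                  bytes.fromhex(plaintext_hex)).hex()
    return expected == observed_ct_hex.strip().lower(), expected

if __name__ == "__main__":
    # FIPS-197 C.1 single block (zero IV makes the first CBC block equal to ECB).
    ok, exp = check_hardware_output("000102030405060708090a0b0c0d0e0f", "00" * 16,
                                    "00112233445566778899aabbccddeeff",
                                    "69c4e0d86a7b0430d8cdb78070b4c55a")
    print("FIPS-197 vector:", "match" if ok else "MISMATCH, expected " + exp)
```

To use it against the driver, write the plaintext of the test vector to a file, run openssl once with and once without '-engine cryptodev' using the same -K, -iv, -nosalt and -nopad arguments, and pass each output (hex-encoded) to check_hardware_output. Both runs have to match the reference; if only the engine run differs, the problem is in the hardware path rather than in the test setup, and a mismatch that appears only in the second and later blocks points at the CBC chaining rather than at the block cipher itself.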

