Re: [Soekris] What's the difference between OpenSoekris and flashrd?

2011-04-18 Thread Chris Cappuccio
Ed Flecko [edfle...@gmail.com] wrote:
 
 2.) Am I right so far?
 
 Once you've written the image to your CF, you just plug it back into
 your Soekris (I'm guessing), but how do you actually configure the
 Soekris (i.e., set up NIC interfaces, configure PF, etc.)?
 

Edit config files in /etc

 3.) Do you, somehow, configure your image in advance of writing it to
 the CF or you do that after you've written it to the flash???
 

This can be done after the new system is booted or you can mount the /etc
partition of the openbsd.vnd file and do it beforehand

 I'm confused about this process, so if someone could shed a little
 light on the steps that need to be taken, that would be great!
 

The flashrd faq might help.  What I do is edit openbsd.vnd and then test it in 
an emulator before pushing the image out to systems.

-- 
the preceding comment is my own and in no way reflects the opinion of the Joint 
Chiefs of Staff
___
Soekris-tech mailing list
Soekris-tech@lists.soekris.com
http://lists.soekris.com/mailman/listinfo/soekris-tech


Re: [Soekris] What's the difference between OpenSoekris and flashrd?

2011-04-18 Thread Ed Flecko
Thank you Chris.

:-)

1.) What's the openbsd.vnd file, and how would you mount it?

2.) If you DO mount it and wanted to edit the /etc files, I can see
how you could configure PF, but you couldn't configure the NICs of the
Soekris (could you?), because their respective re0 (or however their
NICs are identified) aren't yet created...because you installed the
OS on the CF while it was attached to another PC.

I hope that makes sense?

Ed


[Soekris] Hardware crypto acceleration on Debian

2011-04-18 Thread Guillaume Filion
Hi,

I've been looking into using the hardware crypto acceleration on the Geode
chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
(nginx) running on Debian.

Right now I'm a bit confused on what my options are, so let me write my
understanding of the situation and please correct anything that is
inaccurate:

1. The geode hardware crypto acceleration only works for aes-128-cbc.
vpn1411 works for a lot more ciphers/key sizes.

2. There's no out-of-the-box support for hardware crypto acceleration of the
geode or the vpn1411 under linux.

3. The only way to support it is with ocf-linux, which requires a patch for
the kernel and openssl.

4. There's no debian kernel package available with the ocf-linux patch
already in place.

5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
2.6.32).

6. I should really consider switching to openbsd...

Please tell me if I'm missing something, otherwise, I think I'll seriously
look into implementing #6...

Thanks a lot and have a great week!
GFK's
-- 
http://guillaume.filion.org/


Re: [Soekris] Hardware crypto acceleration on Debian

2011-04-18 Thread Michael Proto
2011/4/18 Guillaume Filion g...@logidac.com:
 Hi,

 I've been looking into using the hardware crypto acceleration on the Geode
 chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
 (nginx) running on Debian.

 Right now I'm a bit confused on what my options are, so let me write my
 understanding of the situation and please correct anything that is
 inaccurate:

 1. The geode hardware crypto acceleration only works for aes-128-cbc.
 vpn1411 works for a lot more ciphers/key sizes.

 2. There's no out-of-the-box support for hardware crypto acceleration of the
 geode or the vpn1411 under linux.

 3. The only way to support it is with ocf-linux, which requires a patch for
 the kernel and openssl.

 4. There's no debian kernel package available with the ocf-linux patch
 already in place.

 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
 2.6.32).

 6. I should really consider switching to openbsd...

 Please tell me if I'm missing something, otherwise, I think I'll seriously
 look into implementing #6...

(I'm not running either the Geode or vpn1411 crypto under Linux so
take what's below with a grain of salt, but...)

Looking at the kernel config for my ubuntu 10.04 server, I do see
entries for both of these crypto devices in the mainline default
kernel:

CONFIG_CRYPTO_DEV_GEODE=m
CONFIG_CRYPTO_DEV_HIFN_795X=m
CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y

The Geode should cover the Geode LX CPU's onboard crypto and the HiFn
7956 would be the vpn1411. OpenSSL may still need to be patched, but
in-kernel ops would utilize both crypto accelerators should the
appropriate modules be loaded I would think.


-Proto


Re: [Soekris] What's the difference between OpenSoekris and flashrd?

2011-04-18 Thread Stuart Henderson
On 2011-04-16, Ed Flecko edfle...@gmail.com wrote:
 Thank you Chris.

:-)

 1.) What's the openbsd.vnd file, and how would you mount it?

See the FAQ,
Modify new /etc to include necessary configuration.

 2.) If you DO mount it and wanted to edit the /etc files, I can see
 how you could configure PF, but you couldn't configure the NICs of the
 Soekris (could you?), because their respective re0 (or however their
 NICs are identified) aren't yet created...because you installed the
 OS on the CF while it was attached to another PC.

Just create the hostname.vr0/whatever files in the /etc.




Re: [Soekris] Hardware crypto acceleration on Debian

2011-04-18 Thread Guillaume Filion
You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what
I understand it's only used by the kernel. OpenSSL doesn't support it
and I couldn't find a patch.

-- 
http://guillaume.filion.org/


Re: [Soekris] Hardware crypto acceleration on Debian

2011-04-18 Thread Michael Proto
On Mon, Apr 18, 2011 at 5:01 PM, Guillaume Filion g...@logidac.com wrote:
 You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what
 I understand it's only used by the kernel. OpenSSL doesn't support it
 and I couldn't find a patch.


With the speed of the Geode CPU in a 5501, you'd likely not see a
significant (if any) improvement in speed when using userland programs
like OpenSSL with onboard crypto accelerators. The context-switch from
userland to kernel for the crypto processing will be much more
expensive than the crypto itself. I ran some old benchmarks of the
crypto processor in the Geode LX (can't seem to find them now), but
with a patched OpenSSL I didn't see any real improvement versus
letting software do the whole thing.

In short, crypto accelerators in SBCs like the Soekris are more for
in-kernel crypto processing (like aes-encrypted disks and IPSec), and
less for userland processing. Obviously I don't know what you're
trying to do with OpenSSL, but in my own experience having crypto
accelerator support in userland gave me no measurable benefit.


-Proto
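
Added example, not part of the thread: whether in-kernel users (IPsec, disk encryption) actually get the accelerator can be read from /proc/crypto, because the kernel crypto API hands out the highest-priority registered provider of an algorithm. The sample records below are constructed, and their driver, module and priority values are assumptions for illustration.

```shell
# Constructed sample in /proc/crypto layout (records separated by blank lines).
# Driver, module and priority values are illustrative, not captured from a net5501.
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-geode
module       : geode_aes
priority     : 400

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
EOF
}

# best_impl ALG: read /proc/crypto-style text on stdin and print
# "driver module priority" for the highest-priority provider of ALG,
# the one the kernel crypto API selects for in-kernel users.
# Exit status is 1 when no provider of ALG is registered.
best_impl() {
    awk -F'[ \t]*:[ \t]*' -v alg="$1" '
        function commit() {
            if (name == alg && (best == "" || prio + 0 > bestprio + 0)) {
                best = driver " " module " " prio
                bestprio = prio
            }
            name = ""; driver = ""; module = ""; prio = ""
        }
        /^[ \t]*$/       { commit(); next }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "module"   { module = $2 }
        $1 == "priority" { prio = $2 }
        END {
            commit()
            if (best == "") exit 1
            print best
        }
    '
}

# On a live system: best_impl 'cbc(aes)' < /proc/crypto
```

/proc/crypto lists only registered algorithms, so an accelerator's entry appears only after its module has been loaded.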