Re: [Soekris] What's the difference between OpenSoekris and flashrd?
Ed Flecko [edfle...@gmail.com] wrote: 2.) Am I right so far? Once you've written the image to your CF, you just plug it back into your Soekris (I'm guessing), but how do you actually configure the Soekris (i.e., set up NIC interfaces, configure PF, etc.)? Edit config files in /etc 3.) Do you, somehow, configure your image in advance of writing it to the CF or you do that after you've written it to the flash??? This can be done after the new system is booted or you can mount the /etc partition of the openbsd.vnd file and do it before hand I'm confused about this process, so if someone could shed a little light on the steps that need to be taken, that would be great! The flashrd faq might help. What I do is edit openbsd.vnd and then test it in an emulator before pushing the image out to systems. -- the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] What's the difference between OpenSoekris and flashrd?
Thank you Chris. :-) 1.) What's the openbsd.vnd file, and how would you mount it? 2.) If you DO mount it and wanted to edit the /etc files, I can see how you could configure PF, but you couldn't configure the NICs of the Soekris (could you?), because their respective re0 (or however their NIC's are identified) aren't yet created...because you installed the OS on the CF while it was attached to another PC. I hope that makes sense? Ed ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
[Soekris] Hardware crypto acceleration on Debian
Hi, I've been looking into using the hardware crypto acceleration on the Geode chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer (nginx) running on Debian. Right now I'm a bit confused on what my options are, so let me write my understanding of the situation and please correct anything that is inaccurate: 1. The geode hardware crypto acceleration only works for aes-128-cbc. vpn1411 works for a lot more ciphers/key sizes. 2. There's no out-of-the-box support for hardware crypto acceleration of the geode or the vpn1411 under linux. 3. The only way to support it is with ocf-linux, which requires a patch for the kernel and openssl. 4. There's no debian kernel package available with the ocf-linux patch already in place. 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at 2.6.32). 6. I should really consider switching to openbsd... Please tell my if I'm missing something, otherwise, I think I'll seriously look into implementing #6... Thanks a lot and have a great week! GFK's -- http://guillaume.filion.org/ ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] Hardware crypto acceleration on Debian
2011/4/18 Guillaume Filion g...@logidac.com: Hi, I've been looking into using the hardware crypto acceleration on the Geode chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer (nginx) running on Debian. Right now I'm a bit confused on what my options are, so let me write my understanding of the situation and please correct anything that is inaccurate: 1. The geode hardware crypto acceleration only works for aes-128-cbc. vpn1411 works for a lot more ciphers/key sizes. 2. There's no out-of-the-box support for hardware crypto acceleration of the geode or the vpn1411 under linux. 3. The only way to support it is with ocf-linux, which requires a patch for the kernel and openssl. 4. There's no debian kernel package available with the ocf-linux patch already in place. 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at 2.6.32). 6. I should really consider switching to openbsd... Please tell my if I'm missing something, otherwise, I think I'll seriously look into implementing #6... (I'm not running either the Geode or vpn1411 crypto under Linux so take what's below with a grain of salt, but...) Looking at the kernel config for my ubuntu 10.04 server, I do see entries for both of these crypto devices in the mainline default kernel: CONFIG_CRYPTO_DEV_GEODE=m CONFIG_CRYPTO_DEV_HIFN_795X=m CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y The Geode should cover the Geode LX CPU's onboard crypto and the HiFn 7956 would be the vpn1411. OpenSSL may still need to be patched, but in-kernel ops would utilize both crypto accelerators should the appropriate modules be loaded I would think. -Proto ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] What's the difference between OpenSoekris and flashrd?
On 2011-04-16, Ed Flecko edfle...@gmail.com wrote: Thank you Chris. :-) 1.) What's the openbsd.vnd file, and how would you mount it? See the FAQ, Modify new /etc to include necessary configuration. 2.) If you DO mount it and wanted to edit the /etc files, I can see how you could configure PF, but you couldn't configure the NICs of the Soekris (could you?), because their respective re0 (or however their NIC's are identified) aren't yet created...because you installed the OS on the CF while it was attached to another PC. Just create the hostname.vr0/whatever files in the /etc. ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] Hardware crypto acceleration on Debian
You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what I understand it's only used by the kernel. OpenSSL doesn't support it and I couldn't find a patch. 2011/4/18 Michael Proto m...@jellydonut.org: 2011/4/18 Guillaume Filion g...@logidac.com: Hi, I've been looking into using the hardware crypto acceleration on the Geode chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer (nginx) running on Debian. Right now I'm a bit confused on what my options are, so let me write my understanding of the situation and please correct anything that is inaccurate: 1. The geode hardware crypto acceleration only works for aes-128-cbc. vpn1411 works for a lot more ciphers/key sizes. 2. There's no out-of-the-box support for hardware crypto acceleration of the geode or the vpn1411 under linux. 3. The only way to support it is with ocf-linux, which requires a patch for the kernel and openssl. 4. There's no debian kernel package available with the ocf-linux patch already in place. 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at 2.6.32). 6. I should really consider switching to openbsd... Please tell my if I'm missing something, otherwise, I think I'll seriously look into implementing #6... (I'm not running either the Geode or vpn1411 crypto under Linux so take what's below with a grain of salt, but...) Looking at the kernel config for my ubuntu 10.04 server, I do see entries for both of these crypto devices in the mainline default kernel: CONFIG_CRYPTO_DEV_GEODE=m CONFIG_CRYPTO_DEV_HIFN_795X=m CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y The Geode should cover the Geode LX CPU's onboard crypto and the HiFn 7956 would be the vpn1411. OpenSSL may still need to be patched, but in-kernel ops would utilize both crypto accelerators should the appropriate modules be loaded I would think. -Proto -- http://guillaume.filion.org/ ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] Hardware crypto acceleration on Debian
On Mon, Apr 18, 2011 at 5:01 PM, Guillaume Filion g...@logidac.com wrote: You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what I understand it's only used by the kernel. OpenSSL doesn't support it and I couldn't find a patch. With the speed of the Geode CPU in a 5501, you'd likely not see a significant (if any) improvement in speed when using userland programs like OpenSSL with onboard crypto accelerators. The context-switch from userland to kernel for the crypto processing will be much more expensive than the crypto itself. I ran some old benchmarks of the crypto processor in the Geode LX (can't seem to find them now), but with a patched OpenSSL I didn't see any real improvement versus letting software do the whole thing. In short, crypto accelerators in SBCs like the Soekris are more for in-kernel crypto processing (like aes-encrypted disks and IPSec), and less for userland processing. Obviously I don't know what you're trying to do with OpenSSL, but in my own experience having crypto accelerator support in userland gave me no measurable benefit. -Proto ___ Soekris-tech mailing list Soekris-tech@lists.soekris.com http://lists.soekris.com/mailman/listinfo/soekris-tech
