Activating VIA Padlock engine, Debian etch, kernel 2.6.24.2

Date: 01.03.2006

The board of my HTPC has a VIA C7 CPU (Centaur VIA Eden Processor) including VIA's Padlock engine. To use it you need some kernel modules: padlock_aes, padlock_sha, rng_core and via_rng. Check your syslog or dmesg. You should see something like this:

 
VIA RNG detected
padlock: Using VIA PadLock ACE for AES algorithm.
padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms.
 

Well, first step done. But a test produces errors:

 
onky:~$ openssl speed -evp aes-128-cbc -engine padlock
invalid engine "padlock"
14881:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/usr/lib/ssl/engines/libpadlock.so): /usr/lib/ssl/engines/libpadlock.so: cannot open shared object file: No such file or directory
14881:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
14881:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
14881:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:415:id=padlock
14881:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libpadlock.so): libpadlock.so: cannot open shared object file: No such file or directory
14881:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
14881:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Doing aes-128-cbc for 3s on 16 size blocks: 941121 aes-128-cbc's in 1.46s
Doing aes-128-cbc for 3s on 64 size blocks: 308878 aes-128-cbc's in 1.51s
Doing aes-128-cbc for 3s on 256 size blocks: 85045 aes-128-cbc's in 1.48s
Doing aes-128-cbc for 3s on 1024 size blocks: 22056 aes-128-cbc's in 1.53s
Doing aes-128-cbc for 3s on 8192 size blocks: 2793 aes-128-cbc's in 1.53s
OpenSSL 0.9.8c 05 Sep 2006
built on: Fri Sep 28 20:42:52 UTC 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      10313.65k    13091.52k    14710.49k    14761.66k    14954.42k
 

The Debian etch openssl package (OpenSSL 0.9.8c 05 Sep 2006) seems to have problems with the padlock engine. Searching the web showed that I'm not alone with this problem. The solution was found on Michal Ludvig's site, VIA PadLock support for Linux. THANKS! So we have to patch openssl. Here is what I have done:

 
mkdir openssl
cd openssl
apt-get source openssl
cd openssl-0.9.8c/crypto/engine/
wget http://www.logix.cz/michal/devel/padlock/kernel-sha/padlock-sha-complete.diff
patch < openssl-0.9.8b-sha.diff
wget http://www.logix.cz/michal/devel/padlock/openssl-0.9.8-padlock-static.diff
patch < openssl-0.9.8-padlock-static.diff
cd ../..
dpkg-buildpackage -rfakeroot -uc -us
 

Don't be confused by the openssl versions: Debian has 0.9.8c and the patches are for 0.9.8b, but it seems to work out. Next, as root (still in the directory openssl-0.9.8c/):

 
dpkg -i ../libssl0.9.8_0.9.8c-4etch1_i386.deb
dpkg -i ../openssl_0.9.8c-4etch1_i386.deb
 

Testing looks good:

 
onky:~/sources/openssl$ openssl engine padlock
(padlock) VIA PadLock: RNG ACE2 PHE(8192) PMM 
 

Trying the benchmark test again:

 
onky:~$ openssl speed -evp aes-128-cbc -engine padlock
engine "padlock" set.
[..]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      49970.16k   166385.21k   388856.27k   587665.01k   688369.10k
 

Amazing speedup! In some cases it's 50 times faster! And SHA-256 seems to work too:

 
onky:~/sources/openssl$ openssl speed -evp sha256 -engine padlock
engine "padlock" set.
[..]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256            2137.68k     8227.87k    29262.33k    81797.12k   170224.01k
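
The per-block-size speedup between the two aes-128-cbc tables above, worked out as an added example (not part of the original page). The function name `speedup` and the variables `BASELINE` and `PADLOCK` are assumptions of this example; the table rows are copied from the benchmark output shown on this page.

```shell
#!/bin/sh
# Added example: compare two `openssl speed` result tables column by column.

# Software-only result table, copied from the first benchmark on this page.
BASELINE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      10313.65k    13091.52k    14710.49k    14761.66k    14954.42k'

# PadLock result table, copied from the second benchmark on this page.
PADLOCK='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      49970.16k   166385.21k   388856.27k   587665.01k   688369.10k'

# speedup ALGO BASE_TEXT ENGINE_TEXT   (hypothetical helper)
# Prints "<block size> <ratio>" for every column of the ALGO row.
# Other lines of full `openssl speed` output are ignored.
speedup() {
    algo=$1
    printf '%s\n---\n%s\n' "$2" "$3" | awk -v algo="$algo" '
        $0 == "---" { second = 1; next }
        # Header row: remember the block sizes ("16 bytes" -> 16).
        $1 == "type" { n = 0; for (i = 2; i <= NF; i += 2) size[++n] = $i; next }
        # Result row: strip the trailing "k" and store the value per column.
        $1 == algo {
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/k$/, "", v)
                if (second) eng[i - 1] = v; else base[i - 1] = v
            }
            if (second) found_e = 1; else found_b = 1
        }
        END {
            if (!found_b || !found_e) { print "row not found: " algo > "/dev/stderr"; exit 1 }
            for (i = 1; i <= n; i++) {
                if (base[i] + 0 == 0) { print "zero baseline" > "/dev/stderr"; exit 1 }
                printf "%s %.1f\n", size[i], eng[i] / base[i]
            }
        }'
}

speedup aes-128-cbc "$BASELINE" "$PADLOCK"
```

To compare your own runs, pass the captured output of `openssl speed -evp aes-128-cbc` with and without `-engine padlock` as the second and third arguments.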
 

Still open:

Apt suggests security updates for both replaced packages - how to fix this?

We need some serious work for this. Maybe I'll encrypt some partitions?

OpenSSL uses the padlock engine only if explicitly asked to (-engine padlock). On VIA PadLock support for Linux you will find a patch that should solve this problem. But it's for openssl-0.9.8e; maybe we can adapt it for Debian's openssl-0.9.8c?

Website of Thomas Verchow.