Agreed! The driver doesn't seem to be getting executed through OpenSSH/OpenSSL for ssh session setup either (it used to work that way on FreeBSD 6.2, I don't know if this feature has been left up to the user to enable in FreeBSD 7.x??).
thanks for the tools, I'll give them a go. The driver is being accessed properly from 'cryptotest', so I guess that's something. 2009/5/19 Brian Seklecki <sekle...@noc.cfi.pgh.pa.us>: > The openssl speed sub-command is a real PITA: > > Try: > > $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3) > > Also goto /usr/src/tools/tools/crypto/ && make > > Run those utils to extract useful statistics out of the driver's kernel > data structures. > > ~BAS > > On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote: >> Hi Brian, Patrick, >> >> Thanks for your responses. I agree that it looks like a bug! I'm a bit >> of a newb to FreeBSD. Where should I go to log this? >> >> I ran (as root ;) ) >> >> > openssl engine >> (padlock) VIA PadLock (no-RNG, no-ACE) >> (dynamic) Dynamic engine loading support >> (cryptodev) BSD cryptodev engine >> [RSA, DSA, DH] >> >> It can be seen only PKE functions are being shown as accelerated. >> 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto' >> compiled as part of the kernel. >> >> I have found another issue here also - although 'openssl engine -c' >> shows correct accelerated functionality of the hardware driver, >> running a speed test (e.g. openssl speed des-ede3 -engine cryptodev) >> does not result in any messages being sent to the driver apart from >> the initial check for available algorithms. It seems only accelerated >> PKE functions are run through the driver. It may be that the symmetric >> functions are being run through the software device driver >> (cryptosoft)... >> >> Could it be down to cryptodev engine being loaded twice in OpenSSL? Or >> would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not >> set? >> >> Regards, >> Brendan >> >> >> 2009/5/15 Brian A. Seklecki <sekle...@noc.cfi.pgh.pa.us>: >> > On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote: >> >> Hi All, >> >> >> >> I'm trying to test a hardware crypto driver, but want to run my tests >> >> through the software driver first (and possibly use the software >> >> driver to validate results). >> >> I have set the following in my GENERIC conf file: >> >> >> > >> > What does kldstat(8) / openssl(1) return? >> > >> > % sudo openssl engine >> > (dynamic) Dynamic engine loading support >> > >> > $ openssl engine >> > (cryptodev) BSD cryptodev engine >> > (padlock) VIA PadLock (no-RNG, no-ACE) >> > (dynamic) Dynamic engine loading support >> > >> > $ kldstat |egrep -i 'cry|ub' >> > 3 3 0xc0e06000 25b78 crypto.ko >> > 7 1 0xc64c9000 4000 cryptodev.ko >> > 8 1 0xc6546000 a000 ubsec.ko >> > >> > >> > Return? >> > >> > ~BAS >> > >> > >> >> device crypto >> >> device enc >> >> options IPSEC >> >> >> >> I have rebuilt the kernel, rebooted and set the >> >> kern.cryptodevallowsoft kernel variable to 1: >> >> >> >> FreeBSD_26# sysctl -a | grep crypto >> >> kern.cryptodevallowsoft: 1 >> >> >> >> However, when I try a test, I get the following: >> >> >> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des >> >> cipher 3des keylen 24 >> >> CIOCGSESSION: Invalid argument >> >> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des >> >> cipher des keylen 8 >> >> CIOCGSESSION: Invalid argument >> >> >> >> It seems the software crypto device is not available. Do I need to do >> >> any other steps to enable it? Is there another config option that >> >> makes sure it is build as part of Opencrypto framework? Do I need to >> >> build some other software driver instead? >> >> >> >> Best Regards, >> >> Brendan >> >> _______________________________________________ >> >> freebsd-questions@freebsd.org mailing list >> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> >> To unsubscribe, send any mail to >> >> "freebsd-questions-unsubscr...@freebsd.org" >> > >> > >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" > > > > > This mail was sent via Mail-SeCure System. > > > _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
