NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: RNG, AES support in VIA C3
Hi--
On Feb 24, 2010, at 10:50 AM, Joel Carnat wrote:
> The cpuctl command outputed:
> cpu0: VIA C3 Nehemiah (686-class), 1002.33 MHz, id 0x698
> cpu0: features 0x381b83f<FPU,VME,DE,PSE,TSC,MSR,SEP,MTRR>
> cpu0: features 0x381b83f<PGE,CMOV,PAT,MMX>
> cpu0: features 0x381b83f<FXSR,SSE>
> cpu0: padlock features 0xdd<RNG,AES>
>
> Does this mean than random number generation and encryption operations are
> done via the hardware ?
It means the hardware supports those capabilities, yes.
> Would encryption for (Open)VPN and HTTPS be done by the hardware too ? Does
> using the hardware only relies on the OpenSSL implementation or is the
> software involved too ? Like Apache would be OK but lighttpd would not ?
RNG should work without much effort, crypto is regrettably a bit more
complicated.
It's likely that NetBSD will attach to the C3 RNG and use it as an entropy
source for /dev/random; OpenSSL normally defaults to using /dev/random for
(presumably) secure random number stream, so you don't have to do anything
special.
You should also be able to use it explicitly via something like "openssl rand
-engine padlock -hex 10", if you like.
For the basic idea with the crypto side, see engine(3) and -engine flag to
"openssl rsa", "openssl speed", and similar. If NetBSD recognizes the C3 as
providing these capabilities and OpenSSL is compiled with dynamic engine
support and can find a padlock module, or you roll your own OpenSSL with VIA
padlock compiled in and setup as the default engine to use, then you should be
good to go.
Otherwise, you can try to have Apache's mod_ssl load a particular engine at
runtime via SSLCryptoDevice:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcryptodevice
Regards,
--
-Chuck
Home |
Main Index |
Thread Index |
Old Index