NetBSD-Users archive
RE: Re: RNG, AES support in VIA C3
OK.
And is this CPU feature only doing AES or does it also do DES, RC4, LZS, RSA...?
In other words, is it equivalent to a vpn1401 card
(http://www.soekris.com/vpn1401.htm) or does it only do basic operations ?
TIA.
-----Original message-----
From: Chuck Swiger <cswiger%mac.com@localhost>
Sent: Wed 24-02-2010 20:38
To: Joel Carnat <joel%carnat.net@localhost>;
Cc: netbsd-users%netbsd.org@localhost;
Subject: Re: RNG, AES support in VIA C3
> Hi--
>
> On Feb 24, 2010, at 10:50 AM, Joel Carnat wrote:
> > The cpuctl command output:
> > cpu0: VIA C3 Nehemiah (686-class), 1002.33 MHz, id 0x698
> > cpu0: features 0x381b83f<FPU,VME,DE,PSE,TSC,MSR,SEP,MTRR>
> > cpu0: features 0x381b83f<PGE,CMOV,PAT,MMX>
> > cpu0: features 0x381b83f<FXSR,SSE>
> > cpu0: padlock features 0xdd<RNG,AES>
> >
> > Does this mean that random number generation and encryption operations are
> > done via the hardware?
>
> It means the hardware supports those capabilities, yes.
>
> > Would encryption for (Open)VPN and HTTPS be done by the hardware too? Does
> > using the hardware only rely on the OpenSSL implementation or is the
> > software involved too? Like Apache would be OK but lighttpd would not?
>
> RNG should work without much effort; crypto is regrettably a bit more
> complicated.
>
> It's likely that NetBSD will attach to the C3 RNG and use it as an entropy
> source for /dev/random; OpenSSL normally defaults to using /dev/random for
> (presumably) secure random number stream, so you don't have to do anything
> special.
>
> You should also be able to use it explicitly via something like "openssl rand
> -engine padlock -hex 10", if you like.
>
> For the basic idea with the crypto side, see engine(3) and the -engine flag to
> "openssl rsa", "openssl speed", and similar. If NetBSD recognizes the C3 as
> providing these capabilities and OpenSSL is compiled with dynamic engine
> support and can find a padlock module, or you roll your own OpenSSL with VIA
> padlock compiled in and set up as the default engine to use, then you should
> be good to go.
>
> Otherwise, you can try to have Apache's mod_ssl load a particular engine at
> runtime via SSLCryptoDevice:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcryptodevice
>
> Regards,
> --
> -Chuck
>
>
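The checks Chuck describes above (the cpuctl padlock feature bits, `openssl engine`, and `openssl speed -engine padlock`) turned into a small script. This is an added example, not code from the thread; it assumes a NetBSD host with cpuctl(8) and an OpenSSL build that still carries ENGINE support with the padlock engine (compiled in or as a dynamic module; ENGINE is deprecated but present in OpenSSL 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a NetBSD host with
# cpuctl(8) and an OpenSSL build that has the padlock engine, either
# compiled in or as a dynamic engine module.

# padlock_has CAP: read `cpuctl identify 0` output on stdin and succeed if
# the "padlock features" line lists CAP (RNG or AES in this thread).
padlock_has() {
    feats=$(sed -n 's/.*padlock features 0x[0-9a-fA-F]*<\([^>]*\)>.*/\1/p')
    case ",$feats," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# padlock_engine_state: print "available", "unavailable" or "missing"
# based on `openssl engine -t padlock`. "unavailable" means OpenSSL found
# the engine but it refused to initialise (typically the CPU lacks the
# feature); "missing" means OpenSSL has no padlock engine at all.
padlock_engine_state() {
    out=$(openssl engine -t padlock 2>&1 || true)
    case "$out" in
        *"[ available ]"*)   echo available ;;
        *"[ unavailable ]"*) echo unavailable; return 1 ;;
        *)                   echo missing; return 1 ;;
    esac
}

# padlock_speed_compare: benchmark AES-128-CBC through the software EVP
# path and then through the engine. A large throughput gap in the second
# run is the practical confirmation that the hardware path is really in
# use; identical numbers mean the engine was not picked up.
padlock_speed_compare() {
    echo "== software AES-128-CBC =="
    openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
    echo "== padlock AES-128-CBC =="
    openssl speed -evp aes-128-cbc -engine padlock 2>/dev/null | tail -n 1
}

# Usage on a live host (kept as comments so the file can be sourced):
#   cpuctl identify 0 | padlock_has AES && cpuctl identify 0 | padlock_has RNG
#   padlock_engine_state && padlock_speed_compare
```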