Subject: Re: VIA ACE patch
To: Miles Nordin <carton@Ivy.NET>
From: Pawel Jakub Dawidek <>
List: tech-crypto
Date: 01/12/2007 21:29:14
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jan 12, 2007 at 03:16:22PM -0500, Miles Nordin wrote:
> >>>>> "ddk" =3D=3D Daniel de Kok <> writes:
>    ddk> Just for clarity: these VIA CPUs just have additional
>    ddk> instructions, so the kernel opencrypto "driver" and the
>    ddk> OpenSSL padlock engine are not mutually exclusive.
> right.  so, in Linux there are posts in the forums that even after
> they added padlock support to OpenSSL, OpenSSL does not choose the
> right ``engine'' by default.  They had to go through and modify each
> individual program, ssh, apache, u.s.w., to get it to use the
> padlock-based openssl-engine.
> Will OpenSSL in NetBSD 4.0/-current use the additional instructions by
> default?  Or will it use /dev/crypto, or regular i386 algorithms, by
> default?  sounds like you almost have to do some careful performance
> testing just to be reasonably sure the whole stack is glued together
> and actually working.

Not sure about NetBSD, but in FreeBSD you can doing by simply not having
/dev/crypto. You IPsec will still be accelerated, but userland will use
padlock directly. The all you need is not to load cryptodev.ko module
and not compile-in 'device cryptodev'.

Pawel Jakub Dawidek                              
FreeBSD committer                         Am I Evil? Yes, I Am!

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.6 (FreeBSD)