Re: RNG, AES support in VIA C3

[Chuck Swiger <cswiger%mac.com@localhost>]

Hi--

On Feb 24, 2010, at 10:50 AM, Joel Carnat wrote:
> The cpuctl command outputed:
> cpu0: VIA C3 Nehemiah (686-class), 1002.33 MHz, id 0x698
> cpu0: features 0x381b83f<FPU,VME,DE,PSE,TSC,MSR,SEP,MTRR>
> cpu0: features 0x381b83f<PGE,CMOV,PAT,MMX>
> cpu0: features 0x381b83f<FXSR,SSE>
> cpu0: padlock features 0xdd<RNG,AES>
> 
> Does this mean than random number generation and encryption operations are 
> done via the hardware ?

It means the hardware supports those capabilities, yes.

> Would encryption for (Open)VPN and HTTPS be done by the hardware too ?  Does 
> using the hardware only relies on the OpenSSL implementation or is the 
> software involved too ? Like Apache would be OK but lighttpd would not ?

RNG should work without much effort, crypto is regrettably a bit more 
complicated.

It's likely that NetBSD will attach to the C3 RNG and use it as an entropy 
source for /dev/random; OpenSSL normally defaults to using /dev/random for 
(presumably) secure random number stream, so you don't have to do anything 
special.

You should also be able to use it explicitly via something like "openssl rand 
-engine padlock -hex 10", if you like.

For the basic idea with the crypto side, see engine(3) and -engine flag to 
"openssl rsa", "openssl speed", and similar.  If NetBSD recognizes the C3 as 
providing these capabilities and OpenSSL is compiled with dynamic engine 
support and can find a padlock module, or you roll your own OpenSSL with VIA 
padlock compiled in and setup as the default engine to use, then you should be 
good to go.

Otherwise, you can try to have Apache's mod_ssl load a particular engine at 
runtime via SSLCryptoDevice:

  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcryptodevice

Regards,
-- 
-Chuck