NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

RE: Re: RNG, AES support in VIA C3


And is this CPU feature only doing AES or does it also do DES, RC4, LZS, RSA... 
In other words, is it equivalent to a vpn1401 card 
( or does it only do basic operations ?


-----Message initial-----
De: Chuck Swiger <>
Envoyé: mer. 24-02-2010 20:38
À: Joel Carnat <>; 
Sujet: Re: RNG, AES support in VIA C3

> Hi--
> On Feb 24, 2010, at 10:50 AM, Joel Carnat wrote:
> > The cpuctl command outputed:
> > cpu0: VIA C3 Nehemiah (686-class), 1002.33 MHz, id 0x698
> > cpu0: features 0x381b83f<FPU,VME,DE,PSE,TSC,MSR,SEP,MTRR>
> > cpu0: features 0x381b83f<PGE,CMOV,PAT,MMX>
> > cpu0: features 0x381b83f<FXSR,SSE>
> > cpu0: padlock features 0xdd<RNG,AES>
> > 
> > Does this mean than random number generation and encryption operations are 
> done via the hardware ?
> It means the hardware supports those capabilities, yes.
> > Would encryption for (Open)VPN and HTTPS be done by the hardware too ?  
> > Does 
> using the hardware only relies on the OpenSSL implementation or is the 
> software 
> involved too ? Like Apache would be OK but lighttpd would not ?
> RNG should work without much effort, crypto is regrettably a bit more 
> complicated.
> It's likely that NetBSD will attach to the C3 RNG and use it as an entropy 
> source for /dev/random; OpenSSL normally defaults to using /dev/random for 
> (presumably) secure random number stream, so you don't have to do anything 
> special.
> You should also be able to use it explicitly via something like "openssl rand 
> -engine padlock -hex 10", if you like.
> For the basic idea with the crypto side, see engine(3) and -engine flag to 
> "openssl rsa", "openssl speed", and similar.  If NetBSD recognizes the C3 as 
> providing these capabilities and OpenSSL is compiled with dynamic engine 
> support and can find a padlock module, or you roll your own OpenSSL with VIA 
> padlock compiled in and setup as the default engine to use, then you should 
> be 
> good to go.
> Otherwise, you can try to have Apache's mod_ssl load a particular engine at 
> runtime via SSLCryptoDevice:
> Regards,
> -- 
> -Chuck

Home | Main Index | Thread Index | Old Index