[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
RE: Re: RNG, AES support in VIA C3
And is this CPU feature only doing AES or does it also do DES, RC4, LZS, RSA...
In other words, is it equivalent to a vpn1401 card
(http://www.soekris.com/vpn1401.htm) or does it only do basic operations ?
De: Chuck Swiger <cswiger%mac.com@localhost>
Envoyé: mer. 24-02-2010 20:38
À: Joel Carnat <joel%carnat.net@localhost>;
Sujet: Re: RNG, AES support in VIA C3
> On Feb 24, 2010, at 10:50 AM, Joel Carnat wrote:
> > The cpuctl command outputed:
> > cpu0: VIA C3 Nehemiah (686-class), 1002.33 MHz, id 0x698
> > cpu0: features 0x381b83f<FPU,VME,DE,PSE,TSC,MSR,SEP,MTRR>
> > cpu0: features 0x381b83f<PGE,CMOV,PAT,MMX>
> > cpu0: features 0x381b83f<FXSR,SSE>
> > cpu0: padlock features 0xdd<RNG,AES>
> > Does this mean than random number generation and encryption operations are
> done via the hardware ?
> It means the hardware supports those capabilities, yes.
> > Would encryption for (Open)VPN and HTTPS be done by the hardware too ?
> > Does
> using the hardware only relies on the OpenSSL implementation or is the
> involved too ? Like Apache would be OK but lighttpd would not ?
> RNG should work without much effort, crypto is regrettably a bit more
> It's likely that NetBSD will attach to the C3 RNG and use it as an entropy
> source for /dev/random; OpenSSL normally defaults to using /dev/random for
> (presumably) secure random number stream, so you don't have to do anything
> You should also be able to use it explicitly via something like "openssl rand
> -engine padlock -hex 10", if you like.
> For the basic idea with the crypto side, see engine(3) and -engine flag to
> "openssl rsa", "openssl speed", and similar. If NetBSD recognizes the C3 as
> providing these capabilities and OpenSSL is compiled with dynamic engine
> support and can find a padlock module, or you roll your own OpenSSL with VIA
> padlock compiled in and setup as the default engine to use, then you should
> good to go.
> Otherwise, you can try to have Apache's mod_ssl load a particular engine at
> runtime via SSLCryptoDevice:
Main Index |
Thread Index |