
Re: [tor-relays] Sharing experience with Via Nano 1.6ghz with Padlock hw accel



Hi,

(Batching a bunch of replies together.)

For some historical context:

 * https://trac.torproject.org/projects/tor/ticket/15503

 * https://trac.torproject.org/projects/tor/ticket/15918 (Still
   a low priority, padlock's hash accel isn't exposed in any way from
   OpenSSL at all.)

On Sun, 5 Jun 2016 17:11:19 +0200
"Fabio Pietrosanti (naif) - lists" <lists@xxxxxxxxxxxxxxx> wrote:
> On 6/5/16 5:01 PM, Fabio Pietrosanti (naif) - lists wrote:
> >> Do you get messages about successfully using 'padlock'
> >> in /var/log/tor/log?  
> 
> > Yes
> > root@dedi-fr-23644:~# zgrep -i padlock /var/log/tor/log*
> > /var/log/tor/log:Jun 05 16:58:27.000 [notice] Default OpenSSL
> > engine for AES-128-ECB is VIA PadLock (no-RNG, ACE) [padlock]  

The important one is AES-128-CTR.  Since you're using OpenSSL master,
it should be accelerated.  Versions prior to the 1.1 series do not.

Quickly skimming engines/e_padlock.c, it appears that GCM accel isn't
supported, but I don't feel like looking at if that means "just a slow
GHASH" or "slow everything".

> I noticed just now that we could *also* enable the hw RNG of the
> Padlock, to further offload the Via Nano main CPU processing:

The tor process tries really hard to intentionally and explicitly
disable support for hardware RNGs, for "we don't trust it" reasons.
Eventually this code will change to force the use of a RNG that is
shipped with tor.

See: src/common/crypto.c:crypto_force_rand_ssleay()

The best way to use it would be to ensure that your kernel uses entropy
from it as part of the system entropy pool.

On Sun, 5 Jun 2016 18:53:50 +0200
Toralf Förster <toralf.foerster@xxxxxx> wrote:
> On 06/05/2016 01:28 PM, Fabio Pietrosanti (naif) - lists wrote:
> > In /etc/tor/torrc:
> > HardwareAccel 1  
> Reading
> https://lists.torproject.org/pipermail/tor-relays/2012-March/001260.html
> I do wonder if setting that option is helpful ?

Padlock support, unlike AES-NI, is provided as an engine, so afaik it
still matters.

On Sun, 5 Jun 2016 18:20:56 +0200
fatal <fatal@xxxxxxxxxxx> wrote:
> Hello,
> 
> openssl with enabled padlock and tor stable crashes on my via nano
> servers running linux and freebsd.

How's it crashing, what are the versions of the relevant components?  My
gut feeling would be an OpenSSL bug of some sort, but please file a
ticket on trac.

NB: I don't have anything with Padlock support.

-- 
Yawning Angel

ps: If I were going for "run a tor relay on an embedded SOC", I'd
probably use something like a MinnowBoard since some (all?) use AES-NI
capable Atom....


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
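
An added example, not part of the original message or of tor: a shell check for the point made in the thread that the engine line that matters is the one for AES-128-CTR, not AES-128-ECB. The AES-128-CTR log line in the sample is constructed by analogy with the AES-128-ECB line quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from tor): report which OpenSSL engine
# tor selected for an algorithm, using the "[notice] Default OpenSSL engine
# for ..." log lines quoted in the message.

# Constructed sample. Line 1 has the format quoted in the thread; line 2 is an
# assumed AES-128-CTR line built by analogy; line 3 is unrelated noise.
SAMPLE_LOG='Jun 05 16:58:27.000 [notice] Default OpenSSL engine for AES-128-ECB is VIA PadLock (no-RNG, ACE) [padlock]
Jun 05 16:58:27.000 [notice] Default OpenSSL engine for AES-128-CTR is VIA PadLock (no-RNG, ACE) [padlock]
Jun 05 16:58:28.000 [notice] Bootstrapped 100%: Done'

# engine_for ALGORITHM: read log text on stdin and print the engine id from the
# last matching line in the input, or "none" if no engine line names ALGORITHM.
engine_for() {
    awk -v alg="$1" '
        BEGIN { id = "none"; prefix = "Default OpenSSL engine for " alg " is " }
        {
            p = index($0, prefix)      # literal match on the full algorithm name
            if (p == 0) next
            rest = substr($0, p + length(prefix))
            lb = 0                     # position of the last "[" on the line
            for (i = length(rest); i > 0; i--)
                if (substr(rest, i, 1) == "[") { lb = i; break }
            if (lb == 0) next
            rb = index(substr(rest, lb), "]")
            if (rb > 2) id = substr(rest, lb + 1, rb - 2)
        }
        END { print id }'
}

# ctr_accelerated: succeed only if an engine was reported for AES-128-CTR,
# the algorithm the message calls the important one.
ctr_accelerated() {
    [ "$(engine_for AES-128-CTR)" != "none" ]
}

# Demo on the constructed sample. On a relay, read the real log instead:
#   engine_for AES-128-CTR < /var/log/tor/log
for alg in AES-128-ECB AES-128-CTR AES-128-GCM; do
    printf '%s: %s\n' "$alg" "$(printf '%s\n' "$SAMPLE_LOG" | engine_for "$alg")"
done
```

A log that shows only the AES-128-ECB line, as in the quoted zgrep output, makes `ctr_accelerated` fail.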