# VIA padlock isn't working.



## Orum (Sep 11, 2011)

I have the two necessary options in my kernel config.  It also shows up on dmesg:

```
CPU: VIA Esther processor 1500MHz (1496.26-MHz 686-class CPU)
  Origin = "CentaurHauls"  Id = 0x6a9  Family = 6  Model = a  Stepping = 9
Features=0xa7c9bbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CLFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,PBE>
  Features2=0x181<SSE3,EST,TM2>
  VIA Padlock Features=0x3fcc<RNG,AES,AES-CTR,SHA1,SHA256,RSA>
...
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
```
It shows up when I check [CMD="openssl"]engine[/CMD]

```
(padlock) VIA PadLock (no-RNG, ACE)
(dynamic) Dynamic engine loading support
```
But when I run benchmarks to make sure it's working:

```
[I]With padlock:[/I]
openssl speed -engine padlock aes-128-cbc
[B]engine "padlock" set.[/B]
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128 cbc for 3s on 16 size blocks: 2629077 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 64 size blocks: 679466 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 256 size blocks: 171106 aes-128 cbc's in 2.97s
Doing aes-128 cbc for 3s on 1024 size blocks: 43083 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 8192 size blocks: 5386 aes-128 cbc's in 2.98s
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
[B]aes-128 cbc      14130.37k    14604.70k    14766.23k    14811.74k    14819.24k[/B]
 
[I]Without padlock:[/I]
openssl speed aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128 cbc for 3s on 16 size blocks: 2629105 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 64 size blocks: 679305 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 256 size blocks: 171849 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 1024 size blocks: 43087 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 8192 size blocks: 5388 aes-128 cbc's in 2.98s
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
[B]aes-128 cbc      14107.15k    14604.34k    14770.01k    14810.18k    14820.70k[/B]
```
The speed doesn't change when the engine is enabled?  Any idea what's going on here, and how to fix it?  Ultimately I want to use it with OpenVPN.  OpenVPN was not running during these tests, to ensure nothing else was using the padlock engine.

Additional information:

```
[CMD="uname"]-mrs[/CMD]
FreeBSD 8.2-RELEASE-p2 i386
[CMD="which"]openssl[/CMD]
/usr/bin/openssl
[CMD="openssl"]version[/CMD]
OpenSSL 0.9.8q 2 Dec 2010
```

Edit: I also tested with SHA1 and SHA256, and again, there was no difference in speed with or without the -engine padlock.

Edit2: If no one has any ideas, I think this may be a bug.  There has been, I believe, one commit that is padlock related to 8-STABLE, but I'm not sure if it has any bearing on what I'm experiencing.  Unfortunately the two machines I have that have VIA processors and are padlock capable are in production, so I can't do much testing on this issue.


----------



## stadtkind (Jun 30, 2012)

Just for the record, you need to test with -evp, otherwise OpenSSL won't make any use of hardware crypto support:

[CMD=]$ openssl speed aes-128-cbc -engine padlock *[*]*[/cmd]

```
engine "padlock" set.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      26391.86k    27697.64k    27935.08k    63593.14k    63810.22k
```

vs.

[CMD=]$ openssl speed -evp aes-128-cbc -engine padlock[/cmd]

```
engine "padlock" set.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      91887.65k   276861.77k   505983.32k   637541.03k   690204.77k
```

Also, you don't need to load the padlock kernel module to use OpenSSL's padlock engine (but must load the kernel module for things like GELI).

Base OpenSSL also does not support sha1/sha256 hardware crypto. You need to compile the OpenSSL port with the padlock option set.


----------

