In the past few years, there's been some exciting news in the world of cryptography. As mentioned in our post about the VIA padlock, the use of the padlock as an engine for OpenSSL yields some very impressive results.
Then last night I realized that the AMD Geode LX800 (the same chip used in the new PC Engines ALIX boards which I've been blogging about) also has a hardware random number generator (RNG) as well as a built in AES Security Block engine. That is really cool!
Riding on the excitement that the AMD Geode LX800 has these great new features, I did some serious diggin' in the net and found some even more cool stuff! :-)
Among the finds:
59 Say 'Y' here to use the AMD Geode LX processor on-board AES 60 engine for the CryptoAPI AES algorithm. 61 62 To compile this driver as a module, choose M here: the module 63 will be called geode-aes.
So that got me wanting to test it out, but the linux CryptoAPI is low-level, and doesn't have many userland tools, like OpenSSL, and OpenSSL doesn't have an engine driver for it, nor am I aware of a way to get OpenSSL to use the CryptoAPI instead of its internal algorithms.
So I did some more research, and found information on how to get OpenSSL to use the linux CryptoAPI as its engine.
Here's information on how to get your linux kernel patched with the ocf crypto device, especially good for use with AMD Geode lx800 processors.
At this point in time, to design some heavy duty infrastructure, I would use the following chips in the following ways:
Because the AMD Geode and Via C7 chips are so low power and security centric, they are my choice for high-availability failover perimeter systems. Behind them, the intel celeron and at least one corresponding motherboard can handle sleep states very well in linux, and could potentially be used to setup an energy efficient, scalable load-balance farm. When demand is high, they wake, bake, and serve, and when demand is low, they nap. Sounds good, right?
PfSense test results of the padlock kernel driver on a VIA C7