Just finished up some more tests of the Geode security block using OCF-linux, cryptodev, and OpenSSL. The results are awesome. Check ‘em out on the Docunext Wiki:
Geode AES + OCF + Cryptodev + OpenSSL = Wicked fast encryption
Hi, I followed your instructions on Ubuntu Gutsy and created patched debs for:
libssl0.9.8_0.9.8e-5ubuntu3.1_i386.deb
linux-image-2.6.22-14-generic_2.6.22-14.46_i386.deb
openssh-client_4.6p1-5build1_i386.deb
openssh-server_4.6p1-5build1_i386.deb
With OpenSSL all was fine, but with ssh under heavy traffic I got “CORRUPTED MAC”, too. (All was fine, but slow, if I removed the geode_aes module.)
Googling around I found another person with the same problem (on different crypto hardware), and the problem was the driver of the crypto device not waiting when busy.
So I searched on the crypto list and found many submitted patches to the geode_aes module; one in particular was interesting:
http://www.mail-archive.com/linux-crypto@vger.kernel.org/msg01214.html
So I downloaded the last source from git (be careful that you need the new aes.h under include/crypto/) and recompiled geode_aes (and geode_rng too).
Now ALL WORKS!!!!
Thanks for that mello - awesome! I’m very interested in getting ssh to work without that corrupted mac issue. I wrote into the list about it but the maintainer was about to go on vacation… glad to hear it’s been resolved.
I’m not sure if I got the same problem with the buggy geode_aes while crypting the hard drive. Using geode_aes the filesystem gets crippled. I’m using Ubuntu 7.10 server on an alix1c board. Maybe I will give the patches a chance …
Hi Ulrich - which method are you using to crypt the file system? Luks? dm-crypt? I just set up an encrypted home for the first time with a Via C7, so I’ll try out my ALIXC1 board and see if I have the same results as you.
I have all of this working which is great, but how do you get OpenVPN to utilize cryptodev?
Hi Ben - I believe OpenVPN uses OpenSSL - so if you can set that up to use cryptodev, openvpn should do the same. Are you using a C7?
Recompiling OpenVPN with the new OpenSSL libs was all it required to get it to show up in OpenVPN’s supported engines - however I’m seeing “cryptosoft: setkey failed -22 (crt_flags=0x200000)” when testing OpenVPN (when using aes-128), and I noticed the message also appears when doing the openssl test despite the noticeable speed increase during the test. The difference is that OpenVPN temporarily locks the machine when that string appears in dmesg.
* rmmod aes-i586
* modprobe geode-aes
* cryptsetup -c aes -s 128 -h sha256 luksFormat /dev/hda6
* cryptsetup luksOpen /dev/hda6 cryptohome — I’m using luks
* mkfs.ext3 /dev/mapper/cryptohome
* mount /dev/mapper/cryptohome /home
Sometimes problems already started here! Superblocks were damaged right after the fs was created.
* If I could mount, copying some larger files definitely killed the fs.
I’m using Ubuntu 7.10
# rmmod aes-i586
# modprobe geode-aes
# cryptsetup -c aes -s 128 -h sha256 luksFormat /dev/hda6
# cryptsetup luksOpen /dev/hda6 cryptohome
# mkfs.ext3 /dev/mapper/cryptohome
# mount /dev/mapper/cryptohome /home
Sometimes even mounting right after the mkfs didn’t work because of a corrupted superblock. Copying several larger files kills the fs anyway.
This is a real problem - it appears that every use of the geode-aes module results in problems. It’s very hard to say where the problem lies, but my gut is pointing me towards OpenBSD so that I can try out their driver. I just pasted the man page here:
http://www.docunext.com/wiki/Geode_LX_AES_Security_Block
Looks like some folks are having problems with that too:
http://kerneltrap.org/mailarchive/openbsd-misc/2007/11/10/402146
Has anybody ported the ocf-linux patch to 2.6.24? It seems that there has been some recent refactoring work done in the scratchlist area (sg_page)
I just checked the ocf-linux page and it says the patch set will work with most 2.4 and 2.6 kernels up to and including 2.4.34 and 2.6.23. Unless the website needs to be updated, looks like it hasn’t happened yet.
…there is an interim patch available which allows you to use ocf-linux on more recent kernels. Check the ocf-linux mailing list.