
Extend support for VIA Padlock engine #28

Closed
hardfalcon opened this issue Aug 19, 2013 · 6 comments
Labels
component-crypto Crypto primitives and low-level interfaces enhancement help-wanted This issue is not being actively worked on, but PRs welcome.

Comments

@hardfalcon

PolarSSL already has code to use the Padlock engine for AES on VIA CPUs, but those CPUs also feature HW accelerated SHA1, SHA256, 2 HW RNGs and an HW accelerated Montgomery multiplier which can be used to accelerate RSA and DSA.

The OpenSSL folks have quite optimized code for all of this (except the RNG):
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=engines/asm/e_padlock-x86.pl
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=engines/asm/e_padlock-x86_64.pl
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/bn/asm/via-mont.pl

@pjbakker
Contributor

Thanks for the pointer. Do you know a nice small, preferably cased (or caseable) board with this padlock engine for our development and buildfarm?

@hardfalcon
Author

I do own a Zotac ZBOX Nano VD01. You can buy it as a barebone or readily prefitted with RAM and a HDD:
http://www.zotac.com/en/products/mini-pcs/zbox-nano-series/zbox-nano/product/zbox-nano/detail/zbox-nano-vd01/sort/product_name/order/DESC/amount/10/section/specifications.html

I've posted /proc/cpuinfo in here (only 1067MHz is because I use the ondemand cpufreq governor and the CPU was idle):
http://pastebin.com/wpwQWkY2

The box itself is very small (almost exactly the size of 5 stacked oldschool standard CD-ROM jewelcases), and comes with an external "notebook style" power supply (barrel connector, 3.42A @ 19V) and an IR remote control.

According to the ZOTAC support, the eSATA port doesn't support any port multipliers.

The biggest problem is the crappy support for the VX900 GPU. The ZBOX only has an HDMI port and a DP port, and to get them working at high resolutions (beyond VESA stuff) you have 3 options:

  • an open source driver from VIA (compiles only for kernels up to version 3.6 or so and only with older Xorg versions) without 3D acceleration
  • a closed source driver from VIA (same limitations as the open source driver, but offers some 3D acceleration)
  • the openchrome driver, which is mostly developed by James Simmons and a few others, and which is supposed to be integrated into drm-next and then into the mainline kernel over the next months. No 3D acceleration for the moment, but the main dev James Simmons has announced that this could change over the next 1-2 years:

http://lists.freedesktop.org/archives/openchrome-devel/2013-May/001159.html

With the openchrome driver, you'll need to compile their very own kernel from git (some fork of Dave Airlie's drm-next tree) to be able to use the HDMI port (I haven't tested the DP port yet but AFAIK it doesn't work at all for now), and the HDMI port will only work when you use KMS. Moreover, you might need to patch it to get the HDMI port working because there's been a regression introduced a few weeks ago:

https://bugs.freedesktop.org/show_bug.cgi?id=65591#c0

For the moment, I'm using this box with Archlinux as my everyday computer. I'm able to use my 1080p display with its native resolution, and I'm able to play at least 720p videos without stuttering. HW accelerated AES encryption works for both cryptsetup/dmcrypt and openssl, however with OpenSSL 1.0.1e, you'll need a patch to get HW accelerated SHA1 and SHA256 working as well (I'm currently working on a patch backporting those features from the files in their git tree I've posted in my feature request above). The HW RNG is supported at least by the Linux kernel and can easily be fed into the kernel's entropy pool using the rng-tools package (/dev/hwrng delivers consistently 87.47kbyte/s of "pure entropy" according to pipemeter).

If you want, I can sell you my ZBOX (with 4GB of RAM and the fastest 1TB HDD from Hitachi that I could find) in 1-2 months as I'm currently considering building a machine with more computational power and even less power consumption in idle mode. It'll probably be a machine with a Haswell CPU, apparently you can build a machine with ~10W idle power consumption with one of those (and an efficient motherboard). Just drop me a mail if you're interested (pjbakker@hardfalcon.net). I've bought the ZBOX, the HDD and the RAM all in July 2012 so they still have almost a year of warranty (original invoices included).
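The two hardfalcon comments above list the PadLock units (AES, SHA-1/SHA-256, RNG, Montgomery multiplier) and point at a /proc/cpuinfo dump. The following added example (not part of the issue thread and not PolarSSL/Mbed TLS code) parses such a dump and reports, for each unit, whether it is present and whether firmware has actually enabled it. Linux exposes each unit as a pair of flags, `<unit>` and `<unit>_en`; the distinction matters because a library that keys only on "present" silently falls back to software when the BIOS has disabled the unit, losing the speed and the constant-time behaviour the hardware path was chosen for. The cpuinfo excerpts are constructed to resemble a VIA Nano and are not the contents of the pastebin link.

```python
"""Classify VIA PadLock units from a /proc/cpuinfo dump.

Added example; assumes the kernel's flag names for the Centaur extended
CPUID leaf (rng, ace, ace2, phe, pmm and their *_en counterparts).
"""
import re

# Unit flag -> short description (descriptions are ours, not the kernel's).
PADLOCK_UNITS = {
    "rng": "hardware random number generator (XSTORE)",
    "ace": "AES engine (XCRYPT)",
    "ace2": "AES engine, second generation",
    "phe": "SHA-1/SHA-256 engine (XSHA)",
    "pmm": "Montgomery multiplier (REP MONTMUL), for RSA/DSA",
}

FLAGS_RE = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)


def parse_flags(cpuinfo_text):
    """Return the set of CPU flags from the first 'flags' line of a dump."""
    match = FLAGS_RE.search(cpuinfo_text)
    return set(match.group(1).split()) if match else set()


def padlock_status(flags):
    """Map each PadLock unit to 'enabled', 'disabled' (present, not enabled) or 'absent'."""
    status = {}
    for unit in PADLOCK_UNITS:
        if unit + "_en" in flags:
            status[unit] = "enabled"
        elif unit in flags:
            status[unit] = "disabled"
        else:
            status[unit] = "absent"
    return status


def usable_units(flags):
    """Units a crypto library may offload to without a silent software fallback."""
    return sorted(unit for unit, state in padlock_status(flags).items() if state == "enabled")


# Constructed excerpt: all units present and enabled (typical BIOS default).
SAMPLE_ALL_ENABLED = """\
processor\t: 0
vendor_id\t: CentaurHauls
model name\t: VIA Nano X2 U4025 @ 1.2+ GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pni ssse3 cx16 \
sse4_1 popcnt lahf_lm rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
"""

# Constructed excerpt: units fused in silicon but switched off in firmware.
SAMPLE_BIOS_DISABLED = """\
processor\t: 0
vendor_id\t: CentaurHauls
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 rng ace ace2 phe pmm
"""


def report(cpuinfo_text):
    """Human-readable summary, one line per unit."""
    lines = []
    for unit, state in padlock_status(parse_flags(cpuinfo_text)).items():
        lines.append(f"{unit:5} {state:9} {PADLOCK_UNITS[unit]}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo"
    with open(path) as fh:
        print(report(fh.read()))
```

On the second constructed dump every unit reports `disabled`, so `usable_units` is empty even though all five flags are listed; that is the case a presence-only check gets wrong.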

@pjbakker
Contributor

Thanks for the info.

There is a big chance we will already order one (or something similar) beforehand. But drop a note when you intend to sell.

@simonbutcher simonbutcher added the help-wanted This issue is not being actively worked on, but PRs welcome. label Apr 15, 2016
@RonEld RonEld added the component-crypto Crypto primitives and low-level interfaces label Feb 17, 2019
gilles-peskine-arm pushed a commit to gilles-peskine-arm/mbedtls that referenced this issue Mar 1, 2019
…sa_verify_wrap

Adapt ECDSA wrapper to new EC public key format
@gilles-peskine-arm
Contributor

It's been almost a decade and the ecosystem has changed quite a bit. Do you still care about VIA Padlock support? We currently intend to remove it in the next version of Mbed TLS.

@hardfalcon
Author

> It's been almost a decade and the ecosystem has changed quite a bit. Do you still care about VIA Padlock support? We currently intend to remove it in the next version of Mbed TLS.

No hard feelings about this from me, I don't really use that hardware anymore. Kudos for asking first, though! :)

@daverodgman
Contributor

Closing, we won't extend support and will remove existing support in the future.

gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Jul 1, 2024
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Jul 1, 2024
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
bensze01 pushed a commit to bensze01/mbedtls that referenced this issue Jul 3, 2024
…fig-booleans-framework

[framework] Report configuration settings in the outcome file