I am using OpenVPN for a site-to-site solution. I noticed that there was a Mediatek AES driver using hardware and offloading the CPU. I would like to use this on my MT7628 soc, but it's not available.
Is there any reason why this is left out? Or why it was never ported up from the Linux 3 kernel to version 4?
Thanks. I will have a look at how far I can get with this. A little surprised that you only got a 10-15% performance increase. Would expect more. Either way, it should offload the CPU to do other tasks in the meantime.
So I managed to get the driver to compile and load.
Doing a preliminary test with "insmod tcrypt mode=200", it seems like it's working properly.
Now I can't seem to find where to flip the switch for the cryptodev. This I built and loaded, but when using "openssl engine cryptodev" it's missing libopenssl.so.
It seems it's not linked because I need to define the crypto hardware somewhere. Of course this MediaTek engine is nowhere to be found in any crypto/engine config I could find.
Since you built it for OpenWRT in the past, maybe you can point me in the right direction as to which file(s) to patch.
And... I found other references that OpenVPN uses very small blocks, in which case your 10-15% might be right. Still, I came this far... now let's see how OpenSSL really performs.
I noticed. Thanks. Later today I should be able to try. But maybe it's like you said, little point in using it for the application I am thinking of (VPN), because for small blocks the speed difference seems low and the additional (system) calls will probably make it even less useful.
At least I learned how to port/patch to LEDE. Looking into a bigger project: the "official" RA-ETH to enable hardware NAT. Again the idea is to offload the CPU, not because software NAT is not able to keep up with my 200Mbps internet line. It should also increase speeds between, let's say, a NAS and a desktop.
Looks like my way of adding this driver isn't working because OpenSSL gets built before my driver. So my driver compiles perfectly, but OpenSSL is missing the flags to include the hardware cryptodev. So I guess putting all files into one big patch file is the way to do it.
Patches are applied in the order of their sorted file names. That's why the prefixes contain numbers to force certain patches to be applied before others. Maybe you can play around with that to get them to apply in the correct order? @drbrains
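To make the ordering rule above concrete, here is an added example (not OpenWrt's own build scripts, and not code from anyone in this thread) that mimics what the build does with a package's patches/ directory: every *.patch is fed to `patch -p1` in sorted file-name order, so the numeric prefix decides the sequence, not the time the file was written. The patch file names, the `next_prefix` helper and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenWrt's build code: show how a patches/ directory is
# ordered and applied. Names below are constructed for the demo.
set -eu

# List the patches of a directory in the order the build will apply them
# (plain byte-wise sort, which is why prefixes like 010-/020- work).
patch_order() {
    dir=$1
    ls "$dir" | grep '\.patch$' | LC_ALL=C sort
}

# Hypothetical helper: next free numeric prefix, i.e. the highest existing
# prefix rounded down to a multiple of 10, plus 10 (010-, 050- -> 060).
# Leading zeros are stripped first so the shell does not read them as octal.
next_prefix() {
    dir=$1
    last=$(ls "$dir" | sed -n 's/^0*\([0-9][0-9]*\)-.*/\1/p' | sort -n | tail -n 1)
    last=${last:-0}
    printf '%03d\n' $(( last / 10 * 10 + 10 ))
}

# Apply the patches to a source tree in that order, like the build does
# with -p1 from the package build directory. Needs the patch(1) tool.
apply_patches() {
    dir=$1; src=$2
    for p in $(patch_order "$dir"); do
        echo "applying $p"
        patch -p1 -d "$src" < "$dir/$p"
    done
}

# Constructed demo directory: a kernel-driver patch and an OpenSSL patch,
# created on disk in the "wrong" order; sorting still fixes the sequence.
# Prints the path of the patches directory.
demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/patches"
    : > "$d/patches/100-openssl-enable-cryptodev.patch"
    : > "$d/patches/010-mtk-aes-driver.patch"
    : > "$d/patches/050-mtk-aes-drop-irqf-disabled.patch"
    echo "$d/patches"
}

if [ "${1:-}" = "demo" ]; then
    pd=$(demo_dir)
    patch_order "$pd"
    echo "next prefix: $(next_prefix "$pd")"
    rm -rf "$(dirname "$pd")"
fi
```

Run it with `sh order.sh demo` to see the driver patch listed before the OpenSSL one even though it was created second; a patch that must land after an existing 100- patch therefore needs a prefix such as 110-, which is what `next_prefix` prints.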
Initially I tried making it like a new kernel module: putting all my files in a new folder under Packages/Kernel/my kmod.
The OpenSSL (libs) never see my additional config settings to build with hardware.
For some reason I have extra config options when using the GnuTLS library, but libOpenSSL doesn't have them in the standard "make menuconfig".
AARGH!! I found it: there is a patch in the OpenSSL lib to disable the HW engine. I found references to this patch from a long time ago. Are the reasons to patch this still valid? Because then it makes no sense to have a hardware engine??
OR
should I change to a different library, use OCF instead of cryptodev, or something??
Next problem with this driver. It's very old, which means it still uses IRQF_DISABLED. Deprecated since kernel 3, removed since 4.1. We are on 4.4 now (looking into 4.9).
This part I can replace, but I run into problems when I want to use interrupts. This should help to get CPU usage down, but when I enable interrupts it generates a lot of errors.
@maurer, I noticed you were doing this for the MT7621 on the mqmaker forum. It seemed like there the interrupt problem was solved, but I couldn't find how. It just said the "board" was now fully supported. Does that mean I need to look into the DTS(I) files for full interrupt support?
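For the IRQF_DISABLED part, here is an added porting helper (not the driver's code and not from anyone in this thread) that rewrites request_irq() call sites so a 3.x-era driver compiles on 4.1 and later, where the flag no longer exists. Since kernel 2.6.35 every interrupt handler already runs with local interrupts disabled, so dropping the flag does not change behaviour. The two cases matter: a bare IRQF_DISABLED has to become 0, while an OR'ed one just disappears; a blind `s/IRQF_DISABLED//` would leave `request_irq(irq, h, , ...)` behind. The sample call sites, the handler name `mtk_aes_isr` and the device name "mtk-aes" are constructed.

```shell
#!/bin/sh
# Added example: remove IRQF_DISABLED from request_irq() flags in old driver
# sources. Sample lines below are constructed, not the real driver.
set -eu

# Filter: C source on stdin, rewritten source on stdout.
# 1) "IRQF_DISABLED | X"  -> "X"
# 2) "X | IRQF_DISABLED"  -> "X"
# 3) a bare "IRQF_DISABLED" (the only flag) -> "0"
strip_irqf_disabled() {
    sed -e 's/IRQF_DISABLED[[:space:]]*|[[:space:]]*//g' \
        -e 's/[[:space:]]*|[[:space:]]*IRQF_DISABLED//g' \
        -e 's/IRQF_DISABLED/0/g'
}

# Rewrite one file in place and keep the original next to it
# (hypothetical usage: port_file drivers/crypto/mtk-aes.c before building).
port_file() {
    f=$1
    strip_irqf_disabled < "$f" > "$f.new"
    mv "$f" "$f.orig" && mv "$f.new" "$f"
}

# Constructed sample call sites in the style of 3.x-era drivers.
sample_old() {
    cat <<'EOF'
ret = request_irq(irq, mtk_aes_isr, IRQF_DISABLED, "mtk-aes", dev);
ret = request_irq(irq, mtk_aes_isr, IRQF_DISABLED | IRQF_SHARED, "mtk-aes", dev);
ret = request_irq(irq, mtk_aes_isr, IRQF_SHARED | IRQF_DISABLED, "mtk-aes", dev);
EOF
}

# Returns the rewritten sample lines.
rewrite_sample() {
    sample_old | strip_irqf_disabled
}

if [ "${1:-}" = "demo" ]; then
    rewrite_sample
fi
```

Check the result with `grep -n IRQF_DISABLED` over the tree afterwards; any remaining hit is in a place (a comment, an #ifdef) that the three substitutions deliberately leave for a human to look at.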
Unfortunately the guy on the mqmaker forum, stas2z, didn't release his source code; he only releases binaries and builder files. But there is hope:
the guy that made the first backports released his code:
That's about the best chance to have mt7621_hw_ipsec enabled in LEDE.
I'm looking at the Padavan code a lot, but even he didn't activate interrupts. The IRQF reference is still "allowed" in his kernel 3.x versions. Looking (comparing) with the Wive-NG project as well.
His way (he has to) is to modify some kernel code to intercept the IPsec packets. This was never "allowed" by the OpenWRT community. Considered a security issue. The same most likely goes for the engine disable patch: rumor had it that the NSA had some backdoor in the hardware engines.
Me, I'm not that concerned about this part... don't think I qualify to spend resources on, so I'm just trying to get the most out of the hardware. Using IPsec and/or OpenVPN-OpenSSL to bypass geolocation problems or pass some other government firewall so I can access my favorite website.
Didn't find a good real-life benchmark yet. The "openssl speed" numbers are not a realistic indication (look good though).
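Since the thread keeps coming back to whether the engine helps at the small block sizes a VPN actually encrypts, here is an added example (not from the thread, and not OpenSSL's or OpenWrt's code) that first checks that the cryptodev engine is really usable and then compares the "openssl speed" summary line per block size with and without the engine. The interesting number is the ratio in the 16- and 64-byte columns, not the 8192-byte headline figure. The engine name is an assumption and the sample summary lines are constructed to show the shape of the comparison; they are not measurements.

```shell
#!/bin/sh
# Added example: engine availability check plus per-block-size comparison of
# "openssl speed -evp" output. Sample numbers below are made up.
set -eu

ENGINE=${ENGINE:-cryptodev}   # assumption: the engine the thread is after

# 1. Is the engine loadable and does it pass the self-test?
#    "openssl engine -t -c <name>" prints "[ available ]" when it is.
engine_available() {
    openssl engine -t -c "$ENGINE" 2>/dev/null | grep -q '\[ available \]'
}

# 2. Run the benchmark and keep only the summary line for one cipher.
#    -evp routes through the EVP layer, the only path an engine can
#    accelerate; without it the figures are the software implementation.
speed_line() {      # $1 = cipher, $2 = extra args (e.g. "-engine cryptodev")
    openssl speed -evp "$1" $2 2>/dev/null | grep "^$1 "
}

# 3. Compare two summary lines column by column.
#    Layout: "<cipher> <16B>k <64B>k <256B>k <1024B>k <8192B>k [<16384B>k]"
#    Prints "<block size> <software kB/s> <engine kB/s> <engine/software>".
compare_speed() {   # $1 = software line, $2 = engine line
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { split("16 64 256 1024 8192 16384", size, " ") }
        NR == 1 { for (i = 2; i <= NF; i++) { sub(/k$/, "", $i); sw[i] = $i } }
        NR == 2 { for (i = 2; i <= NF; i++) { sub(/k$/, "", $i)
                    printf "%d %.2f %.2f %.2f\n", size[i-1], sw[i], $i, $i / sw[i] } }'
}

# Constructed sample lines in the real summary format (numbers invented:
# a per-call overhead that dominates small buffers, a gain on large ones).
sample_sw()  { echo "aes-128-cbc     9000.00k    30000.00k    40000.00k    44000.00k    45000.00k"; }
sample_eng() { echo "aes-128-cbc     3000.00k    12000.00k    40000.00k    80000.00k   120000.00k"; }

# Engine/software ratio for one block size of the sample, e.g. ratio_for 16
ratio_for() {
    compare_speed "$(sample_sw)" "$(sample_eng)" | awk -v s="$1" '$1 == s { print $4 }'
}

if [ "${1:-}" = "run" ]; then
    if engine_available; then
        compare_speed "$(speed_line aes-128-cbc "")" \
                      "$(speed_line aes-128-cbc "-engine $ENGINE")"
    else
        echo "engine $ENGINE not available" >&2
        exit 1
    fi
fi
```

`sh speed.sh run` on the router prints one line per block size; with real numbers, a ratio below 1.00 in the 16/64-byte rows while the 8192-byte row is above 1.00 is exactly the small-block effect discussed above, and the engine will not help a VPN even though the headline figure looks good.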