Re: [Ocf-linux-users] Current status
Brought to you by:
david-m
Menu
▾
▴
Re: [Ocf-linux-users] Current status
|
From: David M. <uc...@gm...> - 2014-01-09 13:40:32
|
J.W...@mi... wrote the following: > Hi all, > > I'm able to get hold of some hifn boards, and I wonder whether I still need to apply specific patches. > On the suse mailing list, they claim that the patch is already included in main stream kernel, but only works on 32-bit machines. That would be the linux-crypto driver, not the OCF drivers. OCF is not part of the kernel, it is a seperately maintained HW crypto project. The OCF hifn drivers work fine on 64bit systems, but for some uses you will need to patch your kernel. > Besides loading a kernelmodule, any other tweaks todo? > > One board I would like to use on an openvpn box. Can that be done without altering distro-supplied openvpn/openssl ? I don't believe so, you would need to recompile openssl with cryptodev enabled under linux. Depending on the version of openssl you are using you may need to patch that as well. > Another board I intend to use for bulk generating keys/certificates with ejbca. > When hinting this to their developpers, I was asked if there was an pkcs11 driver for the accelerator board. > But shouldn't it be enough if openssl is capable in talking to the board? To accelerate pkcs using HIFN under ocf-linux you will need to: * patch your kernel * possibly patch openssl (depending on the version) I am not aware of any other solutions that provide this though. The only thing I will point out is that pkcs acceleration is not a magic solution. From my experience it will not let you generate more keys per second. What I have seen is that the rate stays about the same (there is a lot of surrounding algs that are not accelerated). What it does gain you is CPU cycles. While the HIFN is crunching numbers you can be doing other things (providing your application can take advantage of this). Hope that helps :-) Cheers, Davidm -- David McCullough, uc...@gm..., Ph: 0410 560 763 |
