Re: Enabling Talitos kills all IPsec traffic

On Wed, 29 Oct 2008 10:33:39 -0700
"Barry G" <mr.scada@xxxxxxxxx> wrote:

> >> Also, is it correct that Talitos only accelerates AEAD connections, not ESP/AH
> >> protocols so there will be no performance increase for me until Strongswan
> >> adds rfc5282 support?
> >
> > I'm not sure what you mean here; talitos supports aes-cbc but doesn't
> > support aes-ccm nor aes-gcm.
> The reason I ask is:
> # cat /proc/crypto | grep -i talitos
> driver       : authenc-hmac-md5-cbc-3des-talitos
> driver       : authenc-hmac-md5-cbc-aes-talitos
> driver       : authenc-hmac-sha256-cbc-3des-talitos
> driver       : authenc-hmac-sha256-cbc-aes-talitos
> driver       : authenc-hmac-sha1-cbc-3des-talitos
> driver       : authenc-hmac-sha1-cbc-aes-talitos
> 
> All talitos drivers have the authenc prefix.  The aes-cbc entry in my
> crypto is:
> name         : cbc(aes)
> driver       : cbc(aes-generic)
> module       : kernel
> priority     : 100
> refcnt       : 1
> type         : blkcipher
> blocksize    : 16
> min keysize  : 16
> max keysize  : 32
> ivsize       : 16
> geniv        : <default>
> 
> Since its priority isn't 3000 and its driver isn't a talitos driver, I figure
> it is software.  Disabling the software AES driver in the kernel results in
> an error from strongswan when it tries to add the SA to the kernel.

Selecting talitos also selects CRYPTO_AUTHENC.  Can you try sending
traffic with CRYPTO_DEV_TALITOS unset and CRYPTO_AUTHENC set if you
haven't already?

If Strongswan works with authenc and s/w crypto (talitos unset), and
the SEC is firing interrupts (grep talitos /proc/interrupts), can you
try with the latest cryptodev-2.6 git tree?  There's an error reporting
fix for talitos there that may manifest any error the h/w may be
reporting, depending on the level of traffic.

Otherwise, if you still want to use Strongswan, you can keep talitos
entropy support by commenting out the crypto algorithm registration
section of talitos_probe().

hth,

Kim
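
Added example, not part of the original message or of the kernel sources: a small parser for /proc/crypto that reports, per algorithm name, which registered driver has the highest priority (the one the kernel crypto API hands out by default) and whether it is a talitos driver. The sample text and the function names are constructed for illustration, with priorities modelled on the values mentioned in the thread.

```python
# Constructed sample, modelled on the /proc/crypto entries quoted in the thread.
SAMPLE_PROC_CRYPTO = """\
name         : authenc(hmac(sha1),cbc(aes))
driver       : authenc-hmac-sha1-cbc-aes-talitos
priority     : 3000
type         : aead

name         : authenc(hmac(sha1),cbc(aes))
driver       : authenc(hmac(sha1-generic),cbc(aes-generic))
priority     : 100
type         : aead

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
type         : blkcipher
"""

def parse_proc_crypto(text):
    """Return one dict per implementation; entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return entries

def preferred_drivers(entries):
    """Map each algorithm name to its highest-priority implementation."""
    best = {}
    for entry in entries:
        name = entry.get("name")
        if name and (name not in best or int(entry.get("priority", 0)) > int(best[name].get("priority", 0))):
            best[name] = entry
    return best

def offload_report(text, marker="talitos"):
    """Map algorithm name -> (winning driver, True if its driver name contains marker)."""
    best = preferred_drivers(parse_proc_crypto(text))
    return {name: (e.get("driver", ""), marker in e.get("driver", "")) for name, e in best.items()}

if __name__ == "__main__":
    for name, (driver, hw) in sorted(offload_report(SAMPLE_PROC_CRYPTO).items()):
        print(f"{name:32} {driver:48} {'hardware' if hw else 'software'}")
```

On a live system, pass the contents of /proc/crypto to offload_report() instead of the sample string.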