OpenBSD Journal

Support for the VIA CPU with AES

Contributed by jose on from the very-cool-crypto-hardware dept.

The next VIA C3 CPU contains a 12+Gbit/sec AES instruction set covering all major modes. OpenBSD 3.4 ships with support for it included. The VIA CPU is a tiny chip on a tiny board, great for embedded and small-footprint applications (such as VPN gateways). Several developers already have samples working. The files changed to add support are sys/arch/i386/i386/autoconf.c and sys/arch/i386/i386/machdep.c.

VIA is an open-source friendly vendor: they supplied documentation to the developers without requiring an NDA, which helped the effort significantly. A big thanks to them for that. Read the press release from VIA; it has a good quote from Theo about how neat this is.
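Checking for the engine from userland, as an added example (my code, not the OpenBSD machdep.c change the story mentions): it assumes VIA's documented CPUID layout, the vendor string "CentaurHauls" in leaf 0 and the ACE/RNG present and enabled bits in EDX of extended leaf 0xC0000001, and reports the "present but disabled" case separately from "usable".

```c
#include <stdint.h>
#include <string.h>

/* EDX feature bits of Centaur extended CPUID leaf 0xC0000001 (assumption: VIA's
 * documented C3 layout, the one OpenBSD's machdep.c tests; constants are local). */
#define C3_CPUID_HAS_RNG 0x00000004u  /* hardware RNG present */
#define C3_CPUID_DO_RNG  0x00000008u  /* ... and enabled      */
#define C3_CPUID_HAS_ACE 0x00000040u  /* AES engine present   */
#define C3_CPUID_DO_ACE  0x00000080u  /* ... and enabled      */

struct padlock_info {
    int is_centaur;                 /* vendor string is "CentaurHauls" */
    int has_ace, ace_enabled, has_rng, rng_enabled;
};

/* Raw CPUID; on non-x86 hosts the probe simply reports "no such CPU". */
static void cpuid(uint32_t leaf, uint32_t r[4])
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("cpuid" : "=a"(r[0]), "=b"(r[1]), "=c"(r[2]), "=d"(r[3])
                     : "a"(leaf), "c"(0));
#else
    (void)leaf; r[0] = r[1] = r[2] = r[3] = 0;
#endif
}

/* Leaf 0 carries the 12-byte vendor string in EBX, EDX, ECX (that order). */
void cpuid_vendor(const uint32_t r[4], char out[13])
{
    memcpy(out, &r[1], 4); memcpy(out + 4, &r[3], 4); memcpy(out + 8, &r[2], 4);
    out[12] = '\0';
}

/* Decode leaf 0xC0000001 EDX; pure, so it is testable with constructed values. */
void padlock_decode(uint32_t edx, struct padlock_info *pi)
{
    pi->has_ace     = (edx & C3_CPUID_HAS_ACE) != 0;
    pi->ace_enabled = (edx & C3_CPUID_DO_ACE) != 0;
    pi->has_rng     = (edx & C3_CPUID_HAS_RNG) != 0;
    pi->rng_enabled = (edx & C3_CPUID_DO_RNG) != 0;
}

/* Offload is usable only when the engine is present AND enabled; "present but
 * disabled" is the state a BIOS setting can leave the chip in. */
int padlock_aes_usable(const struct padlock_info *pi)
{
    return pi->is_centaur && pi->has_ace && pi->ace_enabled;
}

/* Probe the running CPU; returns 1 if the Centaur leaf was read. The vendor check
 * comes first because other CPUs return unrelated data for the 0xC000000x leaves. */
int padlock_probe(struct padlock_info *pi)
{
    uint32_t r[4]; char vendor[13];
    memset(pi, 0, sizeof *pi);
    cpuid(0, r);
    cpuid_vendor(r, vendor);
    pi->is_centaur = strcmp(vendor, "CentaurHauls") == 0;
    if (!pi->is_centaur)
        return 0;
    cpuid(0xC0000000u, r);
    if (r[0] < 0xC0000001u)         /* no extended Centaur leaves */
        return 0;
    cpuid(0xC0000001u, r);
    padlock_decode(r[3], pi);
    return 1;
}
```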



Comments
  1. By Anonymous Coward () on

    This is pretty cool, because this technology and OBSD are a perfect match. I'm about to revamp my internal network from an old Pentium to one of these boxes with 3.4 on it.

    I'm hoping to go diskless, if I can, at least for the router device. These are so small, I'm probably going to buy a few and split up the work among a few different boxes.

    Comments
    1. By Anonymous Coward () on

      Got any links to nice cases for these boxes? I too would like one or a few for my home web/mail server and a firewall.

      Comments
      1. By JonMartin () on

        www.mini-itx.com is probably a good place to start.

      2. By Simon timbers () on http://www.2ndchance.co.uk

        If you look at the hardback PC on http://www.2ndchancepc.co.uk

        you see a fanless VIA with 3 eth ports onboard, a pretty nice router, AND they know OpenBSD...

        regards

        simon

        Comments
        1. By Anonymous Coward () on

          Those are the 'lex light barebones' systems, http://www.lex.com.tw/index1.htm - another nice feature of those is the built-in CF adapter. Other uk sources include linitx.com and ultim8pc.co.uk. You get the choice of either 1 or 3 ethernet ports (either godawful - rl I think - or expensive - fxp), and 533 and 800 processors, both are available passively-cooled (passive 800 costs a little more than active 800). There's no PCI slot. Various options like multiple-video-input too, though most vendors don't carry these. linitx are selling 1U systems with 4 of these onboard (fully separate, including PSUs and power cords).

          Big points in Soekris' favour for certain applications are the general-purpose I/O ports, watchdog timer, and the comBIOS - big points in favour of EPIA and the Lex systems are wider distribution, faster CPU, more RAM can be used, and for the EPIA there's a much wider choice of cases.

          All have their place...

          I'd be fairly interested to know how long it would take for them to start paying for themselves in reduced energy costs when replacing a fairly typical home firewall (486/Pentium/PPro)..

          Comments
          1. By Anonymous Coward () on

            You could do the calculations from the components (I read a recent thread on the cost of 24/7 SETI@home, they did the calculations); but also note that the default power supply for the VIA EPIA 5000 (533MHz - and when I look at the CPU graphs on my box, 533MHz is actually good enough for 24/7, despite the fact it hits the ceiling during development work, but I have a separate 2.4GHz machine for hardcore), is a 65/60W "brick". I read elsewhere that the nominal drain for an idle system is on the order of 5W, while apparently (from the SETI@home thread) this is the drain for an average P4 desktop box *with the power off!*, and about upwards of 10-20-30W for the same system on but idle.

            I notice that my idle cpu time is often <10% - improved power save in the system would probably cut my power drain even more.

        2. By .jon () on

          This is a LEX thin-client, not really useful, except as a barebone-router. Not for a server. They get quite hot and only accept low-profile (expensive) RAM and an expensive 2.5" hda.

          What *is* nice with these however is the PSU they produce. External, passive, up to 150W, afaik.

    2. By Anthony () on

      It's kinda scary. If you're doing primarily IPSec or SSH or whatever, all the PPC970's and Opterons and Xeons will get their asses handed to them by a chip that's barely ahead of Pentium 3's in other areas.

      Comments
      1. By RC () on

        That's just how it works... If you have custom hardware, it's going to smoke a general-purpose processor.

        You could always just spend a few bucks to get a PCI crypto accelerator for your "Opterons and Xeons" and be better off for it. As far as I'm concerned, this is really just a trick by VIA to make their processor look like it isn't such a dog...

        They've gone to great lengths to say that each chip is not as awful as the last, and offer up benchmarks that show the processor many times better off than it is.

        But hey, that's just my rant.

        Comments
        1. By Anonymous Coward () on

          Their CPUs have been getting better. "make build" runs in 1:31 (hours), which is not bad, considering the hardware I have. Much better than the last sample I've had from them.

          Certainly not a 3.2 GHz Xeon box, but not too shabby either...

        2. By Anonymous Coward () on

          You could always just spend a few bucks to get a PCI crypto accelerator for your "Opterons and Xeons" and be better off for it.

          How well do other dedicated crypto cards stand up in comparison to this VIA? 1.6Gb/s is 10 times faster than my Athlon 2GHz and the theoretical max is 78 times faster. The only post I see about OpenSSL AES speed on the Soekris reports it doing AES at 8Mb/s, or 1/200th the (initial) speed of the VIA. What are the speed/heat/power/price/size/features comparisons for other options?

        3. By Anonymous Coward () on

          One would think that the "133MB/s" limit of PCI would be somewhat in the way in regards of beating the 1.6Gbit/s VIA got.

          Comments
          1. By Anonymous Coward () on

            133MB/s is for 32-bit/33MHz PCI, and offers maximum throughput around 2/3rds (1064Mb/s) of what the VIA can currently push.
            64-bit/33MHz PCI does 264MBytes/sec, so that's 2112Mb/s or well over what the VIA currently does, though still about 1/7th its maximum.
            64-bit/66MHz PCI does 528MBytes/sec, or 4224Mb/s - about 1/3rd the maximum the VIA should be able to do.
            But these are mostly theoretical maximums; anyone know of some good actual benchmarks?

  2. Comments
    1. By zoc () on

      http://www.via.com.tw/en/channel/vcdp.jsp

      btw, this looks sweet http://www.viavpsd.com/product/4/8/EPIA-CL-h.jpg

    2. By .jon () on

      You can't get one, yet. This CPU is being designed for VIA's NanoITX platform.

      The current platform available in the shops, however, is the Mini-ITX platform, which has soldered-on C3 CPUs on an ATX board of the size of 170mm x 170mm, along with full onboard devices and one PCI slot. The CPU they use on these is also available stand-alone for So370. (I use it passively cooled for my server; too bad OpenBSD 3.3 won't install on that system due to not being able to deal with my 120GB hda.)

      NanoITX was said to combine CPU and northbridge on a single chip. However, as I see it, this chip has no northbridge embedded, so they must plan more.

      Strangely I did not find any NanoITX being shown on VIA's roadmap for 2004, but it might be that what I saw was the roadmap covering only MiniITX.

      Hopefully they will release a So370 version of this CPU, since I consider 3 PCI a need for any serious SOHO/Home-server (SCSI (tape) or S-ATA (hotswap, raid), 2nd NIC and eventually one of those embedded firewall NICs) server.

      Comments
      1. By sthen () on

        The current EPIA boards support 2 PCI with a dual-riser in the right case (e.g. Travla C137, but don't use that case with CL10000 until the PSU timing issues are fixed, CL6000 is fine but it doesn't have the newer Nehemiah core). CL range has dual ethernet (both vr) and 4x serial, but I was wondering why the passive-cooled CL6000 had an older core - it would be pretty nice to see this new chip on a passive-cooled CL board..

        Comments
        1. By .jon () on

          So still no better solution from you ;-)

          I know much about the EPIA. One thing I know, is that the Travla case is not an option for any home-server.
          The other one is, that all EPIA cases produce a lot of noise (psu).

          The server I built on a C3M266-L (µATX, identical to EPIA-M but with So370, no AGP but 3 PCI), which I have built into a self-made alu-cube, is passively cooled, noiseless, awaits the S-ATA HotSwap option (PCI card), has room for one system hda and two RAID hda, no external drives except for the DDS streamer and a later S-ATA HotSwap option (best backup imo). I still can exchange the 2nd NIC with an embedded firewall on PCI (acts as NIC and has an embedded computer soldered on), will add a S-ATA controller and have already added my SCSI controller.

          Currently the EPIA is, like all those solutions industry tries to rub under our nose, not really serious, since it does not do all that I need.

  3. By Eric () on

    I wonder if/when OpenBSD will have support for the hardware random number generator on PIII cpus. That would be nice too.

    Comments
    1. By tedu () on

      are you referring to the rng in the chipset? it's already supported by pchb.

  5. By Hyb () on

    Do they still use the godawful vr(4) chipset?

    [damned double post]

    Comments
    1. By Anonymous Coward () on

      I've been using one of these older EPIA boards as my firewall/router and have never had any problems with the vr interface. Now the xl interface on the other hand ... wheew!

      Comments
      1. By Anonymous Coward () on

        I've been using one of these older EPIA boards as my firewall/router and have never had any problems with the vr interface. Now the xl interface on the other hand ... wheew!

        http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_vr.c I had problems that were resolved with rev 1.31 but still get a bunch of random messages from the card... just like xl.

        Comments
        1. By Anonymous Coward () on

          I still have problems with if_vr even with the 1.31 updates - well, I did have the problems but now a hub sits between the VIA and my dell. The hub never powers down so never triggers the issue that causes if_vr to lockup. At least with the 1.31 update, I can serial console to the VIA and manually ifconfig down/up to force a hard reset.

          I don't know whether this is a hardware or driver issue. Unfortunately this can be part of life with a manufacturer-unsupported device driver.

          Comments
          1. By Hyb () on

            I've had problems even after the 1.31 fbsd sync, with it [iirc] just bringing the machine to a halt as soon as you put the chipset under stress. I finally just surrendered my PCI slot to another NIC.

            It's a pity really, as it's an otherwise nice board and furthermore doesn't seem to suffer such problems under lunix.

  6. By Magnus () magnus@yonderway.com on http://yonderway.com

    I will definitely be supporting VIA when this comes out. I've been looking at various small boards to use for embedded devices that I'm working on. Soekris has been very OpenBSD friendly but got ruled out because their pricing is too high for what you get. VIA gives you much more bang for the buck, and with the strong crypto support coming I'll definitely be evaluating these boards.

    Comments
    1. By Anonymous Coward () on

      I couldn't agree more. Would be nice though if soekris could drop their prices considerably, but oh well.

    2. By grey () on soekris.com

      Umm, not to be a pain, but what is _cheaper_ than a soekris that still gives you NIC's & RAM already on board in that kind of form factor? I've seen plenty of other pc/104 & embedded boards, and soekris is about as close to the bottom of the price (and performance) scale as you can go while still being rather complete for a network oriented board.

      There have been various other C3 based network appliance devices in the past from various vendors, but they all tend to start around $500 and that's without any onboard memory, in other words - you're paying more for them based on performance. Seeing how this newer C3 iteration is even faster, with more features, I don't see the cost dropping much, even with a die shrink.

      If you're trying to compare a Soekris board to a mini-ITX Shuttle PC or something, don't; they're very different beasts in a number of respects.

      Keep in mind too that Soren has been planning on some lower priced options for people who don't need quite so much (e.g. fewer NIC's or expansion slots for those who are aiming for something more purely for wireless AP's).

      I've heard a lot of people dismiss soekris products for being underpowered, or even complain about their NIC chipset choice; but I think this is the first time I've heard folks allege that they expect something more for the price that they're going for (the few price complaints I have heard were from people who wanted even _less_ than what was offered).

    3. By Alejandro G. Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com

      Have you read the specs of the Soekris hardware? The console is on the SERIAL line. Where can you get a computer that runs standard x86 OpenBSD, has 3 NICs + 128MB of RAM and lets you control the BIOS through the _serial_ port for less than $300? This is not a clone. They have some value add (i.e. the BIOS). You have to count that.
      You can connect the serial to your notebook and so you don't actually need to carry a monitor to see why the fsck machine doesn't boot. Or you could actually dial in to the console and see it booting.
      Now, tell me it's soooo expensive. I would love to see a version for $350 with an Eden-N at 600MHz. Add a $180 1GB CF and have a heck of a VPN firewall for $530. Just compare that to a PIX.

      Comments
      1. By Wim () wim@kd85.com on http://soekris.kd85.com/

        Actually you can get away with a 32 MB CF, which is a lot cheaper (EUR 20). A working OpenBSD system with firewalling and some proxies on it can be installed on 25 or 30 MB.

        What do you intend to use the rest of the 994 MB for? Keep in mind that CF has a limited write capability (something like 1 million times for Kingston CF, for example), so putting logfiles or other temp files on it is not advisable. If you want to have tmp storage, you need to get an MFS RAM disk..

        We want to keep it as cheap as possible, remember? ;-)

    4. By Anonymous Coward () on

      They are the cheapest firewall/router/AP/etc I've ever seen.

    5. By Wim () Wim@kd85.com on http://soekris.kd85.com

      I think you are comparing apples and oranges...

      Soekris offers a true serial console intel based platform that allows you to run your normal binaries on minimalistic hardware (so no cross compiling issue like with for example the StrongARM boards).

      The power consumption is very moderate (only 10 Watts), which is not optimal (Ever seen 1 Watt StrongARM boards? I have ;-). But it's a lot better than ATX based power supplies that are either noisy or expensive.

      The Soekris crypto boards very nicely integrate with their platform and are supported perfectly in OpenBSD.

      The development tools you need to bootstrap your own product (aka "one CF adapter") are ridiculously cheap.

      I'm looking forward to see other cheap solutions out there, ready to ship.

  7. By Brad () on

    Whole setup looks pretty small. I'd start getting really excited if they could plug into a PCI port; you could set up PCs with an inbuilt, totally separate firewall, including Windows boxes for dumbasses, with a VIA PCI-PC to run VPN, pf, and traffic shaping, including the ACK priority that my ADSL mates are jealous of :)

    The PCI interface could emulate a network card.

    Comments
    1. By Anthony () on

      "The PCI interface could emulate a network card."

      You have a sick mind. :)

    2. By .jon () on

      This already has been implemented:

      "The SnapGear PCI630 is a VPN Firewall PCI card that offloads all firewall and VPN processing from the host computer to the card yielding greater performance, higher security, remote management, and simplified installation. Unlike "co-processing" products on the market, the PCI630 is an advanced self-contained VPN and stateful firewall multi-tasking appliance."
      See here.

  8. By Anonymous Coward () on

    Sure you can get a speedy 2GHz P4, but that's not the point. VIA EPIAs are low power - mine is a 24/7 home gateway / development box / etc. Just what I need to keep the power bills low. What I would like in obsd is improved power save.

  9. By Olivier () om_deadlydotorg-post03a at olden.ch on mailto:om_deadlydotorg-post03a at olden.ch

    Cool, very cool indeed. Nice example of a fruitful collaboration between a hardware vendor and open-source developers. Thanks to all parties involved.

    Back to this new CPU. Fast encryption is Good(tm), but what about authentication?
    VIA's release doesn't mention anything about hashing or similar, whereas to me, in most cases, protecting the integrity of data is as important as its confidentiality.
    (sure, some AES MAC scheme could be used, but for now I'd rather use some standard hash).

    If it is the case, too bad for some applications like IPsec (rather worthless without HMAC), but this remains very interesting for others like swap encryption.

    BTW, precision: according to the release, this applies to VIA's Eden family of CPUs, i.e. lower power (thermal & processing) than the C3 series.

    Can't wait for a Soekris(-like) box based on this nice little beast... :)

    Comments
    1. By ciph3r () on

      In this link:
      http://www.via.com.tw/en/images/Products/eden/pdf/C5P%20Security_App_Note.pdf
      in point 5.1 "WHAT'S NEXT" they talk about integrating a hardware implementation of SHA-1 in the successor of Nehemiah.

    3. By Anonymous Coward () on

      You can always fall back to software for MAC and public-key related computations. It is not like you have to do ALL in hardware. Once you do the authentication, the actual data transfer is accelerated if using AES. Nice thing is that the OpenBSD crypto framework makes it all transparent.

    4. By Anthony () on

      The next generation chip will apparently include support for hardware SHA-1 hashing.

  10. By MotleyFool () mootlydog@dogstar.org on mailto:mootlydog@dogstar.org

    As someone who remotely administers lots of systems, you really want the capability of getting to the console via serial, a la the Soekris box. Now one of the projects that's working on this is LinuxBIOS, which had support for booting OpenBSD at one point.

    Why can't these motherboard vendors just support serial console if the video is disabled?

    Comments
    1. By sthen () on

      LinuxBios does support some of the EPIA boards (the older EPIA5000/8000 but not the M and newer boards, iirc)...

  11. By Anthony () on

    Most of the PC's with these chips have one PCI slot and an onboard network interface. Two interfaces is enough for a basic firewall, but ideally you have three so you can segregate the wired and wireless networks completely.

    Comments
    1. By tedu () on

      two words: quad port :)

    2. By Anonymous Coward () on

      Various off-the-shelf Intel 810 based MBs support the VIA CPUs. My small server runs on a generic 810E based MB with a VIA 600 (no AES). Measured at the wall outlet the entire shebang consumes between 22 and 28 watts depending on the HD state.
      Has FreeBSD 4.8 on a WD 120GB drive.

  12. By .jon () on

    The C3/EPIA/CLE266 platform has gotten some strong support recently on Linux. There are several patches to the kernel. Since VIA tries to establish itself as an open-source-friendly manufacturer and we can already see non-existing hardware being supported, I wonder how activities are with available hardware?
