Hardware based AES-NI is only available in 64 bit builds for the Raspberry Pi, right? Does anyone know whether we will see 64 bit OpenWRT builds in the future for the Raspberry Pi?
According to the RPi developers, Broadcom and the RPi foundation did not license the h/w crypto extensions (as necessary for hardware accelerated AES support). Basically every other ARMv8 hardware vendor did, the RPi4 does not (given that the RPi foundation is still pushing 32 bit ARMv6 images, they probably didn't care).
1 Like
Does that mean it is impossible to use, even with software support? Or does that only mean that Raspberry Pi's "official" images lack this functionality? ie, would it be possible for OpenWRT to support this if it is build for the correct architecture?
It means the silicon doesn't contain the necessary IP blocks to support hardware accelerated crypto functions, regardless of the software you're going to run on it. While using it in ARMv8 mode will still provide better performance, you won't get hardware AES.
2 Likes
Got it, that makes sense. Thanks for clearing that up 
Will OpenWRT support the ARMv8 instruction set in the future? Would that be as simple as compiling the same image for a different target, or will that require additional work?
Does anyone know if the openwrt image for rpi provides any mechanism for overclocking? We've gotten a decent speed boost using raspbian and 1.75Ghz and plan on using active cooling on all our devices.
Overclock the rpi on OpenWrt is similar to raspbian, simply editing the config.txt in the /boot directory of the microSD card.I did a test on 2 Ghz using a regular heat sink and temperature hit 80 °C during the test.
Raspberry Pi 4 b 2 GHz openssl benchmark:
root@OpenWrt:~# cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq
2000000
2000000
2000000
2000000
root@OpenWrt:~# openssl speed
OpenSSL 1.1.1c 28 May 2019
built on: Mon Jul 29 08:13:45 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr)
compiler: arm-openwrt-linux-muslgnueabi-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
md2 0.00 0.00 0.00 0.00 0.00 0.00
mdc2 0.00 0.00 0.00 0.00 0.00 0.00
md4 22312.03k 80464.00k 234455.76k 459831.64k 629639.85k 648265.73k
md5 53301.98k 138269.33k 269234.09k 352757.42k 385796.78k 388606.63k
hmac(md5) 20363.18k 68089.73k 177498.62k 301418.50k 377217.02k 383920.81k
sha1 52477.95k 135640.83k 263416.15k 344583.51k 377525.59k 380005.03k
rmd160 16872.04k 51353.64k 117572.52k 173532.84k 200695.81k 202970.45k
rc4 195071.66k 214663.47k 218969.34k 221346.13k 221978.62k 222063.27k
des cbc 40740.36k 42102.25k 42472.87k 42569.73k 42562.90k 42620.25k
des ede3 15302.76k 15547.93k 15655.64k 15616.68k 15619.41k 15613.95k
idea cbc 0.00 0.00 0.00 0.00 0.00 0.00
seed cbc 0.00 0.00 0.00 0.00 0.00 0.00
rc2 cbc 28013.22k 28677.53k 28929.37k 29000.36k 29010.60k 29016.06k
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00 0.00
blowfish cbc 70143.71k 74719.57k 76050.49k 76336.13k 76393.13k 76322.13k
cast cbc 67323.52k 71499.41k 72465.58k 72884.22k 72441.86k 72641.19k
aes-128 cbc 108758.92k 121282.67k 124734.24k 125689.17k 125796.35k 125561.51k
aes-192 cbc 94570.01k 101598.83k 106043.82k 107162.97k 107186.86k 107063.98k
aes-256 cbc 83705.85k 89150.74k 92619.61k 93500.76k 93720.32k 93443.41k
camellia-128 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-192 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-256 cbc 0.00 0.00 0.00 0.00 0.00 0.00
sha256 36885.09k 88275.39k 160978.43k 202307.93k 218912.09k 220326.57k
sha512 13510.17k 54115.88k 80571.93k 109762.49k 124431.02k 126682.84k
whirlpool 0.00 0.00 0.00 0.00 0.00 0.00
aes-128 ige 101712.02k 115867.46k 119690.33k 120927.57k 119496.70k 119788.89k
aes-192 ige 89230.10k 98496.30k 102757.80k 103681.71k 102656.68k 102525.61k
aes-256 ige 79506.68k 86857.56k 90023.08k 90713.09k 89879.89k 90424.34k
ghash 226646.46k 250854.27k 255623.42k 256037.89k 256871.08k 257037.65k
rand 2495.63k 9143.29k 27525.33k 54480.59k 76128.26k 78725.39k
sign verify sign/s verify/s
rsa 512 bits 0.000224s 0.000015s 4467.6 66594.4
rsa 1024 bits 0.000942s 0.000037s 1061.7 26887.2
rsa 2048 bits 0.005163s 0.000116s 193.7 8650.2
rsa 3072 bits 0.014300s 0.000235s 69.9 4250.3
rsa 4096 bits 0.030242s 0.000402s 33.1 2487.9
rsa 7680 bits 0.166066s 0.001315s 6.0 760.2
rsa 15360 bits 1.180000s 0.005058s 0.8 197.7
sign verify sign/s verify/s
dsa 512 bits 0.000283s 0.000185s 3533.9 5404.1
dsa 1024 bits 0.000574s 0.000451s 1741.7 2217.2
dsa 2048 bits 0.001545s 0.001351s 647.4 740.0
sign verify sign/s verify/s
160 bits ecdsa (secp160r1) 0.0008s 0.0006s 1265.3 1605.1
192 bits ecdsa (nistp192) 0.0011s 0.0009s 881.1 1146.9
224 bits ecdsa (nistp224) 0.0017s 0.0012s 603.5 807.9
256 bits ecdsa (nistp256) 0.0002s 0.0005s 5626.7 2151.9
384 bits ecdsa (nistp384) 0.0060s 0.0042s 166.4 239.8
521 bits ecdsa (nistp521) 0.0151s 0.0100s 66.4 99.8
163 bits ecdsa (nistk163) 0.0009s 0.0017s 1114.4 573.7
233 bits ecdsa (nistk233) 0.0014s 0.0028s 692.6 358.4
283 bits ecdsa (nistk283) 0.0026s 0.0050s 388.1 198.6
409 bits ecdsa (nistk409) 0.0054s 0.0105s 185.8 95.0
571 bits ecdsa (nistk571) 0.0125s 0.0245s 79.7 40.9
163 bits ecdsa (nistb163) 0.0009s 0.0018s 1060.5 542.8
233 bits ecdsa (nistb233) 0.0015s 0.0030s 651.7 333.8
283 bits ecdsa (nistb283) 0.0028s 0.0055s 354.2 180.6
409 bits ecdsa (nistb409) 0.0060s 0.0118s 166.6 85.0
571 bits ecdsa (nistb571) 0.0141s 0.0275s 70.8 36.4
256 bits ecdsa (brainpoolP256r1) 0.0021s 0.0017s 477.5 605.2
256 bits ecdsa (brainpoolP256t1) 0.0021s 0.0016s 477.5 641.6
384 bits ecdsa (brainpoolP384r1) 0.0060s 0.0045s 166.6 222.2
384 bits ecdsa (brainpoolP384t1) 0.0060s 0.0042s 166.8 240.9
512 bits ecdsa (brainpoolP512r1) 0.0085s 0.0063s 117.4 159.5
512 bits ecdsa (brainpoolP512t1) 0.0084s 0.0058s 118.5 173.5
op op/s
160 bits ecdh (secp160r1) 0.0007s 1343.1
192 bits ecdh (nistp192) 0.0011s 922.9
224 bits ecdh (nistp224) 0.0016s 635.4
256 bits ecdh (nistp256) 0.0003s 3127.8
384 bits ecdh (nistp384) 0.0057s 174.3
521 bits ecdh (nistp521) 0.0143s 69.8
163 bits ecdh (nistk163) 0.0008s 1193.1
233 bits ecdh (nistk233) 0.0013s 742.6
283 bits ecdh (nistk283) 0.0024s 410.0
409 bits ecdh (nistk409) 0.0050s 198.4
571 bits ecdh (nistk571) 0.0118s 84.9
163 bits ecdh (nistb163) 0.0009s 1119.8
233 bits ecdh (nistb233) 0.0014s 690.3
283 bits ecdh (nistb283) 0.0027s 372.1
409 bits ecdh (nistb409) 0.0057s 176.3
571 bits ecdh (nistb571) 0.0133s 75.2
256 bits ecdh (brainpoolP256r1) 0.0020s 499.8
256 bits ecdh (brainpoolP256t1) 0.0020s 499.8
384 bits ecdh (brainpoolP384r1) 0.0057s 174.4
384 bits ecdh (brainpoolP384t1) 0.0057s 175.1
512 bits ecdh (brainpoolP512r1) 0.0081s 122.9
512 bits ecdh (brainpoolP512t1) 0.0081s 123.8
253 bits ecdh (X25519) 0.0004s 2719.5
448 bits ecdh (X448) 0.0015s 672.8
sign verify sign/s verify/s
253 bits EdDSA (Ed25519) 0.0001s 0.0004s 7299.6 2409.9
456 bits EdDSA (Ed448) 0.0005s 0.0016s 2192.8 613.8
1 Like
Only bcm2709 kernel is compatible with bcm2710 and bcm2711, since there’s no point in adding optimized subtargets with 32 bits kernels for those platforms.
However, I’ve now added a bcm2711 subtarget, which features a 64 bit kernel for the RPi 4B. The only limitation is that USBs aren’t working for more than 3GB of RAM, so it has been limited via config.txt.
3 Likes
Have you tried enabling the default AP using the 2711 build? Maybe something's wrong with how I'm building it, but there might be some kind of firmware issue. I'll have to try again and post some logreads. It seems bcm2711 isn't available in snapshots, otherwise I'd start with that one.
Yes it's there now, I swear it just showed up since my last message! I've been refreshing that page every day. I'll give it another go, and the premade imagebuilder should make things a lot easier (for some reason building completely from scratch was taking 5hrs+ so I had a friend compile it for me).
The default wlan0 has to be set to "11a, Channel 36, Bandwidth 20Mhz" to work as AP (Never use auto channel and auto bandwidth). Otherwise it won't work
1 Like
Here are known issue:
-
The default onboard wireless chip can be used in AP mode. Do NOT set channel and bandwidth to "AUTO'. The Tx signal strength under AP mode is quite weak as there is no antenna.
-
There is no working usb wifi adapter (5GHz , >= AC1200, not AC600) so far. Since the Pi4b has far more better ethernet and usb3.0, the second faster usb wifi adapter will meet someone's requirement. I have tested RTL8812au, the kernel driver rtl8812au-ct won't work. Got a RTL8812bu then, and still frustrated in compiling driver.
1 Like
Update:
The RTL8812BU Usb WiFi Adapter (AC 1200, external antenna) is working on Raspbian. Using the driver from https://github.com/cilynx/rtl88x2BU_WiFi_linux_v5.3.1_27678.20180430_COEX20180427-5959
Compiled it on Raspbian with DKMS.
Tried to compile it under openWRT, but failed.
If some one could try this?
You “can’t” compile on OpenWrt, it needs to be cross-compiled on a build host, typically as a package.
FWIW, I've tested the RPI4 (2GB) for network speeds. I connected the RPi to a Compex WPQ865 with 4x4 11ac radio. Then I've connected a laptop to one of the Compex's Ethernet ports. I ran iperf on the RPi as a client and iperf as a server on the laptop. Here's what I'm seeing with iperf and RPI4:
On-board wifi -- about 100 MBit/s. looks like it only supports up to VHT40. So...yes, it's 11ac, but it's not fantastic 11ac.
USB3.0 with Wifi Realtexk 8822bu adapter (with 5dBi antenna) -- I can get in the 230 MBit/s range consistently. I tried the same test on another laptop and got about 300 MBit/s. Difference due to driver or antenna placement?
Ethernet (for this test, RPI4 connected to the Compex Ethernet) -- the low to mid 900 MBit/s
USB3.0 with Ethernet dongle (again, connected to the Compex Ethernet) -- mid 900 MBit/s
It seems the RPi shows a lot of promise -- what I'm seeing is consistent with their benchmarks.
3 Likes
BTW, I was using Raspbian Buster.
I think the key point to use RPi 4 as Router is to find out if both 2.4 and 5 Ghz radios can support a certain number of connected devices. As it was designed to be used as a client it's necessary to make some tests to find out how many associated devices it is able to support.
Another limiting factor are the antennas which are normally present on most traditional routers.
Perhaps it may be used at cabled Wifi Extenders for example. It would be a easy and cheap usage.
What a pity RPI Foundation didn't license the AES Acceleration. Not sure if it would be possible to purchase it separately somehow if you wish to use it for a different use like VPN Concentrator or other.
1 Like
Hello, does any one know that Pi4 can support enable both Wifi AP and client at the same time ? I try to enable AP on channel 36 (success) and then use client to scan for another Wifi AP and try to connect , then seems both AP and client down on PI4.
Anyone have any tests of the pi 4 wired SQM performance? The fact that this is a widely available device with plenty of cores and gigE capable interfaces would seem to point towards using it for wired routing for those fortunate enough to have a 300Mbps or better FTTH or DOCSIS connection. I'd consider it myself if it could handle gigabit FTTH with SQM as my j1900 box sucks much more power. I suspect it's not quite there though. Still for anything less than probably 500Mbps i would expect it to work. Tests anyone?