Topic: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hi!

Does anybody know what is the status of hardware acceleration supported by kernel/drivers for the Broadcom BCM47xx/BCM53xx SoCs?

The BCM4702 and BCM5365 used by some of the platforms (Asus WL500GD/X, Netgear WGT634U...) have such hardware accelerated encryption support for IPSec, AES, DES, SHA... calculations.
The specification states the hardware is able to support 75Mbps of encrypted throughput....

Do the actual brcmXXXX kernel patches and/or additional drivers actually support that on OpenWrt? Are there any ported "native crypto libraries" for these chips? Anything known about that?

Are there any performance tests (ipsec... crypto in general) for these devices (asus 500gd, wgt 634u...)?

Thanks for any information.

MCulibrk


Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

There's an open-source driver for Broadcom crypto chips included with older RedHat 2.4 kernel SRPMS. *BSD also has a Broadcom driver (ubsec). Neither of these is meant for the crypto integrated on BCM47xx/53xx, but they're similar. The binary driver (sec.o) looks just like the one from RedHat, and the headers included with the WRTSL54GS source call it BCM582x.

You can find binary modules from various firmware images and source tarballs. However, since those are 2.4.20 based I don't think it'll work with OpenWrt 2.4.3x kernels. Devices with driver included are at least Maxtor Shared Storage, WesternDigital NetCenter NAS, Linksys WRTSL54GS, Asus WL700gE and SimpleShare NAS.

OpenSSL has an engine for ubsec, so that's probably not that big a problem. Also, if you look into the WDC sources, there's a patched FreeSwan with ubsec support. Not sure if all needed files are there.

Linksys WRTSL54GS tarball is one with most crypto accelerator related files intact. No source, but has headers that are missing from others.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Thanks jr!

I'll search around a little using your hints. I hope I'll find all the pieces to "glue" things together and, maybe, "compile" (as compilation ;-) ) something useful out of it. Who knows....

Searching the forum I found some performance results of ~ 1.5 Mbps with 3DES which is... well... slow? :-( given the broadband connections of up to 4Mbps I planned to use... with asus wl-500gd

Regards


Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

I uploaded various versions of the BCM5820 driver to http://80.81.183.101/openwrt/bcm5820/ so if someone is interested in looking into them, they're easier to find.

As I wrote earlier, these are NOT for the embedded Broadcom crypto accelerators present on hardware with OpenWrt support, but should be fairly close.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

mculibrk wrote:

Searching the forum I found some performance results of ~ 1.5 Mbps with 3DES which is... well... slow? :-( given the broadband connections of up to 4Mbps I planned to use... with asus wl-500gd

Please stay on this topic. I am also interested, because I have a 16000/1000 DSL connection.
I did some ssh/scp throughput tests on my WL-500gd and the best I could achieve was ~400KB/s with blowfish encryption :-( . You may also take a look into the dropbear sources. There are some performance options which are not enabled in favour of binary size. A faster dropbear would be nice.

juhe

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

jr wrote:

I uploaded various versions of the BCM5820 driver to http://80.81.183.101/openwrt/bcm5820/ so if someone is interested in looking into them, they're easier to find.

As I wrote earlier, these are NOT for the embedded Broadcom crypto accelerators present on hardware with OpenWrt support, but should be fairly close.

I start looking into them now.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

achim71000 wrote:
jr wrote:

I uploaded various versions of the BCM5820 driver to http://80.81.183.101/openwrt/bcm5820/ so if someone is interested in looking into them, they're easier to find.

As I wrote earlier, these are NOT for the embedded Broadcom crypto accelerators present on hardware with OpenWrt support, but should be fairly close.

I start looking into them now.

I'm currently trying to write a module for the crypto chip, to integrate it into the 2.6 cryptoapi. First I tried to get the whole ubsec API running, but I found that too bloated. I took a look at the current NetBSD implementation and found that they stripped the ubsec API from Broadcom down to the minimum required for their crypto API implementation, opencrypto. I'm trying the same for Linux now, but it might take a few weeks.

achim~

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Cool (Good luck!)

9 (edited by edie 2006-07-06 07:55:48)

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

http://wiki.openwrt.org/HardwareAcceleratedCrypto

I collected some info on this wiki page. Please update it with what you know about the topic! :-)

10 (edited by durval 2006-07-21 11:35:48)

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hello folks,

Just googled for BCM5365 (the SoC on the Asus WL-500G and others), and found this article at LinuxDevices: http://linuxdevices.com/news/NS6049226781.html

Excerpt:
                "According to Broadcom, the new chips are supported by a software development kit (SDK) that includes drivers, application programming interface, and Linux board support package (BSP). The BSP is also available integrated with MontaVista Linux. Additionally, an open source Linux application software reference library is available for the processors, which provides routing, firewall, NAT, DMZ hosting, and web-based console management, and which includes a hardware-accelerated FreeSWAN IPsec stack for VPN applications, the company said."

Searched a little more and found the original press release from Broadcom, stating basically the same things, at
http://www.broadcom.com/press/release.php?id=422211

Has anyone tried contacting Broadcom and simply asking for the above SDK and BSP?

Best Regards,
--
     Durval Menezes

In the 30+ years I've been messing with them, I have never met a computer that didn't like me.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Yes, I did. No reply. Typical.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

PolarWolf wrote:

Yes, I did. No reply. Typical.

Well, at least we tried :-)


13 (edited by durval 2006-07-21 15:14:18)

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hi,

achim71000 wrote:

I'm currently trying to write a module for the crypto chip, to integrate it into the 2.6 cryptoapi. First I tried to get the whole ubsec API running, but I found that too bloated. I took a look at the current NetBSD implementation and found that they stripped the ubsec API from Broadcom down to the minimum required for their crypto API implementation, opencrypto. I'm trying the same for Linux now, but it might take a few weeks.
achim~

I have a brand-new Asus WL-500GD [1] (with the crypto-capable BCM5365) and I also have experience with Linux/C/crypto programming; if you need help, just let me know.

Best Regards,
--
   Durval Menezes.

[1] Still running WhiteRussian RC5, but this might just be the excuse I needed to install Kamikaze on it  :-)


Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hi durval,

I didn't have much time in the last month; I had to invest all my free time into studying the NURBS book for a project I'm involved in at the moment.
I have already written a kernel module skeleton which detects the chip and does some basic PCI initialisation. But if I try to write to the PCI registers, the module segfaults. It's my first kernel module project and I guess I must invest some time in the PCI bus specifications.

achim~

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

achim71000 wrote:

I have already written a kernel module skeleton which detects the chip and does some basic PCI initialisation. But if I try to write to the PCI registers, the module segfaults. It's my first kernel module project and I guess I must invest some time in the PCI bus specifications.

achim~

Perhaps you can put the code you have up somewhere, then others can build on the skeleton code you've got.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hello Achim, Rifleman,

rifleman wrote:
achim71000 wrote:

I have already written a kernel module skeleton which detects the chip and does some basic PCI initialisation. But if I try to write to the PCI registers, the module segfaults. It's my first kernel module project and I guess I must invest some time in the PCI bus specifications.

achim~

Perhaps you can put the code you have up somewhere, then others can build on the skeleton code you've got.

Ah! Time... a most scarce commodity... something I usually have a lack of, too. Achim: In the first place, I would like to thank you for all the time you have already invested in that.

Second, I would like to second Rifleman's request. If you put it somewhere, we can all work on it... it should make more efficient use of that scarce commodity of us all. If you don't have the time or a place to put it, just give me a hoot and I will take care of it.

Kernel support for the crypto engine on this hardware would be a major win for OpenWRT in particular and for Linux and Open Source in general, and it's something I would really like to see.

Best Regards,
Durval.


Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Is there any news about the crypto kernel module?

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

http://www.atomicrocketturtle.com/kernels/2.4/linux-2.4.7-bcm5820-17.patch

(just found that - appears to be a port of the ubsec crypto driver for 2.4.7)

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

The ASUS WL500gP official firmware source has headers with precompiled object files for different encryptions. libbcmcrypto is created from these files. I downloaded the source from an ASUS FTP site.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

k3sp2wn:  Has anyone had any success with that ubsec port?

TGabor: I don't think that libbcmcrypto does hardware encryption.

------------------------------
From another thread:
http://forum.openwrt.org/viewtopic.php?pid=26232

libbcmcrypto has no hardware acceleration. It's just a proprietary implementation of a few crypto algorithms that doesn't offer any huge advantages.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

A breakthrough in documentation of the specifics of dealing with the crypto api. Read http://wiki.openwrt.org/HardwareAcceleratedCrypto for more info.

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Great, finally a proof that there actually /exist/ Broadcom datasheets - I wonder if there is more, where this one comes from ;-)

SE505V2 (CFE, 64MB, integrated USB hub, integrated 1GB USB MSD, reset mod), SE505V2 (CFE 32MB, USB, reset mod), SE505V2 (plain 8MB, client mode), WRT54GL (DD-WRT)

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hi all,

Is there any update on this topic?

I am also interested in whether there are any attempts to port hw crypto drivers to Kamikaze.

Any info highly appreciated. Thanks.

8.09 - Netgear WGT634U + Creative Xmod USB Audio, USB Drive, USB Hub, Dallas 1-wire sensors

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

Hi,

I'm also very interested in using hardware accelerated crypto, but actually I want to thank you all for spending so much time on this _great_ project!

Cheers,
uchi_mata

Re: BCM47xx and 53xx crypto hardware (IPSec,AES,SHA...) support

See the ticket for hardware crypto support. There was some work done, but there seems to be something missing in linux for correct support, so development is currently suspended.