OpenWrt Forum Archive

Topic: PC-Engines - ALIX, APU, SW versions and related Questions

The content of this topic has been archived between 1 Apr 2018 and 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I think I sorted the time issue.  I had daylight savings on.  It now looks to be adjusted for time zones correctly

RangerZ

No, there isn't any, i written "clear" there, since i was convinced that i was writing on terminal, my bad.
in any case, now I'm trying to include all the module that you need and build it on BB buildroot, than I'll buid again on CC trunk.
I've only a question:
Does the Geode processor support also the digest (output of hash function) acceleration?
i've find this option under libopenssl configuration, if u think that it can be usefull, i can add it.

Mirko_47

I have not read anything that indicates digest is done in hardware.   I am not clear from the screen shot if this is for hardware support or general digest support.  if the latter then yes.  Is there a downside to including this?  Space is not an issue.  the image takes only about 35% of the partition.

This seems to be the goto article on the subject, but I do not fully understand this.
http://www.twam.info/hardware/alix/usin … on-alix3d3

If you are building on BB expect that the Luci-Openvpn will not be found.  Not sure about the dependencies.

Best Regards.... RangerZ

yes, first i've tyed with BB, since I've already setted the buildroot, but i can't get compiled (even if I've selected PC Engine Alix as target, it compile it as  Google Chrome laptop, no idea why... but is known that BB isn't very good for x86 at the moment), so now I'll try with trunk.

Your last link is very usefull, as I tought CBC and ECB is needed, and by default event if hw acc. for geode is selected they aren't checked.

Mirko_47

Does the build process generate a file that indicates the options/packages, and/or is there a way to extract this for future use/reference? 

Indirectly related, I use a USB drive with Ubuntu 14 on it mostly for G-Parted.  Can you suggest a program (GUI based)  that I can use to create/restore an image file (ISO probably, but I do not really care) to/from a CF card.  I have no unused CF cards, and would like to archive an existing OpenWRT system in case I want it in the future.

Thanks... RangerZ

(Last edited by RangerZ on 14 Feb 2015, 15:37)

regarding a GUI based program:
if I've to be honest i've no idea, I use linux (ubuntu) as primary operating system, when I've time i try to google it
Regarding packages:
if I don't mistake, the buildroot download the makefile from openwrt.org and then use this file to generate the package with .ipk extension.
Now I'm building from trunk CC, if I get it compiled (keep my finger crossed) I'll try to collect all the compiled package

Hi Mirko_47

Thank you very much!  I have the 3 files.

I see a file in the packages base called base-files_157-r44445_x86.ipk.  Is the CC build version R44445?

I am downloading the packages now.

I am not clear I understand your comments in post 31.  In the screenshots  see the different selections you make to create the IMG (not sure of the correct terms for each item which is part of the problem).  I see at the top of the page .config. and some of the reading leads me to believe there is a file that contains the selections (maybe separate from the IPK files).  From the page http://wiki.openwrt.org/doc/howto/build  just above "Explanations"

When you save your configuration, the file <buildroot dir>/.config will be created according to your configuration.

Am I correct that this file, once created, can be reused to rerun the build?
Is it still usable if the package versions change?
Does it have the "parameters" => Support for Geode" etc?

Again, a lot of the process I do not understand yet.  Maybe there's a youtube on this.

We are expecting 18" of snow to begin shortly, and I need to go out before it starts.

Best Regards... RangerZ

No wait, .ipk files are the files that contains the packages or modules of OpenWRT, such .exe for windows.
THe built image, as the previously that I've uploaded has .img.gz extension.

On the previously linked google drive folder I've uploaded the image, MD5 checksum, and an archive that contains all the built packages.
[spoiler]
as I wrote in previous post, to flash the image, since you've said that you can run Ubuntu "live" from your USB drive, I suggest you to use it for flash the image on CF, so:
-Run gparted to clear the partition table on the CF, take note of the drive path (for example: /dev/sdd)
-Run terminal, then "cd" to the path where the image is stored, and decompress the image running:

gunzip image_name.img.gz

-flash the uncompressed image via dd:

sudo dd if=image_name of=CF_path BS=1M

To sum up, with an example, after you've cleared the partition table:

cd /home/mirko/Desktop/openwrt/
gunzip openwrt-x86-alix2-combined-ext4.img.gz
sudo dd if=openwrt-x86-alix2-combined-ext4.img of=/dev/sdd BS=1M

[/spoiler]

Regarding the .config file:
yes, this file is the output of "make menuconfig" command, and contains the index of the package selected into the buildroot.
However your case, there isn't only one .config file, output of make menuconfig command, but there's also another one, this time output of make kernel_menuconfig command.

As you say, if stored it can be used for rebuid an image (unless upgrading the buildroot, that sometimes can bring changes into package names/dependencies, especially into trunk subversion, wich at the moment is the only one that it works properly with our x86 boards)

Nwo I'm out of home, but next time that I'll turn on the desktop that i've used to build the image, I'll uplad the 2 .config files, and the output of diffconfig.sh command wich helps you to see wich package/modules were included into the image.

In any case, I've selected all the parameters required to use hw encryption acceleration; obviously I'm not sure that will work, but according to the description of the selected packages, and the excellet article that you've found, should work this time.


Good luck with the snow big_smile



EDIT: I think that I've just made a (very) stupid thing, I've drag n drop the 2 .config files into a folder on Ubuntu, which than I've renamed it into .config; and int seems that doing this I've lost the folder....

(Last edited by mirko_47 on 15 Feb 2015, 12:53)

Undo?   Undelete?   Is it easy enough to summarize the major changes from base that you made in some simple text or was it mostly the 2 screen shots?

I think I understand.  I have built a Ubunto VM since yesterday, and have nothing but problems.  Just finding applications is too hard compared to windows and I am having trouble mounting the CF reader.  I thought it would be more intuitive.  All I wanted to do was learn DD to back up a CF card. 

Based on this link:  http://askubuntu.com/questions/491082/s … ferent-usb   If I want to copy a CF card (complete) will this be correct?

sudo -i
dd if=/dev/sdc1 of=/dev/sda/home/[user]/AA1209_VPN.img bs-512 count=1

where the CF card is mounted in sdc1 and the output file is AA1209_VPN.img on sda in my "documents" folder.

To restore

sudo -i
dd if=/dev/sda/home/[user]/AA1209_VPN.img of=/dev/sdc1 bs=512 count=1

12" so far last night, almost 90" since 1/23/15.

Thanks again for your help.... RangerZ

I've tried also to perform an "undo", but it doesn't work... if I have to be honest this is the first time that I ran into this problem.... quite strange problem...
In any case, when I've 20mins free I will rebuild it and then I will upload the 2 .config.

Regarding backup, I never did something similar, but:
Typically Ubuntu "mounts" the local devices on

/media/

If tou want to be sure, I suggest you:
-open a gparted or disk utility window, and take note of the CF path, it will be /dev/sdXY
  ("X" refers to the drive letter, and "Y" refers to the partition number, since you've to copy the entire drive, including the partition table & MBR, you need only to know the drive letter "X")
-reach via GUI to the folder where you want to store the CF backup
-right click on the folder, ad take note of the path (it will be /home/username/path or someting similar)
-open a terminal window, and according of what is written into the article you've linked, perform the backup running:

sudo dd if=/dev/sdX of=/media/username/path/backup.img bs=512 count=1

To restore the backup:
-open a terminal window
-cd to the folder where the image is stored, so for example:

cd /home/username/path

-restore the backup running:

sudo dd if=backup.img of=/dev/sdX

... So what you've written it's correct just replace sdc1 with sdc.

https://drive.google.com/folderview?id= … sp=sharing
This itme I've uploaded: image, packages, .config (output of make menuconfig), .config (output of make kernel_menuconfig), and a list of the seected packages (output of diffconfig.sh)

Quite strange fact: running diffconfig.sh It says that there are some unmet dependencies with libopenssl (see upoloaded screenshot), but as you can see I've included it (see diffout.txt or CC_menu.config).

Hi Mirko_47

I have installed the previous IMG file and it appears to work fine.  I say "appears" as GParted indicates there is a problem with the boot partition.  I got the following message:

Unable to read the contents of this file system!
Because of this some operations may be unavailable.
The cause might be a missing software package.
The following list of software packages is required for ext2 file system support:  e2fsprogs.

..but I also get this on the original image too when I checked it in GParted (V.18).  I did not get this on my AA image.  What is interesting is that when I rebooted Ubunto the next day I did not get the errors.  It turns out there is a package e2fsprogs which is related to the file system support for ext2.  I have in any event downloaded and installed the package.

I did not have the package on any of the lists I sent you, and do no know if this is any kind of real issue (it boots).

I have also got VPN up and running, but am sorry to say I see no performance difference with the tweaks. 

I was able to make a backup image of a CF card, as well as restore it.  The image file is the size of the card, with lots of unallocated  space.  I was able to "Truncate" the img file.   I was surprised that I was able to DD a large file onto a smaller disk, so truncated or not I can restore the IMG file.  I was not as successful saving the partition and MBR, and the individual partitions. Gparted indicated file system issues, and I did not try to boot the card.

Regarding the new files of this morning, I also see that the kmod-crypto-ocf is not in the diffout.txt.  It should have been the only one of the 3 referenced in the screen print on my list.  I also see that from the diffout.txt there are other missing kmod-crypto packages. (aead, aes, arc4, cbc, core, ecb, hash, hw-geode, manage, ocf, pcompress, sha1).  I do not know what the diffout.txt file represents, so I can not say it is wrong.

Is this built on the files from today?

I have no idea what this means, but when I ran the OpenSSL speed test there was a reference to "unused-but-set-variable"

 root@OpenWrt:~# openssl speed -evp aes-128-cbc -engine cryptodev
engine "cryptodev" set.
Doing aes-128-cbc for 3s on 16 size blocks: 117832 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 64 size blocks: 112429 aes-128-cbc's in 0.12s
Doing aes-128-cbc for 3s on 256 size blocks: 94550 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 1024 size blocks: 60887 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 8192 size blocks: 13500 aes-128-cbc's in 0.04s
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
compiler: i486-openwrt-linux-uclibc-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_P                                                         IC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_                                                         H -I/home/mirko/Desktop/OpenWRT/trunk/staging_dir/target-i386_geode_uClibc-0.9.3                                                         3.2/usr/include -I/home/mirko/Desktop/OpenWRT/trunk/staging_dir/target-i386_geod                                                         e_uClibc-0.9.33.2/include -I/home/mirko/Desktop/OpenWRT/trunk/staging_dir/toolch                                                         ain-i386_geode_gcc-4.9-linaro_uClibc-0.9.33.2/usr/include -I/home/mirko/Desktop/                                                         OpenWRT/trunk/staging_dir/toolchain-i386_geode_gcc-4.9-linaro_uClibc-0.9.33.2/in                                                         clude -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENS                                                         SL_NO_ERR -DTERMIOS -Os -pipe -march=geode -mmmx -m3dnow -fno-caller-saves -fhon                                                         our-copts -Wno-error=unused-but-set-variable -fpic -fomit-frame-pointer -Wall
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      17139.20k    59962.13k   345782.86k   890689.83k  2764800.00k

I only mention it as it relates to openssl.  The test string is from the ALIX wiki.  I am thinking that an unused parameter in the string means the required pkg may be missing or not configured.

I will need to put this aside until the weekend, but will load the image and let you know what is actually it it as soon as I can.

Best regards.... RangerZ

Now,

About the performance improvements, honestly I don't know what to say... the wiki is quite clear, as the link you've  previously posted, and I've followed all the described procedures.

Regarding the "error" that I get performing diffconfig.sh; well I think that this isn't an error since the dependencies (libopenssl) that it says that is missing aren't missing, if you try to open the file named CC_MENU (if u're using win, try notepad++) you can see what I'm talking about.
This is valid also for the packages that you've mentioned (aead, aes, arc4, cbc, core, ecb, hash, hw-geode, manage, ocf, pcompress, sha1), give a look into cc_menu, all of this where set with "y"

The google drive folder linked today contains the image (, packages, ...) built this morning.
If also this one doesn't work properly, i'll suggest you to try to contact the mantainer of the package that for sure they will be more informed than me.

Hi Mirko_47

I am sorry it has taken me so long to get back to you on this.  Busy with winter damage and other matters.

I appreciate all the help you have been able to give on this so far.  You have been very generous with your time.  As you suggest I am composing a new note on the crypto issues, as they have not improved with the latest build.

I have a question on the work you have done.  I found some information at the very bottom of this post  http://wiki.openwrt.org/inbox/benchmark.openssl in the "Enable hardware acceleration" section.  I do not think I saw this before.  While the libopenssl module is included, do you know if the configuration of this feature was something that you ever found?   I do not see a reference in the CC_Menu or CC_Kernel config called "Crypto acceleration support".   I do see something called "CONFIG_OPENSSL_ENGINE_CRYPTO=y" in the CC_Menu_Config, which I think may be the "code" for it.    I would like to try to understand this for my note.

Thank you.... RangerZ

Sorry about the damage of the blizzard/winter, I hope that you are able to fix the problems without too many complications.

I've added a screenshot to the previously liked google drive folder: https://drive.google.com/open?id=0B1K0O … authuser=0
As u can see from the package description, the result selecting "Crypto acceleration support" under

make menuconfig->Libraries->SSL->LibopenSSL->Config 

menu is set

CONFIG_OPENSSL_ENGINE_CRYPTO

to "y", as were setted into the last build.

In any case I'm not sure if this 3 option:

CONFIG_OPENSSL_WITH_EC
CONFIG_OPENSSL_WITH_EC2M
CONFIG_OPENSSL_WITH_SSL3

(in the last build they were set to y)
Must be selected to work with the Geode AES engine; when I've some free time I'll try to build a new image without these three option disabled.
The fact is that I wasn't able to find if that option are required, so the only way to proceed is by trial and error...

Hi Mirko_47

At the moment I am of the opinion that you have things correctly configured, and that what is not documented is the need to have the application that uses the encryption engine specifically call for it.

This is the best note so far.   http://www.fantaghost.com/openvpn-accel … ng-pfsense   If I

$ dmesg | grep AES

I get the message

geode-aes: GEODE AES engine enabled

which leads me to believe that the configuration is correct. 

If you look at the second graphic (click on it) near the bottom it tells me to add the string

 engine cryptodev;

to my OpenVPN script.

I have added the parameter, but am not sure that I am seeing a difference.  The variance in the test data is so wide (30-50%), it is hard to be sure that I am seeing a real improvement.  It's not the 4x performance this article suggests http://www.twam.info/hardware/alix/usin … on-alix3d3

Cheers ... RangerZ

You didn't noticed the same performance improvement described on twam.info because you're running tests on VPN instead of running test on disk encryption, infact the results on twam.info refers to encryption performance with LUKS.
If you want to compare the performance that you get with something comparable, you can have a look of this case of use, where the board were used for the same purpose.
However, if adding the string:

engine cryptodev;

to your OpenVPN script brings you a performance improvement of about 30%, if I don't mistake comparing that result with the ones in the previous link
https://doc.pfsense.org/images/6/6e/Alix2d3_vpn_throughput.png
we can say that there's no a huge difference, right?


In any case tomorrow I already  have to build an image for my APU1d, so if you think that into two .config previously uploaded on google drive is still missing something, you can indicate here what must change, and then I can load it into the image builder, and try build a new image with the specified changes.

regards wink

Mirko_47

I did a little research on the three items, and tend to think I do not need these.

CONFIG_OPENSSL_WITH_EC
CONFIG_OPENSSL_WITH_EC2M
CONFIG_OPENSSL_WITH_SSL3

https://www.openssl.org/docs/apps/ec.html
https://www.openssl.org/docs/apps/ciphers.html
As best I can tell EC2M is dependent on EC.  One note i found talked about the size, and implied that space was the concern.  Not my concern with a CF card.
https://lists.openwrt.org/pipermail/ope … 20406.html

I also do not think the CONFIG_PACKAGE_libpolarssl is needed.  PolarSSL and OpenSSL are not the same package.

I do not really understand the section n the .config graphic at the bottom (Selected by:...).  If I am reading this correctly it is 3 sets of parameters.  I believe UML is user mode linux, but this does not mean anything to me in terms of config.

Looking at this page, http://wiki.openwrt.org/doc/hardware/cr … celerators it sounds like we do not want both cryptodev-lnux and OCF.  There is a note under "With OCF"

This must not be combined with cryptodev-linux.

Not sure how this impacts the options in the OPENSSL_ENGINE_CRYPTO section you showed in the graphic which reference this module.

Below that is "Adding libraries".  The libgnutls has not been included, though I do not know what it's use is.

Finally, in the "Enabling Specific Hardware"  section, I am considering purchasing a Soekris vpn1411 card to improve performance, so the related items could also be added.

  • kmod-crypto-des[*/]

  • kmod-crypto-hw-hifn-795x 

Regarding the use case, I was wondering the same, but this was a link from the ALIX Wiki. 

As for the pfSence comparison of VPNs, this was an impressive find, but a disappointing result for the HW Crypto.  The difference with and with out crypto is very small.  I think 30% is within my margin of error.  I do not get a 3600x performance boost with the Openssl speed test, but maybe half of that, which is still quite large (but apparently meaningless if the real increase is 30%)

How did you embed the graphic???

Cheers... RangerZ

(Last edited by RangerZ on 7 Mar 2015, 07:57)

This is the link to the new build:
https://drive.google.com/folderview?id= … sp=sharing

major changes:
.1: disabled OCF: as you written this must not combined with cryptodev-linux (sorry for the previous build that were combined), so now cryptodev only is enabled.
(polarssl can't be disabled)
.2: disabled elliptic curve support for SSL:
so,

CONFIG_OPENSSL_WITH_EC
CONFIG_OPENSSL_WITH_EC2M
CONFIG_OPENSSL_WITH_SSL3

Were set to "n", but I'm quite sure that it doesn't make any difference, in terms of performance.
I've disabled these options only to be sure that it can't cause further problems.

.3: enabled libgnutls whith cryptographic acceleration support:
so

libgnutls

were set to "y", as the sub-option

 /dev/crypto support

.4: disabled "size optimization" under OpenVPN/OpenSSL:
(A brief description here)
I'm not sure that it can help, but generally run code that were not optimized for size will be faster.
.5: compiled with GCC optimization set to -O3:
same reason described above, this shuld help the code to be faster.

Regards.

RangerZ wrote:

How did you embed the graphic???

https://forum.openwrt.org/help.php?section=img

(Last edited by mirko_47 on 7 Mar 2015, 14:51)

Hi Mirko_47

Well I hit the wall as we say.

I upgraded to the latest OpenVPN client SW so the new OpenSSL library would match the one in the image, and everything has slowed to a crawl.  I now can only get .5Mb/s.  This is with the R44462 version of OpenWRT.  I have spent 3 days trying to resolve this, including uninstalling and returning to the previous version of OpenVPN.  I think it's PC/browser related, as I can get slightly better from Mozilla (~1.5-2 Mb/s).  I have also gone back to V44445 with no improvement in browser speed.

I did load the newest image Tuesday.  I wanted to see if this would make a difference.  Unfortunately OpenVPN will not start.  I guess one of the modules we took out was important, probably OCF.  The Crypto Hardware page and ALIX wiki are in conflict on OCF.

I posted a question on the OpenVPN forum, and realized that I have been struggling with this solution for 6 months.  While I intend to see if there are any solutions that present themselves from that front, I am of the opinion that I may have to abandon this project.  It's just sucking up too much time.

I appreciate all you the help and support you have given.

Best Regards...RangerZ

The discussion might have continued from here.