
Tuesday, October 4, 2011

Using the Dreamplug's Crypto Chip

After talking with colleagues regarding this box (there are now several around) I learned that the encryption is pretty slow. But this is without the hardware encryption enabled. So let's see if it can be enabled.

For more information visit:
http://www.newit.co.uk/forum/index.php?topic=2030.0

Reference


Intel(R) Pentium(R) CPU G6950 @ 2.80GHz
$ openssl speed -evp aes128
Doing aes-128-cbc for 3s on 16 size blocks: 12582002 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 4295548 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 256 size blocks: 1121451 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 284735 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 35731 aes-128-cbc's in 3.00s
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Tue Dec  7 12:16:36 EST 2010
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      67104.01k    91944.84k    95379.22k    97189.55k    97569.45k

On the DreamPlug without Hardware AES


$ openssl speed -evp aes128
Doing aes-128-cbc for 3s on 16 size blocks: 1520029 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 451973 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 118487 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 29964 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 3758 aes-128-cbc's in 3.00s
OpenSSL 0.9.8o 01 Jun 2010
built on: Thu Feb 10 21:19:23 UTC 2011
options:bn(64,32) md2(int) rc4(ptr,int) des(idx,risc1,4,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       8106.82k     9642.09k    10110.89k    10261.92k    10261.85k

HOWTO Configure Hardware AES with OpenSSL

First I had to get some things set up:

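# NOTE: Be aware of space. I moved a lot of directories to an attached eSATA disk for more space and speed, then symlinked them into place.
# Everything after the first command writes to /usr/src, /lib/modules and /etc, so run it from a root shell.
# The tarballs come over plain HTTP with no integrity check; verify them against a checksum or signature from the publisher where one exists.
sudo aptitude install build-essential
# Kernel source matching the running 2.6.33.6 kernel (needed to build the cryptodev module)
cd /usr/src
wget http://dreamplug.googlecode.com/files/linux-2.6.33.6.tar.bz2
tar -xjf linux-2.6.33.6.tar.bz2
ln -s linux-2.6.33.6 linux
ln -s /usr/src/linux-2.6.33.6 /lib/modules/2.6.33.6/build
ln -s /usr/src/linux-2.6.33.6 /lib/modules/2.6.33.6/source
cd /usr/src/linux
wget http://archlinuxarm.org/mirror/with-linux/2.6.33/2.6.33.6/sheeva-2.6.33.6.config
# Use the running kernel's configuration
zcat /proc/config.gz > .config
make uImage && make modules
# cryptodev kernel module, which provides /dev/crypto; load it now and at every boot
wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.0.tar.gz
tar -xzf cryptodev-linux-1.0.tar.gz
cd cryptodev-linux-1.0
make && make install
echo "cryptodev" >> /etc/modules
modprobe cryptodev
# OCF tarball (only its OpenSSL patch is used) and OpenSSL 0.9.8r
wget http://sourceforge.net/projects/ocf-linux/files/ocf-linux/20110530/ocf-linux-20110530.tar.gz/download -O ocf-linux-20110530.tar.gz
tar -xzf ocf-linux-20110530.tar.gz
wget http://www.openssl.org/source/openssl-0.9.8r.tar.gz
tar -xzf openssl-0.9.8r.tar.gz
cd openssl-0.9.8r
patch -p1 < ../ocf-linux-20110530/patches/openssl-0.9.8r.patch
# --prefix=/usr installs over the system OpenSSL that SSH uses; keep a non-SSH console available
./config shared threads zlib --with-cryptodev --openssldir=/etc/ssl --libdir=/usr/lib --prefix=/usr
make depend && make && make install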


Fix the versioning: http://chris.dzombak.name/blog/2010/03/building-openssl-with-symbol-versioning

Results

Here are the results afterwards with OpenSSL:


$ openssl speed -evp aes128
Doing aes-128-cbc for 3s on 16 size blocks: 78428 aes-128-cbc's in 0.14s
Doing aes-128-cbc for 3s on 64 size blocks: 76194 aes-128-cbc's in 0.17s
Doing aes-128-cbc for 3s on 256 size blocks: 63152 aes-128-cbc's in 0.06s
Doing aes-128-cbc for 3s on 1024 size blocks: 39103 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 2048 size blocks: 23210 aes-128-cbc's in 0.00s
OpenSSL 0.9.8r 8 Feb 2011
built on: Thu Jul 14 09:50:39 MDT 2011
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc       8963.20k    28684.80k   269448.53k  1001036.80k 47534080.00k


Yeah way way faster. Oh and SSH uses OpenSSL. So be careful. It can cut your connection and you will need the JTAG to reconnect.
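The runs above all report "timing function used: times", so the table divides bytes processed by CPU user time, and with the work moved to the crypto engine that time shrinks towards zero. The following is an added example, not code from the original post: it recomputes each "Doing ..." line both ways, assuming the "for 3s" run window is wall-clock time.

```python
import re

# "Doing ..." lines copied from the DreamPlug runs quoted above
# (software AES first, then the cryptodev build).
SOFTWARE = """\
Doing aes-128-cbc for 3s on 16 size blocks: 1520029 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 3758 aes-128-cbc's in 3.00s
"""
CRYPTODEV = """\
Doing aes-128-cbc for 3s on 16 size blocks: 78428 aes-128-cbc's in 0.14s
Doing aes-128-cbc for 3s on 1024 size blocks: 39103 aes-128-cbc's in 0.04s
Doing aes-128-cbc for 3s on 2048 size blocks: 23210 aes-128-cbc's in 0.00s
"""

LINE = re.compile(
    r"Doing (?P<alg>\S+) for (?P<window>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<cpu>[\d.]+)s"
)

def throughput(output):
    """Return {block_size: (cpu_kBps, wall_kBps, cpu_share)} per 'Doing' line.

    cpu_kBps reproduces the table openssl prints (bytes / CPU user time).
    wall_kBps divides by the run window instead (assumed to be wall-clock),
    which is the rate an SSH or TLS peer would actually observe.
    cpu_share is the fraction of the window the CPU spent in user time.
    """
    rows = {}
    for m in LINE.finditer(output):
        size, count = int(m["size"]), int(m["count"])
        window, cpu = float(m["window"]), float(m["cpu"])
        total = size * count
        # A CPU time that rounds to 0.00s makes the per-CPU-second rate unbounded.
        cpu_rate = total / cpu / 1000 if cpu > 0 else float("inf")
        rows[size] = (cpu_rate, total / window / 1000, cpu / window)
    return rows

if __name__ == "__main__":
    for name, text in (("software", SOFTWARE), ("cryptodev", CRYPTODEV)):
        for size, (cpu_rate, wall_rate, share) in sorted(throughput(text).items()):
            print(f"{name:9} {size:5}B  per-CPU-second {cpu_rate:12.2f}k  "
                  f"wall-clock {wall_rate:9.2f}k  CPU busy {share:4.0%}")
```

Current OpenSSL releases accept `openssl speed -elapsed -evp aes128`, which makes the tool itself divide by real time.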

Monday, July 11, 2011

Setting up the Dreamplug

Just recently I got a Dreamplug from Global Scale Technologies. It is pretty cool in that it only draws 5W of power and comes with plenty of processing power and features for all sorts of things. It is initially designed for prototyping for full-scale products. However, it is great for the hobbyist to mess with and have a lower-powered computer for servers, VoIP, etc.

In my case I got one to primarily act as a little home server for file sharing, ssh, printer sharing, and scanner sharing. Eventually I would like to deploy one at the studio for backups and archiving as well. In the past I have used old desktops, but my latest one died and I got tired of paying the money to run a whole machine that sits idle 90% of the time. But as with anything, the 10% of the time I need it, I need it, so it is definitely worth keeping around.

These are just some notes of things I ran into and I hope someone will find useful. I know I will on the next round with one of these.

Of course the website and user guide pretty much have zero information on them. At least they have nothing very useful. They mainly talk about the ports and interface and such.

In the box you get way more than it seems. The power supply can disconnect and be run with a DC cable. It can act as a brick or you can use another power cable. It comes with sliding connectors allowing you to switch. It also comes with cover plates for exposed contacts and a Cat5e network cable (which will handle gigabit).

Mine came preloaded with Debian Lenny. I was expecting it to have Ubuntu. Not sure what is going on there. Seems that many pre-shipped with Ubuntu, but mine is Debian, so no clue. But things did work out of the box. I am more of a RedHat guy and got spoiled with the GUIs in Ubuntu. So Debian (even though closely related to Ubuntu) is different enough to be a little slow going.

Since it came preloaded it was already partitioned and everything. It looks to have about 2GB of onboard storage which is nice. It starts up as a wireless access point as you can see from /root/init-setup.sh. It also starts up Samba, SSH, Bluetooth, FTP and (attempts) lighttpd. The AP is automatically set up to bridge to eth0 which is DHCP. It also boots at runlevel 2.

To get on the machine, I had eth0 DHCP and I picked it up off of my DHCP server. You can ssh in with root and the default password (check the UserGuide for it).

Oh and BTW, the LEDs are obnoxiously bright. If you look in the init-setup.sh script and the wlan script, you can see how to turn them on and off. But not sure how to dim them and definitely not how to manipulate the power one. May need some opaque tape for that.

So for my setup first things first:

  • Change root passwd
  • Turn off the AP by running wlan.sh
  • Remove it by commenting out /root/init-setup.sh in /etc/rc.local. That will also turn off bluetooth. On reboot, it will be LAN only.
  • Set a static IP for eth0. Since mine will just be a server (already have a firewall/router) there is no need really for eth1 or wireless. So you have to edit /etc/network/interfaces and change it to static with the right address, gateway, and netmask. However, a bit of a gotcha is that ifplugd will stomp on it. So you must take eth0 out of /etc/default/ifplugd. More information available here: http://www.newit.co.uk/forum/index.php/topic,1960.msg5610.html#msg5610.
  • Change hostname in /etc/hostname
  • Oh yeah and install NTP (aptitude install ntp) which defaults to the debian pool. Then change the timezone: dpkg-reconfigure tzdata

After that initial round, that at least takes care of the tricky stuff. After that it should all be regular *nix stuff.
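The three file edits in the list above (rc.local, /etc/network/interfaces, /etc/default/ifplugd) can be checked mechanically after a reboot. The following is an added example, not part of the original post: the file contents are constructed samples, the 192.0.2.x addresses are placeholders, and treating "auto" and "all" in the ifplugd variables as wildcards that include eth0 is an assumption.

```python
import re

# Constructed sample files: the out-of-the-box state the post describes, then the state after the steps.
RC_LOCAL = {"before": "#!/bin/sh -e\n/root/init-setup.sh\nexit 0\n",
            "after": "#!/bin/sh -e\n#/root/init-setup.sh\nexit 0\n"}
INTERFACES = {"before": "auto eth0\niface eth0 inet dhcp\n",
              "after": ("auto eth0\niface eth0 inet static\n"
                        "    address 192.0.2.10\n    netmask 255.255.255.0\n"
                        "    gateway 192.0.2.1\n")}
IFPLUGD = {"before": 'INTERFACES="eth0"\nHOTPLUG_INTERFACES=""\n',
           "after": 'INTERFACES=""\nHOTPLUG_INTERFACES=""\n'}

def audit(rc_local, interfaces, ifplugd):
    """Return findings for the three file edits; an empty list means all are in place."""
    findings = []
    # rc.local: an uncommented call to init-setup.sh brings the AP and Bluetooth back at boot.
    for line in rc_local.splitlines():
        if "/root/init-setup.sh" in line.split("#", 1)[0]:
            findings.append("rc.local still runs /root/init-setup.sh")
    # interfaces: eth0 needs a static stanza with address, netmask and gateway.
    stanza = re.search(r"^iface\s+eth0\s+inet\s+(\S+)((?:\n[ \t]+.*)*)", interfaces, re.M)
    if not stanza or stanza.group(1) != "static":
        findings.append("eth0 is not configured as static")
    else:
        keys = {ln.split()[0] for ln in stanza.group(2).splitlines() if ln.strip()}
        missing = {"address", "netmask", "gateway"} - keys
        if missing:
            findings.append("eth0 static stanza lacks: " + ", ".join(sorted(missing)))
    # ifplugd: if eth0 is listed, ifplugd stomps on the static configuration.
    # Assumption: "auto" and "all" act as wildcards that would include eth0.
    for var in ("INTERFACES", "HOTPLUG_INTERFACES"):
        m = re.search(rf'^{var}="?([^"\n]*)', ifplugd, re.M)
        if m and {"eth0", "auto", "all"} & set(m.group(1).split()):
            findings.append(f"ifplugd still manages eth0 via {var}")
    return findings

if __name__ == "__main__":
    for state in ("before", "after"):
        print(state, audit(RC_LOCAL[state], INTERFACES[state], IFPLUGD[state]))
```

On the device itself, pass the contents of /etc/rc.local, /etc/network/interfaces and /etc/default/ifplugd to `audit()` instead of the samples.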

Other stuff I did:

  • Installed LAME, which wasn't as trivial as I had hoped. Added "deb http://www.debian-multimedia.org/ lenny main" to /etc/sources. Then I had to add the GPG key "gpg --keyserver pgpkeys.mit.edu --recv-key 07DC563D1F41B907", then "gpg -a --export 07DC563D1F41B907 | apt-key add -". Then "apt-get update". Took a few rounds of this to get some of the additional keys and I had to comment out a local apt repository from global scale. Then trivially "apt-get install lame". More information about getting lame from here: http://parabans.com/howto-install-lame-mp3-ripper-on-debian-linux-using-apt-get/. (Lame is slow as shit on this box BTW)
  • Installed smbclient (apt-get install smbclient) which then updated the rest. I decided to swap out the smb.conf file with the default one since it has comments that act as documentation.
  • Installed nmap, mainly to make sure I close all the right ports. Right now my only linux machine is a netbook with a crazy small keyboard.
  • Removed mysql from the startup scripts then uninstalled ( update-rc.d -f mysql remove, etc. apt-get remove mysql-common, etc.)
  • apt-get autoremove since there were some packages it was complaining about.
  • Added Cups Printing: http://wiki.debian.org/SystemPrinting
    aptitude update
    aptitude install cups cups-client hpijs
    aptitude install links
    links http://localhost:631/
    
  • Then added Scanner Sharing
    aptitude install sane
    ... bunch of configuration
    
  • Installed and configured samba

Performance specs are decent depending on what you are doing. Anything using the memory cards is dog slow. Off of an eSATA hard drive things are much better. Samba speeds are excellent; it also does great as a scanning server. SSH under high loads is pretty slow (i.e. sshfs). I set up a squid server, and changing the default cache directory to hit the eSATA drive makes it much, much faster. I tested some basic MP3 compression and file compression; they are also slow.

Essentially this thing is geared for I/O such as a NAS or router. While it will work doing some CPU intensive stuff, don't hold your breath. Excellent for a power efficient small server with great I/O. Pretty happy with what it will be doing for me.

I will be posting more tests regarding SSH port forwarding and web page delivery as time progresses.