stikonas has quit [Remote host closed the connection]
mripard has quit [Ping timeout: 255 seconds]
Daanct12 has joined #linux-rockchip
mripard has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 256 seconds]
kevery1 is now known as kevery
kevery has quit [Quit: kevery]
kevery has joined #linux-rockchip
chewitt has joined #linux-rockchip
CounterPillow has joined #linux-rockchip
crabbedhaloablut has joined #linux-rockchip
webchat98 has joined #linux-rockchip
<webchat98>
Is anybody on here have implemented armv8 crypto extension on RK3568 or 3588?
<CounterPillow>
isn't that part of the ISA so needs no SoC specific code?
<webchat98>
I guess I have a poor understanding/question. Let me rephrase, did anyone make use of the crypto engine to offload IPsec encryption/decryptions?
<CounterPillow>
Baylibre appears to be working on the separate crypto engine the SoCs have, according to the mailing list posts.
<montjoie>
webchat98: yes you could offload some part of ipsec to crypto engine
<montjoie>
like aes and sha operation
Guest97 has joined #linux-rockchip
Guest97 has quit [Quit: Client closed]
Guest97 has joined #linux-rockchip
Guest97 has quit [Client Quit]
kevery1 has joined #linux-rockchip
kevery has quit [Read error: Connection reset by peer]
kevery1 is now known as kevery
warpme has joined #linux-rockchip
<webchat98>
yeah, I saw Baylibre. I am about to contact the engineer on how to help him.
<montjoie>
webchat98: it is me:)
<montjoie>
webchat98: if you want to help, simply test the patch posted on mailing list, note that I have already got some report that hash function are sometime defective
<montjoie>
so no production use
<webchat98>
Oh, hello. It was me who is trying to improve the ipsec performance on BananaPi RK3568
<linkmauve>
montjoie, also that AES functions are slower than pure CPU, by a factor of ten.
<montjoie>
linkmauve: the number of crypto IP which made aes faster are really very rare
<linkmauve>
:|
<webchat98>
montjoie: if I were to contribute to the code, how do I know the mechanism in RK3568.
<montjoie>
allwinner sun4i-ss was one of them, gemini-crypto also, I dont know anymore
<linkmauve>
It was faster on the Wii U and even more on the Wii, also on AllWinner platforms, which are all I’ve ever used.
<linkmauve>
Especially on AllWinner SoCs which didn’t have the crypto extension.
<webchat98>
is this spelled out in the chip manual? Or some standard Arm instruction set
<lorenzb>
> the number of crypto IP which made aes faster are really very rare
<lorenzb>
The pure CPU part here includes the ARMv8 Crypto extensions, which means we're comparing two HW implementations
webchat98 has quit [Quit: Client closed]
<lorenzb>
Timing-safe software AES is extremely slow
webchat98 has joined #linux-rockchip
<montjoie>
using DMA slow down things also
<linkmauve>
Is there any usecase for such a slow hardware block?
<lorenzb>
But yeah, if you have the primitive the CPU crypto extensions are usually faster than any external device
<linkmauve>
For hashes I’ve compared, on huge input and without using it more than once, it was faster than the crypto extension.
<webchat98>
Are you all saying getting the crypto extension to work is just a waste time?
<lorenzb>
linkmauve: On ARM TrustZone can sometimes do cool things with these, like keys which are not accessible to the CPU but the CPU can stuff data into them. But for performance on algorithms covered by ARMs crypto extensions, not really.
<linkmauve>
Ok. :/
<lorenzb>
Some crypto engines can do RSA/ECC, but usually the performance requirements of them are not that relevant on embedded systems.
<montjoie>
the interest of crypto IP for RSA/ECC is bruning the key in hw
<lorenzb>
Meh, you can do that with TrustZone without extra HW.
<lorenzb>
webchat98: What sort of performance are you getting with IPSec? Standard ARMv8 Crypto extensions supported by Linux should get you pretty far.
<webchat98>
The chief problem I have is strongswan ipsec hoards one CPU core to it and run it to 100%, throughput is 70Mbps UP and DOWN.
<webchat98>
I don't have the algorithm in my head, I can go look though, the board is sitting next to me.
<lorenzb>
There's something wrong with your setup. Even on 4 A53 (you have 4 A55) I can get >1.5Gbps even on ChaCha20 which is not even HW-accelerated.
<webchat98>
What?
<CounterPillow>
Your software is broken, it doesn't need hardware acceleration.
<lorenzb>
A very quick test on a much older RK3328 gets me >6Gbps per core (it has 4).
<lorenzb>
(for just AES-128-GCM)
<lorenzb>
Also strongswan should never take relevant amounts of CPU, all bulk traffic processing happens within the kernel
<webchat98>
What I am reading is that ipsec SA one can use one core at a time, blah blah blah...
ldevulder has joined #linux-rockchip
<webchat98>
So then basicly I am idiot at not configuring the software right then, or not compiling the kernel right.
<lorenzb>
Even if true (depends on how exactly things are set up) your one core can easily do multiple Gbps of AES-GCM
<webchat98>
Definitely not the way I run it.
<lorenzb>
What does openssl speed -evp aes-128-gcm output on your board?
<webchat98>
I could get a maximum of 120 Mbps of dorm university wifi, with the current state of my software, it is capped at 70 Mbps.
<lorenzb>
Yeah, you should be getting orders of magnitude more.
<lorenzb>
What bulk cipher are you using?
<webchat98>
lorenzb: never tested that, I will soon do after some sleep. It is almost dawn in NY
<linkmauve>
Wow, I get 1 GiB/s here on a rk3568, so about 7.55 Gb/s.
<linkmauve>
On a single core.
<lorenzb>
linkmauve: Yeah, my result was on a RK3328 from like 2016 with downclocked RAM for stability. ARM's Crypto Extensions are pretty fast.
<linkmauve>
montjoie, it might make sense to reduce the priority of your driver then, at least for the AES parts.
<lorenzb>
linkmauve: For just bulk data processing even small cores are pretty fast, my BPi-R3 (4xA53) will saturate its 2.5Gbps ports routing in/out of WireGuard.
<linkmauve>
Heh. :)
<linkmauve>
I also have 4×A53 in my phone, with the crypto extension, never had any issue with those.
<linkmauve>
(On an A64 SoC.)
<webchat98>
Not WireGuard, I need my BPi-R2 to interoperate with Cisco RVs and ASAs.
<webchat98>
Cisco RVs are using strongswan themselves, fun fact.
<lorenzb>
webchat98: IPsec should be faster than WireGuard on these SoCs
<webchat98>
linkmauve: the most out of my mind thing I have done is to put a AQC113CS on PCIe3.0 x1 on BPi-2
<webchat98>
I got about 6.3Gbps bidirectional. PCIe 3.0 1x should be 8.0Gbps.
<Daanct12>
i see some device tree has vcc_bat in it, and it's just an alias to vcc_sys
<Daanct12>
is there any use of it that i don't know?
kevery1 has joined #linux-rockchip
<webchat98>
Is this for ACPI Power controls? I am just guessing.
kevery has quit [Ping timeout: 256 seconds]
kevery1 is now known as kevery
<Daanct12>
webchat98: nope, this is for regulators in device tree
webchat98 has quit [Quit: Client closed]
webchat98 has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 276 seconds]
<webchat98>
How would I go about fixing my software though?
kevery1 is now known as kevery
stikonas has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 276 seconds]
kevery1 is now known as kevery
kevery1 has joined #linux-rockchip
<montjoie>
linkmauve: all crypto hw have more prio, I believe it can be changed online
kevery has quit [Ping timeout: 256 seconds]
kevery1 is now known as kevery
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 268 seconds]
kevery1 is now known as kevery
stikonas has quit [Remote host closed the connection]
stikonas has joined #linux-rockchip
kevery1 has joined #linux-rockchip
naoki has joined #linux-rockchip
kevery has quit [Ping timeout: 256 seconds]
kevery1 is now known as kevery
naoki has quit [Client Quit]
DarkNeutrino has joined #linux-rockchip
DarkNeutrino has quit [Changing host]
DarkNeutrino has joined #linux-rockchip
stikonas has quit [Ping timeout: 255 seconds]
psydroid2 has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 276 seconds]
kevery1 is now known as kevery
dsimic has quit [Ping timeout: 255 seconds]
dsimic has joined #linux-rockchip
webchat98 has quit [Quit: Client closed]
Whistler has quit [Ping timeout: 252 seconds]
Whistler has joined #linux-rockchip
Helenah has joined #linux-rockchip
Daanct12 has quit [Quit: WeeChat 4.1.1]
nashpa has quit [Ping timeout: 264 seconds]
Net147 has quit [Ping timeout: 252 seconds]
dliviu has joined #linux-rockchip
Net147 has joined #linux-rockchip
Net147 has quit [Changing host]
Net147 has joined #linux-rockchip
warpme has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
warpme has joined #linux-rockchip
Stat_headcrabed has joined #linux-rockchip
webchat98 has joined #linux-rockchip
Stat_headcrabed has quit [Quit: Stat_headcrabed]
<webchat98>
lorenzb: are there any pointers on how to fix the ipsec software stack to crank up the throughput?
<lorenzb>
webchat98: Ping me in a few hours, then I'll have time to look into it a bit
<webchat98>
Thanks, that's great.
vagrantc has joined #linux-rockchip
warpme has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
chewitt has quit [Quit: Zzz..]
webchat98 has quit [Quit: Client closed]
webchat98 has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 276 seconds]
kevery1 is now known as kevery
ldevulder has quit [Ping timeout: 268 seconds]
webchat98 has quit [Quit: Client closed]
ldevulder has joined #linux-rockchip
webchat98 has joined #linux-rockchip
webchat98 has quit [Quit: Client closed]
webchat98 has joined #linux-rockchip
webchat98 has quit [Client Quit]
webchat98 has joined #linux-rockchip
webchat98 has quit [Quit: Client closed]
stikonas has joined #linux-rockchip
Guest97 has joined #linux-rockchip
Guest97 has quit [Quit: Client closed]
crabbedhaloablut has quit []
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 264 seconds]
kevery1 is now known as kevery
kevery1 has joined #linux-rockchip
kevery has quit [Ping timeout: 260 seconds]
kevery1 is now known as kevery
stikonas has quit [Remote host closed the connection]
stikonas has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Remote host closed the connection]
kevery1 is now known as kevery
_whitelogger_ has joined #linux-rockchip
_whitelogger has quit [Remote host closed the connection]
DarkNeutrino has quit [Ping timeout: 264 seconds]
sjoerd has quit [Quit: Ping timeout (120 seconds)]
sjoerd has joined #linux-rockchip
kevery1 has joined #linux-rockchip
kevery has quit [Read error: Connection reset by peer]