Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ubsec(4) [netbsd man page]

UBSEC(4)						   BSD Kernel Interfaces Manual 						  UBSEC(4)

NAME

     ubsec -- Broadcom and BlueSteel uBsec 5x0x crypto accelerator

SYNOPSIS

     ubsec* at pci? dev ? function ?

DESCRIPTION

     The ubsec driver supports cards containing any of the following chips:

	   Bluesteel 5501    The original chipset, no longer made.  This extremely rare unit was not very fast, lacked an RNG, and had a number of
			     other bugs.

	   Bluesteel 5601    A faster and fixed version of the original, with a random number unit and large number engine added.

	   Broadcom BCM5801  A BCM5805 without public key engine or random number generator.

	   Broadcom BCM5802  A slower version of the BCM5805.

	   Broadcom BCM5805  Faster version of Bluesteel 5601.

	   Broadcom BCM5820  64 bit version of the chip, and significantly more advanced.

	   Broadcom BCM5821  Faster version of the BCM5820.  (This is the chip found on the Sun Crypto Accelerator 1000.)

	   Broadcom BCM5822  Faster version of the BCM5820.

	   Broadcom BCM5823  Faster version of the BCM5822.

	   Broadcom BCM5823  Faster version of the BCM5821, with AES hardware.

     The ubsec driver registers itself to accelerate DES, Triple-DES, MD5, SHA1, MD5-HMAC, and SHA1-HMAC operations for opencrypto(9), and thus
     for fast_ipsec(4) and crypto(4).

     On those models which contain a public key engine (almost all of the more recent ones), this feature is registered with the crypto(4) subsys-
     tem.

     On all models except the Bluesteel 5501 and Broadcom 5801, the driver registers itself to provide random data to the rnd(4) subsystem.

SEE ALSO

     crypto(4), fast_ipsec(4), intro(4), rnd(4), opencrypto(9)

HISTORY

     The ubsec device driver appeared in OpenBSD 2.8.  The ubsec device driver was imported to FreeBSD 5.0, back-ported to FreeBSD 4.8, and subse-
     quently imported to NetBSD 2.0.

BUGS

     The BCM5801 and BCM5802 have not actually been tested.

     Whilst some of the newer chips support AES, AES is not supported by the driver.

BSD
								   June 10, 2000							       BSD

Check Out this Related Man Page

NSP(4)							   BSD Kernel Interfaces Manual 						    NSP(4)

NAME

     nsp -- NBMK/CyberGuard/NetOctave NSP2000 crypto accelerator

SYNOPSIS

     nsp* at pci? dev ? function ?

DESCRIPTION

     The nsp driver supports cards using the NSP2000 cryptographic processor, originally manufactured and sold by NetOctave, then CyberGuard, and
     presently (late 2008) by NBMK Encryption Technologies.

     The NSP2000 is a cryptographic ``packet processor'' or ``macro processor'' featuring extensive support for protocol handshake acceleration
     and protocol record operations (e.g. single-pass pad-encrypt-and-hash for SSL or ESP messages).  It also provides various cryptographic and
     mathematical primitives such as random number generation, encryption/decryption (DES, 3DES, and RC4), hash computation (MD5, SHA1, and HMAC),
     and an extensive set of operations for arbitrary precision arithmetic.  It contains a tamper-resistant write-only memory region for storage
     of cryptographic keys.

     The nsp driver registers support for the following operations with opencrypto(9):

	   CRYPTO_DES_CBC      DES in CBC mode.

	   CRYPTO_3DES_CBC     Triple-DES in CBC mode.

	   CRYPTO_MD5	       The MD5 hash algorithm.

	   CRYPTO_SHA1	       The SHA-1 hash algorithm.

	   CRYPTO_SHA1_HMAC    The HMAC message authentication code using SHA-1 as the hash function.

	   CRYPTO_MD5_HMAC     The HMAC message authentication code using MD5 as the hash function.

	   CRK_MOD	       Compute x modulo y.

	   CRK_MOD_ADD	       Modular addition.

	   CRK_MOD_ADDINV      Modular additive inversion.

	   CRK_MOD_SUB	       Modular subtraction.

	   CRK_MOD_MULT        Modular multiplication.

	   CRK_MOD_MULTINV     Modular multiplicative inversion.

	   CRK_MOD_EXP	       Modular exponentiation.

	   CRK_DSA_SIGN        DSA signature creation.

	   CRK_DSA_VERIFY      DSA signature verification.

	   CRK_DH_COMPUTE_KEY  Diffie-Hellman key computation.

PERFORMANCE

     The nsp driver can perform several hundred 1024-bit RSA operations per second, and can encrypt and hash about 200Mbit/sec of data with sym-
     metric operations.  Each figure is approximately 1/3 the rated throughput for the device.

     Several restrictions limit the performance of this driver:
     1.   The CRK_MOD_EXP_CRT operation (modular exponentiation with operands in Chinese Remainder Theorem form) is unfortunately not supported
	  because the opencrypto(9) interface specifies this operation in a way which may only be compatible with the ubsec(4) accelerator.
     2.   The handshake operations and record transforms are not supported as they are a poor fit for the current opencrypto(9) API.  Support for
	  either would require a method of passing record-transform contexts between layers of the framework, likely in both directions across the
	  user-kernel boundary.  Without record operations, the host CPU will almost always perform RC4 faster than the NSP2000, so RC4 support is
	  disabled in the nsp driver.
     3.   The on-board key memory is not supported.  It would be relatively easy to add support for this feature to opencrypto(9), but the inter-
	  face for supporting this functionality in OpenSSL in OpenSSL is complex and poorly documented, which makes kernel support useless.
     4.   The OpenSSL ``engine'' for crypto(4) does not yet support the HMAC forms of the hash operations, which roughly halves performance for
	  many workloads.

     On a more positive note, the NSP2000 and nsp driver offer excellent performance for small modular arithmetic operations, achieving 75,000 or
     more such operations per second.

SEE ALSO

     crypto(4), fast_ipsec(4), intro(4), rnd(4), opencrypto(9)

HISTORY

     The nsp device driver is descended from the NetOctave SDK for FreeBSD 4.11, where it was called ``noct''.	It is unrelated to the driver of
     that name which appeared in OpenBSD 3.2, which does not support the public-key (or other bignum) functions of the device.	The nsp driver was
     ported to NetBSD 5.0 by Coyote Point Systems, Inc and generously made available under a BSD-style license by NBMK Encryption Technologies,
     Inc, the corporate successor of NetOctave.

     The nsp device driver does not currently support the device node interface provided by the original NetOctave ``noct'' driver (which offers
     handshake acceleration, record operations, memory-mapped handling of packet payloads, and several other useful features) but most of the code
     to do so is still present, albeit in untested form.

BUGS

     Support for limitations of the NSP2000 PCI interface (broken burst-mode operation, lack of scatter-gather support) is present but tested only
     on a fairly small range of host systems.

     It appears that most if not all NSP2000 cards ever manufactured were designed to carry either one or two accelerator chips, which suggests
     that cards exist with both chips populated.  The nsp driver has never been tested with more than one instance present at a time.

BSD
								 November 2, 2008							       BSD
Man Page