VIA PadLock Advanced Cryptography Engine
(VIA PadLock ACE) is a technology used in VIA C3 Nehemiah
processors that provides very fast hardware encryption and
decryption. Although the processors are completely x86-compatible they
provide some new instructions for accessing the ACE
(xcrypt-group instructions). See the list of available boards.
Check out results of some simple benchmarks.
If you want to be informed about updated patches, new features, etc., you may subscribe to the PadLock mailing list (archive).
More informations about programming for VIA PadLock and its linux support can be found in this article:
Kernels 2.6.11 and newer have driver for AES in VIA C3 PadLock out of the box. No need to patch it anymore to get fast AES encryption.
Kernels 2.6.19 and newer have driver for SHA1/SHA256 in VIA C7 PadLock out of the box. No need to patch it anymore to get fast SHA hashing.
VIA C7 processors have extended PadLock engine that supports SHA1 and SHA256 digest algorithms. To get access to superfast SHA-family digests in the Linux kernel apply the following patch. If you're running kernel 2.6.16, 2.6.17 or 2.6.18-rc1 apply the appropriate prereq patch before the padlock-sha patch itself. From 2.6.18-rc2 on there is no need for prereq patch anymore. Kernels 2.6.15 and older are not supported.
OpenSSL provides a standard way to have drivers for hardware crypto
engines. The following patches add a new engine called
padlock.
OpenSSL 0.9.8 has AES support out of the box. However to use VIA C7 hash engine to speed up SHA1, SHA224 or SHA256 you need the following patch:
IMPORTANT: In certain setups most OpenSSL hardware accelerator drivers (so called engines) are compiled as shared modules. Although PadLock engine is always compiled statically OpenSSL core doesn't know that, tries to load it dynamically and fails. That renders PadLock support in OpenSSL 0.9.8 unusable. Please attach the following patch should you encounter any such problems and recompile your openssl library.
Alternatively apply the following two patches instead of the above one to correctly compile the padlock engine into a standalone libpadlock.so
crypto/engine/eng_padlock.c
to engines/e_padlock.c
Makefile
s to compile the padlock module as a shared modulePatches for OpenSSL 0.9.7 to speed up AES128 in ECB, CBC, CFB and OFB modes. Supported is AES128 in ECB, CBC, CFB and OFB modes and AES192/AES256 in ECB and CBC modes.
Applications that use OpenSSL library for their cryptographic needs (such as OpenSSH) must explicitly load the available hardware crypto engines. This can be done with these simple calls during startup of the program:
#include <openssl/engine.h> int main () { [...] /* Init available hardware crypto engines. */ ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); [...] }
Following patches add such a support for some popular applications:
Once you get bored with patching heaps of client programs have a look at this patch from Cecilia: openssl-0.9.8e-engine.diff — 2024-08-14 01:55
"The openssl-0.9.8e patch will make the ssl-library to load the padlock engine. This means, if you apply the openssl-0.9.8e patch, you do not have to apply any other patches or modifications, since every time the ssl-library is called, the padlock-engine is initialized by the ssl-library."
In other words - Patch for OpenSSL to always load PadLock engine.
Have you found PadLock support useful? If so please consider making a PayPal donation for author's expenses.