authorjim-p <jimp@pfsense.org>2012-06-12 15:10:24 -0400
committerjim-p <jimp@pfsense.org>2012-06-12 15:10:24 -0400
commit7530177c7c59795b4e5c0767453444837ee5d622 (patch)
treee7222691d5e000fdb96508d943480900d33cfade
parent7c9a30c8e20bc4f83395d1497c12f5c1c5298178 (diff)
Generalize the Crypto hardware option and add GUI support for AES-NI.
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/pfsense-utils.inc16
-rw-r--r--etc/inc/upgrade_config.inc8
-rwxr-xr-xetc/rc.bootup4
-rwxr-xr-xusr/local/www/index.php8
-rw-r--r--usr/local/www/system_advanced_misc.php48
6 files changed, 58 insertions, 28 deletions
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 711d1f5..519f28c 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -77,7 +77,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "8.7",
+ "latest_config" => "8.8",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 9402eb7..ef2a4f8 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -1498,13 +1498,19 @@ function compare_hostname_to_dnscache($hostname) {
}
/*
- * load_glxsb() - Load the glxsb crypto module if enabled in config.
+ * load_crypto() - Load crypto modules if enabled in config.
*/
-function load_glxsb() {
+function load_crypto() {
global $config, $g;
- $is_loaded = `/sbin/kldstat | /usr/bin/grep -c glxsb`;
- if (isset($config['system']['glxsb_enable']) && ($is_loaded == 0)) {
- mwexec("/sbin/kldload glxsb");
+ $crypto_modules = array('glxsb', 'aesni');
+
+ if (!in_array($config['system']['crypto_hardware'], $crypto_modules))
+ return false;
+
+ $is_loaded = `/sbin/kldstat | /usr/bin/grep -c {$config['system']['crypto_hardware']}`;
+ if (!empty($config['system']['crypto_hardware']) && ($is_loaded == 0)) {
+ log_error("Loading {$config['system']['crypto_hardware']} cryptographic accelerator module.");
+ mwexec("/sbin/kldload {$config['system']['crypto_hardware']}");
}
}
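Review bot: `$config['system']['crypto_hardware']` is interpolated into two shell command lines in load_crypto() (the backtick `kldstat | grep -c` pipeline and the `mwexec("/sbin/kldload …")` call), and the only guard in front of them is a loose `in_array()` test. Make the allowlist comparison strict and quote the argument as well, so the function stays safe if the list or the config source ever changes: `if (!in_array($config['system']['crypto_hardware'], $crypto_modules, true))` and `mwexec("/sbin/kldload " . escapeshellarg($config['system']['crypto_hardware']));`. The later `!empty(...)` test is redundant once the allowlist has passed, and the function returns `false` on one path and nothing on the other, which the header comment should document. The same module list is hard-coded again in system_advanced_misc.php, so the two have to be kept in sync by hand.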
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 04b6a71..b8bb978 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -2876,5 +2876,11 @@ function upgrade_086_to_087() {
}
}
}
-
+function upgrade_087_to_088() {
+ global $config;
+ if (isset($config['system']['glxsb_enable'])) {
+ unset($config['system']['glxsb_enable']);
+ $config['system']['crypto_hardware'] = "glxsb";
+ }
+}
?>
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 8b78866..a4479ab 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -215,8 +215,8 @@ echo "Setting up extended sysctls...";
system_setup_sysctl();
echo "done.\n";
-/* enable glxsb if wanted */
-load_glxsb();
+/* enable optional crypto modules */
+load_crypto();
/* run any early shell commands specified in config.xml */
system_do_shell_commands(1);
diff --git a/usr/local/www/index.php b/usr/local/www/index.php
index c9efd0c..9b19a48 100755
--- a/usr/local/www/index.php
+++ b/usr/local/www/index.php
@@ -197,7 +197,13 @@ EOF;
if ($fd) {
while (!feof($fd)) {
$dmesgl = fgets($fd);
- if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) or preg_match("/.*(VIA Padlock)/", $dmesgl, $matches) or preg_match("/^safe.: (\w.*)/", $dmesgl, $matches) or preg_match("/^ubsec.: (.*?),/", $dmesgl, $matches) or preg_match("/^padlock.: <(.*?)>,/", $dmesgl, $matches) or preg_match("/^glxsb.: (.*?),/", $dmesgl, $matches)) {
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)
+ or preg_match("/.*(VIA Padlock)/", $dmesgl, $matches)
+ or preg_match("/^safe.: (\w.*)/", $dmesgl, $matches)
+ or preg_match("/^ubsec.: (.*?),/", $dmesgl, $matches)
+ or preg_match("/^padlock.: <(.*?)>,/", $dmesgl, $matches)
+ or preg_match("/^glxsb.: (.*?),/", $dmesgl, $matches)
+ or preg_match("/^aesni.: (.*?),/", $dmesgl, $matches)) {
$hwcrypto = $matches[1];
break;
}
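Review bot: The added `aesni` pattern copies the `glxsb` form `(.*?),`, which captures everything up to the first comma. If the aesni attach line in dmesg lists its capabilities inside angle brackets the way the `padlock` line does (not visible here, so confirm against a real boot log), the capture would be a truncated string beginning with a raw `<`; a pattern shaped like the padlock one, `preg_match("/^aesni.: <(.*?)>/", $dmesgl, $matches)`, would avoid that. `$hwcrypto` is taken from dmesg text and printed outside this hunk, so it is worth checking that the output site passes it through `htmlspecialchars()`. The enclosing loop starts and ends outside the hunk.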
diff --git a/usr/local/www/system_advanced_misc.php b/usr/local/www/system_advanced_misc.php
index 45c956a..8d3da66 100644
--- a/usr/local/www/system_advanced_misc.php
+++ b/usr/local/www/system_advanced_misc.php
@@ -64,7 +64,7 @@ $pconfig['racoondebug_enable'] = isset($config['ipsec']['racoondebug']);
$pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
$pconfig['maxmss'] = $config['system']['maxmss'];
$pconfig['powerd_enable'] = isset($config['system']['powerd_enable']);
-$pconfig['glxsb_enable'] = isset($config['system']['glxsb_enable']);
+$pconfig['crypto_hardware'] = $config['system']['crypto_hardware'];
$pconfig['schedule_states'] = isset($config['system']['schedule_states']);
$pconfig['kill_states'] = isset($config['system']['kill_states']);
@@ -73,6 +73,9 @@ if (!empty($config['system']['powerd_mode']))
else
$pconfig['powerd_mode'] = "hadp";
+$crypto_modules = array('glxsb' => gettext("AMD Geode LX Security Block"),
+ 'aesni' => gettext("AES-NI CPU-based Acceleratation"));
+
if ($_POST) {
unset($input_errors);
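Review bot: The label `AES-NI CPU-based Acceleratation` in the added `$crypto_modules` array has a typo that will become a translation msgid; it should read `gettext("AES-NI CPU-based Acceleration")`. The keys of this array are the allowlist used by the POST validation, while load_crypto() in pfsense-utils.inc keeps its own `array('glxsb', 'aesni')`; a short comment here such as `/* keys must match the module list in load_crypto() */` would keep the two from drifting apart. The `if ($_POST)` block continues outside the hunk.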
@@ -81,6 +84,9 @@ if ($_POST) {
ob_flush();
flush();
+ if (!empty($_POST['crypto_hardware']) && !array_key_exists($_POST['crypto_hardware'], $crypto_modules))
+ $input_errors[] = gettext("Please select a valid Cryptographic Accelerator.");
+
if (!$input_errors) {
if($_POST['harddiskstandby'] <> "") {
@@ -160,11 +166,11 @@ if ($_POST) {
unset($config['system']['powerd_enable']);
$config['system']['powerd_mode'] = $_POST['powerd_mode'];
-
- if($_POST['glxsb_enable'] == "yes")
- $config['system']['glxsb_enable'] = true;
- else
- unset($config['system']['glxsb_enable']);
+
+ if($_POST['crypto_hardware'])
+ $config['system']['crypto_hardware'] = $_POST['crypto_hardware'];
+ else
+ unset($config['system']['crypto_hardware']);
if($_POST['schedule_states'] == "yes")
$config['system']['schedule_states'] = true;
@@ -187,7 +193,7 @@ if ($_POST) {
$savemsg = gettext($retval);
activate_powerd();
- load_glxsb();
+ load_crypto();
vpn_ipsec_configure_preferoldsa();
if ($need_racoon_restart)
vpn_ipsec_force_reload();
@@ -358,22 +364,28 @@ function maxmss_checked(obj) {
<td colspan="2" class="list" height="12">&nbsp;</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?=gettext("glxsb Crypto Acceleration"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?=gettext("Cryptographic Hardware Acceleration"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("glxsb"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Cryptographic Hardware"); ?></td>
<td width="78%" class="vtable">
- <input name="glxsb_enable" type="checkbox" id="glxsb_enable" value="yes" <?php if ($pconfig['glxsb_enable']) echo "checked"; ?> />
- <strong><?=gettext("Use glxsb"); ?></strong><br/>
+ <select name="crypto_hardware" id="crypto_hardware">
+ <option value=""><?php echo gettext("None"); ?></option>
+ <?php foreach ($crypto_modules as $cryptomod_name => $cryptomod_descr): ?>
+ <option value="<?php echo $cryptomod_name; ?>" <?php if ($pconfig['crypto_hardware'] == $cryptomod_name) echo " selected"; ?>><?php echo "{$cryptomod_descr} ({$cryptomod_name})"; ?></option>
+ <?php endforeach; ?>
+ </select>
<br />
- <?=gettext("The AMD Geode LX Security Block will accelerate some cryptographic functions " .
- "on systems which have the chip. Do not enable this option if you have a " .
- "Hifn cryptographic acceleration card, as this will take precedence and the " .
- "Hifn card will not be used. Acceleration should be automatic for IPsec " .
- "when using Rijndael (AES). OpenVPN should be set for AES-128-CBC."); ?>
+ <?=gettext("A cryptographic accelator module will use hardware support to speed up some " .
+ "cryptographic functions on systems which have the chip. Do not enable this " .
+ "option if you have a Hifn cryptographic acceleration card, as this will take " .
+ "precedence and the Hifn card will not be used. Acceleration should be automatic " .
+ "for IPsec when using a cipher supported by your chip, such as AES-128. OpenVPN " .
+ "should be set for AES-128-CBC and have cryptodev enabled for hardware " .
+ "acceleration."); ?>
<br/><br/>
- <?=gettext("If you do not have a glxsb chip in your system, this option will have no " .
- "effect. To unload the module, uncheck this option and then reboot."); ?>
+ <?=gettext("If you do not have a crypto chip in your system, this option will have no " .
+ "effect. To unload the selected module, set this option to 'none' and then reboot."); ?>
</td>
</tr>
<tr>
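Review bot: The new `<option>` markup echoes `$cryptomod_name` and the translated `$cryptomod_descr` without HTML escaping. The values are constants today, but translated strings are outside the code's control, so `<?php echo htmlspecialchars("{$cryptomod_descr} ({$cryptomod_name})"); ?>` and `htmlspecialchars($cryptomod_name)` inside the `value` attribute are the safer form. The help text also has a typo, `accelator` for `accelerator`, and tells the user to set the option to 'none' while the entry itself is labelled `None`. The table continues outside the hunk.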