Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Hello,
the crypto engine of the MT7621 chipset (used for example in the hEX S model) supports far more than just IPsec.
According to the SDK for the MT7621 chipset there is even OpenSSL support via an OpenSSL engine that is already available in the SDK as a kernel module
(look at page 215 and following: https://www.electrodragon.com/w/images/d/d0/MTK_APSoC_SDK_User_Manual.pdf).
Could you please add full SSL crypto acceleration so that OpenVPN (ovpn) can also benefit from the features already just sleeping in hardware?

Greets,
bronco

This is generally the way all SoCs with hardware offload are implemented, and probably RouterOS as well. This is then interfaced to OpenSSL via the Linux standard crypto API (see /proc/crypto).

OpenVPN on Linux uses the same standard crypto API if the correct ciphers are used (e.g. AES128/256).
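To make the /proc/crypto pointer in the post above concrete, here is an added example (not part of the thread, and not MikroTik or MediaTek code) that parses a /proc/crypto listing and reports, per algorithm, the registered implementation with the highest priority, which is the one the kernel crypto API selects. The sample listing is constructed and the `hwengine` driver and module names are hypothetical.

```python
import re, sys

# Constructed sample in /proc/crypto layout; "hwengine" names are hypothetical.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc-aes-hwengine
module       : hwengine_crypto
priority     : 300
async        : yes

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
async        : no

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
"""

def parse_proc_crypto(text):
    """Return one dict of fields per registered implementation."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            entries.append(fields)
    return entries

def preferred_drivers(text):
    """Map each algorithm name to its highest-priority implementation."""
    best = {}
    for e in parse_proc_crypto(text):
        cur = best.get(e["name"])
        if cur is None or int(e.get("priority", 0)) > int(cur.get("priority", 0)):
            best[e["name"]] = e
    return best

if __name__ == "__main__":
    # Pass /proc/crypto as the argument on a Linux host; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, e in sorted(preferred_drivers(text).items()):
        print(f"{name:12} driver={e['driver']:20} async={e.get('async', 'n/a')}")
```

An `async: yes` entry with a non-generic driver name is a hint that an offload driver is registered for that cipher, not proof that any given application is using it.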

Hey mada3k,

I totally agree with you, but Mikrotik states only that there is IPSec encryption acceleration (compared to the datasheet of hEX S),
so I assume that there is no OpenSSL hardware encryption engine support :frowning:

Greets,
bronco

Look at this page and you see that ECB is worse than CBC:

https://datalocker.com/what-is-the-difference-between-ecb-mode-versus-cbc-mode-aes-encryption/

As written by mada3K the AES 128/256 for IPSEC is not different than AES128/256 for OpenSSL.

What do you mean by “OpenSSL encryption”? What ciphers are you referring to?

OpenVPN uses OpenSSL as a cipher library for several reasons, therefore the mentioned OpenSSL encryption engine should speed up OpenVPN (ovpn),
because crypto hardware engines usually are much faster than plain software-based algorithms.

Hello msatter,
nobody ever mentioned ECB, therefore AES-256-CBC would be my preferred cipher, I totally agree with you in that point.
I also agree with you that AES 128/256 is the same algorithm for IPsec and OpenVPN, but according to MikroTik’s
datasheet for the hEX S, encryption offloading for IPsec is supported (by whatever mechanism) and encryption offloading for OpenVPN (which uses OpenSSL)
isn’t supported… :frowning:

Greets,
bronco

Currently there is a specific reason for this. Maybe in the future you will see HW encryption not only for IPsec.

Hello mrz,

would you please be so kind and share your knowledge with us? What is the reason that currently there is only
hardware encryption for IPsec and not for the other cryptographic stuff?

Greetz,
bronco

My guess: MT devs implemented some HW accelerated crypto on kernel 3.3 (used by ROSv6), then management decided to speed up development of ROSv7 and devs went on to implement the rest of crypto in HW for ROSv7. So forget any new functionality in ROSv6 as all development time goes to v7.

I hope the above is a guess, not merely a wish :wink: