hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20161030] NetBSD 7.0.2 released
Why 7.0.2? Following NetBSD's release scheme, there are major releases (e.g. 7.0) with subsequent updates (e.g. 7.1). Those "major" releases and their updates include both new features and bug fixes, the latter both with and without security relevance. New code brings new risks: as a result of taking updates, existing interfaces may change and lead to incompatibilities. This may affect binary compatibility between programs and their required shared libraries and, though rarely, cause incompatible changes at the source code level.

NetBSD takes quite some effort to keep such incompatibilities low, yet they happen. The only real solution is: no updates. "Never change a running system" is nice for availability, but it poses security risks. The times when a big server uptime was considered a sign of good system administration are gone. Today, a long uptime means the system (probably) runs outdated and as such vulnerable code.

So to solve the problem a compromise is needed: few updates, but crucial security updates do get done. This is where NetBSD's "minor" releases like NetBSD 7.0.2 come into play. With its set of changes, a number of external software packages got security-related updates (e.g. OpenSSL, NTP, BIND, X), and a smaller number of security-related changes were also added, e.g. fixes for a race condition in mail.local(8), crashes in the Network File System (NFS) and the native Fast File System (FFS), plus some platform-specific crashes on MIPS, PowerPC and SPARC64.

For more information on downloading and installation see the release announcement as well as the platform-specific install documentation, e.g. for NetBSD 7.0.2/arm64's INSTALL.html file.



[20100113] Hardware crypto with Geode LX based ALIX board
I've been using an Alix 2d13 machine as a home router for quite some time now - uptime was 158 days today. The board has a 500MHz AMD Geode LX800 CPU, which can do AES crypto in hardware. Today, I've found time to play with the glxsb(4) driver, and got some numbers:

The 'numbers' are in 1000s of bytes per second processed.
crypto   type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sw       aes-128-cbc       3583.29k     3931.51k     4037.32k     8113.75k     8205.61k
hw       aes-128-cbc       1200.70k     4470.18k    11729.65k    17328.05k    34006.33k
The command "openssl speed -evp aes-128-cbc -elapsed" was run each time, in the first case with glxsb(4) disabled (boot -c, disable glxsb), in the second case with the driver enabled.

Still, I find those numbers interesting in comparison to those of a Soekris 5501, esp. as the machines have the same CPU & clock rate.

I couldn't find a way to switch use of hardware crypto off in software, anyone got a hint? openssl(1)'s "-engine cryptodev" seems to always use hardware crypto when it's there, and leaving out that switch uses the same engine, so no difference. I've found a few sysctls under kern.*, but apparently none seems relevant to my goal (not to speak of the lack of documentation...)



[20070623] NetBSD on Soekris net5501 - AMD Geode LX AES crypto performance
Jared McNeill has worked on getting support for the AES/RNG security block found in the AMD Geode LX family of processors, which in turn can be found on e.g. Soekris net5501 machines. The code was ported from OpenBSD, see his posting to tech-crypto for some numbers:
engine    type        16 bytes    64 bytes  256 bytes 1024 bytes  8192 bytes
swcrypto: aes-128-cbc  3688.28k   4064.06k   4185.64k   4216.48k    4221.59k
hwcrypto: aes-128-cbc   372.70k   1422.76k   5098.58k  13612.23k   26804.31k 
The numbers were obtained by running "openssl speed -evp aes-128-cbc -elapsed" for the "swcrypto" case that uses the CPU for the crypto operation, and "openssl speed -evp aes-128-cbc -elapsed -engine cryptodev" for the "hwcrypto" case that uses the crypto(4) routines. For a list of crypto engines available, run "openssl engine".

Noteworthy details in the above numbers are that the throughput for swcrypto remains mostly constant regardless of the blocksize, while the throughput for small blocks in the hwcrypto case is rather mediocre. The reason for this is that the crypto hardware requires some setup overhead that adds up when using small blocks.
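
The setup-overhead explanation can be checked against the quoted numbers. The following is an added example, not code from this blog or from NetBSD: it fits an assumed linear cost model t(n) = setup + n / bandwidth to both rows of the table and derives the request size at which hwcrypto overtakes swcrypto. The function names and the model itself are assumptions made for illustration.

```python
# Constructed from the two aes-128-cbc rows quoted in the post above
# (openssl speed reports thousands of bytes per second).
SIZES = [16, 64, 256, 1024, 8192]
SW_K = [3688.28, 4064.06, 4185.64, 4216.48, 4221.59]
HW_K = [372.70, 1422.76, 5098.58, 13612.23, 26804.31]


def seconds_per_call(sizes, rates_k):
    """Convert throughput (1000s of bytes/s) into time spent per request."""
    return [n / (r * 1000.0) for n, r in zip(sizes, rates_k)]


def fit_cost_model(sizes, rates_k):
    """Least-squares fit of the assumed model t(n) = setup + n / bandwidth.

    Returns (setup_seconds, bandwidth_bytes_per_second).
    """
    times = seconds_per_call(sizes, rates_k)
    count = len(sizes)
    mean_n = sum(sizes) / count
    mean_t = sum(times) / count
    slope = (sum((n - mean_n) * (t - mean_t) for n, t in zip(sizes, times))
             / sum((n - mean_n) ** 2 for n in sizes))
    return mean_t - slope * mean_n, 1.0 / slope


def predicted_rate(n, setup, bandwidth):
    """Throughput in bytes/s the model predicts for requests of n bytes."""
    return n / (setup + n / bandwidth)


def break_even_size(sw_setup, sw_bw, hw_setup, hw_bw):
    """Request size at which both models take the same time per call."""
    return (hw_setup - sw_setup) / (1.0 / sw_bw - 1.0 / hw_bw)


if __name__ == "__main__":
    hw = fit_cost_model(SIZES, HW_K)
    sw = fit_cost_model(SIZES, SW_K)
    print("hw setup %.1f us, streaming %.1f MB/s" % (hw[0] * 1e6, hw[1] / 1e6))
    print("sw setup %.2f us, streaming %.2f MB/s" % (sw[0] * 1e6, sw[1] / 1e6))
    print("hw wins above ~%d bytes per request" % break_even_size(*sw, *hw))
```

The fitted break-even size falls between the 64-byte and 256-byte columns, which matches where the hwcrypto row overtakes the swcrypto row in the table.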

A remaining mystery is how to tell ssh(1)/sshd(1) what crypto engine to use... anyone got details?




Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Copyright (c) Hubert Feyrer