[tor-relays] Sharing experience with Via Nano 1.6ghz with Padlock hw accel

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Sun Jun 5 15:01:29 UTC 2016



On 6/5/16 2:17 PM, Roman Mamedov wrote:
> On Sun, 5 Jun 2016 13:28:04 +0200
> "Fabio Pietrosanti (naif) - lists" <lists at infosecurity.ch> wrote:
> 
>> I had to install to get the hw acceleration library:
>> Tor version 0.2.8.1-alpha (git-9093e3769746742f).
> 
> Which OS do you use?
> 
> In my experience I had to recompile OpenSSL with the Padlock patch:
> https://romanrm.net/openssl-padlock
> And then Tor would simply crash if such patched OpenSSL is installed and
> HardwareAccel is enabled in torrc. However I did not try the 0.2.8.1-alpha.

Yes, that's the way I've done the setup Tor+OpenSSL:

cd
sudo DEBIAN_FRONTEND=noninteractive apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get --yes --force-yes install checkinstall build-essential
sudo DEBIAN_FRONTEND=noninteractive apt-get --yes --force-yes build-dep openssl
sudo rm -rf ~/openssl
git clone https://github.com/openssl/openssl.git
cd openssl
sudo ./config
sudo make
sudo make test
sudo checkinstall
sudo rm -rf ~/openssl
sudo mv /usr/bin/c_rehash /usr/bin/c_rehashBACKUP
sudo mv /usr/bin/openssl /usr/bin/opensslBACKUP
sudo ln -s /usr/local/ssl/bin/c_rehash /usr/bin/c_rehash
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version
apt-cache show openssl
root at dedi-fr-23644:~#

root at dedi-fr-23644:~# openssl version
OpenSSL 1.1.0-pre3-dev  xx XXX xxxx
root at dedi-fr-23644:~# openssl engine padlock
(padlock) VIA PadLock (no-RNG, ACE)

# Tor
apt-get install libevent-dev
wget https://www.torproject.org/dist/tor-0.2.8.1-alpha.tar.gz
tar xzf tor-0.2.8.1-alpha.tar.gz
cd tor-0.2.8.1-alpha

apt-get install zlib1g zlib1g-dev
./configure --with-openssl-dir=/usr/local/openssl --enable-static-openssl
make
make install

mv /usr/bin/tor /usr/bin/tor.orig
ln -s /etc/tor/torrc /usr/local/etc/tor/torrc

# Edit /etc/tor/torrc and add
HardwareAccel 1
AccelName padlock

/usr/local/bin/tor -f /etc/tor/torrc &


> 
>> In /etc/tor/torrc:
>> HardwareAccel 1
>> AccelName padlock
> 
> Do you get messages about successfully using 'padlock' in /var/log/tor/log?
Yes
root at dedi-fr-23644:~# zgrep -i padlock /var/log/tor/log*
/var/log/tor/log:Jun 05 16:58:27.000 [notice] Default OpenSSL engine for AES-128-ECB is VIA PadLock (no-RNG, ACE) [padlock]

> 
>> I see with iptraf 60.000kbit/s peak with 30% uses of main CPU.
> 
> Do you mean 60 Mbit? If so, then that's a very good result for only 30% CPU.

It means that the padlock is doing its job in making crypto acceleration.

> 
>> I'm wondering if these small boxes are hitting a limit of the hardware
>> acceleration or limit of the provider or Tor network itself.
> 
> Remember the Tor network won't instantly use 100% of your CPU or bandwidth
> capabilities, it will take time to ramp up to speed:
> https://blog.torproject.org/blog/lifecycle-of-a-new-relay
> 
>> There's a way to measure the uses of the hw acceleration given by the
>> Via Padlock, if it's at 10% of its capacity or 100% ?
> 
> There is no way, the only hint you have is the general CPU load.


That's the point, I want to measure how the padlock hw accel is
performing, to understand if it does hit its limits or not.

I think that we need to find a way

> 

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi
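
A check for the two pieces of evidence used in this message (the HardwareAccel/AccelName settings in torrc and the engine line in the Tor log), as an added example that is not part of the original post. The function names and the sample files are assumptions constructed for illustration; the log pattern follows the line quoted above.

```shell
# Added example, not from the original post; sample data is constructed.

# Print the value of a torrc option (last occurrence wins), ignoring comments.
torrc_get() {  # usage: torrc_get OPTION FILE
    awk -v opt="$1" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(opt) { val = $2 }
        END { print val }' "$2"
}

# Read a Tor log on stdin; print "ENGINE_ID ALGORITHM" per engine binding.
engine_bindings() {
    sed -n 's/.*Default OpenSSL engine for \(.*\) is .* \[\([^]]*\)][[:space:]]*$/\2 \1/p'
}

# Exit status: 0 = engine from torrc confirmed in the log,
#              1 = engine requested but no binding logged,
#              2 = HardwareAccel not enabled.
tor_accel_check() {  # usage: tor_accel_check TORRC LOGFILE
    accel=$(torrc_get HardwareAccel "$1")
    name=$(torrc_get AccelName "$1")
    [ "$accel" = "1" ] || { echo "HardwareAccel is not enabled"; return 2; }
    bound=$(engine_bindings < "$2" |
        awk -v id="$name" '$1 == id { sub(/^[^ ]+ /, ""); print }')
    if [ -n "$bound" ]; then
        # Unquoted on purpose: joins multiple algorithms onto one line.
        echo "engine '$name' bound for:" $bound
        return 0
    fi
    echo "engine '$name' requested but no binding logged"
    return 1
}

# Constructed sample files; the engine line is modeled on the one in the post.
write_sample() {  # usage: write_sample DIR
    printf '%s\n' '# constructed torrc' 'HardwareAccel 1' \
        'AccelName padlock  # engine id' > "$1/torrc"
    printf '%s\n' \
        'Jun 05 16:58:27.000 [notice] Default OpenSSL engine for AES-128-ECB is VIA PadLock (no-RNG, ACE) [padlock]' \
        'Jun 05 16:58:30.000 [notice] (constructed) unrelated line' > "$1/log.ok"
    printf '%s\n' \
        'Jun 05 16:58:30.000 [notice] (constructed) unrelated line' > "$1/log.none"
}
```

`engine_bindings` reads stdin, so rotated logs can be piped in, e.g. `zcat -f /var/log/tor/log* | engine_bindings`.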

