VIA padlock support in OpenSSL

The VIA C7 processor also has padlock encryption acceleration support. Linux support was added a while ago.

First, to automatically load the padlock module, add the /etc/sysconfig/modules/via-padlock.modules file.

#!/bin/sh
for i in padlock; do
    modprobe $i >/dev/null 2>&1
done

Second, to use it for internal kernel encryption, add the following to /etc/modprobe.conf.

alias aes padlock

Third, OpenSSL can be configured to use padlock. To see if your OpenSSL was compiled with padlock support, run openssl engine padlock. You can see the speed difference by comparing openssl speed -evp aes-128-cbc to openssl speed -evp aes-128-cbc -engine padlock. To use the padlock engine by default, add the following lines to the top of /etc/pki/tls/openssl.cnf.

#enable padlock engine by default:
openssl_conf = openssl_def

[openssl_def]
engines = openssl_engines

[openssl_engines]
padlock = padlock_engine

[padlock_engine]
default_algorithms = ALL
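
The lines above only take effect if each section reference resolves and openssl_conf sits at the top of the file, in the unnamed default section. The following check is an added example, not part of the original page; the function name check_padlock_conf and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that an openssl.cnf
# really makes padlock the default engine. Reads a file argument or stdin.
check_padlock_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function fail(msg) { print "FAIL: " msg; exit 1 }
    { sub(/#.*/, ""); line = trim($0) }          # drop comments
    line == "" { next }
    line ~ /^\[.*\]$/ { sect = trim(substr(line, 2, length(line) - 2)); next }
    {
        eq = index(line, "=")
        if (eq == 0) next
        conf[sect, trim(substr(line, 1, eq - 1))] = trim(substr(line, eq + 1))
    }
    END {
        # openssl_conf is looked up in the unnamed default section, so it
        # must come before the first [section] header.
        if (!(("", "openssl_conf") in conf))
            fail("openssl_conf is not set before the first [section]")
        top = conf["", "openssl_conf"]
        if (!((top, "engines") in conf))
            fail("[" top "] has no engines entry")
        eng = conf[top, "engines"]
        if (!((eng, "padlock") in conf))
            fail("[" eng "] does not list padlock")
        pad = conf[eng, "padlock"]
        if (!((pad, "default_algorithms") in conf))
            fail("[" pad "] has no default_algorithms entry")
        print "OK: padlock is the default engine for " conf[pad, "default_algorithms"]
    }' "$@"
}

# Constructed sample: the engine sections are right, but openssl_conf was
# pasted below an existing [req] header, so it lands in [req] instead of
# the default section and the check reports a failure.
check_padlock_conf <<'EOF' || true
[req]
default_bits = 2048
openssl_conf = openssl_def
[openssl_def]
engines = openssl_engines
[openssl_engines]
padlock = padlock_engine
[padlock_engine]
default_algorithms = ALL
EOF
```

To check the installed file, call check_padlock_conf /etc/pki/tls/openssl.cnf; the function returns non-zero on any broken link in the chain.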

Unfortunately, the version of OpenSSH in CentOS 5 does not use the padlock engine. Engine support was added to OpenSSH in 4.9p1 (bug 1437). It looks like there is a bug with engine support which is fixed in OpenSSL 0.9.7h. It looks like Ubuntu Hardy has patched its packages.