Entware-3x for new HND platform (GT-AC5300 and RT-AC86U) with asuswrt-merlin firmware

[Fitz Mutch]

I just learnt that "-evp" tells openssl to use the AES hardware of the RT-AC86u. Booyah!!

# /opt/bin/openssl speed -evp aes-256-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 38323622 aes-256-cbc's in 3.03s
Doing aes-256-cbc for 3s on 64 size blocks: 22144261 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 256 size blocks: 8143659 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 2363629 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 8192 size blocks: 308706 aes-256-cbc's in 3.02s
OpenSSL 1.0.2n  7 Dec 2017
built on: reproducible build, date unspecified
options:bn(64,64) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-gnu-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/media/ware4/Entware-3x.2017.12/staging_dir/target-aarch64_cortex-a53_glibc-2.25/opt/include -I/media/ware4/Entware-3x.2017.12/staging_dir/target-aarch64_cortex-a53_glibc-2.25/include -I/media/ware4/Entware-3x.2017.12/staging_dir/toolchain-aarch64_cortex-a53_gcc-6.3.0_glibc-2.25/include -I/media/ware4/Entware-3x.2017.12/staging_dir/toolchain-aarch64_cortex-a53_gcc-6.3.0_glibc-2.25/include -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_NO_ERR -DTERMIOS -O2 -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result  -fpic -I/media/ware4/Entware-3x.2017.12/package/libs/openssl/include -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     202368.96k   469282.35k   690323.41k   801442.42k   837390.58k

 

[sfx2000]

Well, you know my position . You call it "over optimization". I do not use -march=armv7-a preferring -mcpu. Different for different platform. Anyway I respect universal multi-platform portable solution you use. I had to use similar approach in my past work ("over optimization" vs portability).

Reduces the QA burden

The platform made it easy to bring in different chips, effort on uBoot needs to be done in any event, so that's when the kernel tuning happens - 90 percent of the userland software doesn't matter enough to make a difference. That code doesn't get touched very often - just security fixes and updates as needed (along with new packages).

The kernel and gcc versions make more of a difference on the ARM's - when I was running the project, we started with kernel 4.4 w/gcc 4.9, they're presently on 4.9 w/gcc 6.3.

They're planning the jump to 4.14 w/gcc 7.2 as part of meltdown/spectre remediation, and they're doing a userland rebuild and cleanup - I'm not actively involved on cafaole since the sale, but I maintain a personal fork as I get questions from time to time on things.

 

[Voxel]

I just learnt that "-evp" tells openssl to use the AES hardware of the RT-AC86u. Booyah!!

Try to add also "-elapsed" option. It provides more honest measurements.

Voxel.

 

[Voxel]

They're planning the jump to 4.14 w/gcc 7.2

gcc 7.2 is a nut. I tried to compile Entware-NG (not Entware-3x) with gcc 7.2. For my own use. I succeed but a lot of packages required my changes and/or upgrades...

Voxel.

 

[zyxmon]

gcc 7.2 is a nut. I tried to compile Entware-NG (not Entware-3x) with gcc 7.2. For my own use. I succeed but a lot of packages required my changes and/or upgrades...

We are just in the proccess of toolchain upgrade. gcc 7.3 binutils 2.30 glibc 2.27. Tested packages for mipsel, armv7 and aarch64. Entware-3x!

 

[Voxel]

We are just in the proccess of toolchain upgrade. gcc 7.3 binutils 2.30 glibc 2.27. Tested packages for mipsel, armv7 and aarch64. Entware-3x!

Good job, zyxmon!

Voxel.

 

[sfx2000]

gcc 7.2 is a nut. I tried to compile Entware-NG (not Entware-3x) with gcc 7.2. For my own use. I succeed but a lot of packages required my changes and/or upgrades..

It's not really my call - they're doing the work, and the userland package rebuild is also pulling a lot of upstream fixes in...

I suppose much of that is grunt work...

 

[sfx2000]

This was run on QNAP TS-128A - https://www.qnap.com/en/product/ts-128a/specs/hardware
Runinig some QNAP's version of linux with kernel 4.2.8, CPU clocked 1.4GHz.

Amlogic S912 (Android + kernel 3.14.29) is much faster (-O2 + aarch64)

The Amlogic numbers make sense, but the Realtek numbers are really low considering clock speed and a53... bad build maybe?

(for reference, reposting the realtek nums below)

aes-256 cbc 15798.92k 16397.48k 16709.46k 16779.61k 17072.13k

 

[zyxmon]

but the Realtek numbers are really low considering clock speed and a53... bad build maybe?

I have tested Realtek at the end of January with the same build. The numbers were ~2-3 times better. Now they are low. I'll upgrade firmware and reboot and retest later this week.

 

[zyxmon]

Only after firmware upgrade + reboot Realtek nums are back to normal (and similar to previous January results). The nums are
aes-256 cbc 36856.17k 38235.75k 38960.30k 39137.96k 39813.12k

 

[sfx2000]

Only after firmware upgrade + reboot Realtek nums are back to normal (and similar to previous January results). The nums are
aes-256 cbc 36856.17k 38235.75k 38960.30k 39137.96k 39813.12k

That's more like what one would expect to see

 

[Fitz Mutch]

No, there is no /dev/crypto (openwrt). Some of my NASes have /dev/encryptfs - hardware encrypted file system support?

Asuswrt-Merlin firmware can be patched to make a /dev/crypto device that enables access to all the kernelspace ciphers including the ARMv8 and NEON accelerated ciphers. However, a program would need to know ahead of time which accelerated cipher it intends to use. Otherwise, it defaults to the software-only ciphers (slow).
https://www.snbforums.com/threads/rt-ac86u-accelerated-crypto-with-dev-crypto.44687/

 

[zyxmon]

Note to armv7 users, that used install script from tis topic - after you upgrade to Entware - https://www.snbforums.com/threads/entware-ng-entware-3x-merge.45098/
please run

opkg remove asuswrt-opt
opkg install entware-opt
wget http://bin.entware.net/other/symlinks.sh -O- | sh

For aarch64 users symlinks creation will be automatic. Two opkg command are not necessary but are recommended.

 

[zyxmon]

Entware-3x & Entware merged to become Entware.
Scripts from this topic should not be used now.

 

[XIII]

For aarch64 users symlinks creation will be automatic. Two opkg command are not necessary but are recommended.

aarch64 user here:

# opkg list-installed | grep opt
asuswrt-opt - 1.0-4

So I should run the two "opkg" commands?

(but not the "wget" command?)

 

[zyxmon]

So I should run the two "opkg" commands?

Only after your installation is upgraded to Entware (merged project).
There is no special asuswrt-opt in merged Entware. The first command removes one package, the second one installs another package instead.
Please do not run these commands before upgrading!!!

 

[XIII]

Only after your installation is upgraded to Entware (merged project).
There is no special asuswrt-opt in merged Entware. The first command removes one package, the second one installs another package instead.
Please do not run these commands before upgrading!!!

With upgrade you mean the double "opkg update; opkg upgrade"?

If not, I might have an issue, as I have already ran the commands to replace asuswrt-opt by entware-opt...

Is this OK?

# opkg list-installed | grep entware
entware-opt - 227000-2
entware-release - 1.0-2
entware-upgrade - 1.0-1

 

[zyxmon]

With upgrade you mean the double "opkg update; opkg upgrade"?

If not, I might have an issue, as I have already ran the commands to replace asuswrt-opt by entware-opt...

Is this OK?

Yes - there may be an issue if you run these commands when you have not upgraded to Entware (double `opkg update; opkg upgrade`. If busybox (entware package) is not installed, then everything should be OK.

 

[siena]

Yes - there may be an issue if you run these commands when you have not upgraded to Entware (double `opkg update; opkg upgrade`. If busybox (entware package) is not installed, then everything should be OK.

I want to upgrade from firmware 380 to 384 on ASUS RT-AC87U, I understand that I have to run the command opkg update; opkg upgrade twice, before doing so. When I SSH into the router at: /temp/home/root# and run the command, I get -sh: opkg: not found. Am I in the correct directory? Or is this command not required for RT-AC87u? I ask this again here.

 

[zyxmon]

I get -sh: opkg: not found. Am I in the correct directory?

Is Entware-3x installed on your router? opkg binary should be in your PATH.
Entware is updated independently for firmware upgrade.