Date:      Thu, 11 Sep 2014 11:02:58 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Wojciech Puchar <wojtek@puchar.net>
Cc:        hackers@freebsd.org
Subject:   Re: openssl with aes-in or padlock
Message-ID:  <20140911180258.GN82175@funkthat.com>
In-Reply-To: <alpine.BSF.2.00.1409111858470.1185@wojtek.dom>
References:  <alpine.BSF.2.00.1409111858470.1185@wojtek.dom>

Wojciech Puchar wrote this message on Thu, Sep 11, 2014 at 18:58 +0200:
> how to check if openssl is actually using these instructions?
> 
> on machine with padlock:
> 
> #openssl speed -evp aes-256-cbc

First off, you won't get much speedup w/ CBC encrypt...  Try testing
using aes-256-ctr instead...  CBC can't process multiple blocks in
parallel like CTR can...  if you measure the cbc _decrypt_ speed, you
should see a big improvement as CBC decrypt can be parallelized...

> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s

geli uses a different framework for its crypto processing.. for geli,
make sure you have the aesni kernel module loaded before you attach
to a geli disk...  You should get kernel messages like the following:
GEOM_ELI: Device gpt/werner.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:     Crypto: hardware

notice the Crypto: hardware line..  Also, make sure that your geli
sector size is 4k instead of 512...  This reduces the loop overhead,
and as modern disks usually use 4k anyways, there isn't much of a loss
going to the larger sector size...

Also, if you want to do pure testing, you can use geom_zero, and turn
off clearing w/ kern.geom.zero.clear so that gzero won't bother zeroing
the buffer, then you'll be able to better measure geli's
overhead/performance..

> how to enable padlock or aes-in in openssl?

For OpenSSL, you need at least 1.0 for AES-NI to be detected and used...

I'm not familiar w/ padlock, whether it can be used from userland, w/o the
kernel, but I don't believe it is... If you have a machine w/o AES-NI
but has padlock, you can load the padlock and cryptodev kernel modules,
and then OpenSSL should detect that /dev/crypto is present and use
that...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
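As an added example (not part of the thread), a small sh/awk helper that applies the check John-Mark describes: it parses GEOM_ELI kernel messages in the format quoted above and reports, per geli device, whether the "Crypto:" line says hardware. The sample messages are constructed; the only format assumption is the three-line "Device ... created / Encryption / Crypto" sequence shown in the mail.

```shell
#!/bin/sh
# Added example: classify geli devices by their crypto backend from
# GEOM_ELI kernel messages (e.g. from dmesg or /var/run/dmesg.boot).
# Assumes the message format quoted in the thread; on the kernel discussed
# there, an aesni-backed device shows "Crypto: hardware".

# geli_crypto_backend DEVICE  (reads messages on stdin)
# Prints the backend named on the "Crypto:" line that follows the
# "Device DEVICE created." line, or "unknown" if none is found.
geli_crypto_backend() {
    awk -v dev="$1" '
        /^GEOM_ELI: Device .* created\.$/ { cur = $3; next }
        /^GEOM_ELI: +Crypto: / && cur == dev { print $3; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# geli_software_devices  (reads messages on stdin)
# Prints every geli device whose "Crypto:" line is anything other than
# "hardware", i.e. devices that did not pick up the aesni/padlock module.
geli_software_devices() {
    awk '
        /^GEOM_ELI: Device .* created\.$/ { cur = $3; next }
        /^GEOM_ELI: +Crypto: / && $3 != "hardware" { print cur }
    '
}

# Constructed sample: one device attached with aesni loaded, one without.
SAMPLE_DMESG='GEOM_ELI: Device gpt/werner.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:     Crypto: hardware
GEOM_ELI: Device md0.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:     Crypto: software'

# Demo run on the constructed sample (on a live box: dmesg | geli_software_devices)
printf '%s\n' "$SAMPLE_DMESG" | geli_software_devices |
    while read -r d; do echo "warning: $d is using software crypto"; done
```

Any device the second function names was attached before the aesni (or padlock) module was loaded; detach, load the module, and re-attach to get the hardware path.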