Date:      Thu, 6 Dec 2018 19:05:25 -0500
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        John Nielsen <lists@jnielsen.net>, Xin LI <delphij@gmail.com>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: /dev/crypto not being used in 12-STABLE
Message-ID:  <65a51dc6-7b20-70f3-ad53-8a3d99afbd8b@FreeBSD.org>
In-Reply-To: <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>
References:  <A418F9A1-7298-4DA7-A185-BD16941BEC46@jnielsen.net> <CAGMYy3vKez_NR6rtcFDGVsWV=qs%2BiaoAwb-D0ed0zT5og9RbOA@mail.gmail.com> <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>

On 18. 12. 6., John Nielsen wrote:
>> On Dec 6, 2018, at 4:04 PM, Xin LI <delphij@gmail.com> wrote:
>>
>> On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <lists@jnielsen.net> wrote:
>>>
>>> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
>>>
>>> # fuser /dev/crypto
>>> /dev/crypto:
>>>
>>> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
>>>
>>> Is anyone else seeing this? Any idea what would cause it?
>>
>> Your average OpenSSL applications should not use /dev/crypto, if your
>> goal is to utilize AES-NI (which does not require /dev/crypto).  On
>> capable systems, AES-NI would be used automatically (and it's faster
>> this way).
>
> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh?
> I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base
> openssl was made.

OpenSSL 1.1.1 removed the old cryptodev:

https://svnweb.freebsd.org/base/vendor-crypto/openssl/dist/CHANGES?revision=340690&view=markup#l400

Instead, OpenSSL added devcrypto engine for Linux:

https://github.com/openssl/openssl/commit/619eb33

and added BSD support:

https://github.com/openssl/openssl/commit/4f79aff

then, completely removed BSD-specific cryptodev:

https://github.com/openssl/openssl/commit/f39a550

However, it is disabled by default.  Theoretically, it is functionally
equivalent but it wasn't tested much.

I can enable the new engine on head if many users request it.

Jung-uk Kim

