Date: Thu, 27 Feb 2003 09:20:11 -0800 From: "Sam Leffler" <sam@errno.com> To: "Adrian Steinmann" <ast@marabu.ch>, <stable@FreeBSD.ORG> Subject: Re: Is OpenSSL 0.9.7a really using cryptodev hardware? Message-ID: <036f01c2de84$82a70b30$52557f42@errno.com> References: <200302271357.OAA00975@marabu.marabu.ch>
next in thread | previous in thread | raw e-mail | index | archive | help
> I'm running RELENG_4 cvsup-ed 2003/02/25UTC
>
> $ openssl version
> OpenSSL 0.9.7a Feb 19 2003
> $ ldd /usr/bin/openssl:
> libssl.so.3 => /usr/lib/libssl.so.3 (0x280b0000)
> libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280df000)
> libc.so.4 => /usr/lib/libc.so.4 (0x281d6000)
>
> On my Soekris net4501 I have:
>
> device crypto
> device cryptodev
> device hifn
>
> configured in the kernel and running:
> hifn0 mem 0xa0001000-0xa0001fff,0xa0000000-0xa0000fff irq 10 at device
16.0 on pci0
> hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions
>
> and /dev/crypto exists as well, openssl reports it as available:
>
> $ openssl engine -vvv -c -t
> (cryptodev) BSD cryptodev engine
> [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC]
> [ available ]
> ... (the other are not available)
>
> When I run cryptotest -z (from /usr/src/tools/tools/crypto)
> I get these speeds:
> # sysctl -w debug.crypto_timing=1
> $ cryptotest -z|grep 8192
> 0.474 sec, 2 des crypts, 8192 bytes, 34600 byte/sec,
0.3 Mb/sec
> 0.471 sec, 2 3des crypts, 8192 bytes, 34753 byte/sec,
0.3 Mb/sec
>
FWIW you can also use cryptotest -zp to turn on+off profiling over the time
of the run. Also, w/ no additional argument you're doing only 1 run of each
block size so your results are unrealistic (but still they look wrong too).
> and cryptostats reports these:
> $ cryptostats
> 1171 symmetric crypto ops (0 errors, 0 times driver blocked)
> 0 key ops (0 errors, 0 times driver blocked)
> 0 crypto dispatch thread activations
> 1171 crypto return thread activations
>
This last line indicates you're slightly out of date in that I made a recent
MFC to eliminate the "thread activations" required for processing operations
going through /dev/crypto.
> dispatch->invoke: avg 7764 ns : min 0 ns : max 102959 ns [823
samps]
> invoke->done: avg 224321569 ns : min 0 ns : max 226578803 ns [823
samps]
> done->cb: avg 8647603 ns : min 0 ns : max 13619770 ns [823
samps]
> cb->finis: avg 27031 ns : min 0 ns : max 120359 ns [823
samps]
>
These numbers are kinda wumpus because you manually turned profling on+off.
cryptotest -p does the right thing to reinitialize the profiling counters so
that min+max are correct. But your numbers, even with 823 samples, are
still very slow:
dispatch->invoke 7.8us
invoke->done 224ms
done->cb 8.6ms
cb->finis 27us
I'm not sure what size data blocks you're passing here (probably an
assortment) but 224ms is basically the time spent in the driver (and h/w)
doing the actual crypto operation. Everything else is essentially the
overhead of using /dev/crypto. If you do a fixed size run then you can use
this to calculate the effect performance of the 7951; e.g.
cryptotest -p 1024 4096
will run only 4K data blocks through and then you can use the invoke->done
time to calculate out the raw performance available (assuming nothing else
of note is running on the machine).
> However, when I do the same test with openssl the numbers look
> identical with and without /dev/crypto:
>
> $ openssl speed -engine cryptodev des
> engine "cryptodev" set.
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
> des cbc 576.97k 612.60k 610.02k 617.09k
609.10k
> des ede3 174.44k 181.80k 185.19k 183.17k
183.55k
I'm not sure if cryptodev is the engine name (it was changed at one point).
If you don't specify engine you should get the h/w device if it is
available.
> # rm -f /dev/crypto
> $ openssl speed -engine cryptodev des
> reports an invalid engine "cryptodev" and then continues with same numbers
>
> cryptostats doesn't report any addironal hifn processing, and when
>
> # sysctl -w debug.hifn=1
>
> is set, no debugging is seen on console during openssl speed either.
>
> Furthermore,
>
> /usr/src/crypto/openssl/crypto/engine/enginetest.c
>
> reports no available engines:
>
> $ ./enginetest
>
> enginetest beginning
>
> listing available engine types
> end of list
> ...
>
Is this before or after you removed /dev/crypto? I'm not sure if the list
will include the h/w crypto engine unless it can open /dev/crypto.
> This all leads me to suspect that the -stable openssl 0.9.7a doesn't
> have the complete cryptodev engine compiled in. Is openssl failing
> to put cryptodev into the engine list when it does speed? I've also
> tried encryption runs but they all don't seem to use the hifn for
> encryption.
>
> (I've compared ktraces for both cryptotest and openssl, openssl
> does three ioctl() on /dev/crypto during speed, whereas cryptotest
> keeps on doing the ioctl() for the encryption).
I'm using it w/o any issues and it seems to do the right thing. But I
haven't tried things on a soekris box in a long time; not that it should
matter. I didn't see results for just openssl w/o -engine cryptodev; did
you try that?
Sam
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?036f01c2de84$82a70b30$52557f42>