Date:      Thu, 6 Dec 2018 15:38:09 -0800
From:      Xin LI <delphij@gmail.com>
To:        lists@jnielsen.net
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: /dev/crypto not being used in 12-STABLE
Message-ID:  <CAGMYy3udib5u2yyoZTfWEcNh4U1czp46F8tRFDmhkOu5vVPT-Q@mail.gmail.com>
In-Reply-To: <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>
References:  <A418F9A1-7298-4DA7-A185-BD16941BEC46@jnielsen.net> <CAGMYy3vKez_NR6rtcFDGVsWV=qs+iaoAwb-D0ed0zT5og9RbOA@mail.gmail.com> <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>

On Thu, Dec 6, 2018 at 3:24 PM John Nielsen <lists@jnielsen.net> wrote:
>
> > On Dec 6, 2018, at 4:04 PM, Xin LI <delphij@gmail.com> wrote:
> >
> > On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <lists@jnielsen.net> wrote:
> >>
> >> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
> >>
> >> # fuser /dev/crypto
> >> /dev/crypto:
> >>
> >> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
> >>
> >> Is anyone else seeing this? Any idea what would cause it?
> >
> > Your average OpenSSL applications should not use /dev/crypto, if your
> > goal is to utilize AES-NI (which does not require /dev/crypto).  On
> > capable systems, AES-NI would be used automatically (and it's faster
> > this way).
>
> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh? I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base openssl was made.

You can disable the use of AES by passing environment variable
OPENSSL_ia32cap and compare the speed, e.g.:

OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc

(this disables bit 57; ~0x200000000000000 means to clear the AES-NI
capability bit).

On most systems, using AES-NI is about twice as fast; personally I don't
really see a reason why people would want to disable it in production
(even for security reasons), but yes, there is an option.

Cheers,
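Added example, not part of the thread above and not Xin LI's or the FreeBSD project's code: a POSIX sh script that does the comparison he describes, running "openssl speed" once with the capabilities OpenSSL detects on its own and once with the AES-NI bit (bit 57) masked out through OPENSSL_ia32cap, then printing the throughput ratio. It assumes an openssl binary from OpenSSL 1.1.0 or later on PATH (for the -seconds, -bytes and -mr flags) and a working awk; the function names and the sample "-mr" line used to check the parser are my own.

```shell
#!/bin/sh
# Added example: measure whether OpenSSL is actually using AES-NI by
# masking the capability bit with OPENSSL_ia32cap and comparing throughput.
# Assumes OpenSSL >= 1.1.0 for "openssl speed -seconds/-bytes/-mr"
# (assumption: check "openssl version" on your system).

# Build an OPENSSL_ia32cap value that clears one capability bit.
# Bit 57 is AES-NI: 1<<57 == 0x200000000000000, hence "~0x200000000000000".
ia32cap_clear_bit() {
    printf '~0x%x\n' "$((1 << $1))"
}

# Pull the bytes-per-second figure out of "openssl speed -mr" output, which
# reports each algorithm as "+F:<index>:<name>:<bytes/s>[:<bytes/s>...]".
# With a single -bytes size there is exactly one figure, the last field.
parse_speed_mr() {
    awk -F: '/^\+F:/ { v = $NF } END { print v }'
}

# Ratio of two throughput figures, two decimals.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# One 1-second run of AES-128-CBC on 8 KiB buffers.  $1 is an optional
# OPENSSL_ia32cap value; empty means let OpenSSL detect the CPU itself.
bench_once() {
    if [ -n "$1" ]; then
        OPENSSL_ia32cap="$1" openssl speed -mr -seconds 1 -bytes 8192 \
            -evp aes-128-cbc 2>/dev/null
    else
        openssl speed -mr -seconds 1 -bytes 8192 -evp aes-128-cbc 2>/dev/null
    fi | parse_speed_mr
}

# Run both variants and print the ratio.  A ratio near 1.0 means the first
# run was not using AES-NI either: the CPU lacks it, or it was already masked.
compare_aesni() {
    with_aesni=$(bench_once "")
    without_aesni=$(bench_once "$(ia32cap_clear_bit 57)")
    [ -n "$with_aesni" ] && [ -n "$without_aesni" ] || return 1
    printf 'AES-NI allowed : %s bytes/s\n' "$with_aesni"
    printf 'AES-NI masked  : %s bytes/s\n' "$without_aesni"
    printf 'ratio          : %sx\n' "$(speedup "$with_aesni" "$without_aesni")"
}

# Only benchmark when an openssl binary is available; the helpers above are
# usable on their own.
if command -v openssl >/dev/null 2>&1; then
    compare_aesni || echo "openssl speed did not produce usable output" >&2
fi
```

This measures only what libcrypto does in-process, which is what matters for sshd and most ports software linked against OpenSSL: the in-kernel aesni(4) driver and /dev/crypto do not enter into it, so an idle /dev/crypto says nothing about whether AES-NI is being used. Masking bit 57 only affects processes started with that environment, so a ratio of roughly 2 (as the reply suggests) confirms the default run was using the instruction.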


