From owner-freebsd-security@FreeBSD.ORG Sun Apr 23 19:12:46 2006
Date: Sun, 23 Apr 2006 12:12:44 -0700
From: Colin Percival
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Still Fundraising for FreeBSD security development

Dear FreeBSD users,

On April 4th, I thought that I had reached my donations target for
funding my summer of FreeBSD security development, and asked people to
stop sending further donations.  Sadly, it seems that this assessment was
premature, as it relied upon two large pledges, and it now appears that
one of them will not be arriving.

Fortunately, Pair Networks -- the other large donor -- has sent $6500 US,
which now brings me within $2000 of my target.

If you were intending to donate when I updated my web page on April 4th
to say that I had reached my target, please do so now.  I know there were
several people in this position, so I'm hoping I can reach my target in
the next week.

As before, details about the work I plan on doing, how to donate, and a
list of the donations I have received, are at
http://people.freebsd.org/~cperciva/funding.html

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sun Apr 23 19:16:25 2006
Date: Sun, 23 Apr 2006 21:16:13 +0200 (CEST)
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Subject: Re: Crypto hw acceleration for openssl

Winston Tsai wrote:
 > I got roughly the same performance results when I use the openssl speed
 > test with and without a hifn 7956 crypto card
 > [...]
 > Then I ran:
 > Openssl speed des-cbc
 > [...]
 > My understanding is that openssl will detect the presence of an
 > accelerator card and use it (via \dev\crypto) instead of the crypto
 > library.
 > Did I miss something here?

I don't know if the openssl speed test picks up the crypto-
dev hardware automatically.  But ssh/scp definitely does.

I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
which accelerates AES encryption.  When the padlock(4)
module is loaded (it contains the Nehemiah ACE support),
ssh/scp performance is roughly doubled.  It's quite
noticeable when transferring large files.

Best regards
   Oliver

PS:  I can provide some benchmark numbers if interested.

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"The scanf() function is a large and complex beast that often does
something almost but not quite entirely unlike what you desired."
        -- Chris Torek

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 14:29:18 2006
Date: Mon, 24 Apr 2006 16:27:38 +0200
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.ORG
Subject: Re: Crypto hw acceleration for openssl

On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> Winston Tsai wrote:
+>  > I got roughly the same performance results when I use the openssl speed
+>  > test with and without a hifn 7956 crypto card
+>  > [...]
+>  > Then I ran:
+>  > Openssl speed des-cbc
+>  > [...]
+>  > My understanding is that openssl will detect the presence of an
+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
+>  > library.
+>  > Did I miss something here?
+>
+> I don't know if the openssl speed test picks up the crypto-
+> dev hardware automatically.  But ssh/scp definitely does.
+>
+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> which accelerates AES encryption.  When the padlock(4)
+> module is loaded (it contains the Nehemiah ACE support),
+> ssh/scp performance is roughly doubled.  It's quite
+> noticeable when transferring large files.
+>
+> Best regards
+>    Oliver
+>
+> PS:  I can provide some benchmark numbers if interested.

The problem is that OpenSSL doesn't know how to accelerate AES192 and
AES256 with cryptodev. The patch which fixes this is available here:

	http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch

PS. For AES128 cryptodev can be used without the patch.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 14:51:06 2006
Date: Mon, 24 Apr 2006 10:50:37 -0400
To: Pawel Jakub Dawidek, freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Re: Crypto hw acceleration for openssl

At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
>On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
>+> Winston Tsai wrote:
>+>  > I got roughly the same performance results when I use the openssl speed
>+>  > test with and without a hifn 7956 crypto card
>+>  > [...]
>+>  > Then I ran:
>+>  > Openssl speed des-cbc
>+>  > [...]
>+>  > My understanding is that openssl will detect the presence of an
>+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
>+>  > library.
>+>  > Did I miss something here?
>+>
>+> I don't know if the openssl speed test picks up the crypto-
>+> dev hardware automatically.  But ssh/scp definitely does.
>+>
>+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
>+> which accelerates AES encryption.  When the padlock(4)
>+> module is loaded (it contains the Nehemiah ACE support),
>+> ssh/scp performance is roughly doubled.  It's quite
>+> noticeable when transferring large files.
>+>
>+> Best regards
>+>    Oliver
>+>
>+> PS:  I can provide some benchmark numbers if interested.
>
>The problem is that OpenSSL doesn't know how to accelerate AES192 and
>AES256 with cryptodev. The patch which fixes this is available here:
>
>         http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
>
>PS. For AES128 cryptodev can be used without the patch.

If you use the padlock engine, you will also need the patch discussed in

http://cvs.openssl.org/chngview?cn=13061

http://sourceforge.net/mailarchive/message.php?msg_id=11419213

Without it, apps like openvpn will run into periodic crypto errors.

         ---Mike

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 15:37:00 2006
Date: Mon, 24 Apr 2006 17:35:23 +0200
From: Pawel Jakub Dawidek
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Crypto hw acceleration
 for openssl

On Mon, Apr 24, 2006 at 10:50:37AM -0400, Mike Tancsa wrote:
+> At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
+> >On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> >+> Winston Tsai wrote:
+> >+>  > I got roughly the same performance results when I use the openssl speed
+> >+>  > test with and without a hifn 7956 crypto card
+> >+>  > [...]
+> >+>  > Then I ran:
+> >+>  > Openssl speed des-cbc
+> >+>  > [...]
+> >+>  > My understanding is that openssl will detect the presence of an
+> >+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
+> >+>  > library.
+> >+>  > Did I miss something here?
+> >+>
+> >+> I don't know if the openssl speed test picks up the crypto-
+> >+> dev hardware automatically.  But ssh/scp definitely does.
+> >+>
+> >+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> >+> which accelerates AES encryption.  When the padlock(4)
+> >+> module is loaded (it contains the Nehemiah ACE support),
+> >+> ssh/scp performance is roughly doubled.  It's quite
+> >+> noticeable when transferring large files.
+> >+>
+> >+> Best regards
+> >+>    Oliver
+> >+>
+> >+> PS:  I can provide some benchmark numbers if interested.
+> >
+> >The problem is that OpenSSL doesn't know how to accelerate AES192 and
+> >AES256 with cryptodev. The patch which fixes this is available here:
+> >
+> >        http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
+> >
+> >PS. For AES128 cryptodev can be used without the patch.
+>
+>
+> If you use the padlock engine, you will also need the patch discussed in
+>
+> http://cvs.openssl.org/chngview?cn=13061
+>
+> http://sourceforge.net/mailarchive/message.php?msg_id=11419213
+>
+>
+> Without it, apps like openvpn will run into periodic crypto errors.

It depends which engine one is using. One can use openssl's 'padlock'
engine or 'cryptodev' engine which will use padlock(4) driver.
The first one is of course faster for use with OpenSSL as it doesn't go
to the kernel.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 18:05:18 2006
Date: Mon, 24 Apr 2006 14:05:09 -0400
From: Nick Evans
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Crypto hw acceleration for openssl

On Mon, 24 Apr 2006 10:27:38 -0400 Pawel Jakub Dawidek wrote:

> On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
> +> Winston Tsai wrote:
> +>  > I got roughly the same performance results when I use the openssl speed
> +>  > test with and without a hifn 7956 crypto card
> +>  > [...]
> +>  > Then I ran:
> +>  > Openssl speed des-cbc
> +>  > [...]
> +>  > My understanding is that openssl will detect the presence of an
> +>  > accelerator card and use it (via \dev\crypto) instead of the crypto
> +>  > library.
> +>  > Did I miss something here?
> +>
> +> I don't know if the openssl speed test picks up the crypto-
> +> dev hardware automatically.  But ssh/scp definitely does.
> +>
> +> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
> +> which accelerates AES encryption.  When the padlock(4)
> +> module is loaded (it contains the Nehemiah ACE support),
> +> ssh/scp performance is roughly doubled.  It's quite
> +> noticeable when transferring large files.
> +>
> +> Best regards
> +>    Oliver
> +>
> +> PS:  I can provide some benchmark numbers if interested.
>
> The problem is that OpenSSL doesn't know how to accelerate AES192 and
> AES256 with cryptodev.
> The patch which fixes this is available here:
>
> 	http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
>
> PS. For AES128 cryptodev can be used without the patch.
>
> --
> Pawel Jakub Dawidek                       http://www.wheel.pl
> pjd@FreeBSD.org                           http://www.FreeBSD.org
> FreeBSD committer                         Am I Evil? Yes, I Am!

Have the lockups associated with using hifn been solved as well? I had a
big problem using hifn with GELI and haven't heard or seen anything else
about it.

Nick

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 21:43:28 2006
From: Stefan Bethke
Date: Mon, 24 Apr 2006 23:43:13 +0200
To: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: cvs commit: src/sys/amd64/amd64 mp_machdep.c src/sys/i386/i386 mp_machdep.c

On 24.04.2006 at 23:17, Colin Percival wrote:

> cperciva    2006-04-24 21:17:02 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/amd64/amd64      mp_machdep.c
>     sys/i386/i386        mp_machdep.c
>   Log:
>   Adjust dangerous-shared-cache-detection logic from "all shared data
>   caches are dangerous" to "a shared L1 data cache is dangerous".  This
>   is a compromise between paranoia and performance: Unlike the L1 cache,
>   nobody has publicly demonstrated a cryptographic side channel which
>   exploits the L2 cache -- this is harder due to the larger size, lower
>   bandwidth, and greater associativity -- and prohibiting shared L2
>   caches turns Intel Core Duo processors into Intel Core Solo processors.
>
>   As before, the 'machdep.hyperthreading_allowed' sysctl will allow even
>   the L1 data cache to be shared.

I do not pretend to understand the background, but from your
description it sounds like performance on Core Duo machines will be
bad unless this change is made, or the potentially dangerous sysctl
is active.  If that is indeed the case, will this change make it into
6.1?

Thanks,
Stefan

-- 
Stefan Bethke   Phone +49 170 346 0140

From owner-freebsd-security@FreeBSD.ORG Mon Apr 24 21:50:31 2006
Date: Mon, 24 Apr 2006 14:50:26 -0700
From: Colin Percival
To: Stefan Bethke
Cc: freebsd-security@freebsd.org
Subject: Re: cvs commit: src/sys/amd64/amd64 mp_machdep.c src/sys/i386/i386 mp_machdep.c

Stefan Bethke wrote:
> On 24.04.2006 at 23:17, Colin Percival wrote:
>>   FreeBSD src repository
>>
>>   Modified files:
>>     sys/amd64/amd64      mp_machdep.c
>>     sys/i386/i386        mp_machdep.c
>
> I do not pretend to understand the background, but from your description
> it sounds like performance on Core Duo machines will be bad unless this
> change is made, or the potentially dangerous sysctl is active.  If that
> is indeed the case, will this change make it into 6.1?

I'm not part of the release engineering team, but I think they're hoping
to merge this before the release, yes.

If anyone has a Core Duo system running -CURRENT and can tell me what
# sysctl machdep.hyperthreading_allowed
# sysctl machdep.hlt_cpus
says before and after this change, it would probably speed up the process
of merging this into other branches.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Apr 28 11:29:56 2006
Date: Fri, 28 Apr 2006 12:29:56 +0100 (BST)
From: Robert Watson
To: freebsd-security@FreeBSD.org
Subject: Looking for tor users experiencing crashes

I've had an informal, third or fourth hand report of kernel instability
when running Tor under load on unidentified versions of FreeBSD.
Obviously, this is a bit vague as bug reports go, but I'm interested in
seeing if anyone has had real experience with this happening, and might be
interested in helping to track it down.  If there are kernel crashes, I'm
specifically looking for information on what version of FreeBSD is being
used, a panic message / trap message, DDB stack trace, etc.  I'm assuming
it's likely a networking related bug, which I'm happy to work on fixing.
If it's not network-related, I can certainly try to track someone down who
could work on it.

Thanks,

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Fri Apr 28 20:43:31 2006
Date: Fri, 28 Apr 2006 13:43:25 -0700
From: John Pettitt
To: Robert Watson
Cc: freebsd-security@FreeBSD.org
Subject: Re: Looking for tor users experiencing crashes

Robert Watson wrote:
>
> I've had an informal, third or fourth hand
> report of kernel instability when running Tor under load on
> unidentified versions of FreeBSD.  Obviously, this is a bit vague as
> bug reports go, but I'm interested in seeing if anyone has had real
> experience with this happening, and might be interested in helping to
> track it down.  If there are kernel crashes, I'm specifically looking
> for information on what version of FreeBSD is being used, a panic
> message / trap message, DDB stack trace, etc.  I'm assuming it's
> likely a networking related bug, which I'm happy to work on fixing.
> If it's not network-related, I can certainly try to track someone
> down who could work on it.
>
> Thanks,
>
> Robert N M Watson

For what it's worth I had tor running on my 5.3 co-lo box for about 200
days without a problem (had to reboot for a kernel reboot after 400+
days of uptime)

John

From owner-freebsd-security@FreeBSD.ORG Sat Apr 29 09:00:16 2006
Date: Sat, 29 Apr 2006 10:00:15 +0100 (BST)
From: Robert Watson
To: John Pettitt
Cc: freebsd-security@FreeBSD.org
Subject: Re:
 Looking for tor users experiencing crashes

On Fri, 28 Apr 2006, John Pettitt wrote:

>> I've had an informal, third or fourth hand report of kernel instability
>> when running Tor under load on unidentified versions of FreeBSD.
>> Obviously, this is a bit vague as bug reports go, but I'm interested in
>> seeing if anyone has had real experience with this happening, and might be
>> interested in helping to track it down.  If there are kernel crashes, I'm
>> specifically looking for information on what version of FreeBSD is being
>> used, a panic message / trap message, DDB stack trace, etc.  I'm assuming
>> it's likely a networking related bug, which I'm happy to work on fixing.
>> If it's not network-related, I can certainly try to track someone down who
>> could work on it.
>
> For what it's worth I had tor running on my 5.3 co-lo box for about 200 days
> without a problem (had to reboot for a kernel reboot after 400+ days of
> uptime)

This is a useful report -- so far I've had about a half dozen reports of
absolutely no problems at all on various versions of FreeBSD, and no
reports of crashes.  Maybe this is a false alarm, or maybe it was a bug in
a specific version of FreeBSD.  Or maybe it just requires very special
circumstances.  I'll continue to keep an eye out, and please let me know
if you run into a problem.

Robert N M Watson