Date: Mon, 24 Apr 2006 17:35:23 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Crypto hw acceleration for openssl
Message-ID: <20060424153523.GD814@garage.freebsd.pl>
In-Reply-To: <6.2.3.4.0.20060424104727.08cb81a8@64.7.153.2>
References: <CFA9FA7615FFD04DB8FD8E34A3FF7F46022BB92A@sjcxch02.tbu.com> <200604231916.k3NJGDph098368@lurza.secnetix.de> <20060424142738.GC814@garage.freebsd.pl> <6.2.3.4.0.20060424104727.08cb81a8@64.7.153.2>
On Mon, Apr 24, 2006 at 10:50:37AM -0400, Mike Tancsa wrote:
+> At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
+> >On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> >+> Winston Tsai <wtsai@hifn.com> wrote:
+> >+>  > I got roughly the same performance results when I use the openssl speed
+> >+>  > test with and without a hifn 7956 crypto card
+> >+>  > [...]
+> >+>  > Then I ran:
+> >+>  > Openssl speed des-cbc
+> >+>  > [...]
+> >+>  > My understanding is that openssl will detect the presence of an
+> >+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
+> >+>  > library.
+> >+>  > Did I miss something here?
+> >+>
+> >+> I don't know if the openssl speed test picks up the cryptodev
+> >+> hardware automatically.  But ssh/scp definitely does.
+> >+>
+> >+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> >+> which accelerates AES encryption.  When the padlock(4)
+> >+> module is loaded (it contains the Nehemiah ACE support),
+> >+> ssh/scp performance is roughly doubled.  It's quite
+> >+> noticeable when transferring large files.
+> >+>
+> >+> Best regards
+> >+>    Oliver
+> >+>
+> >+> PS:  I can provide some benchmark numbers if interested.
+> >
+> >The problem is that OpenSSL doesn't know how to accelerate AES192 and
+> >AES256 with cryptodev. The patch which fixes this is available here:
+> >
+> >         http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
+> >
+> >PS. For AES128 cryptodev can be used without the patch.
+>
+>
+> If you use the padlock engine, you will also need the patch discussed in
+>
+> http://cvs.openssl.org/chngview?cn=13061
+>
+> http://sourceforge.net/mailarchive/message.php?msg_id=11419213
+>
+>
+> Without it, apps like openvpn will run into periodic crypto errors.

It depends which engine one is using. One can use openssl's 'padlock'
engine or 'cryptodev' engine which will use padlock(4) driver.
The first one is of course faster for use with OpenSSL as it doesn't go
to the kernel.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
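
An added example, not part of the original message or of OpenSSL: a shell helper that reads the capability list printed by `openssl engine -c` and reports which AES-CBC key sizes a given engine does not advertise, which is the condition the message describes for cryptodev without the patch. The sample output is constructed, and the function names `missing_aes` and `sample_engine_output` are hypothetical.

```shell
#!/bin/sh
# Added example: find AES-CBC key sizes an OpenSSL engine does not advertise.
# Input is the text printed by `openssl engine -c`.

# Constructed sample in the layout `openssl engine -c` prints. The cipher
# lists are illustrative (assumption), not captured from a real host.
sample_engine_output() {
cat <<'EOF'
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC]
(padlock) VIA PadLock (no-RNG, ACE)
 [AES-128-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC]
EOF
}

# missing_aes ENGINE_ID
# Reads `openssl engine -c` text on stdin and prints, space separated, the
# AES-CBC key sizes (128 192 256) that ENGINE_ID does not list. Prints
# "engine-not-found" if no "(ENGINE_ID)" header line is present.
missing_aes() {
  awk -v id="$1" '
    # Header line: "(id) description". Remember which engine we are in.
    /^\(/ { cur = substr($1, 2, length($1) - 2); if (cur == id) seen = 1; next }
    # Capability line: " [A, B, C]" belonging to the current engine.
    cur == id && /^ *\[/ { caps = caps $0 }
    END {
      if (!seen) { print "engine-not-found"; exit }
      out = ""
      n = split("128 192 256", sizes, " ")
      for (i = 1; i <= n; i++)
        if (index(caps, "AES-" sizes[i] "-CBC") == 0)
          out = out (out == "" ? "" : " ") sizes[i]
      print out
    }'
}

# Demonstration on the constructed sample.
for e in cryptodev padlock; do
  printf '%s: missing AES-CBC sizes: [%s]\n' "$e" "$(sample_engine_output | missing_aes "$e")"
done
```

On a live host the same function can be fed real data with `openssl engine -c | missing_aes cryptodev`.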
