From: John-Mark Gurney
To: Wojciech Puchar
Date: Thu, 11 Sep 2014 11:02:58 -0700
Subject: Re: openssl with aes-in or padlock
Message-ID: <20140911180258.GN82175@funkthat.com>
Cc: hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD

Wojciech Puchar wrote this message on Thu, Sep 11, 2014 at 18:58 +0200:
> how to check if openssl is actually using these instructions?
>
> on machine with padlock:
>
> #openssl speed -evp aes-256-cbc

First off, you won't get much speed up w/ CBC encrypt...  Try testing
using aes-256-ctr instead...  CBC can't process multiple blocks in
parallel like CTR can...  if you measure the cbc _decrypt_ speed, you
should see a big improvement as CBC decrypt can be parallelized...

> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s

geli uses a different framework for its crypto processing..  for geli,
make sure you have the aesni kernel module loaded before you attach to
a geli disk...  You should get kernel messages like the following:

GEOM_ELI: Device gpt/werner.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI: Crypto: hardware

notice the Crypto: hardware line..

Also, make sure that your geli sector size is 4k instead of 512...
This reduces the loop overhead, and as modern disks usually use 4k
anyways, there isn't much of a loss going to the larger sector size...

Also, if you want to do pure testing, you can use geom_zero, and turn
off clearing w/ kern.geom.zero.clear so that gzero won't bother zeroing
the buffer, then you'll be able to better measure geli's
overhead/performance..

> how to enable padlock or aes-in in openssl?

For OpenSSL, you need at least 1.0 for AES-NI to be detected and
used...  I'm not familiar w/ padlock if it can be used from userland,
w/o the kernel, but I don't believe it is...

If you have a machine w/o AES-NI, but has padlock, you can load the
padlock and cryptodev kernel modules, and then OpenSSL should detect
that /dev/crypto is present and use that...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
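
Added example, not part of the original message: a small sh filter that reads kernel messages in the GEOM_ELI format quoted above and flags any provider whose "Crypto:" line is not "hardware". The function names, the md0.eli provider and the "software" sample line are constructed for illustration.

```shell
#!/bin/sh
# Usage on a live system (assumed): dmesg | geli_crypto_report

geli_crypto_report() {
    awk '
        BEGIN { dev = "unknown"; enc = "unknown" }
        /GEOM_ELI: Device .* created\./ {
            # New provider record; the name is the field after "Device".
            for (i = 1; i <= NF; i++) if ($i == "Device") dev = $(i + 1)
            enc = "unknown"
            next
        }
        /GEOM_ELI: +Encryption:/ {
            sub(/.*Encryption: */, ""); sub(/[ \t]+$/, ""); enc = $0
            next
        }
        /GEOM_ELI: +Crypto:/ {
            sub(/.*Crypto: */, ""); sub(/[ \t]+$/, ""); mode = $0
            # Anything other than "hardware" means the accelerator driver
            # (aesni, padlock) was not in use when the provider attached.
            status = (mode == "hardware") ? "OK" : "WARN"
            printf "%s %s [%s] crypto=%s\n", status, dev, enc, mode
            dev = "unknown"; enc = "unknown"
        }
    '
}

# Constructed sample input; the first record is the one from the message.
sample_dmesg() {
    cat <<'EOF'
GEOM_ELI: Device gpt/werner.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:     Crypto: hardware
GEOM_ELI: Device md0.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:     Crypto: software
EOF
}

sample_dmesg | geli_crypto_report
```

A WARN line for a provider usually means it was attached before the driver module was loaded; detach and re-attach it after loading the module, as described in the message.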