Date: Fri, 12 Sep 2014 09:15:09 +1000
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: freebsd-hackers@freebsd.org
Subject: Re: openssl with aes-in or padlock
Message-ID: <54122CFD.3070702@heuristicsystems.com.au>
In-Reply-To: <alpine.BSF.2.00.1409111858470.1185@wojtek.dom>
References: <alpine.BSF.2.00.1409111858470.1185@wojtek.dom>

On 12/09/2014 2:58 AM, Wojciech Puchar wrote:
> how to check if openssl is actually using these instructions?
>
> on machine with padlock:
>
> #openssl speed -evp aes-256-cbc
> Doing aes-256-cbc for 3s on 16 size blocks: 732600 aes-256-cbc's in 2.91s
> Doing aes-256-cbc for 3s on 64 size blocks: 199833 aes-256-cbc's in 2.92s
> Doing aes-256-cbc for 3s on 256 size blocks: 50469 aes-256-cbc's in 2.91s
> Doing aes-256-cbc for 3s on 1024 size blocks: 25060 aes-256-cbc's in 2.92s
> Doing aes-256-cbc for 3s on 8192 size blocks: 3145 aes-256-cbc's in 2.93s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc       4033.24k     4377.09k     4445.61k     8782.52k     8794.06k
>
>
> #openssl engine
> (dynamic) Dynamic engine loading support
>
>
> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>
> how to enable padlock or aes-in in openssl?
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

Wojciech,
I have a very old single core VIA-15000 (1.5MHz) padlock server in use,
so the numbers may be adversely affected:

# openssl speed -evp aes-256-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-256-cbc for 3s on 16 size blocks: 14239761 aes-256-cbc's in 2.97s
Doing aes-256-cbc for 3s on 64 size blocks: 10999641 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 5845504 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 1024 size blocks: 2023702 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 8192 size blocks: 283165 aes-256-cbc's in 2.96s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Thu Sep 27 11:13:38 EST 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      76594.07k   237795.53k   501951.53k   694914.86k   782587.93k

On a single core VIA C7 Processor 1000MHz (FreeBSD 8.2 firewall)

# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 8270982 aes-256-cbc's in 2.91s
Doing aes-256-cbc for 3s on 64 size blocks: 6672866 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 3652460 aes-256-cbc's in 2.95s
Doing aes-256-cbc for 3s on 1024 size blocks: 1313482 aes-256-cbc's in 2.97s
Doing aes-256-cbc for 3s on 8192 size blocks: 188472 aes-256-cbc's in 2.98s
OpenSSL 1.0.0d 8 Feb 2011
built on: Mon Mar 7 14:18:26 EST 2011
options:bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -O2 -pipe -pipe -O2 -g0 -ggdb0 -DSTRIP_FBSDID -UDEBUGGING -UEBUGGING -march=prescott -mtune=prescott -march=prescott -O3 -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      45412.79k   144232.50k   317463.69k   453054.51k   518706.60k

These are the kind of figures that you should expect on a padlock device.

We turn on the padlock option during the build, and add these to our
openssl.cnf (though it may no longer be necessary with the 8.x or later).

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
padlock = padlock_section

[padlock_section]
default_algorithms = ALL

Please note - the only reliable measure is to actually encrypt and
decrypt files; we've found that the openssl speed test really isn't a
good comparative measure. I'd suggest something like:

dd if=/dev/zero bs=1m count=100 | openssl enc -e -aes-256-cbc -pass pass:obscure | openssl enc -d -aes-256-cbc -pass pass:obscure > /dev/null

So for reference: the VIA/padlock 1.5MHz server transfers in 1.4 seconds
(around 74MB/s), the 1MHz firewall transfers in 1.98s.

Regards, Dewayne.
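
The comparison this reply makes by eye, a measured `openssl speed` row set against figures from a machine known to use PadLock, as a shell sketch added here (not part of the original e-mail). The function names and the factor-of-ten threshold are assumptions of this example; the two sample rows are copied from the outputs quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original thread: compare an `openssl speed`
# summary row with a reference row from a machine known to use PadLock.

# Summary rows copied from two of the runs quoted in the message above.
ROW_NO_ENGINE='aes-256-cbc 4033.24k 4377.09k 4445.61k 8782.52k 8794.06k'
ROW_C7_PADLOCK='aes-256-cbc 45412.79k 144232.50k 317463.69k 453054.51k 518706.60k'

# speed_kbs N: read `openssl speed` output on stdin and print column N
# (1..5 = 16/64/256/1024/8192-byte blocks) of the last summary row, in 1000s
# of bytes per second. Columns are counted from the right so that a cipher
# label containing a space still parses.
speed_kbs() {
    awk -v n="$1" '
        $NF ~ /^[0-9.]+k$/ && NF >= 6 { v = $(NF - 5 + n) }
        END { if (v == "") exit 1; sub(/k$/, "", v); print v }'
}

# speedup OBSERVED REFERENCE: how many times faster REFERENCE is (truncated).
speedup() {
    awk -v o="$1" -v r="$2" 'BEGIN { if (o <= 0) exit 1; printf "%d\n", r / o }'
}

# looks_accelerated OBSERVED REFERENCE: succeed when OBSERVED is within a
# factor of ten of REFERENCE. The factor is an arbitrary choice made for
# this example, not a value taken from the thread.
looks_accelerated() {
    [ "$(speedup "$1" "$2")" -lt 10 ]
}

# `sh thisfile measure` benchmarks the local build; without that argument
# only the functions above are defined.
if [ "${1:-}" = "measure" ]; then
    ref=$(printf '%s\n' "$ROW_C7_PADLOCK" | speed_kbs 5)
    obs=$(openssl speed -evp aes-256-cbc 2>/dev/null | speed_kbs 5) || exit 1
    echo "observed ${obs}k, reference ${ref}k (VIA C7 1000MHz row)"
    if looks_accelerated "$obs" "$ref"; then
        echo "same order of magnitude as the PadLock reference"
    else
        echo "far below the PadLock reference: engine probably not in use"
    fi
fi
```

With the rows from the thread, the original poster's 8192-byte figure is 58 times below the C7 reference, which is the gap the reply points at.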