Date: Thu, 6 Dec 2018 15:38:09 -0800
From: Xin LI <delphij@gmail.com>
To: lists@jnielsen.net
Cc: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: /dev/crypto not being used in 12-STABLE
Message-ID: <CAGMYy3udib5u2yyoZTfWEcNh4U1czp46F8tRFDmhkOu5vVPT-Q@mail.gmail.com>
In-Reply-To: <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>
References: <A418F9A1-7298-4DA7-A185-BD16941BEC46@jnielsen.net> <CAGMYy3vKez_NR6rtcFDGVsWV=qs+iaoAwb-D0ed0zT5og9RbOA@mail.gmail.com> <F67BC606-6210-48DD-B924-FF90C26704A1@jnielsen.net>
On Thu, Dec 6, 2018 at 3:24 PM John Nielsen <lists@jnielsen.net> wrote:
>
>
> On Dec 6, 2018, at 4:04 PM, Xin LI <delphij@gmail.com> wrote:
> >
> > On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <lists@jnielsen.net> wrote:
> >>
> >> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
> >>
> >> # fuser /dev/crypto
> >> /dev/crypto:
> >>
> >> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
> >>
> >> Is anyone else seeing this? Any idea what would cause it?
> >
> > Your average OpenSSL applications should not use /dev/crypto, if your
> > goal is to utilize AES-NI (which does not require /dev/crypto). On
> > capable systems, AES-NI would be used automatically (and it's faster
> > this way).
>
> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh? I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base openssl was made.

You can disable the use of AES by passing environment variable
OPENSSL_ia32cap and compare the speed, e.g.:

    OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc

(disabled bit 57, or ~0x200000000000000 means to disable the AES-NI
capability bit).

On most systems, using AES-NI is about twice as fast; personally I don't
really see a reason why people would want to disable it in production
(even for security reasons), but yes, there is an option.

Cheers,
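The comparison suggested in the reply above, worked out as an added example (this script is not from the mailing-list thread or from FreeBSD). It derives the OPENSSL_ia32cap mask from the CPUID bit position rather than hard-coding it: the first OPENSSL_ia32cap word mirrors CPUID leaf 1, with EDX in bits 0-31 and ECX in bits 32-63, and AES-NI is ECX bit 25, hence bit 57. The function names, the `-seconds` flag (assumes OpenSSL 1.1.x or later) and the `run` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: build the
# OPENSSL_ia32cap mask that clears one CPUID capability bit, then run
# `openssl speed` with and without it to see whether AES-NI is in play.
#
# OpenSSL's first OPENSSL_ia32cap word mirrors CPUID leaf 1 output:
# EDX occupies bits 0-31 and ECX bits 32-63. AES-NI is ECX bit 25, so
# it is bit 57 of that word; a leading "~" asks OpenSSL to clear the
# listed bits instead of setting them.

# Print the "~0x..." mask that clears a single capability bit (0-63).
ia32cap_clear_mask() {
    printf '~0x%x\n' "$((1 << $1))"
}

# Mask for AES-NI specifically (bit 57), the value quoted in the thread.
aesni_clear_mask() {
    ia32cap_clear_mask 57
}

# Run `openssl speed -evp ALG` and print the throughput reported for the
# largest block size (last column of the summary line), in kbytes/s.
# Assumes OpenSSL 1.1.x or later, which accepts -seconds.
speed_kbytes() {
    alg="$1"
    openssl speed -seconds 1 -evp "$alg" 2>/dev/null \
        | awk -v a="$alg" '$1 == a { sub(/k$/, "", $NF); print $NF }'
}

# Compare throughput with and without AES-NI for one cipher.
# A large drop once the mask is applied means AES-NI was being used.
compare_aesni() {
    alg="${1:-aes-128-cbc}"
    with=$(speed_kbytes "$alg")
    without=$(OPENSSL_ia32cap="$(aesni_clear_mask)" speed_kbytes "$alg")
    printf '%s with AES-NI:    %s kB/s\n' "$alg" "$with"
    printf '%s without AES-NI: %s kB/s\n' "$alg" "$without"
}

# Only benchmark when explicitly asked, e.g. `sh aesni_check.sh run aes-256-gcm`.
case "${1:-}" in
    run) compare_aesni "${2:-aes-128-cbc}" ;;
esac
```

Two caveats when reading the numbers: the script exercises whichever `openssl` is first in PATH, so to reason about ssh you also want to confirm which libcrypto that binary links (`ldd /usr/bin/ssh`); and OPENSSL_ia32cap only steers OpenSSL's own userland dispatch, so it says nothing about the kernel aesni(4) driver reachable through /dev/crypto.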
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGMYy3udib5u2yyoZTfWEcNh4U1czp46F8tRFDmhkOu5vVPT-Q>
