Date: Mon, 25 May 2015 13:41:31 +0200
From: Christoph Moench-Tegeder
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance
Message-ID: <20150525114131.GA1457@elch.exwg.net>

## Kevin Day (toasty@dragondata.com):

> > If you have cryptodev loaded, this is to be expected as OpenSSL will
> > use /dev/crypto instead of the AES-NI instructions.. Just don't load
> > cryptodev and you'll be fine..
>
> So to make sure I’m understanding… openssl has native AES-NI support, and
> it also can use /dev/crypto. It’s preferring /dev/crypto, but /dev/crypto
> has much higher overhead?

Yes (I hadn't thought of cryptodev, because "why would one load that
without really special crypto hardware?"). The overhead is obvious -
when offloading the crypto operations to the kernel, the benefit of
the kernel/hardware crypto support has to be better than the penalty
of communicating with the kernel; and as you already have AES-NI
support in openssl, there's not that much chance that the kernel is
that much faster than openssl itself.

Regards,
Christoph

-- 
Spare Space
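
The trade-off described in the reply above can be written as a small cost model. This is an added example, not part of the original message; the cipher rate and per-call overhead are assumed placeholder values, not measurements, and the function names are hypothetical.

```python
# Added illustration; the rate and overhead constants are assumed
# placeholders, not measurements from the thread or from any Atom C2758.
BLOCK_SIZES = (16, 64, 256, 1024, 8192)   # sizes in the style of `openssl speed`
AESNI_RATE = 500e6                        # bytes/s, assumed
CALL_OVERHEAD = 2e-6                      # seconds per /dev/crypto round trip, assumed


def throughput(block, rate, overhead=0.0):
    """Bytes/s when every call encrypts `block` bytes at `rate` bytes/s
    and additionally pays a fixed `overhead` in seconds."""
    return block / (overhead + block / rate)


def break_even_block(user_rate, kernel_rate, overhead):
    """Block size at which the kernel path catches up with userland.

    Solves overhead + n/kernel_rate == n/user_rate for n. Returns None
    when the kernel path is not faster per byte, because then the fixed
    overhead can never be recovered.
    """
    if kernel_rate <= user_rate:
        return None
    return overhead / (1.0 / user_rate - 1.0 / kernel_rate)


def compare(user_rate=AESNI_RATE, kernel_rate=AESNI_RATE,
            overhead=CALL_OVERHEAD):
    """Return (block, userland B/s, kernel-path B/s) per block size."""
    return [(n, throughput(n, user_rate),
             throughput(n, kernel_rate, overhead)) for n in BLOCK_SIZES]


if __name__ == "__main__":
    for n, user, kern in compare():
        print(f"{n:5d} bytes  userland {user / 1e6:7.1f} MB/s"
              f"  via kernel {kern / 1e6:7.1f} MB/s")
    print("break-even, same AES-NI on both sides:",
          break_even_block(AESNI_RATE, AESNI_RATE, CALL_OVERHEAD))
    print("break-even, kernel device 5x faster per byte:",
          break_even_block(AESNI_RATE / 5, AESNI_RATE, CALL_OVERHEAD))
```

When both paths end up on the same AES-NI instructions, the model has no break-even point: the kernel path only approaches userland throughput as blocks grow and is worst at small block sizes.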