Date: Mon, 25 May 2015 13:10:10 +0100 From: RW <rwmaillists@googlemail.com> To: freebsd-security@freebsd.org Subject: Re: Atom C2758 - loading aesni(4) reduces performance Message-ID: <20150525131010.1abda315@gumby.homeunix.com> In-Reply-To: <20150525114131.GA1457@elch.exwg.net> References: <6BA42026-C785-40B5-B9CF-DD4280693C41@dragondata.com> <20150524224454.GX37063@funkthat.com> <687C0C52-08FA-4234-9A64-527163EED3C8@dragondata.com> <20150525114131.GA1457@elch.exwg.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 25 May 2015 13:41:31 +0200 Christoph Moench-Tegeder wrote: > ## Kevin Day (toasty@dragondata.com): >=20 > > > If you have cryptodev loaded, this is to be expected as OpenSSL > > > will use /dev/crypto instead of the AES-NI instructions.. Just > > > don't load cryptodev and you'll be fine.. > >=20 > > So to make sure I?m understanding? openssl has native AES-NI > > support, and it also can use /dev/crypto. It?s > > preferring /dev/crypto, but /dev/crypto has much higher overhead? >=20 > Yes (I hadn't thought of cryptodev, because "why would one load that > without really special crypto hardware?"). > The overhead is obvious - when offloading the crypto operations to > the kernel, the benefit of the kernel/hardware crypto support has > to be better than the penalty of communicating with the kernel; and > as you already have AES-NI support in openssl, there's not that much > chance that the kernel is that much faster than openssl itself. But AFAIK you need the crypto module for AES-NI support in geli. Is there any way to have both work optimally?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150525131010.1abda315>