Date: Mon, 25 May 2015 13:10:10 +0100
From: RW
To: freebsd-security@freebsd.org
Subject: Re: Atom C2758 - loading aesni(4) reduces performance

On Mon, 25 May 2015 13:41:31 +0200
Christoph Moench-Tegeder wrote:

> ## Kevin Day (toasty@dragondata.com):
>
> > > If you have cryptodev loaded, this is to be expected as OpenSSL
> > > will use /dev/crypto instead of the AES-NI instructions.. Just
> > > don't load cryptodev and you'll be fine..
> >
> > So to make sure I'm understanding... openssl has native AES-NI
> > support, and it also can use /dev/crypto. It's
> > preferring /dev/crypto, but /dev/crypto has much higher overhead?
>
> Yes (I hadn't thought of cryptodev, because "why would one load that
> without really special crypto hardware?").
> The overhead is obvious - when offloading the crypto operations to
> the kernel, the benefit of the kernel/hardware crypto support has
> to be better than the penalty of communicating with the kernel; and
> as you already have AES-NI support in openssl, there's not that much
> chance that the kernel is that much faster than openssl itself.

But AFAIK you need the crypto module for AES-NI support in geli. Is
there any way to have both work optimally?
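
The overhead argument quoted in this message, written out as a small cost model. This is an added example, not part of the original thread: the rates and the per-request overhead are constructed figures rather than measurements, and the function names are hypothetical. It also covers the case of a faster offload device, which goes beyond the AES-NI-only case discussed above.

```python
"""Cost model: user-space AES-NI vs. offload through /dev/crypto.

Every number here is constructed for illustration; none is a measurement.
"""

USER_RATE = 500e6        # bytes/s for in-process AES-NI (constructed)
CALL_OVERHEAD = 2e-6     # seconds per kernel round trip (constructed)
BLOCK_SIZES = (16, 64, 256, 1024, 8192)  # request sizes in bytes


def throughput(block, rate, overhead=0.0):
    """Effective bytes/s when each request pays a fixed overhead."""
    return block / (overhead + block / rate)


def break_even_block(user_rate, kernel_rate, overhead):
    """Request size at which the kernel path equals user-space speed.

    Solves block / (overhead + block / kernel_rate) == user_rate.
    Returns None if the kernel engine is no faster than user space:
    the fixed cost can then never be recovered.
    """
    if kernel_rate <= user_rate:
        return None
    return overhead / (1.0 / user_rate - 1.0 / kernel_rate)


def compare(kernel_rate, user_rate=USER_RATE, overhead=CALL_OVERHEAD):
    """Return (block, user B/s, kernel B/s, kernel/user ratio) rows."""
    rows = []
    for block in BLOCK_SIZES:
        user = throughput(block, user_rate)
        kern = throughput(block, kernel_rate, overhead)
        rows.append((block, user, kern, kern / user))
    return rows


if __name__ == "__main__":
    # Case 1: kernel also uses AES-NI, so same raw rate plus overhead.
    # Case 2: a hypothetical accelerator twice as fast as user space.
    for label, rate in (("same engine", USER_RATE), ("2x device", 2 * USER_RATE)):
        print(label, "break-even:", break_even_block(USER_RATE, rate, CALL_OVERHEAD))
        for block, user, kern, ratio in compare(rate):
            print(f"  {block:5d} B  user {user/1e6:7.1f} MB/s  "
                  f"kernel {kern/1e6:7.1f} MB/s  ratio {ratio:.2f}")
```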