From owner-freebsd-hackers@FreeBSD.ORG Tue Sep 16 06:19:07 2014 Return-Path: Delivered-To: hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5E331644 for ; Tue, 16 Sep 2014 06:19:07 +0000 (UTC) Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0E387A2D for ; Tue, 16 Sep 2014 06:19:06 +0000 (UTC) Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s8G6Ix92066054 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Sep 2014 23:18:59 -0700 (PDT) (envelope-from jmg@h2.funkthat.com) Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s8G6Iw9c066053; Mon, 15 Sep 2014 23:18:58 -0700 (PDT) (envelope-from jmg) Date: Mon, 15 Sep 2014 23:18:58 -0700 From: John-Mark Gurney To: Wojciech Puchar Subject: Re: openssl with aes-in or padlock Message-ID: <20140916061857.GY82175@funkthat.com> Mail-Followup-To: Wojciech Puchar , Jim Thompson , "hackers@freebsd.org" References: <20140911180258.GN82175@funkthat.com> <62E8AD7E-346F-4F77-9628-6D5121D7AD6D@netgate.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 7.2-RELEASE i386 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Mon, 15 Sep 2014 23:18:59 -0700 (PDT) Cc: Jim Thompson , "hackers@freebsd.org" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 06:19:07 -0000 Wojciech Puchar wrote this message on Sat, Sep 13, 2014 at 09:35 +0200: > will it be available on FreeBSD 10 ? It will eventually make it into 10, but it definately won't make it into 10.1-R which is coming up soon. > On Thu, 11 Sep 2014, Jim Thompson wrote: > > >We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware > >that supports it.) > > > >OpenSSL / OpenVPN is probably next. > > > >-- Jim > > > >On Sep 11, 2014, at 14:33, Wojciech Puchar wrote: > > > >>>>#openssl speed -evp aes-256-cbc > >>> > >>>First off, you won't get much speed up w/ CBC encrypt... Try testing > >>>using aes-256-ctr instead... CBC can't process multiple blocks in > >>>parallel like CTR can... if you measure the cbc _decrypt_ speed, you > >>>should see a big improvement as CBC decrypt can be parallelized... > >>> > >>>>in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s > >>> > >>>geli uses a different framework for it's crypto processing.. for geli, > >>>make sure you have the aesni kernel module loaded before you attach > >>>to a geli disk... You should get kernel messages like the following: > >>>GEOM_ELI: Device gpt/werner.eli created. > >>>GEOM_ELI: Encryption: AES-XTS 256 > >>>GEOM_ELI: Crypto: hardware > >> > >>yes i have this. contrary to what you say - both AES-XTC and AES-CBC gets > >>MUCH faster with AES-NI. > >> > >>>notice the Crypto: hardware line.. Also, make sure that your geli > >>>sector size is 4k instead of 512... This reduces the loop overhead, > >> > >>as i already said - geli works fast and make use of AES-NI or padlock > >> > >>openssl does not -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."