Date: Mon, 15 Sep 2014 23:18:58 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: Wojciech Puchar <wojtek@puchar.net>
Cc: Jim Thompson <jim@netgate.com>, "hackers@freebsd.org" <hackers@freebsd.org>
Subject: Re: openssl with aes-in or padlock
Message-ID: <20140916061857.GY82175@funkthat.com>
In-Reply-To: <alpine.BSF.2.00.1409130935020.18147@wojtek.dom>
References: <alpine.BSF.2.00.1409111858470.1185@wojtek.dom> <20140911180258.GN82175@funkthat.com> <alpine.BSF.2.00.1409112332160.2140@wojtek.dom> <62E8AD7E-346F-4F77-9628-6D5121D7AD6D@netgate.com> <alpine.BSF.2.00.1409130935020.18147@wojtek.dom>

Wojciech Puchar wrote this message on Sat, Sep 13, 2014 at 09:35 +0200:
> will it be available on FreeBSD 10 ?

It will eventually make it into 10, but it definitely won't make it into
10.1-R which is coming up soon.

> On Thu, 11 Sep 2014, Jim Thompson wrote:
>
> >We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware
> >that supports it.)
> >
> >OpenSSL / OpenVPN is probably next.
> >
> >-- Jim
> >
> >On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek@puchar.net> wrote:
> >
> >>>>#openssl speed -evp aes-256-cbc
> >>>
> >>>First off, you won't get much speed up w/ CBC encrypt... Try testing
> >>>using aes-256-ctr instead... CBC can't process multiple blocks in
> >>>parallel like CTR can... if you measure the cbc _decrypt_ speed, you
> >>>should see a big improvement as CBC decrypt can be parallelized...
> >>>
> >>>>in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
> >>>
> >>>geli uses a different framework for its crypto processing.. for geli,
> >>>make sure you have the aesni kernel module loaded before you attach
> >>>to a geli disk... You should get kernel messages like the following:
> >>>GEOM_ELI: Device gpt/werner.eli created.
> >>>GEOM_ELI: Encryption: AES-XTS 256
> >>>GEOM_ELI: Crypto: hardware
> >>
> >>yes i have this. contrary to what you say - both AES-XTS and AES-CBC get
> >>MUCH faster with AES-NI.
> >>
> >>>notice the Crypto: hardware line.. Also, make sure that your geli
> >>>sector size is 4k instead of 512... This reduces the loop overhead,
> >>
> >>as i already said - geli works fast and makes use of AES-NI or padlock
> >>
> >>openssl does not

--
John-Mark Gurney				Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
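
Added example, not part of the original message or thread: a shell sketch of the block dependency behind the CBC/CTR remark quoted above, showing that a CBC ciphertext block depends on everything before it while a CBC block can be decrypted from two ciphertext blocks alone. The key, IV, plaintexts and function names are constructed for illustration; it assumes an `openssl` binary whose `enc` command supports aes-256-cbc and aes-256-ctr.

```shell
#!/bin/sh
# Added illustration. KEY, IV, PT and PT2 are constructed sample values.
# The same key/IV is reused across runs only to make the comparison
# deterministic; never reuse a CTR key/IV pair for real data.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=00112233445566778899aabbccddeeff
PT='block0-AAAAAAAAAblock1-BBBBBBBBBblock2-CCCCCCCCCblock3-DDDDDDDDD'   # 4 x 16 bytes
PT2='Xlock0-AAAAAAAAAblock1-BBBBBBBBBblock2-CCCCCCCCCblock3-DDDDDDDDD'  # first byte changed

# Binary on stdin -> one line of lowercase hex.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Encrypt string $2 with cipher $1 (no padding), print the ciphertext as hex.
enc_hex() { printf '%s' "$2" | openssl enc -"$1" -K "$KEY" -iv "$IV" -nopad | hex; }

# Number of 16-byte ciphertext blocks that differ between plaintexts $2 and $3
# when both are encrypted with cipher $1.
diff_blocks() {
    a=$(enc_hex "$1" "$2"); b=$(enc_hex "$1" "$3"); n=0; i=0
    while [ "$i" -lt 4 ]; do
        s=$(( i * 32 + 1 )); e=$(( s + 31 ))   # 32 hex digits per block
        [ "$(printf '%s' "$a" | cut -c"$s"-"$e")" = \
          "$(printf '%s' "$b" | cut -c"$s"-"$e")" ] || n=$(( n + 1 ))
        i=$(( i + 1 ))
    done
    echo "$n"
}

# Decrypt CBC block $2 (0-based) of ciphertext file $1 on its own. The only
# inputs are that block and the previous ciphertext block (or the IV), which
# is why CBC decryption of many blocks can proceed in parallel.
decrypt_block() {
    if [ "$2" -eq 0 ]; then prev=$IV
    else prev=$(dd if="$1" bs=16 skip=$(( $2 - 1 )) count=1 2>/dev/null | hex); fi
    dd if="$1" bs=16 skip="$2" count=1 2>/dev/null |
        openssl enc -d -aes-256-cbc -K "$KEY" -iv "$prev" -nopad
}

CT=$(mktemp); trap 'rm -f "$CT"' EXIT
printf '%s' "$PT" | openssl enc -aes-256-cbc -K "$KEY" -iv "$IV" -nopad > "$CT"

# CBC encrypt: every later block changes, so block i cannot start before i-1.
echo "CBC blocks changed by a 1-byte edit in block 0: $(diff_blocks aes-256-cbc "$PT" "$PT2")"
# CTR: only the edited block changes, so blocks are independent of each other.
echo "CTR blocks changed by the same edit:            $(diff_blocks aes-256-ctr "$PT" "$PT2")"
echo "CBC block 2 decrypted alone: $(decrypt_block "$CT" 2)"
```
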