Crypto hw acceleration for openssl

Pawel Jakub Dawidek pjd at FreeBSD.org
Mon Apr 24 15:37:00 UTC 2006


On Mon, Apr 24, 2006 at 10:50:37AM -0400, Mike Tancsa wrote:
+> At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
+> >On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> >+> Winston Tsai <wtsai at hifn.com> wrote:
+> >+>  > I got roughly the same performance results when I use the openssl speed
+> >+>  > test with and without a hifn 7956 crypto card
+> >+>  > [...]
+> >+>  > Then I ran:
+> >+>  > Openssl speed des-cbc
+> >+>  > [...]
+> >+>  > My understanding is that openssl will detect the presence of an
+> >+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
+> >+>  > library.
+> >+>  > Did I miss something here?
+> >+>
+> >+> I don't know if the openssl speed test picks up the crypto-
+> >+> dev hardware automatically.  But ssh/scp definitely does.
+> >+>
+> >+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> >+> which accelerates AES encryption.  When the padlock(4)
+> >+> module is loaded (it contains the Nehemiah ACE support),
+> >+> ssh/scp performance is roughly doubled.  It's quite
+> >+> noticeable when transferring large files.
+> >+>
+> >+> Best regards
+> >+>    Oliver
+> >+>
+> >+> PS:  I can provide some benchmark numbers if interested.
+> >
+> >The problem is that OpenSSL doesn't know how to accelerate AES192 and
+> >AES256 with cryptodev. The patch which fixes this is available here:
+> >
+> >        http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
+> >
+> >PS. For AES128 cryptodev can be used without the patch.
+> 
+> 
+> If you use the padlock engine, you will also need the patch discussed in
+> 
+> http://cvs.openssl.org/chngview?cn=13061
+> 
+> http://sourceforge.net/mailarchive/message.php?msg_id=11419213
+> 
+> 
+> Without it, apps like openvpn will run into periodic crypto errors.

It depends which engine one is using. One can use openssl's 'padlock'
engine or 'cryptodev' engine which will use padlock(4) driver.
The first one is of course faster for use with OpenSSL as it doesn't go
to the kernel.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!