OpenSSL with hifn(4) (cryptodev)
Norikatsu Shigemura
nork at FreeBSD.org
Sun Aug 15 01:05:03 PDT 2004
sam, Mike Tancsa, Doug White! Thank you for hints!
On Tue, 3 Aug 2004 09:02:59 -0700
Sam Leffler <sam at errno.com> wrote:
> On Tuesday 03 August 2004 05:41 am, Norikatsu Shigemura wrote:
> > Hi sam!
> > I have two Soekris vpn1401 crypto accelerator cards. I installed
> > these to 4-stable machine and 5-current machine.
> ...
> > I confirmed `openssl speed -engine cryptodev', but it looks like it
> > does not work. Because 1st: same speed (before/after installing it),
> > 2nd: CPU loadavg is always high. So I consider that openssl didn't use
> > cryptodev. Do you have any idea?
> Look in /usr/src/tools/tools/crypto for the cryptostats and hifnstats
> programs; they will tell you if the h/w is operating correctly.
My friend Naoki Fukaumi and I investigated this
behavior. As a result, we confirmed that the h/w accelerator
works well, but with some limitations.
1. `openssl speed' is not so good:-(.
openssl speed -evp aes128(/des/3des) is good. I saw
*Giant and crydev in top(1).
2. /usr/src/tools/tools/crypto/cryptotest.c clarified the problem.
According to cryptotest (I tested ./cryptotest -z 1000),
hifn(4) (=vpn1401) supports des_cbc, 3des_cbc, aes_cbc,
aes192_cbc, aes256_cbc, md5_hmac and sha1_hmac. (Of course,
I saw ones in top(1))
3. I read /usr/src/crypto/openssl/crypto/engine/hw_cryptodev.c.
According to it, cryptodev engine supports des_cbc, 3des_cbc,
aes_cbc, blf_cbc, cast5_cbc, skipjack_cbc(?), sha1_hmac,
ripemd160_hmac, md5_kpdk(?), sha1_kpdk(?), md5 and sha1(?).
However, we can use these ciphers by cryptodev_usable_ciphers,
but cannot use these digests by cryptodev_usable_digests,
in hw_cryptodev.c. According to comments:
* XXXX just disable all digests for now, because it sucks.
* we need a better way to decide this - i.e. I may not
* want digests on slow cards like hifn on fast machines,
* but might want them on slow or loaded machines, etc.
* will also want them when using crypto cards that don't
* suck moose gonads - would be nice to be able to decide something
* as reasonable default without having hackery that's card dependent.
* of course, the default should probably be just do everything,
* with perhaps a sysctl to turn algoritms off (or have them off
* by default) on cards that generally suck like the hifn.
Hum..... By union set, so we can use only des_cbc, 3des_cbc
and aes_cbc.
[SEE ALSO] BenchMark1: openssl speed -elapsed -evp aes128
openssl speed -elapsed -evp des3
>>In 5-current with WITNESS
aes-128-cbc 33.20k 211.17k 1184.66k 2574.12k 4918.85k
des-ede3-cbc 70.37k 315.16k 901.09k 1643.15k 6840.56k
>>In 5-current w/o WITNESS
aes-128-cbc 324.79k 1264.01k 4650.77k 13378.57k 22098.25k
des-ede3-cbc 324.65k 1278.52k 4645.58k 13392.40k 22017.54k
>>In 4-stable
aes-128-cbc 462.81k 1795.23k 6329.75k 16686.62k 29833.64k
des-ede3-cbc 463.48k 1757.60k 1889.31k 16679.92k 29766.37k
>>In 5-current w/o WITNESS w/o hifn(4) (PentiumIII-M 1.0GHz x1)
aes-128-cbc 17732.99k 19308.65k 23740.17k 25805.46k 25179.36k
des-ede3-cbc 7347.27k 5895.96k 7762.44k 7755.75k 7824.37k
And also, I attached results of `./cryptotest -z 1000'.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptotest_-z_1000_with_witness.txt
Type: application/octet-stream
Size: 6216 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20040815/cd3f67a9/cryptotest_-z_1000_with_witness.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptotest_-z_1000_without_witness.txt
Type: application/octet-stream
Size: 6216 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20040815/cd3f67a9/cryptotest_-z_1000_without_witness.obj