OpenSSL with hifn(4) (cryptodev)

Norikatsu Shigemura nork at FreeBSD.org
Sun Aug 15 01:05:03 PDT 2004


	sam, Mike Tancsa, Doug White! Thank you for the hints!

On Tue, 3 Aug 2004 09:02:59 -0700
Sam Leffler <sam at errno.com> wrote:
> On Tuesday 03 August 2004 05:41 am, Norikatsu Shigemura wrote:
> > Hi sam!
> > 	I have two Soekris vpn1401 crypto accelerator cards.  I installed
> > 	these in a 4-stable machine and a 5-current machine.
> 	...
> > 	I checked `openssl speed -engine cryptodev', but it does not seem
> > 	to work, because 1st: the speed is the same (before/after installing
> > 	it), 2nd: CPU loadavg is always high. So I think that openssl didn't
> > 	use cryptodev.  Do you have any idea?
> Look in /usr/src/tools/tools/crypto for the cryptostats and hifnstats 
> programs; they will tell you if the h/w is operating correctly.

	My friend Naoki Fukaumi and I investigated this
	behavior.  As a result, we confirmed that the h/w accelerator
	works well, but with some limitations.

	1. `openssl speed' is not so good:-(.
	   openssl speed -evp aes128(/des/3des) is good.  I saw
	   *Giant and crydev in top(1).

	2. /usr/src/tools/tools/crypto/cryptotest.c clarified the problem.
	   According to cryptotest (I tested ./cryptotest -z 1000),
	   hifn(4) (=vpn1401) supports des_cbc, 3des_cbc, aes_cbc,
	   aes192_cbc, aes256_cbc, md5_hmac and sha1_hmac. (Of course,
	   I saw them in top(1).)

	3. I read /usr/src/crypto/openssl/crypto/engine/hw_cryptodev.c.
	   According to it, the cryptodev engine supports des_cbc, 3des_cbc,
	   aes_cbc, blf_cbc, cast5_cbc, skipjack_cbc(?), sha1_hmac,
	   ripemd160_hmac, md5_kpdk(?), sha1_kpdk(?), md5 and sha1(?).
	   However, we can use these ciphers via cryptodev_usable_ciphers,
	   but cannot use these digests via cryptodev_usable_digests,
	   in hw_cryptodev.c.  According to the comments:

	* XXXX just disable all digests for now, because it sucks.
	* we need a better way to decide this - i.e. I may not
	* want digests on slow cards like hifn on fast machines,
	* but might want them on slow or loaded machines, etc.
	* will also want them when using crypto cards that don't
	* suck moose gonads - would be nice to be able to decide something
	* as reasonable default without having hackery that's card dependent.
	* of course, the default should probably be just do everything,
	* with perhaps a sysctl to turn algoritms off (or have them off
	* by default) on cards that generally suck like the hifn.

	Hum.....  By union set, so we can use only des_cbc, 3des_cbc
	and aes_cbc.

[SEE ALSO] BenchMark1:  openssl speed -elapsed -evp aes128
			openssl speed -elapsed -evp des3
>>In 5-current with WITNESS
aes-128-cbc         33.20k      211.17k     1184.66k     2574.12k     4918.85k
des-ede3-cbc        70.37k      315.16k      901.09k     1643.15k     6840.56k

>>In 5-current w/o  WITNESS
aes-128-cbc        324.79k     1264.01k     4650.77k    13378.57k    22098.25k
des-ede3-cbc       324.65k     1278.52k     4645.58k    13392.40k    22017.54k

>>In 4-stable
aes-128-cbc        462.81k     1795.23k     6329.75k    16686.62k    29833.64k
des-ede3-cbc       463.48k     1757.60k     1889.31k    16679.92k    29766.37k

>>In 5-current w/o  WITNESS  w/o hifn(4) (PentiumIII-M 1.0GHz x1)
aes-128-cbc      17732.99k    19308.65k    23740.17k    25805.46k    25179.36k
des-ede3-cbc      7347.27k     5895.96k     7762.44k     7755.75k     7824.37k

	And also, I attached results of `./cryptotest -z 1000'.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptotest_-z_1000_with_witness.txt
Type: application/octet-stream
Size: 6216 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20040815/cd3f67a9/cryptotest_-z_1000_with_witness.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptotest_-z_1000_without_witness.txt
Type: application/octet-stream
Size: 6216 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20040815/cd3f67a9/cryptotest_-z_1000_without_witness.obj
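
A comparison of the benchmark rows above, as an added example that is not part of the original message: it parses the `openssl speed` rows for 5-current without WITNESS, with and without hifn(4), and reports from which block size the card beats the CPU. The block sizes (16 to 8192 bytes) are an assumption based on OpenSSL's usual column header, which the message does not show.

```python
import re

# Constructed sample: rows copied from the benchmark tables in the message above.
# Block sizes are an assumption: the column header is not shown there; OpenSSL's
# speed tool of that era reports 16/64/256/1024/8192-byte blocks.
BLOCK_SIZES = (16, 64, 256, 1024, 8192)

HIFN = """\
aes-128-cbc        324.79k     1264.01k     4650.77k    13378.57k    22098.25k
des-ede3-cbc       324.65k     1278.52k     4645.58k    13392.40k    22017.54k
"""
SOFTWARE = """\
aes-128-cbc      17732.99k    19308.65k    23740.17k    25805.46k    25179.36k
des-ede3-cbc      7347.27k     5895.96k     7762.44k     7755.75k     7824.37k
"""

ROW = re.compile(r"^(\S+)((?:\s+\d+(?:\.\d+)?k){%d})\s*$" % len(BLOCK_SIZES))

def parse_speed(text):
    """Return {cipher: {block_size: kB/s}} from `openssl speed` result rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers, blank lines and anything malformed
        rates = [float(v.rstrip("k")) for v in m.group(2).split()]
        table[m.group(1)] = dict(zip(BLOCK_SIZES, rates))
    return table

def offload_ratio(hw, sw):
    """hw/sw throughput ratio per cipher and block size (>1.0: the card wins)."""
    return {c: {b: hw[c][b] / sw[c][b] for b in BLOCK_SIZES}
            for c in hw if c in sw}

def break_even(ratios):
    """Smallest block size from which offload stays faster, or None."""
    result = {}
    for cipher, per_block in ratios.items():
        result[cipher] = None
        for b in reversed(BLOCK_SIZES):
            if per_block[b] <= 1.0:
                break
            result[cipher] = b
    return result

if __name__ == "__main__":
    ratios = offload_ratio(parse_speed(HIFN), parse_speed(SOFTWARE))
    for cipher, per_block in ratios.items():
        print(cipher, {b: round(r, 2) for b, r in per_block.items()})
    print(break_even(ratios))
```
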

