patch to improve AES-NI performance
John-Mark Gurney
jmg at funkthat.com
Fri Aug 23 20:51:26 UTC 2013
Dag-Erling Smrgrav wrote this message on Fri, Aug 23, 2013 at 21:30 +0200:
> John-Mark Gurney <jmg at funkthat.com> writes:
> > Mike Tancsa <mike at sentex.net> writes:
> > > John-Mark Gurney <jmg at funkthat.com> writes:
> > > > My patch would only effect userland applications that use /dev/crypto...
> > > For me its ssh which I think does, no ?
> > It looks like it uses OpenSSL for it's crypto, not /dev/crypto...
>
> It uses OpenSSL engines, which use /dev/crypto. This is why we had to
> turn off sandbox mode - a CRIOGET ioctl fails because the sandbox code
> sets RLIMIT_NOFILES to 0.
If it does use /dev/crypto via OpenSSL (see below), OpenSSL only uses
CBC mode, which means that only decryption will see any significant
performance improvement w/ my changes...
Also, how many people know to load the kernel module cryptodev and aesni
to use it? OpenSSL should use AES-NI natively instead of using the
cryptodev engine since it'll eliminate kernel calls, etc...
Hmm... looking at the source for openssl speed, it looks like it only
measures CBC encryption speed, not decryption speed, so you won't be
able to see the performance difference between encryption and
decryption for CBC mode...
I'm not sure that even if you set cryptodev engine on -HEAD that it
actually uses it... I just did a:
ktrace openssl speed -engine cryptodev aes-128-cbc
But this is part of the trace:
4377 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffff9ac0)
4377 openssl RET ioctl -1 errno 22 Invalid argument
4377 openssl CALL close(0x4)
4377 openssl RET close 0
4377 openssl CALL write(0x2,0x7fffffff9250,0x18)
4377 openssl GIO fd 2 wrote 24 bytes
"engine "cryptodev" set.
"
4377 openssl RET write 24/0x18
4377 openssl CALL sigaction(SIGALRM,0x7fffffff9b60,0x7fffffff9b40)
4377 openssl RET sigaction 0
4377 openssl CALL write(0x2,0x7fffffff9270,0x2c)
4377 openssl GIO fd 2 wrote 44 bytes
"Doing aes-128 cbc for 3s on 16 size blocks: "
4377 openssl RET write 44/0x2c
4377 openssl CALL setitimer(0,0x7fffffff9b70,0x7fffffff9b50)
4377 openssl RET setitimer 0
4377 openssl CALL getrusage(0,0x7fffffff9ab0)
4377 openssl RET getrusage 0
4377 openssl CALL getrusage(0xffffffff,0x7fffffff9ab0)
4377 openssl RET getrusage 0
4377 openssl PSIG SIGALRM caught handler=0x451550 mask=0x0 code=SI_KERNEL
4377 openssl CALL sigaction(SIGALRM,0x7fffffff9520,0x7fffffff9500)
4377 openssl RET sigaction 0
4377 openssl CALL sigreturn(0x7fffffff9580)
4377 openssl RET sigreturn JUSTRETURN
4377 openssl CALL getrusage(0,0x7fffffff9ab0)
4377 openssl RET getrusage 0
4377 openssl CALL getrusage(0xffffffff,0x7fffffff9ab0)
4377 openssl RET getrusage 0
4377 openssl CALL write(0x2,0x7fffffff9250,0x20)
4377 openssl GIO fd 2 wrote 32 bytes
"18712524 aes-128 cbc's in 2.99s
"
Shouldn't there be a whole host of ioctl's between the Doing print and
the x aes-128 cbc's print if it was doing cryptodev?
This does explain why the numbers w/ both engine cryptodev and w/o
(kernel module unloaded, so not possible to use) were similar...
> (trimming security@ from the cc: list as it's an alias for secteam@
> which is not the appropriate venue for this discussion.)
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-current
mailing list