/dev/crypto not being used in 12-STABLE
Xin LI
delphij at gmail.com
Thu Dec 6 23:38:24 UTC 2018
On Thu, Dec 6, 2018 at 3:24 PM John Nielsen <lists at jnielsen.net> wrote:
>
> > On Dec 6, 2018, at 4:04 PM, Xin LI <delphij at gmail.com> wrote:
> >
> > On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <lists at jnielsen.net> wrote:
> >>
> >> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
> >>
> >> # fuser /dev/crypto
> >> /dev/crypto:
> >>
> >> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
> >>
> >> Is anyone else seeing this? Any idea what would cause it?
> >
> > Your average OpenSSL applications should not use /dev/crypto, if your
> > goal is to utilize AES-NI (which does not require /dev/crypto). On
> > capable systems, AES-NI would be used automatically (and it's faster
> > this way).
>
> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh? I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base openssl was made.
You can disable the use of AES by passing environment variable
OPENSSL_ia32cap and compare the speed, e.g.:
OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc
(disabled bit 57, or ~0x200000000000000 means to disable the AES-NI
capability bit).
On most systems, using AES-NI is about twice fast, personally I don't
really see a reason why people would want to disable it in production
(even for security reasons), though, but yes there is an option.
Cheers,
More information about the freebsd-stable
mailing list