/dev/crypto not being used in 12-STABLE

Jung-uk Kim jkim at FreeBSD.org
Fri Dec 7 00:05:31 UTC 2018

On 18. 12. 6., John Nielsen wrote:
>> On Dec 6, 2018, at 4:04 PM, Xin LI <delphij at gmail.com> wrote:
>> On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <lists at jnielsen.net> wrote:
>>> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
>>> # fuser /dev/crypto
>>> /dev/crypto:
>>> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
>>> Is anyone else seeing this? Any idea what would cause it?
>> Your average OpenSSL applications should not use /dev/crypto, if your
>> goal is to utilize AES-NI (which does not require /dev/crypto).  On
>> capable systems, AES-NI would be used automatically (and it's faster
>> this way).
> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh?
> I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base
> openssl was made.

OpenSSL 1.1.1 removed the old cryptodev:


Instead, OpenSSL added devcrypto engine for Linux:


and added BSD support:


then, completely removed BSD-specific cryptodev:


However, it is disabled by default.  Theoretically, it is functionally
equivalent but it wasn't tested much.

I can enable the new engine on head if many users request it.

Jung-uk Kim

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20181206/011cc9be/attachment.sig>

More information about the freebsd-stable mailing list