Re: Crypto hw acceleration for openssl

At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> Winston Tsai <wtsai@xxxxxxxx> wrote:
+> > I got roughly the same performance results when I use the openssl speed
+> > test with and without a hifn 7956 cryto card
+> > [...]
+> > Then I ran:
+> > Openssl speed des-cbc
+> > [...]
+> > My understanding is that openssl will detect the presence of an
+> > accelerator card and use it (via \dev\crypto) instead of the crypto
+> > library.
+> > Did I miss something here?
+>
+> I don't know if the openssl speed test picks up the crypto-
+> dev hardware automatically. But ssh/scp definitely does.
+>
+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> which accelerates AES encryption. When the padlock(4)
+> module is loaded (it contains the Nehemiah ACE support),
+> ssh/scp performance is roughly doubled. It's quite
+> noticeable when transfering large files.
+>
+> Best regards
+> Oliver
+>
+> PS: I can provide some benchmark numbers if interested.

The problem is that OpenSSL don't know how to accelerate AES192 and
AES256 with cryptodev. The patch which fix this is available here:

http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch

PS. For AES128 cryptodev can be used without the patch.


If you use the padlock engine, you will also need the patch discussed in

http://cvs.openssl.org/chngview?cn=13061

http://sourceforge.net/mailarchive/message.php?msg_id=11419213


Without it, apps like openvpn will running into periodic crypto errors.

---Mike


begin 644 patch
M+2TM(&5N9U]P861L;V-K+F,),C`P-2\P-"\P-"`Q-SHP-3HP-@DQ+C$R"BLK
M*R!E;F=?<&%D;&]C:RYC"3(P,#4O,#0O,30@,#<Z-#$Z,CD),2XQ,PI`0"`M
M,SDU+#$P("LS.34L,3`@0$`*("():FYC"3%F7&XB"B`B"6-M<`DE,BPE,5QN
M(@H@(@EJ90DQ9EQN(@HM(@EM;W8))3(L)3!<;B(*("()<&]P9FQ<;B(*("()
M<W5B"20T+"4E97-P7&XB"BTB,3H)861D"20T+"4E97-P(@HK(C$Z"6%D9`DD
M-"PE)65S<%QN(@HK(@EM;W8))3(L)3`B"B`).B(K;2(H<&%D;&]C:U]S879E
M9%]C;VYT97AT*0H@"3H@(G(B*'!A9&QO8VM?<V%V961?8V]N=&5X="DL(")R
M(BAC9&%T82D@.B`B8V,B*3L*('T*0$`@+34R,2PQ,"`K-3(Q+#$P($!`"B`)
M"6IN8PES:VEP"B`)"6-M<`EE8W@L<&%D;&]C:U]S879E9%]C;VYT97AT"B`)
M"6IE"7-K:7`*+0D);6]V"7!A9&QO8VM?<V%V961?8V]N=&5X="QE8W@*(`D)
M<&]P9F0*(`D)<W5B"65S<"PT"B`)<VMI<#H)861D"65S<"PT"BL)"6UO=@EP
B861L;V-K7W-A=F5D7V-O;G1E>'0L96-X"B`)"7T*('T*"@``
`
end

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Crypto hw acceleration for openssl
    ... +>> test with and without a hifn 7956 cryto card ... +> which accelerates AES encryption. ... For AES128 cryptodev can be used without the patch. ...
    (FreeBSD-Security)
  • Re: Crypto hw acceleration for openssl
    ... For AES128 cryptodev can be used without the patch. ... It depends which engine one is using. ... The first one is of course faster for use with OpenSSL as it doesn't go ...
    (FreeBSD-Security)
  • Re: ZFS patches.
    ... Pawel Jakub Dawidek wrote: ... I have updated a test machine with the patch. ... I am now getting back "kmem_map too small" panics within a few minutes of cvs update of ports. ...
    (freebsd-current)
  • Re: jail getfsstat patches.
    ... On Fri, 2 Jul 2004, Pawel Jakub Dawidek wrote: ... To people who will backport: do not forget to also patch usr.sbin/jail ... didn't review linux-compat or alpha and didn't test freebsd4_compat. ...
    (freebsd-current)
  • Re: panic: g_read_data(): invalid length 0
    ... +> Pawel Jakub Dawidek wrote: ... +>> +> Sad to say, with your patch, CD devices are disappeared. ... +>> Hmm, even if there is a CD inside? ...
    (freebsd-current)