On Monday, 23 October 2023 08:29:26 BST Dale wrote:
> I been working on the speed problem again.  I rebuilt the kernel on
> fireball and I think some changes made a huge change.  This is the
> results from fireball now:
>
>
> root@fireball / # cryptsetup benchmark
> # Tests are approximate using memory only (no storage IO).
> PBKDF2-sha1       931239 iterations per second for 256-bit key
> PBKDF2-sha256    1356501 iterations per second for 256-bit key
> PBKDF2-sha512     972705 iterations per second for 256-bit key
> PBKDF2-ripemd160  648871 iterations per second for 256-bit key
> PBKDF2-whirlpool  362077 iterations per second for 256-bit key
> argon2i       5 iterations, 1048576 memory, 4 parallel threads (CPUs)
> for 256-bit key (requested 2000 ms time)
> argon2id      4 iterations, 1048576 memory, 4 parallel threads (CPUs)
> for 256-bit key (requested 2000 ms time)
> #     Algorithm |       Key |      Encryption |      Decryption
>         aes-cbc        128b       570.8 MiB/s      2045.6 MiB/s
>     serpent-cbc        128b        91.1 MiB/s       310.0 MiB/s
>     twofish-cbc        128b       198.7 MiB/s       218.9 MiB/s
>         aes-cbc        256b       428.8 MiB/s      1670.4 MiB/s
>     serpent-cbc        256b        91.6 MiB/s       309.5 MiB/s
>     twofish-cbc        256b       199.8 MiB/s       219.2 MiB/s
>         aes-xts        256b      1821.2 MiB/s      1767.1 MiB/s
>     serpent-xts        256b       265.9 MiB/s       270.2 MiB/s
>     twofish-xts        256b       201.0 MiB/s       204.2 MiB/s
>         aes-xts        512b      1440.0 MiB/s      1445.9 MiB/s
>     serpent-xts        512b       265.0 MiB/s       257.2 MiB/s
>     twofish-xts        512b       198.2 MiB/s       201.6 MiB/s
> root@fireball / #
>
>
> As you can see, aes-cbc is fast now and I think that is what cryptsetup
> uses.  It used to be really slow I think.

Yep, it was many times slower with your previous kernel.  Now it will
saturate your 1Gbps network link, as long as the other box can take it.

> Now on to the nas box.  I've recompiled the kernel with some added
> options.  Still, it refuses to speed up.  I kinda think it is the CPU
> lacking support for encryption.  I'm asking others just in case I'm
> missing something.

No, you're not missing anything, although in a previous message you had
posted a benchmark result for the Phenom performance being around 4 times
higher than what you show below.

As I mentioned then, the Phenom CPU does not have AES-NI crypto hardware
acceleration.  It is a rather old CPU.  Assuming the MoBo has the latest
OEM firmware and you have also added microcode in your kernel
(CONFIG_MICROCODE_AMD=y), then probably that's all it can do.  Small
optimisations may show up between kernel releases, yet again patches to
address CPU vulnerabilities (retpoline?) could make things a bit worse.

> Also, fireball uses an older kernel, 5.14 or so.  The
> nas box uses 6.1 or so.  The menus are different and that is why it is
> hard to get them to match up.  I may have missed something.  This is the
> benchmark from nas box.

You can diff previous and current kernel config files to see what has
changed.  For the crypto settings you can grep for AES and for CRYPT to
make sure you have not left out what you'd need for disk encryption.

> nas ~ # cryptsetup benchmark
> # Tests are approximate using memory only (no storage IO).
> PBKDF2-sha1       700919 iterations per second for 256-bit key
> PBKDF2-sha256     924670 iterations per second for 256-bit key
> PBKDF2-sha512     729190 iterations per second for 256-bit key
> PBKDF2-ripemd160  517559 iterations per second for 256-bit key
> PBKDF2-whirlpool  359593 iterations per second for 256-bit key
> argon2i       4 iterations, 1048576 memory, 4 parallel threads (CPUs)
> for 256-bit key (requested 2000 ms time)
> argon2id      4 iterations, 1048576 memory, 4 parallel threads (CPUs)
> for 256-bit key (requested 2000 ms time)
> #     Algorithm |       Key |      Encryption |      Decryption
>         aes-cbc        128b        63.6 MiB/s        41.6 MiB/s
>     serpent-cbc        128b        81.0 MiB/s       212.4 MiB/s
>     twofish-cbc        128b       192.5 MiB/s       222.1 MiB/s
>         aes-cbc        256b        47.5 MiB/s        30.0 MiB/s
>     serpent-cbc        256b        81.2 MiB/s       212.7 MiB/s
>     twofish-cbc        256b       192.3 MiB/s       221.9 MiB/s
>         aes-xts        256b        65.9 MiB/s        41.6 MiB/s
>     serpent-xts        256b       201.7 MiB/s       205.7 MiB/s
>     twofish-xts        256b       216.2 MiB/s       214.5 MiB/s
>         aes-xts        512b        48.8 MiB/s        30.0 MiB/s
>     serpent-xts        512b       202.7 MiB/s       205.6 MiB/s
>     twofish-xts        512b       216.4 MiB/s       214.0 MiB/s
> nas ~ #

How does your aes-xts 30.0 MiB/s shown above compare with your previous
benchmark result?  I'm sure it was quite higher than this.

> I seem to recall it being said that the old CPU in the nas box lacks the
> aes instruction set.  This is a list of the CPU flags from the nas box.
>
>
> nas ~ # cpuid2cpuflags
> CPU_FLAGS_X86: 3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a
> nas ~ #
>
>
> The aes shows up on fireball.  It does not on the nas box.  Is the speed
> above as good as I can expect with this older CPU?  I can include the
> kernel config if needed.  If you know what driver you are looking for,
> let me know what to grep for.  If not sure, I can attach the config file.
>
> Is this it?  Is this as fast as this old CPU can get?

More or less.  You could try serpent-xts, or twofish-xts to improve
performance, but since you're about to change your main PC you can retire
the Phenom and use fireball in its place.
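
The config comparison and CPU flag check suggested in the reply above, as an added example that is not part of the original message. The function names and the two config fragments are constructed for illustration; the flag list is the nas box output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). The config fragments are constructed;
# NAS_FLAGS is the cpuid2cpuflags output quoted in the message.
LC_ALL=C; export LC_ALL

# Print enabled (=y or =m) options whose name contains AES or CRYPT, sorted.
crypto_opts() {
    grep -E '^CONFIG_[A-Z0-9_]*(AES|CRYPT)[A-Z0-9_]*=[ym]$' "$1" | cut -d= -f1 | sort
}

# Print crypto options enabled in config $1 but not enabled in config $2.
missing_in_new() {
    a=$(mktemp) b=$(mktemp)
    crypto_opts "$1" > "$a"
    crypto_opts "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed only if "aes" appears as a whole word in the flag list $1.
has_aes_flag() {
    case " $1 " in *" aes "*) return 0 ;; *) return 1 ;; esac
}

# Write two constructed config fragments into directory $1.
write_samples() {
    cat > "$1/old.config" <<'EOF'
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_TWOFISH_X86_64=m
EOF
    cat > "$1/new.config" <<'EOF'
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_NI_INTEL is not set
CONFIG_CRYPTO_XTS=m
# CONFIG_CRYPTO_TWOFISH_X86_64 is not set
EOF
}

NAS_FLAGS="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a"
tmp=$(mktemp -d)
write_samples "$tmp"
echo "Enabled before, missing now:"
missing_in_new "$tmp/old.config" "$tmp/new.config"
has_aes_flag "$NAS_FLAGS" || echo "nas: no aes CPU flag, AES runs in software"
rm -rf "$tmp"
```

On a real system, pass the two saved kernel config files to `missing_in_new` and the flags line from /proc/cpuinfo to `has_aes_flag`.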