Hi,
On 24/07/15 10:40, li yuqian wrote:
Hi,
I am working on try use the cryptodev hardware accelerator in Openvpn,
i know this question is belong to user list, but i got confused for
the issue, so, i think maybe need developer to help :)
I have two boards, one is Freescale LS1021a ARM cpu, another one is
INTEL E3815 cpu, both of them i can enable the cryptodev hardware
accelerator, and tested them in openssl, it working good when enabled
the cryptodev, i can got about 72 times performance improved with
command "openssl speed -evp aes-128-cbc", here is a INTEL cpu test result
----------
with cryptodev support:
----------
root@ubuntu:/etc/openvpn# /usr/local/ssl/bin/openssl speed -evp
aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 1324358 aes-128-cbc's in 0.47s
Doing aes-128-cbc for 3s on 64 size blocks: 986320 aes-128-cbc's in 0.33s
Doing aes-128-cbc for 3s on 256 size blocks: 487522 aes-128-cbc's in 0.19s
Doing aes-128-cbc for 3s on 1024 size blocks: 157636 aes-128-cbc's in
0.05s
Doing aes-128-cbc for 3s on 8192 size blocks: 22318 aes-128-cbc's in 0.01s
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial)
idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS
-Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes
8192 bytes
aes-128-cbc 45084.53k 191286.30k 656871.75k 3228385.28k
18282905.60k
root@ubuntu:/etc/openvpn#
----------
without cryptodev support:
----------
root@ubuntu:/etc/openvpn# /usr/local/ssl/bin/openssl speed -evp
aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 29624370 aes-128-cbc's in
2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 10070739 aes-128-cbc's in
3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 2846673 aes-128-cbc's in
3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 735685 aes-128-cbc's in
3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 92783 aes-128-cbc's in 3.00s
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial)
idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS
-Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes
8192 bytes
aes-128-cbc 158525.06k 214128.67k 242916.10k 250279.55k
253359.45k
----------
it was got big improved with cryptodev hardware accelerator you can
see from above shows
but when i configured and compiled Openvpn with HAVE_OPENSSL_ENGINE
supported, and i can make sure Openvpn can working with cryptodev ?
------
root@ubuntu:/etc/openvpn# /opt/openvpn/sbin/openvpn --show-engines
OpenSSL Crypto Engines
BSD cryptodev engine [cryptodev]
Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
IBM 4758 CCA hardware engine support [4758cca]
Aep hardware engine support [aep]
Atalla hardware engine support [atalla]
CryptoSwift hardware engine support [cswift]
CHIL hardware engine support [chil]
Nuron hardware engine support [nuron]
SureWare hardware engine support [sureware]
UBSEC hardware engine support [ubsec]
Reference implementation of GOST engine [gost]
-------
what kind of hardware cryptodev accelerator is on the Intel board? how
did you enable it in openssl ?
from the numbers you post I can see that there must be some external
accelerator which is not part of the CPU.
OpenVPN can be made to use such accelerators but you must load the
engine in OpenVPN in the right manner - which of the engines are using
for your openssl test? what does
openssl engine -c -t
report?
JJK