Hi,

On 25/07/15 03:06, li yuqian wrote:
Hi JJK,

thanks for your reply.

>>what kind of hardware cryptodev accelerator is on the Intel board?
We don't have an extra accelerator in the Intel board; I just enabled cryptodev in the kernel and installed cryptodev-linux-1.7.tar.gz, then I got improved performance in the openssl test. But I believe the cryptodev must be called CPU hardware encryption accelerator. Here is my kernel configuration:


ah OK; I've grabbed a copy, built and installed it on 2 servers and ran some tests: I get similar figures for 'openssl speed' but those numbers are artificial, i.e. they do not reflect true performance of the system. According to the site http://cryptodev-linux.org/index.html I should be getting some improvement but not *that* much.

I've built and linked openvpn against openssl 1.0.2d with the cryptodev engine enabled:

export OPENSSL_SSL_CFLAGS="-I/home/janjust/src/openssl-1.0.2d/include"
export OPENSSL_SSL_LIBS="-L/home/janjust/src/openssl-1.0.2d -lssl -ldl"
export OPENSSL_CRYPTO_CFLAGS="-I/home/janjust/src/openssl-1.0.2d/include"
export OPENSSL_CRYPTO_LIBS="-L/home/janjust/src/openssl-1.0.2d -lcrypto -ldl"
./configure
make

Now I can run openvpn with cryptodev support enabled:

/home/janjust/src/openvpn-2.3.7-cryptodev/src/openvpn/openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun --secret secret.key --cipher aes-256-cbc --engine cryptodev
Mon Jul 27 00:27:29 2015 OpenVPN 2.3.7 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 27 2015
Mon Jul 27 00:27:29 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.03
Mon Jul 27 00:27:29 2015 Initializing OpenSSL support for engine 'cryptodev'
....


and performance is ~ 10% higher in one direction, and actually lower in the opposite direction.


On 25/07/15 03:06, li yuqian wrote:
Hi Gert,

thanks for your reply

>>as our way to do --daemon wasn't compatible with cryptodev...
do you mean it is suggested in daemon mode when running openvpn with cryptodev?

Gert's comment was about FreeBSD cryptodev support ... on Linux openvpn 2.3.7 builds and runs just fine.

Also, I found a post that said OpenVPN's support for cryptodev is not good, as OpenVPN needs to do a lot of work copying data to/from user space to kernel: "However the user-to-kernel and kernel-to-user copying of packets (context switches) is the bottleneck. The OpenVPN speed gets capped long before the crypto accel would make a difference. It's only useful for pure Kernel based VPNs like IPSec or L2TP." (source https://forum.openwrt.org/viewtopic.php?id=19586)



this is partly true - openvpn minimizes the user-to-kernel and kernel-to-user copying of packets but it does happen and yes this is indeed the bottleneck. There is little we can do about this, although other tools such as vtun get slightly better performance.

My 2 servers are hooked up over gigabit ethernet, with iperf giving a nice and stable 960 Mbps without a VPN in both directions. With openvpn and with all crypto turned off, performance drops to 350 Mbps in one direction, 370 in the other. This is due mostly to the *clockspeed* of the CPUs used (2 Xeon E5s, one is running at 2.0 GHz). If I hook up two 3.0+ GHz CPUs then openvpn without crypto will give me ~900 Mbps both ways (and with aes-256 crypto I still get a decent 560 Mbps).

What figures do you get when running openvpn with
  --cipher none --auth none
?


HTH,

JJK


-----
CONFIG_CRYPTO=y

#
# Crypto core or helper
#
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_PCOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
# CONFIG_CRYPTO_USER is not set
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
# CONFIG_CRYPTO_GF128MUL is not set
# CONFIG_CRYPTO_NULL is not set
# CONFIG_CRYPTO_PCRYPT is not set
CONFIG_CRYPTO_WORKQUEUE=y
# CONFIG_CRYPTO_CRYPTD is not set
# CONFIG_CRYPTO_MCRYPTD is not set
CONFIG_CRYPTO_AUTHENC=y
# CONFIG_CRYPTO_TEST is not set

#
# Authenticated Encryption with Associated Data
#
CONFIG_CRYPTO_CCM=y
# CONFIG_CRYPTO_GCM is not set
CONFIG_CRYPTO_SEQIV=y

#
# Block modes
#
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
# CONFIG_CRYPTO_CTS is not set
# CONFIG_CRYPTO_ECB is not set
# CONFIG_CRYPTO_LRW is not set
# CONFIG_CRYPTO_PCBC is not set
# CONFIG_CRYPTO_XTS is not set

#
# Hash modes
#
# CONFIG_CRYPTO_CMAC is not set
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set
# CONFIG_CRYPTO_VMAC is not set
#
# Digest
#
CONFIG_CRYPTO_CRC32C=y
# CONFIG_CRYPTO_CRC32C_INTEL is not set
# CONFIG_CRYPTO_CRC32 is not set
# CONFIG_CRYPTO_CRC32_PCLMUL is not set
# CONFIG_CRYPTO_CRCT10DIF is not set
# CONFIG_CRYPTO_GHASH is not set
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=y
# CONFIG_CRYPTO_MICHAEL_MIC is not set
# CONFIG_CRYPTO_RMD128 is not set
# CONFIG_CRYPTO_RMD160 is not set
# CONFIG_CRYPTO_RMD256 is not set
# CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_SHA1_SSSE3 is not set
# CONFIG_CRYPTO_SHA256_SSSE3 is not set
# CONFIG_CRYPTO_SHA512_SSSE3 is not set
# CONFIG_CRYPTO_SHA1_MB is not set
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
# CONFIG_CRYPTO_ANSI_CPRNG is not set
# CONFIG_CRYPTO_DRBG_MENU is not set
# CONFIG_CRYPTO_USER_API_HASH is not set
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
CONFIG_CRYPTO_HW=y
# CONFIG_CRYPTO_DEV_PADLOCK is not set
# CONFIG_CRYPTO_DEV_CCP is not set
CONFIG_CRYPTO_DEV_QAT=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
# CONFIG_ASYMMETRIC_KEY_TYPE is not set
CONFIG_HAVE_KVM=y
CONFIG_VIRTUALIZATION=y
# CONFIG_KVM is not set
CONFIG_BINARY_PRINTF=y
-----
>>how did you enable it in openssl ?
I used openssl-1.0.2d and manually compiled it with "./config -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS"
----
root@ubuntu:/usr/src# /usr/local/ssl/bin/openssl engine
(cryptodev) BSD cryptodev engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine
----

>>from the numbers you post I can see that there must be some external accelerator which is not part of the CPU.
there is no external accelerator, i just enable the hardware cryptodev in kernel and compiled and installed cryptodev-linux-1.7.tar.gz then insert the cryptodev.ko in test.

>>OpenVPN can be made to use such accelerators but you must load the engine in OpenVPN in the right manner - which of the engines are using for your openssl test? what does
  openssl engine -c -t
report?

I think so, but why can't cryptodev work properly? I am confused :( . I just enabled cryptodev.ko in the test, and openssl engine -c -t shows the following:
-------
root@ubuntu:/usr/src# /usr/local/ssl/bin/openssl engine -c -t
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
 [RSA, RAND]
     [ unavailable ]
(aep) Aep hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
(atalla) Atalla hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
(cswift) CryptoSwift hardware engine support
 [RSA, DSA, DH, RAND]
     [ unavailable ]
(chil) CHIL hardware engine support
 [RSA, DH, RAND]
     [ unavailable ]
(nuron) Nuron hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
(sureware) SureWare hardware engine support
 [RSA, DSA, DH, RAND]
     [ unavailable ]
(ubsec) UBSEC hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
(gost) Reference implementation of GOST engine
 [gost89, gost89-cnt, md_gost94, gost-mac, gost94, gost2001, gost-mac]
     [ available ]
root@ubuntu:/usr/src#
----
Any suggestions? I really need to get openvpn working :(

Yuqian
------------------------------------------------------------------------
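
An added example, not code from this thread or from the OpenVPN or OpenSSL projects: a shell function that reads `openssl engine -c -t` output in the format quoted above and reports whether a named engine is available and advertises the cipher given to `--cipher`. The names `engine_check` and `sample_output` are hypothetical and the sample is abbreviated from the output in the thread; a result of `ok` only confirms the engine can be loaded for that cipher and says nothing about throughput.

```shell
#!/bin/sh
# Constructed sample, abbreviated from the `openssl engine -c -t` output
# quoted in the thread.
sample_output() {
cat <<'EOF'
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(aep) Aep hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
EOF
}

# engine_check ENGINE CIPHER (hypothetical helper)
# Reads `openssl engine -c -t` output on stdin and prints one of:
#   ok | not-listed | unavailable | cipher-missing
# Real use: openssl engine -c -t | engine_check cryptodev aes-256-cbc
engine_check() {
  awk -v eng="$1" -v want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
    /^\(/ {                              # "(id) description" starts an engine
      cur = substr($1, 2, length($1) - 2)
      if (cur == eng) seen = 1
      next
    }
    cur != eng { next }                  # ignore lines of other engines
    /^ *\[ (un)?available \] *$/ {       # status line from -t
      status = ($2 == "available") ? "up" : "down"
      next
    }
    /^ *\[.*\] *$/ {                     # capability list from -c
      line = $0
      gsub(/\[|\]| /, "", line)
      n = split(line, caps, ",")
      for (i = 1; i <= n; i++) if (toupper(caps[i]) == want) has = 1
    }
    END {
      if (!seen)               print "not-listed"
      else if (status != "up") print "unavailable"
      else if (!has)           print "cipher-missing"
      else                     print "ok"
    }'
}
```
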


