Re: [Soekris] Hardware crypto acceleration on Debian
On Mon, 18 Apr 2011 17:20:29 -0400, Michael Proto wrote:

Hi,

> With the speed of the Geode CPU in a 5501, you'd likely not see a
> significant (if any) improvement in speed when using userland programs
> like OpenSSL with onboard crypto accelerators. The context-switch from
> userland to kernel for the crypto processing will be much more
> expensive than the crypto itself. I ran some old benchmarks of the
> crypto processor in the Geode LX (can't seem to find them now), but
> with a patched OpenSSL I didn't see any real improvement versus
> letting software do the whole thing.

It depends on the size of the data to crypt; with the Geode crypto device there is an improvement (from 3 MBytes to 5 MB) using sftp or scp. And the load is much lower than with software crypto. Same if you use "openssl enc". The benefit starts with a block around 256 octets.

IMHO the Geode LX is slow.

Regards.

___
Soekris-tech mailing list
Soekris-tech@lists.soekris.com
http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] Hardware crypto acceleration on Debian
On Wed, Apr 20, 2011 at 11:13:55AM -0400, Guillaume Filion wrote:
> # openssl speed -evp aes-128-cbc
> type                 16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
> aes-128-cbc         65098.13k    92264.00k   410205.87k  5833523.20k  7599923.20k

Something definitely seems horribly wrong, as that vastly exceeds the system's memory bandwidth.

Mike Stone
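Added example, not part of the original thread: a sanity check along the lines raised above, parsing `openssl speed` rows posted in this thread, flagging rates above a plausibility ceiling, and setting the benchmark speedup beside the OpenVPN figures reported in the thread. The ceiling value and the function names are assumptions made for this example.

```python
import re

# Constructed sample input: rows copied from the `openssl speed` output posted
# in this thread (columns are fused in places, exactly as archived).
HEADER = "type 16 bytes 64 bytes256 bytes 1024 bytes 2048 bytes"
QUOTED = "aes-128-cbc 65098.13k92264.00k 410205.87k 5833523.20k 7599923.20k"
SOFTWARE = "aes-128-cbc 36964.11k41779.20k42427.73k43808.58k43897.02k"
CRYPTODEV = "aes-128-cbc 68509.33k 197297.60k 856507.73k 3002009.60k 7761920.00k"

# Assumption: plausibility ceiling in bytes/s. Replace it with the memory
# bandwidth measured on the board under test; 3.2e9 is not from the thread.
ASSUMED_CEILING_BPS = 3.2e9


def parse_sizes(header):
    """Block sizes from the header line, tolerant of fused columns."""
    return [int(n) for n in re.findall(r"(\d+) bytes", header)]


def parse_rates(row):
    """Throughput per column in bytes/s (openssl prints 1000s of bytes/s)."""
    return [float(v) * 1000 for v in re.findall(r"(\d+\.\d+)k", row)]


def flag_implausible(header, row, ceiling=ASSUMED_CEILING_BPS):
    """Map block size -> True when the reported rate exceeds the ceiling."""
    sizes, rates = parse_sizes(header), parse_rates(row)
    if len(sizes) != len(rates):
        raise ValueError("column count mismatch; check the pasted output")
    return {size: rate > ceiling for size, rate in zip(sizes, rates)}


def speedups(header, baseline_row, engine_row):
    """Map block size -> engine/baseline ratio, rounded to one decimal."""
    sizes = parse_sizes(header)
    pairs = zip(parse_rates(baseline_row), parse_rates(engine_row))
    return {size: round(e / b, 1) for size, (b, e) in zip(sizes, pairs)}


if __name__ == "__main__":
    print("quoted row over ceiling:", flag_implausible(HEADER, QUOTED))
    print("benchmark speedup:", speedups(HEADER, SOFTWARE, CRYPTODEV))
    # OpenVPN figures from the thread: 15 Mbit/s software, 20 Mbit/s cryptodev.
    print("OpenVPN speedup:", round(20 / 15, 2))
```

By default `openssl speed` divides by user CPU time, which work offloaded to the kernel barely consumes; its `-elapsed` option switches the divisor to wall-clock time.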
Re: [Soekris] Hardware crypto acceleration on Debian
To add to the test data, in the 0.7 branch of AstLinux.

http://www.astlinux.org/
http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/0.7/

All tests on a net5501-70, Linux Kernel 2.6.27.xx, these modules are loaded:
--
geode-aes
ocf
cryptosoft
cryptodev
--

# modprobe -r cryptosoft
# openssl speed -evp aes-128-cbc
--
type                 16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc         36964.11k    41779.20k    42427.73k    43808.58k    43897.02k
--

# modprobe cryptosoft
# openssl speed -evp aes-128-cbc -engine cryptodev
--
type                 16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc         68509.33k   197297.60k   856507.73k  3002009.60k  7761920.00k
--

Now for the REAL world, and OpenVPN on a net5501-70

1) No acceleration, AES-128-CBC, about 15 Mbits/sec (ie. "cryptosoft" module not loaded)

2) CryptoDEV, AES-128-CBC, about 20 Mbits/sec (ie. "cryptosoft" module loaded)

3) No acceleration, No Encryption, about 26 Mbits/sec

It was over two years ago when I did the OpenVPN tests, so don't ask me how I did it, but assume it was 'fair'. :-)

Lonnie

On Apr 20, 2011, at 10:13 AM, Guillaume Filion wrote:

> As a follow-up, I talked with Andreas Steinel who did compile OCF-Linux
> on his net5501 back in the summer of 2008 (kernel 2.6.25.10).
>
> He didn't have a vpn1411 card but the numbers for the geode aes
> acceleration are very impressive (likely too good to be true -- Andreas
> told me that he wasn't able to see this speedup on his OpenVPN setup):
>
> # openssl engine
> (cryptodev) BSD cryptodev engine
> (padlock) VIA PadLock (no-RNG, no-ACE)
> (dynamic) Dynamic engine loading support
>
> # openssl speed -evp aes-128-cbc -engine dynamic
> type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc          7091.41k    10286.25k    11557.60k    12058.76k    12157.67k
>
> # openssl speed -evp aes-128-cbc
> type                 16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
> aes-128-cbc         65098.13k    92264.00k   410205.87k  5833523.20k  7599923.20k
>
> Here is more info from Andreas:
> -
> I also had to patch openssl and wrote the following md5sums down:
>
> d3afc44792abe1fbbf8281ffa6fbcbce openssl_0.9.8g-10.1.diff.gz
> acf70a16359bf3658bdfb74bda1c4419 openssl_0.9.8g.orig.tar.gz
> 749305c08ddeeb45df7f3c754c4a1eff openssl-0.9.8g.patch
> (From the ocf-linux-20080704 folder)
>
> I built the following debian packages out of it:
> libcrypto0.9.8-udeb_0.9.8g-10.2_i386.udeb
> libssl0.9.8_0.9.8g-10.2_i386.deb
> libssl0.9.8-dbg_0.9.8g-10.2_i386.deb
> libssl-dev_0.9.8g-10.2_i386.deb
> openssl_0.9.8g-10.2_i386.deb
Re: [Soekris] Hardware crypto acceleration on Debian
As a follow-up, I talked with Andreas Steinel who did compile OCF-Linux on his net5501 back in the summer of 2008 (kernel 2.6.25.10).

He didn't have a vpn1411 card but the numbers for the geode aes acceleration are very impressive (likely too good to be true -- Andreas told me that he wasn't able to see this speedup on his OpenVPN setup):

# openssl engine
(cryptodev) BSD cryptodev engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support

# openssl speed -evp aes-128-cbc -engine dynamic
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc          7091.41k    10286.25k    11557.60k    12058.76k    12157.67k

# openssl speed -evp aes-128-cbc
type                 16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc         65098.13k    92264.00k   410205.87k  5833523.20k  7599923.20k

Here is more info from Andreas:
-
I also had to patch openssl and wrote the following md5sums down:

d3afc44792abe1fbbf8281ffa6fbcbce openssl_0.9.8g-10.1.diff.gz
acf70a16359bf3658bdfb74bda1c4419 openssl_0.9.8g.orig.tar.gz
749305c08ddeeb45df7f3c754c4a1eff openssl-0.9.8g.patch
(From the ocf-linux-20080704 folder)

I built the following debian packages out of it:
libcrypto0.9.8-udeb_0.9.8g-10.2_i386.udeb
libssl0.9.8_0.9.8g-10.2_i386.deb
libssl0.9.8-dbg_0.9.8g-10.2_i386.deb
libssl-dev_0.9.8g-10.2_i386.deb
openssl_0.9.8g-10.2_i386.deb
Re: [Soekris] Hardware crypto acceleration on Debian
2011/4/18 Michael Proto:
> In short, crypto accelerators in SBCs like the Soekris are more for
> in-kernel crypto processing (like aes-encrypted disks and IPSec), and
> less for userland processing. Obviously I don't know what you're
> trying to do with OpenSSL, but in my own experience having crypto
> accelerator support in userland gave me no measurable benefit.

Thanks for the input. I'm using the net5501 as a load balancer using nginx as a reverse proxy. nginx does the SSL decryption then sends the requests unencrypted to the right web server. It works well but doesn't scale well under load, I was hoping that using a crypto accelerator would solve my problem but I guess I'll have to use a bigger machine.

Thanks,
GFK's
--
http://guillaume.filion.org/
Re: [Soekris] Hardware crypto acceleration on Debian
On Mon, Apr 18, 2011 at 5:01 PM, Guillaume Filion wrote:
> You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what
> I understand it's only used by the kernel. OpenSSL doesn't support it
> and I couldn't find a patch.
>

With the speed of the Geode CPU in a 5501, you'd likely not see a significant (if any) improvement in speed when using userland programs like OpenSSL with onboard crypto accelerators. The context-switch from userland to kernel for the crypto processing will be much more expensive than the crypto itself. I ran some old benchmarks of the crypto processor in the Geode LX (can't seem to find them now), but with a patched OpenSSL I didn't see any real improvement versus letting software do the whole thing.

In short, crypto accelerators in SBCs like the Soekris are more for in-kernel crypto processing (like aes-encrypted disks and IPSec), and less for userland processing. Obviously I don't know what you're trying to do with OpenSSL, but in my own experience having crypto accelerator support in userland gave me no measurable benefit.

-Proto
Re: [Soekris] Hardware crypto acceleration on Debian
You're right, CRYPTO_DEV_GEODE creates module geode-aes, but from what I understand it's only used by the kernel. OpenSSL doesn't support it and I couldn't find a patch.

2011/4/18 Michael Proto:
> 2011/4/18 Guillaume Filion:
>> Hi,
>>
>> I've been looking into using the hardware crypto acceleration on the Geode
>> chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
>> (nginx) running on Debian.
>>
>> Right now I'm a bit confused on what my options are, so let me write my
>> understanding of the situation and please correct anything that is
>> inaccurate:
>>
>> 1. The geode hardware crypto acceleration only works for aes-128-cbc.
>> vpn1411 works for a lot more ciphers/key sizes.
>>
>> 2. There's no out-of-the-box support for hardware crypto acceleration of the
>> geode or the vpn1411 under linux.
>>
>> 3. The only way to support it is with ocf-linux, which requires a patch for
>> the kernel and openssl.
>>
>> 4. There's no debian kernel package available with the ocf-linux patch
>> already in place.
>>
>> 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
>> 2.6.32).
>>
>> 6. I should really consider switching to openbsd...
>>
>> Please tell me if I'm missing something, otherwise, I think I'll seriously
>> look into implementing #6...
>
> (I'm not running either the Geode or vpn1411 crypto under Linux so
> take what's below with a grain of salt, but...)
>
> Looking at the kernel config for my ubuntu 10.04 server, I do see
> entries for both of these crypto devices in the mainline default
> kernel:
>
> CONFIG_CRYPTO_DEV_GEODE=m
> CONFIG_CRYPTO_DEV_HIFN_795X=m
> CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y
>
> The Geode should cover the Geode LX CPU's onboard crypto and the HiFn
> 7956 would be the vpn1411. OpenSSL may still need to be patched, but
> in-kernel ops would utilize both crypto accelerators should the
> appropriate modules be loaded I would think.
>
>
> -Proto
>

--
http://guillaume.filion.org/
Re: [Soekris] Hardware crypto acceleration on Debian
2011/4/18 Guillaume Filion:
> Hi,
>
> I've been looking into using the hardware crypto acceleration on the Geode
> chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer
> (nginx) running on Debian.
>
> Right now I'm a bit confused on what my options are, so let me write my
> understanding of the situation and please correct anything that is
> inaccurate:
>
> 1. The geode hardware crypto acceleration only works for aes-128-cbc.
> vpn1411 works for a lot more ciphers/key sizes.
>
> 2. There's no out-of-the-box support for hardware crypto acceleration of the
> geode or the vpn1411 under linux.
>
> 3. The only way to support it is with ocf-linux, which requires a patch for
> the kernel and openssl.
>
> 4. There's no debian kernel package available with the ocf-linux patch
> already in place.
>
> 5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at
> 2.6.32).
>
> 6. I should really consider switching to openbsd...
>
> Please tell me if I'm missing something, otherwise, I think I'll seriously
> look into implementing #6...

(I'm not running either the Geode or vpn1411 crypto under Linux so take what's below with a grain of salt, but...)

Looking at the kernel config for my ubuntu 10.04 server, I do see entries for both of these crypto devices in the mainline default kernel:

CONFIG_CRYPTO_DEV_GEODE=m
CONFIG_CRYPTO_DEV_HIFN_795X=m
CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y

The Geode should cover the Geode LX CPU's onboard crypto and the HiFn 7956 would be the vpn1411. OpenSSL may still need to be patched, but in-kernel ops would utilize both crypto accelerators should the appropriate modules be loaded I would think.

-Proto
[Soekris] Hardware crypto acceleration on Debian
Hi,

I've been looking into using the hardware crypto acceleration on the Geode chip of the net5501 (and maybe get a vpn1411 card) on my web load balancer (nginx) running on Debian.

Right now I'm a bit confused on what my options are, so let me write my understanding of the situation and please correct anything that is inaccurate:

1. The geode hardware crypto acceleration only works for aes-128-cbc. vpn1411 works for a lot more ciphers/key sizes.

2. There's no out-of-the-box support for hardware crypto acceleration of the geode or the vpn1411 under linux.

3. The only way to support it is with ocf-linux, which requires a patch for the kernel and openssl.

4. There's no debian kernel package available with the ocf-linux patch already in place.

5. ocf-linux only supports kernels up to 2.6.26 (debian stable is at 2.6.32).

6. I should really consider switching to openbsd...

Please tell me if I'm missing something, otherwise, I think I'll seriously look into implementing #6...

Thanks a lot and have a great week!
GFK's
--
http://guillaume.filion.org/