sam, Mike Tancsa, Doug White! Thank you for hints! On Tue, 3 Aug 2004 09:02:59 -0700 Sam Leffler <sam_at_errno.com> wrote: > On Tuesday 03 August 2004 05:41 am, Norikatsu Shigemura wrote: > > Hi sam! > > I have two Soekris vpn1401 crypto accelerator cards. I installed > > these to 4-stable machine and 5-current machine. > ... > > I confirmed `openssl speed -engine cryptodev', but it looks not > > works. Because 1st: same speed (before/after install it), 2nd: CPU > > loadavg is always high. So I consider that openssl didn't use > > cryptodev. Do you have any idea? > Look in /usr/src/tools/tools/crypto for the cryptostats and hifnstats > programs; they will tell you if the h/w is operating correctly. I and my friends, Naoki Fukaumi, inverstigated about this behavior. As the result, we confirmed that h/w accerator is good works but some limited. 1. `openssl speed' is not so good:-(. openssl speed -evp aes128(/des/3des) is good. I saw *Giant and crydev in top(1). 2. /usr/src/tools/tools/crypto/cryptotest.c clarified the problem. According to cryptotest(I tested ./cyrptotest -z 1000), hifn(4) (=vpn1401) supports des_cbc, 3des_cbc, aes_cbc, aes192_cbc, aes256_cbc, md5_hmac and sha1_hmac. (Of course, I saw ones in top(1)) 3. I read /usr/src/crypto/openssl/crypto/engine/hw_cryptodev.c. Accoring to it, cryptodev engine supports des_cbc, 3des_cbc, aes_cbc, blf_cbc, cast5_cbc, skipjack_cbc(?), sha1_hmac, ripemd160_hmac, md5_kpdk(?), sha1_kpdk(?), md5 and sha1(?). However, we can use these cifers by cryptodev_usable_ciphers, but cannot use these digests by cryptodev_usable_digests, in hw_cryptodev.c. According to comments: * XXXX just disable all digests for now, because it sucks. * we need a better way to decide this - i.e. I may not * want digests on slow cards like hifn on fast machines, * but might want them on slow or loaded machines, etc. * will also want them when using crypto cards that don't * suck moose gonads - would be nice to be able to decide something * as reasonable default without having hackery that's card dependent. * of course, the default should probably be just do everything, * with perhaps a sysctl to turn algoritms off (or have them off * by default) on cards that generally suck like the hifn. Hum..... By union set, so we can use only des_cbc, 3des_cbc and aes_cbc. [SEE ALSO] BenchMark1: openssl speed -elapsed -evp aes128 openssl speed -elapsed -evp des3 >>In 5-current with WITNESS aes-128-cbc 33.20k 211.17k 1184.66k 2574.12k 4918.85k des-ede3-cbc 70.37k 315.16k 901.09k 1643.15k 6840.56k >>In 5-current w/o WITNESS aes-128-cbc 324.79k 1264.01k 4650.77k 13378.57k 22098.25k des-ede3-cbc 324.65k 1278.52k 4645.58k 13392.40k 22017.54k >>In 4-stable aes-128-cbc 462.81k 1795.23k 6329.75k 16686.62k 29833.64k des-ede3-cbc 463.48k 1757.60k 1889.31k 16679.92k 29766.37k >>In 5-current w/o WITNESS w/o hifn(4) (PentiumIII-M 1.0GHz x1) aes-128-cbc 17732.99k 19308.65k 23740.17k 25805.46k 25179.36k des-ede3-cbc 7347.27k 5895.96k 7762.44k 7755.75k 7824.37k And also, I attached results of `./cryptotest -z 1000'.
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:06 UTC