Dag-Erling Smrgrav wrote this message on Fri, Aug 23, 2013 at 21:30 +0200: > John-Mark Gurney <jmg_at_funkthat.com> writes: > > Mike Tancsa <mike_at_sentex.net> writes: > > > John-Mark Gurney <jmg_at_funkthat.com> writes: > > > > My patch would only effect userland applications that use /dev/crypto... > > > For me its ssh which I think does, no ? > > It looks like it uses OpenSSL for it's crypto, not /dev/crypto... > > It uses OpenSSL engines, which use /dev/crypto. This is why we had to > turn off sandbox mode - a CRIOGET ioctl fails because the sandbox code > sets RLIMIT_NOFILES to 0. If it does use /dev/crypto via OpenSSL (see below), OpenSSL only uses CBC mode, which means that only decryption will see any significant performance improvement w/ my changes... Also, how many people know to load the kernel module cryptodev and aesni to use it? OpenSSL should use AES-NI natively instead of using the cryptodev engine since it'll eliminate kernel calls, etc... Hmm... looking at the source for openssl speed, it looks like it only measures CBC encryption speed, not decryption speed, so you won't be able to see the performance difference between encryption and decryption for CBC mode... I'm not sure that even if you set cryptodev engine on -HEAD that it actually uses it... I just did a: ktrace openssl speed -engine cryptodev aes-128-cbc But this is part of the trace: 4377 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffff9ac0) 4377 openssl RET ioctl -1 errno 22 Invalid argument 4377 openssl CALL close(0x4) 4377 openssl RET close 0 4377 openssl CALL write(0x2,0x7fffffff9250,0x18) 4377 openssl GIO fd 2 wrote 24 bytes "engine "cryptodev" set. " 4377 openssl RET write 24/0x18 4377 openssl CALL sigaction(SIGALRM,0x7fffffff9b60,0x7fffffff9b40) 4377 openssl RET sigaction 0 4377 openssl CALL write(0x2,0x7fffffff9270,0x2c) 4377 openssl GIO fd 2 wrote 44 bytes "Doing aes-128 cbc for 3s on 16 size blocks: " 4377 openssl RET write 44/0x2c 4377 openssl CALL setitimer(0,0x7fffffff9b70,0x7fffffff9b50) 4377 openssl RET setitimer 0 4377 openssl CALL getrusage(0,0x7fffffff9ab0) 4377 openssl RET getrusage 0 4377 openssl CALL getrusage(0xffffffff,0x7fffffff9ab0) 4377 openssl RET getrusage 0 4377 openssl PSIG SIGALRM caught handler=0x451550 mask=0x0 code=SI_KERNEL 4377 openssl CALL sigaction(SIGALRM,0x7fffffff9520,0x7fffffff9500) 4377 openssl RET sigaction 0 4377 openssl CALL sigreturn(0x7fffffff9580) 4377 openssl RET sigreturn JUSTRETURN 4377 openssl CALL getrusage(0,0x7fffffff9ab0) 4377 openssl RET getrusage 0 4377 openssl CALL getrusage(0xffffffff,0x7fffffff9ab0) 4377 openssl RET getrusage 0 4377 openssl CALL write(0x2,0x7fffffff9250,0x20) 4377 openssl GIO fd 2 wrote 32 bytes "18712524 aes-128 cbc's in 2.99s " Shouldn't there be a whole host of ioctl's between the Doing print and the x aes-128 cbc's print if it was doing cryptodev? This does explain why the numbers w/ both engine cryptodev and w/o (kernel module unloaded, so not possible to use) were similar... > (trimming security_at_ from the cc: list as it's an alias for secteam_at_ > which is not the appropriate venue for this discussion.) > > DES > -- > Dag-Erling Smørgrav - des_at_des.no > _______________________________________________ > freebsd-current_at_freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org" -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."Received on Fri Aug 23 2013 - 18:51:26 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:40 UTC