Project

General

Profile

Bug #7810

openssl/openvpn need to have loaded booth AESNI and cryptodev to accelerate AES operations , but gui alows you load only one at once

Added by Grzegorz Krzystek about 2 months ago. Updated 2 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Operating System
Target version:
Start date:
08/24/2017
Due date:
% Done:

100%

Affected Version:
2.4
Affected Architecture:

Description

[2.4.0-RC][]/boot/kernel: kldunload cryptodev
[2.4.0-RC][]/boot/kernel: kldunload aesni
Test with no accell
[2.4.0-RC][]/boot/kernel: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 28667689 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 10861051 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 256 size blocks: 3253311 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 1024 size blocks: 857208 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 8192 size blocks: 108972 aes-256-cbc's in 3.00s
OpenSSL 1.0.2k-freebsd 26 Jan 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 152894.34k 232307.39k 279069.36k 294125.57k 297566.21k

  1. cryptodev only
    [2.4.0-RC][]/boot/kernel: kldload cryptodev
    [2.4.0-RC][]/boot/kernel: openssl speed -evp aes-256-cbc
    Doing aes-256-cbc for 3s on 16 size blocks: 29882712 aes-256-cbc's in 3.03s
    Doing aes-256-cbc for 3s on 64 size blocks: 10840409 aes-256-cbc's in 2.98s
    Doing aes-256-cbc for 3s on 256 size blocks: 3260969 aes-256-cbc's in 2.99s
    Doing aes-256-cbc for 3s on 1024 size blocks: 857748 aes-256-cbc's in 2.99s
    Doing aes-256-cbc for 3s on 8192 size blocks: 112529 aes-256-cbc's in 3.09s
    OpenSSL 1.0.2k-freebsd 26 Jan 2017
    built on: date not available
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
    aes-256-cbc 157731.43k 232472.85k 278995.91k 293542.42k 298722.05k

#aesni , no cryptodev
[2.4.0-RC][]/boot/kernel: kldunload cryptodev
[2.4.0-RC][]/boot/kernel: kldload aesni
[2.4.0-RC][]/boot/kernel: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 29881110 aes-256-cbc's in 3.05s
Doing aes-256-cbc for 3s on 64 size blocks: 11598720 aes-256-cbc's in 3.19s
Doing aes-256-cbc for 3s on 256 size blocks: 3341075 aes-256-cbc's in 3.05s
Doing aes-256-cbc for 3s on 1024 size blocks: 862423 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 111657 aes-256-cbc's in 3.06s
OpenSSL 1.0.2k-freebsd 26 Jan 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 156914.14k 232884.10k 280000.88k 294373.72k 298675.64k

#cryptodev and aesni
[2.4.0-RC][]/boot/kernel: kldload cryptodev
[2.4.0-RC][]/boot/kernel: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 875922 aes-256-cbc's in 0.36s
Doing aes-256-cbc for 3s on 64 size blocks: 853675 aes-256-cbc's in 0.29s
Doing aes-256-cbc for 3s on 256 size blocks: 690695 aes-256-cbc's in 0.25s
Doing aes-256-cbc for 3s on 1024 size blocks: 379340 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 8192 size blocks: 73444 aes-256-cbc's in 0.06s
OpenSSL 1.0.2k-freebsd 26 Jan 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 38997.57k 189008.26k 707271.68k 3107553.28k 9626451.97k

imho we should keep loaded booth to accelerate OpenSSL and OpenVPN
Ipsec accelerates without Cryptodev.

Associated revisions

Revision f96376a3
Added by Jim Pingle 3 days ago

Allow both AES-NI and Crypto modules to be loaded at the same time. Fixes #7810

History

#1 Updated by Renato Botelho about 1 month ago

  • Target version changed from 2.4.0 to 2.4.1

#2 Updated by Jim Pingle 3 days ago

  • Assignee set to Jim Pingle

There is still some debate as to whether or not this is even necessary or would ever help, but it should be simple to add so it can cover edge cases we haven't identified yet.

#3 Updated by Jim Pingle 3 days ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Chris Linstruth 2 days ago

Verified that the correct combination of aesni.ko and cryptodev.ko are present after a reboot and that cryptodev is only available for selection in OpenVPN if loaded.

#5 Updated by Jim Pingle 2 days ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF