> On May 24, 2015, at 5:44 PM, John-Mark Gurney <jmg at funkthat.com> wrote: > > If you have cryptodev loaded, this is to be expected as OpenSSL will > use /dev/crypto instead of the AES-NI instructions.. Just don't load > cryptodev and you'll be fine.. >So to make sure I?m understanding? openssl has native AES-NI support, and it also can use /dev/crypto. It?s preferring /dev/crypto, but /dev/crypto has much higher overhead? ? Kevin
Kevin Day wrote this message on Sun, May 24, 2015 at 23:15 -0500:> > On May 24, 2015, at 5:44 PM, John-Mark Gurney <jmg at funkthat.com> wrote: > > > > If you have cryptodev loaded, this is to be expected as OpenSSL will > > use /dev/crypto instead of the AES-NI instructions.. Just don't load > > cryptodev and you'll be fine.. > > So to make sure I???m understanding??? openssl has native AES-NI support, and it also can use /dev/crypto. It???s preferring /dev/crypto, but /dev/crypto has much higher overhead?Correct... At least OpenSSL 1.0.1 that started shipping w/ 10.0 has native AES-NI support... Pre-10.0 doesn't have it... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
Christoph Moench-Tegeder
2015-May-25 11:41 UTC
Atom C2758 - loading aesni(4) reduces performance
## Kevin Day (toasty at dragondata.com):> > If you have cryptodev loaded, this is to be expected as OpenSSL will > > use /dev/crypto instead of the AES-NI instructions.. Just don't load > > cryptodev and you'll be fine.. > > So to make sure I?m understanding? openssl has native AES-NI support, and > it also can use /dev/crypto. It?s preferring /dev/crypto, but /dev/crypto > has much higher overhead?Yes (I hadn't thought of cryptodev, because "why would one load that without really special crypto hardware?"). The overhead is obvious - when offloading the crypto operations to the kernel, the benefit of the kernel/hardware crypto support has to be better than the penalty of communicating with the kernel; and as you already have AES-NI support in openssl, there's not that much chance that the kernel is that much faster than openssl itself. Regards, Christoph -- Spare Space