Tony MacDoodle
2010-Mar-17 12:21 UTC
[dtrace-discuss] Monitoring Sun Crypto Engine On T2's
Hello,

I was wondering if it's possible to monitor the UltraSparc T2 Plus security co-processors built into the CPU with DTrace. This allows the CPU to off-load cryptographic functions to the co-processor. Can this process be monitored and/or probed with DTrace, and any associated apps that use this function?

Thanks
Vladimir Kotal
2010-Mar-19 09:42 UTC
[dtrace-discuss] Monitoring Sun Crypto Engine On T2's
On 03/17/10 01:21 PM, Tony MacDoodle wrote:
> Hello,
>
> I was wondering if it's possible to monitor the UltraSparc T2 Plus
> security co-processors built into the CPU with DTrace. This allows the
> CPU to off-load cryptographic functions to the co-processor. Can this
> process be monitored and/or probed with DTrace and any associated apps
> that use this function?

Off-loading to the ncp/n2cp/n2rng drivers can be observed through fbt probes in said drivers.

One level above, you can activate the probes in the Kernel Crypto Framework scheduler (kcf_get_hardware_provider{,_nomech}()/kcf_get_mech_provider(), or kcf_submit_request() + CRYPTO_HW_PROVIDER).

Yet one level above, you can see the ioctl() requests going from pkcs11_kernel.so to /dev/crypto by observing the crypto module entry points (this will help you get the userland consumer side data), like crypto_ioctl() + CRYPTO_{ENCRYPT,DECRYPT,...}.

What exactly do you have in mind ?

v.
Vladimir Kotal
2010-Mar-25 23:31 UTC
[dtrace-discuss] Monitoring Sun Crypto Engine On T2's
Tony MacDoodle wrote:
> I would like to know if a web application is using the onboard crypto
> units or not in some sort of script......

Is the app a single process or a group of processes ? Also, which language ? What sort of mechanisms (symmetric/asymmetric/digest/RNG) are you interested in ?

Here's a simple example for observing digest operations made by a single process:

    /* digest-kcf.d: print the KCF provider chosen for each digest_init() of the traced process */

    /* mark the thread while it is inside digest_init() for the process given by -c/-p */
    fbt:crypto:digest_init:entry
    /curpsinfo->pr_pid == $target/
    {
        self->t = 1;
    }

    fbt:crypto:digest_init:return
    /self->t/
    {
        self->t = 0;
    }

    /* arg2 is the kcf_provider_desc_t ** the scheduler fills in with the chosen provider */
    fbt:kcf:kcf_get_hardware_provider:entry
    /self->t/
    {
        self->new = arg2;
    }

    /* on return the out-parameter points at the provider descriptor; print its driver name */
    fbt:kcf:kcf_get_hardware_provider:return
    /self->new/
    {
        self->p = *(kcf_provider_desc_t **)(self->new);
        printf("%s\n", stringof(((kcf_provider_desc_t *)(self->p))->pd_name));
        self->p = 0;
        self->new = 0;
    }

This can be easily extended to check 'pd_prov_type == CRYPTO_HW_PROVIDER' in the last probe and/or follow the request up to kcf_submit_request() to be absolutely sure this is a hardware provider, but for quick verification this is not necessary given we're following the ioctl() path (pkcs11_kernel.so only goes to the kernel if there is at least one HW provider capable of processing the request and not blacklisted by the cryptoadm(1M) policy configuration).

For example on a T5120 machine (assuming /etc/passwd is not too big):

    # dtrace -q -s digest-kcf.d -c "/usr/bin/digest -a md5 /etc/passwd"
    092828140ffbd5f5140eea8d3098dda2
    n2cp

Which means that in this case the n2cp driver was used for submitting the request to the hardware.

v.
Vladimir Kotal
2010-Mar-26 08:48 UTC
[dtrace-discuss] Monitoring Sun Crypto Engine On T2's
On 03/26/10 01:15 AM, Tony MacDoodle wrote:
> It's an IBM Apache webserver running on T5140's in an LDom
> configuration...... Our CPU's are saturated...

My knowledge of any IBM webserver is exactly zero. Anyhow, for the apache shipped with Solaris, the OpenSSL PKCS#11 engine is enabled by default so it can leverage HW crypto (if there's any).

With the example dtrace script in hand you should be able to tweak it/rewrite it so that it answers your question, that is 'is my app using n2cp/ncp/n2rng ?' (using execname instead of curpsinfo to get the data for the whole process group, or by looking at pgid) or 'how much is my app using n2cp/ncp/n2rng ?' (using aggregations).

v.
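The two extensions Vladimir suggests (checking pd_prov_type == CRYPTO_HW_PROVIDER at the kcf_submit_request() level, and keying on execname with aggregations instead of a single pid) combined into one script. This is an added example, not code from the thread or from Solaris; it assumes that arg0 of kcf_submit_request() is the kcf_provider_desc_t * the request is being sent to, and that the CRYPTO_HW_PROVIDER enumerator resolves through the kernel's CTF data (if it does not, substitute the value from <sys/crypto/spi.h>). The file name kcf-hw-usage.d is made up.

```d
#!/usr/sbin/dtrace -s
/*
 * kcf-hw-usage.d: count the requests the Kernel Crypto Framework scheduler
 * hands to each provider, keyed by executable name, provider driver and
 * whether that provider is hardware (ncp/n2cp/n2rng) or software.
 *
 * Added example, not part of the thread. Assumptions: arg0 of
 * kcf_submit_request() is the kcf_provider_desc_t * chosen for the request,
 * and CRYPTO_HW_PROVIDER is resolvable through kernel CTF.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("Tracing KCF requests per provider... hit Ctrl-C to stop.\n");
}

/*
 * Every request bound for a hardware provider passes through
 * kcf_submit_request(). Synchronous requests to a software provider may
 * take a fast path that never reaches it, so the "SW" rows can undercount;
 * the "HW" rows are the ones that answer "is the crypto engine used".
 * Keying on execname rather than one pid covers the whole httpd family.
 */
fbt:kcf:kcf_submit_request:entry
/arg0 != 0/
{
	this->pd = (kcf_provider_desc_t *)arg0;
	@reqs[execname,
	    stringof(this->pd->pd_name),
	    this->pd->pd_prov_type == CRYPTO_HW_PROVIDER ? "HW" : "SW"] = count();
}

/* Per-pid view of hardware use only: which processes actually off-load. */
fbt:kcf:kcf_submit_request:entry
/arg0 != 0 &&
 ((kcf_provider_desc_t *)arg0)->pd_prov_type == CRYPTO_HW_PROVIDER/
{
	@hwpids[execname, pid] = count();
}

dtrace:::END
{
	printf("\n%-16s %-12s %-4s %s\n", "EXEC", "PROVIDER", "TYPE", "REQUESTS");
	printa("%-16s %-12s %-4s %@8d\n", @reqs);

	printf("\nProcesses that submitted requests to a HW provider:\n");
	printf("%-16s %-8s %s\n", "EXEC", "PID", "REQUESTS");
	printa("%-16s %-8d %@8d\n", @hwpids);
}
```

Run it as root with `dtrace -s kcf-hw-usage.d` while the web server is under load and stop it with Ctrl-C; an httpd row with a TYPE of HW and a PROVIDER of n2cp or ncp answers the first question, and the request counts over the sampling window give a first measure of the second. If no HW rows appear even though `cryptoadm list -p` shows the hardware providers enabled, the consumer is not reaching /dev/crypto at all, and the ioctl-level probes on the crypto module that Vladimir mentions are the place to look next.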