I got roughly the same performance results when I use the openssl speed test with and without a hifn 7956 crypto card.

Here's what I did:

After the card is plugged in,

    kldload hifn; kldload cryptodev;

I got the message:

    hifn0 mem 0xfc8f0000-0xfc8f7ffff, 0xfc8f0000-0xfc8f7ffff, 0xfc8f0000-0xfc8f7ffff irg 28 at device 3.0 on pci1
    hifn0: Hifn 7956, rev 0, 32KB dram, pll=0x800<pci clk, 4x mult>

Then I ran:

    Openssl speed des-cbc

And got the following result:

    16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
    43251.97k    44919.41k    45342.43k    45506.13k    45579.98k

Then I did kldunload hifn; kldunload cryptodev and ran the same test again, and got

    16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
    43108.10k    44917.96k    45460.88k    45532.15k    45566.26k

Version of FreeBSD is 5.3-RELEASE. I believe both crypto and cryptodev drivers are supported since v5.0.

My understanding is that openssl will detect the presence of an accelerator card and use it (via \dev\crypto) instead of the crypto library.

Did I miss something here?

TIA,
Winston

Hi, Winston--

Winston Tsai wrote:
[ ...followups set to just one group... ]
> Openssl speed des-cbc
> And got the following result:
> 16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
> 43251.97k    44919.41k    45342.43k    45506.13k    45579.98k
> Then I did kldunload hifn; kldunload cryptodev and ran the same test
> again, and got
> 16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
> 43108.10k    44917.96k    45460.88k    45532.15k    45566.26k
>
> Version of FreeBSD is 5.3-RELEASE. I believe both crypto and cryptodev
> drivers are supported since v5.0.

You might need to try "openssl speed des-cbc -engine cryptodev" in order to have OpenSSL actually try to use the HiFN crypto card. You might also have to fiddle with openssl itself, since the openssl binary that ships with the system seems to prefer to use the CPU even when you tell it to use hardware via the /dev/crypto interface. [1]

Possibly "cd /usr/ports/security/openssl && make install" might give you another openssl binary to try that would work better. Given the domain of your email address, you might have better insight about how to improve FreeBSD's support of HiFN hardware :-), and we would be happy to adapt any such improvements.

-- 
-Chuck

[1]: I've heard rumors to the effect that the setup costs for accessing the crypto hardware acceleration are fairly high and that using hardware crypto is a win mostly only for big operations like 1024-bit RSA or DSA key operations, that ~1GHz CPUs or faster tend to handle session-level crypto (ie, your 48-/56-/128-bit DES or 3DES, or now perhaps 128/256-bit AES) faster by themselves.

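The with/without-engine comparison discussed above, as an added example that is not part of the thread or of OpenSSL: it parses `openssl speed` result rows and reports whether two runs differ by more than an assumed 2% noise margin. The function names are hypothetical; `-evp` (run the cipher through the EVP interface, where engines are consulted) and `-elapsed` (wall-clock rather than CPU time) are standard `openssl speed` options that the thread itself does not use.

```shell
#!/bin/sh
# Added example (not from the thread): do two `openssl speed` runs differ?

# Read `openssl speed` output on stdin; print the last row of "NNN.NNk" fields.
speed_row() {
    awk '{ row = ""
           for (i = 1; i <= NF; i++)
               if ($i ~ /^[0-9]+(\.[0-9]+)?k$/)
                   row = (row == "" ? $i : row " " $i)
           if (row != "") last = row }
         END { print last }'
}

# Print the largest absolute percent difference between two rows.
# Exit status 2 if a row is empty or the rows differ in length.
max_delta_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = NF; for (i = 1; i <= n; i++) { sub(/k$/, "", $i); a[i] = $i } }
        NR == 2 { if (n == 0 || NF != n) exit 2
                  for (i = 1; i <= n; i++) {
                      sub(/k$/, "", $i)
                      if (a[i] + 0 == 0) exit 2
                      d = ($i - a[i]) / a[i] * 100
                      if (d < 0) d = -d
                      if (d > max) max = d }
                  printf "%.2f\n", max }'
}

# Verdict: "same" if every block size is within $3 percent (assumed default 2).
compare_runs() {
    threshold=${3:-2}
    max=$(max_delta_pct "$1" "$2") || { echo "error"; return 2; }
    awk -v m="$max" -v t="$threshold" 'BEGIN { exit !(m + 0 < t + 0) }' \
        && echo "same (max delta ${max}%)" \
        || echo "different (max delta ${max}%)"
}

# Benchmark the software path, then the /dev/crypto engine, and compare.
# Not called here: it needs openssl and a loaded cryptodev module.
bench_pair() {
    cipher=${1:-des-cbc}
    sw=$(openssl speed -elapsed -evp "$cipher" | speed_row)
    hw=$(openssl speed -elapsed -evp "$cipher" -engine cryptodev | speed_row)
    compare_runs "$sw" "$hw"
}

# Rows quoted in the thread: hifn loaded, then unloaded, plain des-cbc.
compare_runs "43251.97k 44919.41k 45342.43k 45506.13k 45579.98k" \
             "43108.10k 44917.96k 45460.88k 45532.15k 45566.26k"
```

A "same" verdict on the thread's two rows means both runs most likely took the same software code path, so the card was not exercised.
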
Winston Tsai <wtsai@hifn.com> wrote:
> I got roughly the same performance results when I use the openssl speed
> test with and without a hifn 7956 crypto card
> [...]
> Then I ran:
> Openssl speed des-cbc
> [...]
> My understanding is that openssl will detect the presence of an
> accelerator card and use it (via \dev\crypto) instead of the crypto
> library.
> Did I miss something here?

I don't know if the openssl speed test picks up the crypto-dev hardware automatically. But ssh/scp definitely does.

I have run several tests on my VIA C3 Nehemiah+RNG+ACE, which accelerates AES encryption. When the padlock(4) module is loaded (it contains the Nehemiah ACE support), ssh/scp performance is roughly doubled. It's quite noticeable when transferring large files.

Best regards
Oliver

PS: I can provide some benchmark numbers if interested.

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"The scanf() function is a large and complex beast that often does something almost but not quite entirely unlike what you desired."
        -- Chris Torek