2016-06-02 8:48 GMT+02:00 Volker Lendecke <Volker.Lendecke at sernet.de>:

> On Wed, Jun 01, 2016 at 07:44:26PM +0000, Seth Goldin wrote:
> > I disabled client signing from the client side, via OS X's global nsmb.conf
> > file: https://discussions.apple.com/message/30282470#30282470
> >
> > The performance was back to over 600 MB/s, as compared to 60 MB/s with
> > signing.
> >
> > It just seems a bit weird to me that Apple, in response to the Badlock bug,
> > would have changed the OS X client default to something with such drastic
> > performance implications, without much notice. My contact at Apple said
> > that the engineers were able to replicate the slow performance on OS X
> > Server as well, so even if they didn't test it with Samba on Linux or
> > FreeBSD servers, they might have just been too hasty in their response to
> > Badlock. I wonder if they had only tested OS X clients with Windows Server.
> > I wonder what that performance looks like, but I don't have access to
> > Windows Server.
>
> What protocol is this? Metze has patches to use hardware-accelerated
> AES so that latest 3.11 will have much less impact on performance.
>
> I'm not sure those patches have already landed, but I want to counter
> the impression that signing is sooo bad for performance. It can be
> good, given the right protocol and CPU support.

What would we have to do to get that hardware performance improvement?
Just upgrade Samba to some version patched with Metze's stuff, or are there
also some drivers to be compiled and loaded into the kernel?

The hardware seems to be included directly in the CPU:
https://en.wikipedia.org/wiki/Cryptographic_accelerator
gave me:
https://en.wikipedia.org/wiki/AES_instruction_set

Then looking for my own desktop CPU I found that page from Intel where
there is a line for "Intel® AES New Instructions" near the bottom:
http://ark.intel.com/products/63697/Intel-Core-i7-3930K-Processor-12M-Cache-up-to-3_80-GHz

Cheers,

mathias

> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
> SerNet & BSI invite you: 29 June 2016,
> 2nd IT-Grundschutztag 2016, BPA Berlin.
> Registration: https://www.sernet.de/gstag

On Thu, Jun 02, 2016 at 01:59:17PM +0200, mathias dufresne wrote:
> What would we have to do to get that hardware performance improvement?

Talk to metze :-)

> Just upgrade Samba to some version patched with Metze's stuff, or are there
> also some drivers to be compiled and loaded into the kernel?

I believe Metze's patches require OpenSSL, but he needs to comment on
that.

> The hardware seems to be included directly in the CPU:
> https://en.wikipedia.org/wiki/Cryptographic_accelerator
> gave me:
> https://en.wikipedia.org/wiki/AES_instruction_set

Yep. Samba does not use that directly but utilizes some crypto
library. Given that there's dozens of "standard" crypto libraries out
there with varying algorithm/hardware/nameit support, it's a bit
difficult to implement for general use.... https://xkcd.com/927/

Volker

Thank you for this information.

Searching for "OpenSSL AES hardware" I found these two links:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine.html
http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-support-use-the-intel-aes-ni

From the second I found a test to check openssl performance with some
export to disable hardware acceleration:

    # Disabling acceleration
    export OPENSSL_ia32cap="~0x200000200000000"
    # The test:
    openssl speed -elapsed -evp aes-128-ecb

From the first link I found how to check that the CPU is able to get hardware
acceleration:

    grep -m1 -o aes /proc/cpuinfo

Tests done on VMs: same performance with or without exporting. Checking
/proc/cpuinfo, there was no AES flag in the VMs; I was missing the CPU directive
in my libvirt XML files related to the VMs:

    <cpu mode='host-model' />

And now the AES flag is also in the VMs and "openssl speed -elapsed -evp
aes-128-ecb" runs almost as fast inside VMs as on the host.

With all that (patch + aes enabled) we should have encryption possibility
and performance...

2016-06-02 15:26 GMT+02:00 Volker Lendecke <Volker.Lendecke at sernet.de>:

> On Thu, Jun 02, 2016 at 01:59:17PM +0200, mathias dufresne wrote:
> > What would we have to do to get that hardware performance improvement?
>
> Talk to metze :-)
>
> > Just upgrade Samba to some version patched with Metze's stuff, or are there
> > also some drivers to be compiled and loaded into the kernel?
>
> I believe Metze's patches require OpenSSL, but he needs to comment on
> that.
>
> > The hardware seems to be included directly in the CPU:
> > https://en.wikipedia.org/wiki/Cryptographic_accelerator
> > gave me:
> > https://en.wikipedia.org/wiki/AES_instruction_set
>
> Yep. Samba does not use that directly but utilizes some crypto
> library. Given that there's dozens of "standard" crypto libraries out
> there with varying algorithm/hardware/nameit support, it's a bit
> difficult to implement for general use.... https://xkcd.com/927/
>
> Volker
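
The check described in the last message, collected into one script as an added example that is not part of the original thread: it looks for the aes CPU flag, then benchmarks OpenSSL with and without the capability mask quoted above and reports the ratio. The function names and the "run" argument are assumptions made for this illustration; it applies to x86 Linux only.

```shell
#!/bin/sh
# Added example (not from the thread): is AES-NI visible, and does OpenSSL use it?
# x86 Linux only: OPENSSL_ia32cap and the cpuinfo "flags" line are x86-specific.

# has_aes_flag FILE: true if the first "flags" line of a cpuinfo-style file
# lists the aes flag. -w keeps a flag such as "vaes" from matching.
has_aes_flag() {
    grep -m1 '^flags' "$1" | grep -qw aes
}

# speed_kbytes ALG: read `openssl speed` output on stdin and print the
# last-column figure (largest block size, in 1000s of bytes/s) for ALG.
# The match ignores case because the row label's case differs between releases.
speed_kbytes() {
    awk -v alg="$1" 'tolower($1) == tolower(alg) { v = $NF; sub(/k$/, "", v); print v; exit }'
}

# ratio A B: print A/B with one decimal place; fails if B is not positive.
ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b <= 0) exit 1; printf "%.1f\n", a / b }'
}

# compare_aes [ALG]: benchmark ALG twice, the second time with the AES-NI and
# PCLMULQDQ capability bits masked (the mask value is the one quoted in the thread).
compare_aes() {
    alg=${1:-aes-128-ecb}
    if has_aes_flag /proc/cpuinfo; then
        echo "aes flag present in /proc/cpuinfo"
    else
        echo "no aes flag: on a libvirt guest, check the <cpu> element of the domain XML"
    fi
    hw=$(openssl speed -elapsed -evp "$alg" 2>/dev/null | speed_kbytes "$alg")
    sw=$(OPENSSL_ia32cap="~0x200000200000000" \
         openssl speed -elapsed -evp "$alg" 2>/dev/null | speed_kbytes "$alg")
    echo "default: ${hw}k  masked: ${sw}k  ratio: $(ratio "$hw" "$sw")"
}

# Run the benchmark only when asked to, e.g.: sh aes_check.sh run
if [ "${1:-}" = "run" ]; then compare_aes "${2:-aes-128-ecb}"; fi
```

A ratio close to 1.0 on a machine that should have AES-NI is the symptom described in the thread: the guest CPU model does not expose the flag, so the masked and unmasked runs take the same software path.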