#1 2010-08-09 12:52:41

alphazo
Member
Registered: 2009-10-20
Posts: 164

OpenSSL & AES-NI

I'm trying to enable AES-NI support in OpenSSL in order to take advantage of the Intel i5/i7 built-in hardware AES engine. This can be very useful for stuff like encFS which relies on OpenSSL.

I found the following instructions and modified my /etc/ssl/openssl.cnf accordingly on my stock 64-bit Arch Linux install.

http://www.listware.net/201006/openssl- … tmere.html

If you are using code from cvs HEAD and your applications call OPENSSL_config(), then it is just a matter of setting up a suitable openssl.cnf file. A minimalistic file would look something like this:

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
aesni = aesni_engine
[aesni_engine]
default_algorithms = ALL

Note also that with the recent creation of the 1.0.1 branch, there will hopefully be a release version that includes the AES-NI support in the near future. However, the support hasn't been backported yet.


Then I ran "speed" from the OpenSSL console but AES-NI didn't seem to be enabled.

Does anyone know how to enable AES-NI on OpenSSL (ABS, dev branch...)?

Thanks
Alphazo
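An added diagnostic sketch, not from any post in this thread: it checks separately whether the CPU advertises the aes flag, whether the installed openssl binary lists an aesni engine, and whether openssl.cnf actually chains from openssl_conf to that engine. The function names and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key names openssl_conf, engines and default_algorithms are the
# ones OpenSSL's config loader looks up; all sample inputs are constructed.

# cpu_has_aes FILE: true if a /proc/cpuinfo-format FILE lists the "aes" flag.
cpu_has_aes() { grep -m1 '^flags' "$1" | grep -qw aes; }

# engine_listed ID: true if `openssl engine` output on stdin lists engine ID.
engine_listed() { grep -q "^($1) "; }

# cnf_get FILE SECTION KEY: print KEY's value in [SECTION] ("" = default section).
cnf_get() {
    awk -F= -v sec="$2" -v key="$3" '
        { sub(/#.*/, "") }
        /^[ \t]*\[.*\]/ { gsub(/[ \t]|\[|\]/, ""); cur = $0; next }
        NF >= 2 && cur == sec {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# cnf_engine_algorithms FILE ID: follow openssl_conf -> engines -> ID and print
# that engine's default_algorithms; fail if any link in the chain is missing.
cnf_engine_algorithms() {
    init=$(cnf_get "$1" "" openssl_conf); [ -n "$init" ] || return 1
    engs=$(cnf_get "$1" "$init" engines); [ -n "$engs" ] || return 1
    esec=$(cnf_get "$1" "$engs" "$2");    [ -n "$esec" ] || return 1
    algs=$(cnf_get "$1" "$esec" default_algorithms)
    [ -n "$algs" ] && printf '%s\n' "$algs"
}

SAMPLE_DIR=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes popcnt\n' > "$SAMPLE_DIR/cpuinfo"
SAMPLE_ENGINES='(dynamic) Dynamic engine loading support'  # build without aesni
cat > "$SAMPLE_DIR/openssl.cnf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
aesni = aesni_engine
[aesni_engine]
default_algorithms = ALL
EOF

cpu_has_aes "$SAMPLE_DIR/cpuinfo" && echo "cpu: aes flag present"
printf '%s\n' "$SAMPLE_ENGINES" | engine_listed aesni || echo "openssl: no aesni engine in this build"
echo "openssl.cnf: aesni default_algorithms = $(cnf_engine_algorithms "$SAMPLE_DIR/openssl.cnf" aesni)"
```

On a real system, pass /proc/cpuinfo to cpu_has_aes, pipe the output of `openssl engine` into engine_listed, and point cnf_engine_algorithms at /etc/ssl/openssl.cnf. A correct config with no aesni engine in the binary, as in the sample, is the case where the config change alone has no effect.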

#2 2010-08-09 13:04:24

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: OpenSSL & AES-NI

I've read there's a bug http://bugs.archlinux.org/task/20412

Last edited by karol (2010-08-09 13:08:21)

#3 2010-08-09 13:12:58

alphazo
Member
Registered: 2009-10-20
Posts: 164

Re: OpenSSL & AES-NI

The bug report is related to TrueCrypt, which I'm not really sure relies on OpenSSL for its encryption/decryption routines. I'm interested in AES-NI support in OpenSSL because encFS relies on it.

Alphazo

#4 2010-08-09 13:15:59

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: OpenSSL & AES-NI

From that report: "on a i5-520M laptop TC's benchmark test showed that HW acc. AES was not used."
Your problem seems similar.

I think that backporting means more than just flipping a switch, so I wouldn't count on ABS.

Last edited by karol (2010-08-09 13:17:39)

#5 2010-08-09 13:22:07

alphazo
Member
Registered: 2009-10-20
Posts: 164

Re: OpenSSL & AES-NI

The only difference would be that I run an i5 540M whereas the bug report talks about an i5 520M which is not listed on the TrueCrypt AES-NI page.
Now maybe it's just a question of time before it hits the OpenSSL stable branch.

#6 2010-09-18 00:45:35

wilson
Member
Registered: 2008-02-26
Posts: 13

Re: OpenSSL & AES-NI

I'm having the same problem on my 620M (which is listed in http://ark.intel.com/MySearch.aspx?AESTech=true, and works with TrueCrypt in Windows). In Arch, using TrueCrypt and looking at the AES hardware acceleration setting where it lists whether the processor is supported, it says N/A. The aesni kernel module does get auto-modprobed though.

Last edited by wilson (2010-09-19 23:19:40)
