You are not logged in.
I recently became aware of aes_ni and found the linked article. My machine supports this, but it seems (assuming the advise in the linked page is accurate) that openssl from our repo does not have it enabled. What am I missing
% openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/ … -your-aes/
Last edited by graysky (2013-12-06 11:55:11)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
Turns out both links I found contain out-dated info about this command. It is active by default on supported hardware; AES-NI does not work via an engine and will not show up in the openssl engine command.
Proof on my system:
Command A = openssl speed -elapsed -evp aes-128-cbc
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
Results:
Command 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
------------------------------------------------------------------------
A 796435.32k 845155.61k 852750.59k 860752.55k 865828.86k
B 393740.06k 431465.71k 438168.23k 443452.42k 446458.54k
Reference: http://openssl.6102.n7.nabble.com/How-c … 47582.html
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
I see you have already figured out that it is working, but you can also see if the feature is recognized by checking to see if the aes_intel module is loaded.
Offline
Actually, no. The module is not needed for the functionality in OpenSSL... That is my understanding.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
The openssl aes-ni implementation seems to contain errors. When I use irssi on a specific server, it drops the connection regularly when receiving messages of certain length. Disabling aes-ni fixes this. Not sure if this is still the case, but it annoyed me a lot.
Offline
@brain0 - No idea about dropped connections... did you report upstream?
Last edited by graysky (2013-12-06 17:21:51)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
Actually, no. The module is not needed for the functionality in OpenSSL... That is my understanding.
Interesting... shows you how much I know about openssl
Offline
Interesting... shows you how much I know about openssl
I base my statement on the linked conversation; didn't care enough to verify myself.
EDIT: The statement is true: the module is not needed.
Proof:
Command A = openssl speed -elapsed -evp aes-128-cbc
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
% lsmod | grep aesni
aesni_intel 45677 0
aes_x86_64 7407 1 aesni_intel
ablk_helper 1980 1 aesni_intel
cryptd 8481 3 ghash_clmulni_intel,aesni_intel,ablk_helper
lrw 3573 1 aesni_intel
glue_helper 4585 1 aesni_intel
# rmmod aesni_intel
% lsmod | grep aesni
Command 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
------------------------------------------------------------------------
A 790382.16k 849457.86k 863795.63k 866829.99k 868545.88k
B 380687.45k 429566.83k 440107.18k 373385.90k 447681.88k
% lsmod | grep aesni
Last edited by graysky (2013-12-06 17:38:55)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
@brain0 - No idea about dropped connections... did you report upstream?
I never took the time to reliably reproduce the issue.
Offline