You are not logged in.

Pages: 1

#1 2013-12-05 20:42:39

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

OpenSSL Intel AES-NI Engine [SOLVED]

I recently became aware of aes_ni and found the linked article.  My machine supports this, but it seems (assuming the advise in the linked page is accurate) that openssl from our repo does not have it enabled.  What am I missing smile

 % openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support

http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/ … -your-aes/

Last edited by graysky (2013-12-06 11:55:11)

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#2 2013-12-06 11:57:51

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: OpenSSL Intel AES-NI Engine [SOLVED]

Turns out both links I found contain out-dated info about this command.  It is active by default on supported hardware; AES-NI does not work via an engine and will not show up in the openssl engine command.

Proof on my system:

Command A = openssl speed -elapsed -evp aes-128-cbc 
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc 

Results: 
Command   16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes 
------------------------------------------------------------------------ 
A         796435.32k   845155.61k   852750.59k   860752.55k   865828.86k 
B         393740.06k   431465.71k   438168.23k   443452.42k   446458.54k

Reference: http://openssl.6102.n7.nabble.com/How-c … 47582.html

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#3 2013-12-06 15:32:15

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: OpenSSL Intel AES-NI Engine [SOLVED]

I see you have already figured out that it is working, but you can also see if the feature is recognized by checking to see if the aes_intel module is loaded.

Offline

#4 2013-12-06 16:28:55

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: OpenSSL Intel AES-NI Engine [SOLVED]

Actually, no. The module is not needed for the functionality in OpenSSL... That is my understanding.

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#5 2013-12-06 17:13:39

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: OpenSSL Intel AES-NI Engine [SOLVED]

The openssl aes-ni implementation seems to contain errors. When I use irssi on a specific server, it drops the connection regularly when receiving messages of certain length. Disabling aes-ni fixes this. Not sure if this is still the case, but it annoyed me a lot.

Offline

#6 2013-12-06 17:18:27

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: OpenSSL Intel AES-NI Engine [SOLVED]

@brain0 - No idea about dropped connections... did you report upstream?

Last edited by graysky (2013-12-06 17:21:51)

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#7 2013-12-06 17:32:20

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: OpenSSL Intel AES-NI Engine [SOLVED]

graysky wrote:

Actually, no. The module is not needed for the functionality in OpenSSL... That is my understanding.

Interesting... shows you how much I know about openssl wink

Offline

#8 2013-12-06 17:34:19

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: OpenSSL Intel AES-NI Engine [SOLVED]

WonderWoofy wrote:

Interesting... shows you how much I know about openssl wink

I base my statement on the linked conversation; didn't care enough to verify myself.

EDIT:  The statement is true: the module is not needed. 

Proof:
Command A = openssl speed -elapsed -evp aes-128-cbc
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc 

% lsmod | grep aesni
aesni_intel            45677  0 
aes_x86_64              7407  1 aesni_intel
ablk_helper             1980  1 aesni_intel
cryptd                  8481  3 ghash_clmulni_intel,aesni_intel,ablk_helper
lrw                     3573  1 aesni_intel
glue_helper             4585  1 aesni_intel

# rmmod aesni_intel
% lsmod | grep aesni


Command   16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes 
------------------------------------------------------------------------ 
A         790382.16k   849457.86k   863795.63k   866829.99k   868545.88k
B         380687.45k   429566.83k   440107.18k   373385.90k   447681.88k

% lsmod | grep aesni

Last edited by graysky (2013-12-06 17:38:55)

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#9 2013-12-07 18:05:19

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: OpenSSL Intel AES-NI Engine [SOLVED]

graysky wrote:

@brain0 - No idea about dropped connections... did you report upstream?

I never took the time to reliably reproduce the issue.

Offline

Pages: 1

Board footer

Powered by FluxBB