[Sysadmins] AES-NI

[Sysadmins] AES-NI

[Anton Gorlov]

А openssl у нас умеет AES-NI  или нет?

Что-то по результатам openssl speed -elapsed -evp aes-128-ecb не похоже
что бы у нас оно работало, даже после
modprobe aesni_intel


До загрузки модуля
openssl speed -elapsed -evp aes-128-ecb

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     623102.76k  2036308.78k  3618280.70k  3909694.12k
4000713.39k
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     624632.35k  2034341.67k  3634542.59k  3924656.47k
3991360.85k
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     625306.83k  2036999.85k  3604853.76k  3907455.66k
3991016.79k


После modprobe aesni_intel

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     626542.45k  2039184.02k  3532893.10k  3920360.79k
4003113.64k
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     623481.73k  2032535.42k  3589513.30k  3920703.15k
3959578.62k
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-ecb     659840.39k  2030744.58k  3636517.63k  3875957.42k
3952806.57k

grep aes /proc/cpuinfo
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl
xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor
ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic
popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt
pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
....


_______________________________________________
community mailing list
community@lists.altlinux.org
https://lists.altlinux.org/mailman/listinfo/community

Re: [Sysadmins] AES-NI

[Konstantin Lepikhov]

Hi Anton!

On 01/08/15, at 09:35:19 PM you wrote:

> А openssl у нас умеет AES-NI  или нет?
> 
> Что-то по результатам openssl speed -elapsed -evp aes-128-ecb не похоже
> что бы у нас оно работало, даже после
> modprobe aesni_intel
> 
> 
Каким образом ядерная часть относится к работе userspace? AESNI либо есть,
либо нет, библиотека сама это определяет.

(вывод с fedora 21)

$ grep -m1 -o aes /proc/cpuinfo
aes

$ openssl speed aes-128-cbc
...
OpenSSL 1.0.1j-fips 15 Oct 2014
built on: Thu Oct 16 12:30:25 UTC 2014
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial)
idea(int) blowfish(idx)
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128 cbc     118336.07k   125923.07k   117123.93k   120369.49k
137565.53k

$ openssl speed -evp aes-128-cbc
...
OpenSSL 1.0.1j-fips 15 Oct 2014
built on: Thu Oct 16 12:30:25 UTC 2014
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial)
idea(int) blowfish(idx) 
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-cbc     597352.44k   663475.33k   673784.15k   681143.98k
673792.00k

Последние команды как раз показывают, что AESNI используется.

В вашем случае имеет место копипаст из интернетов с неправильным cipher
mode (ecb вместо cbc)

-- 
WBR et al.