Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Aaron
This post was updated on .
Hello OpenSSL folks,

I noticed that the OpenSSL command line utility 'openssl' built in Solaris 11.1 does not use SunSPARC crypto accelerators.

From the change log of OpenSSL 1.0.2, I saw the following description.
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
...
  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]
...

My understanding is that starting from OpenSSL 1.0.2, OpenSSL applications/utilities would use SunSPARC crypto accelerator in Solaris 11.1 which has the accelerator.

However my tests show there is no difference between the performance of 'openssl' 1.0.1p and that of its 1.0.2d counterpart.

 ksol1% ./1.0.1p/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Doing aes-128-cbc for 3s on 16 size blocks: 19705194 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 5257594 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 1361128 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 343333 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 43029 aes-128-cbc's in 3.00s
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Thu Jul  9 23:22:11 2015
options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)

compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -I/leo_ocsdev/qun/csi/allbuilt/main10/built/ant-generated/fips-sun_svr4/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     105094.37k   112162.01k   116149.59k   117191.00k   117497.86k

ksol1% ./1.0.2d/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Doing aes-128-cbc for 3s on 16 size blocks: 18777502 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 5066291 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 1317102 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 331672 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 40739 aes-128-cbc's in 3.00s
OpenSSL 1.0.2d-fips 9 Jul 2015
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(ptr,risc1,16,int) aes(partial) blowfish(ptr)

compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -
DHAVE_DLFCN_H -DOPENSSL_BUILD -KPIC -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -I/leo_ocsdev/qun/csi/allbuilt/main12/built/ant-generated/fips-sun_svr4/include
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     100146.68k   108080.87k   112392.70k   113210.71k   111244.63k

I built 'openssl' on Solaris 11.1 using the following commands.
Configure no-idea no-mdc2 no-rc5 no-asm solaris64-sparcv9-cc -KPIC
make clean
make
make test
make install

When testing the default openssl installed in /usr/bin/ on Solaris 11.1, I saw a much better result below.
ksol1% /usr/bin/openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 113798920 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 48425338 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 14613535 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 3768123 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 488001 aes-128-cbc's in 3.00s
OpenSSL 1.0.0k 5 Feb 2013
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,int) aes(partial) blowf
ish(ptr)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     608957.43k  1033073.88k  1247021.65k  1286185.98k  1332568.06k

Hence I believe OpenSSL utility 'openssl' built by me does not use the hardware crypto accelerators at all.

I wonder if anyone knows the reason.

Thanks in advance,
Aaron
Reply | Threaded
Open this post in threaded view
|

Re: Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Aaron
This post was updated on .
I checked utility 'openssl' built by me in solaris 11.1 and the default 'openssl' installed in Solaris 11.1. I noticed that my 'openssl' does NOT have SPARC T4 engine support. This may be the reason why my 'openssl' is much slower. Now the question is how to build 'openssl' to let it to have  SPARC T4 engine support. I checked the OpenSSL documents, but I found no descriptions regarding to this topic.

1) This is the 'openssl' built by me on Solaris 11.1
ksol1% ./1.0.2d/normal/openssl/bin/openssl engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine

2) This is the default 'openssl' installed in Solaris 11.1
ksol1% /usr/bin/openssl engine
(t4) SPARC T4 engine support
(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support

Anybody knows the answer please?

Thanks,
Aaron
Reply | Threaded
Open this post in threaded view
|

Re: Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Misaki Miyashita
Hi Aaron,

SPARC T4 engine is an engine developed and provided by Oracle Solaris,
and therefore, it is available through Oracle Solaris.

If you would like to take advantage of the SPARC T4 processors and you
would like to build your own OpenSSL, OpenSSL 1.0.2 will have an inlined
SPARC T4 processor support assuming you have a T4/T4+ system.

Hope that answers your question.

Regards.

-- misaki

On 7/15/2015 8:43 PM, Aaron wrote:

> I checked utility 'openssl' built by my in solaris 11.1 and the default
> 'openssl' installed in Solaris 11.1. I noticed that my 'openssl' does NOT
> have SPARC T4 engine support. This may be the reason why my 'openssl' is
> much slower. Now the question is how to build 'openssl' to let it to have
> SPARC T4 engine support. I checked the OpenSSL documents, but seems there
> are no descriptions regarding to this topic.
>
> 1) This is the 'openssl' built by me on Solaris 11.1
> ksol1% ./1.0.2d/normal/openssl/bin/openssl engine
> (dynamic) Dynamic engine loading support
> (4758cca) IBM 4758 CCA hardware engine support
> (aep) Aep hardware engine support
> (atalla) Atalla hardware engine support
> (cswift) CryptoSwift hardware engine support
> (chil) CHIL hardware engine support
> (nuron) Nuron hardware engine support
> (sureware) SureWare hardware engine support
> (ubsec) UBSEC hardware engine support
> (gost) Reference implementation of GOST engine
>
> 2) This is the default 'openssl' installed in Solaris 11.1
> ksol1% /usr/bin/openssl engine
> (t4) SPARC T4 engine support
> (dynamic) Dynamic engine loading support
> (pkcs11) PKCS #11 engine support
>
> Anybody knows the answer please?
>
> Thanks,
> Aaron
>
>
>
>
> --
> View this message in context: http://openssl.6102.n7.nabble.com/Can-OpenSSL-applications-utilities-use-SunSPARC-crypto-accelerators-tp59163p59179.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Aaron
Hello Misaki,

Thanks for your response. What you pointed out is exactly what I thought previously.

However my test showed that OpenSSL command utility 'openssl' built by my from OpenSSL 1.0.2d source code does NOT utilize the crypto accelerator provided in Sun SPARC Solaris 11.1. I tested the default 'openssl' installed in Solaris 11.1 to verify that the machine on which I run my 'openssl' does have the accelerator. I listed my test results in my previous messages.

Now my question is if I need build utility 'openssl' with some special option to utilize the crypto accelerator?

Thanks again,
Aaron  
Reply | Threaded
Open this post in threaded view
|

Re: Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Aaron
I read the following description from Oracle Solaris website (https://blogs.oracle.com/DanX/entry/how_to_tell_if_sparc)

OpenSSL T4 engine Availability
The OpenSSL t4 engine is available with Solaris 11 and 11.1. For Solaris 10 08/11 (U10), you need to use the OpenSSL pkcs11 engine. The OpenSSL t4 engine is distributed only with the version of OpenSSL distributed with Solaris (and not third-party or self-compiled versions of OpenSSL).
 
The following announcement is from OpenSSL.
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
...
  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]
...

I am confused. I don't know which one is right.

I thought the announcement from OpenSSL was right and the description in Oracle website was obsolete. But my test results could not verify my idea.  

Thanks,
Aaron
Reply | Threaded
Open this post in threaded view
|

Re: Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

Aaron
Hello Andy and David,

As the feature owners, would you please give me some tips for how to use the functionality of the feature?

Thanks,
Aaron



The Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
...
  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]
...