Checking for AES-NI accelration

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Checking for AES-NI accelration

Nagesh shamnur

Hi Group,

            I am running an application which transfers huge chunks of data every second (850Mbps) and the same is secured using openssl. However the CPU usage on windows is very high ( ~ 100%). So as a part of the analysis, I stumbled upon the information that, when using AES encryption, if the underlying hardware is Intel CPU, it can support AES-NI instruction set and hence make the crypto processing faster. So, I wanted to confirm if the same is enabled in my hardware.

            So, I wanted to know how to verify if the run is able to use the AES-NI instruction set available in the hardware.

            I have built openssl and have ensured enabling the asm in both linux and windows build.

 

            For windows, to confirm if AES-NI is enabled, support of tools available like truecrypt, CPU-Z and blackbox were used if the same was enabled in OS usage. And I found that the same is disabled. Also I found in some blogs that the same needs to be enabled in BIOS. When checked the BIOS settings, the option was not be found and a BIOS update is required to enable the same.

 

However in linux I was unable to conclude if AES-NI is disabled since I didn’t had access to any such tools on linux. I checked "#cpuinfo | grep aes" and i was unable to find any line regarding AES-NI. However when i run the ./openssl speed -evp aes-128-gcm and OPENSSL_ia32cap="~0x200000200000000" ./openssl speed -elapsed -evp aes-128-gcm i am able to find the difference in speed. So i wanted to check how to confirm if my linux build has AES-NI enabled or not?

 

 

Environment Information:

CPU: E5-2620 0 @2.0GHz

OS: Windows Server 2008

Linux: Ubuntu 3.11.0-15-generic

Openssl versoin: 1.0.2h

Mainboard: Manufacturer Huawei Technologies Co. Ltd., Model: BC11SRSH1 V100R002

BIOS: Brand: INsyde Corp, RMISV061, 06/20/2013

 

Regards,

Nagesh.

 



华为技术有限公司 Huawei Technologies Co., Ltd.
Company_logo

Phone:
Fax:
Mobile:
Email:
地址:深圳市龙岗区坂田华为基地 邮编:518129
Huawei Technologies Co., Ltd.
Bantian, Longgang District,Shenzhen 518129, P.R.China
http://www.huawei.com


本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中
的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
This e-mail and its attachments contain confidential information from HUAWEI, which
is intended only for the person or entity whose address is listed above. Any use of the
information contained herein in any way (including, but not limited to, total or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Checking for AES-NI accelration

Jan Just Keijser-2
Hi,

On 10/08/16 14:25, Nagesh shamnur wrote:

Hi Group,

            I am running an application which transfers huge chunks of data every second (850Mbps) and the same is secured using openssl. However the CPU usage on windows is very high ( ~ 100%). So as a part of the analysis, I stumbled upon the information that, when using AES encryption, if the underlying hardware is Intel CPU, it can support AES-NI instruction set and hence make the crypto processing faster. So, I wanted to confirm if the same is enabled in my hardware.

            So, I wanted to know how to verify if the run is able to use the AES-NI instruction set available in the hardware.

            I have built openssl and have ensured enabling the asm in both linux and windows build.

 

            For windows, to confirm if AES-NI is enabled, support of tools available like truecrypt, CPU-Z and blackbox were used if the same was enabled in OS usage. And I found that the same is disabled. Also I found in some blogs that the same needs to be enabled in BIOS. When checked the BIOS settings, the option was not be found and a BIOS update is required to enable the same.

 

However in linux I was unable to conclude if AES-NI is disabled since I didn’t had access to any such tools on linux. I checked "#cpuinfo | grep aes" and i was unable to find any line regarding AES-NI. However when i run the ./openssl speed -evp aes-128-gcm and OPENSSL_ia32cap="~0x200000200000000" ./openssl speed -elapsed -evp aes-128-gcm i am able to find the difference in speed. So i wanted to check how to confirm if my linux build has AES-NI enabled or not?

 

 

Environment Information:

CPU: E5-2620 0 @2.0GHz

OS: Windows Server 2008

Linux: Ubuntu 3.11.0-15-generic

Openssl versoin: 1.0.2h


I've got a server with that exact same CPU over here; with openssl 1.0.2d I see the following results:

$ ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     184391.41k   465791.06k   689190.61k   .65k   781295.62k

$ OPENSSL_ia32cap=0 ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm      43906.03k    49490.24k    51037.70k    51554.65k    51699.71k

i.e. with AES-NI disabled performance is about ~15 times less. On this CPU turboboost is not working so your numbers maybe slightly different.
Another good way to test whether AES-NI is working is by comparing BF-CBC to AES-256-CBC: without AES-NI, BF will be faster. with AES-NI, AES will be faster.

HTH,

JJK


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Checking for AES-NI accelration

Norm Green
I've been wondering how and when OpenSSL decides whether it can use the new aes instructions?  Does it decide at build time or at run time? 

If I build on a CPU that supports aes instructions but run on a cpu that does not, will bad things happen?  Or is OpenSSL smart enough to call functions implemented without aes instructions in that case?

Norm Green

On 8/10/16 06:28, Jan Just Keijser wrote:
Hi,

On 10/08/16 14:25, Nagesh shamnur wrote:

Hi Group,

            I am running an application which transfers huge chunks of data every second (850Mbps) and the same is secured using openssl. However the CPU usage on windows is very high ( ~ 100%). So as a part of the analysis, I stumbled upon the information that, when using AES encryption, if the underlying hardware is Intel CPU, it can support AES-NI instruction set and hence make the crypto processing faster. So, I wanted to confirm if the same is enabled in my hardware.

            So, I wanted to know how to verify if the run is able to use the AES-NI instruction set available in the hardware.

            I have built openssl and have ensured enabling the asm in both linux and windows build.

 

            For windows, to confirm if AES-NI is enabled, support of tools available like truecrypt, CPU-Z and blackbox were used if the same was enabled in OS usage. And I found that the same is disabled. Also I found in some blogs that the same needs to be enabled in BIOS. When checked the BIOS settings, the option was not be found and a BIOS update is required to enable the same.

 

However in linux I was unable to conclude if AES-NI is disabled since I didn’t had access to any such tools on linux. I checked "#cpuinfo | grep aes" and i was unable to find any line regarding AES-NI. However when i run the ./openssl speed -evp aes-128-gcm and OPENSSL_ia32cap="~0x200000200000000" ./openssl speed -elapsed -evp aes-128-gcm i am able to find the difference in speed. So i wanted to check how to confirm if my linux build has AES-NI enabled or not?

 

 

Environment Information:

CPU: E5-2620 0 @2.0GHz

OS: Windows Server 2008

Linux: Ubuntu 3.11.0-15-generic

Openssl versoin: 1.0.2h


I've got a server with that exact same CPU over here; with openssl 1.0.2d I see the following results:

$ ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     184391.41k   465791.06k   689190.61k   .65k   781295.62k

$ OPENSSL_ia32cap=0 ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm      43906.03k    49490.24k    51037.70k    51554.65k    51699.71k

i.e. with AES-NI disabled performance is about ~15 times less. On this CPU turboboost is not working so your numbers maybe slightly different.
Another good way to test whether AES-NI is working is by comparing BF-CBC to AES-256-CBC: without AES-NI, BF will be faster. with AES-NI, AES will be faster.

HTH,

JJK





--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Checking for AES-NI accelration

Jakob Bohm-7
On 10/08/2016 19:02, Norm Green wrote:
> I've been wondering how and when OpenSSL decides whether it can use
> the new aes instructions?  Does it decide at build time or at run time?
>
> If I build on a CPU that supports aes instructions but run on a cpu
> that does not, will bad things happen?  Or is OpenSSL smart enough to
> call functions implemented without aes instructions in that case?
>
>
Runtime.  See the file crypto/x86cpuid.pl which gets
converted to compiler-specific assembler source code.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users