How can I enable aes-ni in openssl on Linux

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

How can I enable aes-ni in openssl on Linux

John
I recently became aware of aes-ni and found the linked articles.  My CPU supports this, but it seems (assuming the advice in the linked pages is accurate) that openssl does not have it enabled.  What am I missing?  I am running Arch Linux x86_64 and an using the repo provided package for openssl.

% openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support

Links:

http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How can I enable aes-ni in openssl on Linux

Matt Caswell (frodo@baggins.org)
On 5 December 2013 23:32, John <[hidden email]> wrote:

> I recently became aware of aes-ni and found the linked articles.  My CPU supports this, but it seems (assuming the advice in the linked pages is accurate) that openssl does not have it enabled.  What am I missing?  I am running Arch Linux x86_64 and an using the repo provided package for openssl.
>
> % openssl engine
> (rsax) RSAX engine support
> (rdrand) Intel RDRAND engine
> (dynamic) Dynamic engine loading support
>
> Links:
>
> http://www.thinkwiki.org/wiki/AES_NI
> http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes
>

The information in the linked pages is out of date for the latest
versions of openssl (>= 1.0.1). For these versions AES-NI does not
work via an engine and will not show up in the openssl engine command.
You are probably already running aes ni without realising it.

See here for a discussion:
http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-get-AES-NI-working-td44285.html

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: How can I enable aes-ni in openssl on Linux

Kane Huang
In reply to this post by John
As I know ,aesni is support after openssl 1.0.1? it is not an engine, and no kernel module need. It will be enable automatically when you use evp api.

 BR
Kane

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of John
Sent: Friday, December 06, 2013 7:32 AM
To: [hidden email]
Subject: How can I enable aes-ni in openssl on Linux

I recently became aware of aes-ni and found the linked articles.  My CPU supports this, but it seems (assuming the advice in the linked pages is accurate) that openssl does not have it enabled.  What am I missing?  I am running Arch Linux x86_64 and an using the repo provided package for openssl.

% openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support

Links:

http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How can I enable aes-ni in openssl on Linux

Alan Buxey
In reply to this post by John
Hi

Likely to be already using it and you can verify this by running some benchmarks - this is on a massive host and not virtualised platform? I guess a related question is how to ensure that those functions are used by openssl whenever possible. ... eg required openssl config in software that uses openssl

alan
Reply | Threaded
Open this post in threaded view
|

Re: How can I enable aes-ni in openssl on Linux

John
In reply to this post by Matt Caswell (frodo@baggins.org)






> On Thursday, December 5, 2013 6:55 PM, Matt Caswell <[hidden email]> wrote:
> The information in the linked pages is out of date for the latest
> versions of openssl (>= 1.0.1). For these versions AES-NI does not
> work via an engine and will not show up in the openssl engine command.
> You are probably already running aes ni without realising it.
>
> See here for a discussion:
> http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-get-AES-NI-working-td44285.html

Thanks for the link, Matt.  And also thanks to Kane and Alan who kindly replied to my post.  It does indeed seem that the info I linked is out-of-date and that aes-ni is enabled by default:

Command A = openssl speed -elapsed -evp aes-128-cbc
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

Results:
Command   16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
------------------------------------------------------------------------
A         796435.32k   845155.61k   852750.59k   860752.55k   865828.86k
B         393740.06k   431465.71k   438168.23k   443452.42k   446458.54k
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

答复: How can I enable aes-ni in openssl on Linux

EasonYu
Hi John and all,
I made one OpenSSL AES-NI study notes and one demo sample before, you can refer the enclosed files.
By the way, you can also find some information from official Intel Developer Zone website for Intel AES-NI technology.
http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
Hope it is useful for you to enable AES-NI in OpenSSL.

B.R.
Eason

-----邮件原件-----
发件人: [hidden email] [mailto:[hidden email]] 代表 John
发送时间: 2013年12月6日 19:40
收件人: [hidden email]
主题: Re: How can I enable aes-ni in openssl on Linux







> On Thursday, December 5, 2013 6:55 PM, Matt Caswell <[hidden email]> wrote:
> The information in the linked pages is out of date for the latest
> versions of openssl (>= 1.0.1). For these versions AES-NI does not
> work via an engine and will not show up in the openssl engine command.
> You are probably already running aes ni without realising it.
>
> See here for a discussion:
> http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-g
> et-AES-NI-working-td44285.html

Thanks for the link, Matt.  And also thanks to Kane and Alan who kindly replied to my post.  It does indeed seem that the info I linked is out-of-date and that aes-ni is enabled by default:

Command A = openssl speed -elapsed -evp aes-128-cbc Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

Results:
Command   16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
------------------------------------------------------------------------
A         796435.32k   845155.61k   852750.59k   860752.55k   865828.86k B         393740.06k   431465.71k   438168.23k   443452.42k   446458.54k ______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

AESNI Study Notes.txt (4K) Download Attachment
OpenSSLAESNIDemo.cpp (4K) Download Attachment