Verify AES-NI use at runtime?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Verify AES-NI use at runtime?

Jeffrey Walton-3
How does one verify use of AES-NI at runtime?

I know I can get 'capability' with:

    crypto/evp/e_aes.c:#define AESNI_CAPABLE \
        (OPENSSL_ia32cap_P[1]&(1<<(57-32)))

But grepping the sources for a runtime test does not produce anything
that looks useful:

    $ grep -R -i AESNI *
  and
    $ grep -R ENGINE_* * | grep -i aes

The reason I ask is it looks like OpenSSL is not recognizing AES-NI
even though this i5 processor has both aesni and rdrand (according to
/proc/cpuinfo):

$ openssl engine -c -tt
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

And the speed test shows no speedup with and without
OPENSSL_ia32cap=~0x200000200000000.

    $ /usr/local/ssl/bin/openssl speed aes

If it matters, this is Fedora 20, and I had to jump through some hoops
to get the shared objects built correctly (namely, exporting
CFLAGS="-fPIC" and config'ing with 'shared').

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verify AES-NI use at runtime?

Dr. Stephen Henson
On Thu, Jan 02, 2014, Jeffrey Walton wrote:

> How does one verify use of AES-NI at runtime?
>
> I know I can get 'capability' with:
>
>     crypto/evp/e_aes.c:#define AESNI_CAPABLE \
>         (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
>
> But grepping the sources for a runtime test does not produce anything
> that looks useful:
>
>     $ grep -R -i AESNI *
>   and
>     $ grep -R ENGINE_* * | grep -i aes
>
> The reason I ask is it looks like OpenSSL is not recognizing AES-NI
> even though this i5 processor has both aesni and rdrand (according to
> /proc/cpuinfo):
>
> $ openssl engine -c -tt
> (rdrand) Intel RDRAND engine
>  [RAND]
>      [ available ]
> (dynamic) Dynamic engine loading support
>      [ unavailable ]
>
> And the speed test shows no speedup with and without
> OPENSSL_ia32cap=~0x200000200000000.
>
>     $ /usr/local/ssl/bin/openssl speed aes
>
> If it matters, this is Fedora 20, and I had to jump through some hoops
> to get the shared objects built correctly (namely, exporting
> CFLAGS="-fPIC" and config'ing with 'shared').
>

Only the receommended EVP interface is supported with AES-NI, the  "aes"
option uses low level AES routines which aren't accelerated by AES-NI.
Try it with the -evp option instead, for example:

openssl speed -evp aes-128-cbc

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]