<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Gordon, thanks for the response.<br>
<br>
<div class="moz-cite-prefix">On 08/11/2017 08:42 AM, Gordan Bobic
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMx4oe1bxTj4EkMueAJtWts7K6z0TY93MVr+eCaBjRLOmX_K4A@mail.gmail.com">
<div dir="ltr"><span style="font-size:12.8px">Most ARMs have
hardware crypto.</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">IIRC, aarch64 chips have AES
inline instruction like modern x86 CPUs. OpenSSL that ships
with CentOS aarch64 already takes advantage of this.</div>
</div>
</blockquote>
<br>
Maybe when I retire (could be as early as start of '19, but by start
of '21), I will move to aarch64 SoC. :)<br>
<br>
<blockquote type="cite"
cite="mid:CAMx4oe1bxTj4EkMueAJtWts7K6z0TY93MVr+eCaBjRLOmX_K4A@mail.gmail.com">
<div dir="ltr">
<div style="font-size:12.8px">On armv7hl and earlier, they
typically come with an asynchronous crypto coprocessor. What
this does is allows the application to provide a source data
pointer, key, and target data pointer, and waits for the
co-processor to do it's thing.</div>
<div style="font-size:12.8px">The upshot of this is what while
the process is iowaiting for the response, the kernel can
schedule other things requiring CPU time to run, so the main
CPU can be productively busy while something else is doing the
crypto. On a Marvell Kirkwood, the crypto throughput of this
co-processor is approximately the same as what the main CPU
can produce, but does so while consuming less power and
leaving the CPU free to do other things, potentially doubling
the throughput.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">To use this, you will need to:</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">1) build and install this kernel
module:</div>
<div style="font-size:12.8px"><a
href="http://cryptodev-linux.org/" target="_blank"
moz-do-not-send="true">http://cryptodev-linux.org/</a><br>
</div>
<div style="font-size:12.8px">2) Recompile your openssl package
with a modified ./configure line to enable cryptodev offload</div>
</div>
</blockquote>
<br>
I would like to think this is in the C7-armv7hl we are working
with...<br>
<br>
<blockquote type="cite"
cite="mid:CAMx4oe1bxTj4EkMueAJtWts7K6z0TY93MVr+eCaBjRLOmX_K4A@mail.gmail.com">
<div dir="ltr">
<div style="font-size:12.8px">3) Rebuild openssh package to back
out RedHat's audit patch because it breaks things horribly.
IIRC (it's been a while since I worked on this), RH's audit
patch adds functionality to store the session crypto keys used
in the audit log for debugging. Unfortunately, once you have
passed the crypto keys to the crypto coprocessor, you cannot
get to them, so the code attempts the equivalent of
use-after-free, which (thankfully) fails and crashes sshd. In
reality what you are much better off doing is creating a SRPM
of a clean vanilla latest upstream openssh source and just
using that, without any broken distro patches getting in the
way.</div>
</div>
</blockquote>
<br>
I don't care so much about SSH. This is used occasionally for admin
work. https would be very frequent (and imaps, and ...). <br>
<br>
<blockquote type="cite"
cite="mid:CAMx4oe1bxTj4EkMueAJtWts7K6z0TY93MVr+eCaBjRLOmX_K4A@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 11, 2017 at 1:08 PM, Robert
Moskowitz <span dir="ltr"><<a
href="mailto:rgm@htt-consult.com" target="_blank"
moz-do-not-send="true">rgm@htt-consult.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> How does OpenSSL work
on ARM?<br>
<br>
Do any arms have hardware crypto?<br>
<br>
thanks<br>
<div class="m_9161673883200790723moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table
class="m_9161673883200790723moz-email-headers-table"
border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">Subject: </th>
<td>Re: [openssl-users] Does openssl pick low
level interface or high level interface to do
encrypt?</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">Date: </th>
<td>Thu, 10 Aug 2017 15:16:09 +0000</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">From: </th>
<td>Salz, Rich via openssl-users <a
class="m_9161673883200790723moz-txt-link-rfc2396E"
href="mailto:openssl-users@openssl.org"
target="_blank" moz-do-not-send="true"><openssl-users@openssl.org></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">Reply-To: </th>
<td>Salz, Rich <a
class="m_9161673883200790723moz-txt-link-rfc2396E"
href="mailto:rsalz@akamai.com" target="_blank"
moz-do-not-send="true"><rsalz@akamai.com></a>,
<a
class="m_9161673883200790723moz-txt-link-abbreviated"
href="mailto:openssl-users@openssl.org"
target="_blank" moz-do-not-send="true">openssl-users@openssl.org</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">To: </th>
<td><a
class="m_9161673883200790723moz-txt-link-abbreviated"
href="mailto:openssl-users@openssl.org"
target="_blank" moz-do-not-send="true">openssl-users@openssl.org</a>
<a
class="m_9161673883200790723moz-txt-link-rfc2396E"
href="mailto:openssl-users@openssl.org"
target="_blank" moz-do-not-send="true"><openssl-users@openssl.org></a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div class="m_9161673883200790723WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">What
OpenSSL does is not necessarily obvious. The
INSTALL document talks about the no-asm
configuration option. Details about what the
assembler code does in terms of optimization are
only available by reading the source code comments
in the various Perl files that generate the
assembler, mostly.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">On
x86, the assembly code uses the CPUID instruction
(see the OPENSSL_ia32cap.pod manpage) to determine
if various instructions (AES, SSE, MMX, etc) are
available and will use them if so. For other
processors, similar tests are performed if at all
possible.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">I
have added this to the FAQ</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">--
</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Senior
Architect, Akamai Technologies</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Member,
OpenSSL Dev Team</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">IM:
<a
class="m_9161673883200790723moz-txt-link-abbreviated"
href="mailto:richsalz@jabber.at"
target="_blank" moz-do-not-send="true">richsalz@jabber.at</a>
Twitter: RichSalz</span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> -
JinsongJi [<a
class="m_9161673883200790723moz-txt-link-freetext"
href="mailto:jjsbear@hotmail.com"
target="_blank" moz-do-not-send="true">mailto:jjsbear@hotmail.com</a>]
<br>
<b>Sent:</b> Wednesday, August 09, 2017 9:09
AM<br>
<b>To:</b> <a
class="m_9161673883200790723moz-txt-link-abbreviated"
href="mailto:openssl-users@openssl.org"
target="_blank" moz-do-not-send="true">openssl-users@openssl.org</a><br>
<b>Subject:</b> [openssl-users] Does openssl
pick low level interface or high level
interface to do encrypt?</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div id="m_9161673883200790723divtagdefaultwrapper">
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black">Hi,</span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"> </span></p>
<pre><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">For one simple operation: </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#778596">openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc</span><span style="color:black"></span></pre>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black">Does
openssl pick classic implementation or AES-NI
implementation to do this encrypt? </span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"> </span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black">Does
any user/application always pick classic
implementation for AES operation regardless of
AES-NI improves speed much?</span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"> </span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black">Is
there any document about this
interface selection?</span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black"> </span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri",sans-serif;color:black">Thanks,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Jinsong</span><span
style="font-family:"Calibri",sans-serif;color:black"> </span></p>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Arm-dev mailing list<br>
<a href="mailto:Arm-dev@centos.org" moz-do-not-send="true">Arm-dev@centos.org</a><br>
<a href="https://lists.centos.org/mailman/listinfo/arm-dev"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.centos.org/<wbr>mailman/listinfo/arm-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Arm-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Arm-dev@centos.org">Arm-dev@centos.org</a>
<a class="moz-txt-link-freetext" href="https://lists.centos.org/mailman/listinfo/arm-dev">https://lists.centos.org/mailman/listinfo/arm-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>