On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson <[email protected]> wrote:
> There are reports that FreeBSD doesn't support AES-NI very well. > I'm thinking it is either zero gain, or negative gain. On pfSense 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: % /usr/local/bin/openssl speed aes-256-cbc Doing aes-256 cbc for 3s on 16 size blocks: 9065243 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 64 size blocks: 2411846 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 256 size blocks: 610745 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 1024 size blocks: 151191 aes-256 cbc's in 2.99s Doing aes-256 cbc for 3s on 8192 size blocks: 19202 aes-256 cbc's in 3.00s OpenSSL 1.0.1e 11 Feb 2013 built on: Mon Aug 26 08:47:16 EDT 2013 options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256 cbc 48347.96k 51452.71k 52116.91k 51741.27k 52434.26k % /usr/local/bin/openssl speed aes-256-cbc -engine cryptodev engine "cryptodev" set. Doing aes-256 cbc for 3s on 16 size blocks: 9070243 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 64 size blocks: 2412033 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 256 size blocks: 610660 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 1024 size blocks: 153469 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 8192 size blocks: 19207 aes-256 cbc's in 2.99s OpenSSL 1.0.1e 11 Feb 2013 built on: Mon Aug 26 08:47:16 EDT 2013 options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256 cbc 48374.63k 51456.70k 52109.65k 52384.09k 52584.85k We know the cryptodev device supports aes256 by this: % cryptotest -v -a aes256 512 2048 session = 0x0 device = aesni0 count = 512, size = 2048 iv: 0000: 35 32 21 69 36 62 65 61 6e 39 69 31 33 6f 30 69 cleartext: 0000: 6f 38 32 75 74 74 6a 34 62 62 62 21 69 74 6e 6f 0010: 61 38 32 39 6a 6f 6f 73 6e 31 65 74 73 62 6f 75 0020: 69 37 39 73 74 37 35 75 6f 73 6e 75 31 6f 68 6e 0030: 33 30 35 31 6f 30 68 61 31 33 35 35 6f 30 6a 65 cleartext: 0000: 6f 38 32 75 74 74 6a 34 62 62 62 21 69 74 6e 6f 0010: 61 38 32 39 6a 6f 6f 73 6e 31 65 74 73 62 6f 75 0020: 69 37 39 73 74 37 35 75 6f 73 6e 75 31 6f 68 6e 0030: 33 30 35 31 6f 30 68 61 31 33 35 35 6f 30 6a 65 0.007 sec, 1024 aes256 crypts, 2048 bytes, 313991915 byte/sec, 2395.6 Mb/sec
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
