Hello,
I intend to use
openssl speed des -engine ibmca
and
openssl speed aes -engine ibmca
to show the influence of hardware accelaration on a mainframe, by comparing
the results with
openssl speed des and with openssl speed aes
Unfortunately
openssl speed des -engine ibmca and openssl speed des
as well as
openssl speed aes -engine and openssl speed aes
are showing identical results (see my test results below). It seams, that
for "des" as well as for "aes" the option "-engine ibmca" to use
the IBM provided engine is ignored.
(Good news is that the "-engine" is used for "rsa1024" and also for "sha1".
Using these two algorithms, you can clearly see the improvement
of hardware acceleration.)
I know, that in the underlying library (libica) and the crypto-device
driver (z90crypt) which are used if the ibmca engine is used, there is
support implemented for des, aes, sha1 and rsa.
When using openssl speed with rsa or with sha1, then I can prove, that the
library or/and crypto driver is used.
I was told for des and aes:
...I can find nowhere where changing the engine
causes calls to be handled any differently...
MAIN in openssl/apps/speed.c calls
DES_ncbc_encrypt in openssl/crypto/des/ncbc_enc.c calls
DES_encrypt1 in openssl/crypto/des/des_enc.c calls the macro
D_ENCRYPT in openssl/crypto/des/des_locl.h
I don't see where the ibmca engine is even being attempted.
and
... the openssl speed test doesn't involve the engine code for
DES or 3DES. For some reason the openssl speed test has hard-coded calls
to the
software routines in this test.
This means, that the option to use the "-engine ibmca" is ignored for des
and for aes.
I really would appriciate to get the openssl speed with the "-engine"
option to work as expected. This option allows
to have a really nice test tool to indicate the influence of hardware vs.
software encryption/decryption. Thanks.
Here are some details about my test environment:
Software environment:
Working on a System z9 with SuSE Linux SLES 9 SP3.
Linux is running under z/VM 5.2
[EMAIL PROTECTED]:~> uname -a
Linux tmcc-123-183 2.6.5-7.243-s390x #1 SMP Mon Dec 5 21:08:42
UTC
2005 s390x s390x s390x GNU/Linux
[EMAIL PROTECTED]:~> rpm -q openssl
openssl-0.9.7d-15.21
[EMAIL PROTECTED]:~> rpm -q openCryptoki
openCryptoki-2.1.6-0.6
[EMAIL PROTECTED]:~> rpm -q libica
libica-1.3.6rc2-0.5
Hardware Environment:
Machine type: 2094 IBM System z9-109
Cpu type: z9
Feature 3863 for enabling CPACF is installed. (This means des, aes,
sha-1
acceleration is available)
In addition, CEX2C is also installed. (this means rsa1024, rsa2048
coprocessor
is used for off-loading)
Here are my test results:
AES without engine:
tmcc-123-183:~ # openssl speed aes
Doing aes-128 cbc for 3s on 16 size blocks: 3979394 aes-128 cbc's in 3.00s
*** some lines remoded from output ***
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
aes-128 cbc 21223.43k 22482.71k 22810.11k 22897.66k
22921.22k
aes-192 cbc 18726.66k 19423.00k 19663.70k 19724.29k
19745.45k
aes-256 cbc 16450.83k 17042.65k 17215.57k 17259.52k
17255.08k
AES with IBM engine:
tmcc-123-183:~ # openssl speed aes -engine ibmca
*** some lines remoded from output ***
engine "ibmca" set.
Doing aes-128 cbc for 3s on 16 size blocks: 3960246 aes-128 cbc's in 3.00s
*** some lines remoded from output ***
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
aes-128 cbc 21121.31k 22458.47k 22752.17k 22826.33k
22852.95k
aes-192 cbc 18865.22k 19388.69k 19605.67k 19677.18k
19690.84k
aes-256 cbc 16237.79k 16898.03k 17056.85k 17103.87k
17115.82k
---> At least for aes with 128 bit key, there should be an improvement, as
there is
hardware acceleration available on the used System z9 processor)
DES without engine:
[EMAIL PROTECTED]:~> openssl speed des
*** some lines remoded from output ***
OpenSSL 0.9.7d 17 Mar 2004
built on: Mon Nov 21 21:09:37 UTC 2005
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) aes(partial)
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H
-DOPENSSL_NO_KRB5 -DB_ENDIAN -DNO_ASM -DMD32_REG_T=int -DOPENSSL_NO_RC5
-DOPENSSL_NO_IDEA -O2 -fsigned-char -fmessage-length=0 -Wall
-fomit-frame-pointer -fno-strict-aliasing -DTERMIO -Wall
-fbranch-probabilities
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
des cbc 18868.46k 20336.77k 20734.04k 20846.93k
20889.60k
des ede3 7039.82k 7259.37k 7318.61k 7331.50k
7337.30k
DES with IBM engine:
[EMAIL PROTECTED]:~> openssl speed des -engine ibmca
engine "ibmca" set.
*** some lines remoded from output ***
OpenSSL 0.9.7d 17 Mar 2004
built on: Mon Nov 21 21:09:37 UTC 2005
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) aes(partial)
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H
-DOPENSSL_NO_KRB5 -DB_ENDIAN -DNO_ASM -DMD32_REG_T=int -DOPENSSL_NO_RC5
-DOPENSSL_NO_IDEA -O2 -fsigned-char -fmessage-length=0 -Wall
-fomit-frame-pointer -fno-strict-aliasing -DTERMIO -Wall
-fbranch-probabilities
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
des cbc 18763.89k 20296.43k 20699.31k 20824.75k
20862.29k
des ede3 7038.69k 7260.78k 7319.98k 7335.25k
7340.03k
(---> For des, there should be an improvement, as there is
hardware acceleration available on the used System z9 processor)
Kind regards,
Manfred Gnirss,
TMCC Technical Sales Support,
eMail: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
