kernel hw cypto in openssl / others

[jlm]

HI,

I activated ktls in openssl, and wanted to test if openssl use kernel crypto api
so I run

Code: Select all

openssl speed -evp aes-128-cbc -engine cryptodev

but I got the following errors

Code: Select all

Invalid engine "cryptodev"
808B99864C7F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../openssl-3.5.5/crypto/dso/dso_dlfcn.c:115:filename(/usr/lib64/engines-3/cryptodev.so): /usr/lib64/engines-3/cryptodev.so: cannot open shared object file: No such file or directory
808B99864C7F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../openssl-3.5.5/crypto/dso/dso_lib.c:147:
808B99864C7F0000:error:13000084:engine routines:dynamic_load:dso not found:../openssl-3.5.5/crypto/engine/eng_dyn.c:429:
808B99864C7F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../openssl-3.5.5/crypto/engine/eng_list.c:470:id=cryptodev
808B99864C7F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../openssl-3.5.5/crypto/dso/dso_dlfcn.c:115:filename(libcryptodev.so): libcryptodev.so: cannot open shared object file: No such file or directory
808B99864C7F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../openssl-3.5.5/crypto/dso/dso_lib.c:147:
808B99864C7F0000:error:13000084:engine routines:dynamic_load:dso not found:../openssl-3.5.5/crypto/engine/eng_dyn.c:429:

and I have no difference between

Code: Select all

openssl speed -evp aes-128-cbc 

Code: Select all

openssl speed -evp aes-128-cbc -engine cryptodev

in term of performance

Code: Select all

cat /proc/crypto
name         : ccm(aes)
driver       : ccm_base(ctr-aes-vaes-avx2,cbcmac(aes-aesni))
module       : kernel
priority     : 450
refcnt       : 3
selftest     : passed
internal     : no
type         : aead
async        : no
blocksize    : 1
ivsize       : 16
maxauthsize  : 16
geniv        : <none>

name         : cbcmac(aes)
driver       : cbcmac(aes-aesni)
module       : kernel
priority     : 300
refcnt       : 5
selftest     : passed
internal     : no
type         : shash
blocksize    : 16
digestsize   : 16

<... lot of entries ...> 

so kermel crypto api is on....

gcrypt don't have any use flag to use kernel crypto api, all (openssl, gcrypt, veracrypt) have only use flags for sse* and asm..... but I would like to use hardware as much as possible...
thanks and regards

[sam_]

What makes you believe -engine cryptodev should work? I can't find any modern documentation talking about it. There is https://github.com/cryptodev-linux/cryptodev-linux (out-of-tree kernel module, sys-kernel/cryptodev) and OpenSSL can be built with enable-devcryptoeng (would need to edit the ebuild) but it's marked as a deprecated option.

[jlm]

Hi!
nothing makes me believe it should work, this is why I ask how to verify if hardware is used...
deprecated? where did you see that?

https://github.com/openssl/openssl/blob ... vcryptoeng

enable-devcryptoeng

Build the /dev/crypto engine.

This option is automatically selected on the BSD platform, in which case it can be disabled with no-devcryptoeng.

I'm just wondering if kernel has some better performance than the software "asm" optimisations. On embedded the hw accelarator is by far faster than the asm optimisations.

[sam_]

I was going off https://github.com/openssl/openssl/blob ... igure#L587 (it is in deprecated_disablables and very little documents it). It may be referring to something else though.

Anyway, I'd try using sys-kernel/cryptodev and then modify the ebuild to pass enable-devcryptoeng, and see what happens. I think that should work.

[jlm]

nice, thanks

yes, there is few documentation on it, I don't even know if there is a openssl configuration file to set the default engine (in case the kernel perf are better than the asm optimisations)

same for GnuTLS.... it has the option but at this time not activated on gentoo, don't know either if there is a conf file....

best regards