Accelerating crypto

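This article introduces the Crypto API in the Linux kernel, which allows the use of hardware-accelerated encryption such as the Geode and Kirkwood engines. It compares OpenSSL performance with AES-NI enabled and disabled, and discusses two ways for userspace to access hardware acceleration: the Cryptodev and AF_ALG interfaces.
Summary generated by CSDN using intelligent technology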

Lauri's blog | Accelerating crypto

The Crypto API is a generic cryptography library API in the Linux kernel. The kernel already contains software implementations of the major symmetric ciphers. The API allows plugging in implementations that take advantage of hardware components, such as the Geode AES engine [2] or the Kirkwood CESA engine [3], that can accelerate encryption.

OpenSSL acceleration

Crypto API backend modules transparently accelerate kernelspace crypto such as IPsec. Accelerating userspace applications that use OpenSSL (Apache, OpenSSH, OpenVPN and others) is currently possible via two methods. Note that crypto hardware implemented as instructions, such as VIA PadLock [4] and Intel AES-NI [5], does not need any special mechanism to be used from userspace.

OpenSSL can take advantage of PadLock if the respective engines are present. AES-NI support seems to have been fully integrated [1]:

openssl speed -elapsed -evp aes-128-cbc

This gives the following on a ThinkPad T420's i5:

aes-128-cbc     501615.36k   539707.75k   549787.56k   554413.40k   554825.05k

Compared to a run where AES-NI capability was turned off explicitly:

OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

This results in roughly half the throughput:

aes-128-cbc     249055.09k   282151.70k   287307.43k   292073.13k   292874.92k

[1] http://openssl.6102.n7.nabble.com/How-can-I-enable-aes-ni-in-openssl-on-Linux-td47582.html

Userspace access via Cryptodev

The cryptodev-linux module [6] has to be compiled. It is compatible with OpenBSD's cryptodev userspace API (/dev/crypto) and it is GPLv2 licensed, which means that one day it could be included in the upstream kernel. It gives userspace applications access to the Crypto API backend modules already present in the kernel.

Since this API is not available by default on Linux distributions, OpenSSL has to be recompiled with additional flags:

./config -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
make
sudo make install

Note that on Ubuntu/Debian machines it is preferable to download the source package, modify debian/rules and rebuild the package:

apt-get source openssl
cd openssl-*/
sed -i -e "s/CONFARGS  =/CONFARGS = -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS/" debian/rules
dch -i "Enabled cryptodev support"
debuild
sudo dpkg -i ../openssl*.deb

You can test the performance with:

openssl speed -evp aes-128-cbc -engine cryptodev -elapsed

[2] Using Geode's AES engine on ALIX.3D3
[3] Hardware Accelerated SSL on SheevaPlug
[4] VIA PadLock Security Engine
[5] Intel® Advanced Encryption Standard Instructions (AES-NI)
[6] Cryptodev-linux module

Userspace access via AF_ALG

The AF_ALG plugin for OpenSSL [7] takes advantage of the AF_ALG interface present in kernels since 2.6.38. It is very much like the cryptodev method, but without compiling a special kernel module. Installing the plugin is pretty easy; note that you might need to adjust the engine lookup path:

git clone http://src.carnivore.it/users/common/af_alg/
cd af_alg/
make
sudo cp libaf_alg.so /usr/lib/arm-linux-gnueabi/openssl-1.0.0/engines/
sudo chmod 644 /usr/lib/arm-linux-gnueabi/openssl-1.0.0/engines/libaf_alg.so

Make sure modules are loaded:

echo af_alg >> /etc/modules
echo algif_hash >> /etc/modules
echo algif_skcipher >> /etc/modules
# -a loads every module named; without it the extra names are passed to af_alg as parameters
modprobe -a af_alg algif_hash algif_skcipher

You can test the performance with:

openssl speed -evp aes-128-cbc -engine af_alg -elapsed
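
What the engine does underneath can be checked with a raw AF_ALG socket and a known-answer test. This is an added example, not code from the original post or from the af_alg plugin; it uses Python's standard socket module, and the key, IV and plaintext are the NIST SP 800-38A AES-128-CBC vector used as constructed sample input.

```python
import socket

# Constructed sample input: AES-128-CBC vector from NIST SP 800-38A, F.2.1.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PLAINTEXT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")
EXPECTED = bytes.fromhex("7649abac8119b246cee98e9b12e9197d")


def kernel_aes_cbc_encrypt(key, iv, data):
    """Encrypt with the kernel's cbc(aes) transform via AF_ALG.

    Returns the ciphertext, or None when AF_ALG or algif_skcipher is not
    available (non-Linux host, module not loaded, restricted container).
    """
    if len(data) % 16:
        raise ValueError("CBC input must be a multiple of 16 bytes; pad first")
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as alg:
            # Bind to a transform by (type, name); the kernel selects the
            # highest-priority driver registered under that name.
            alg.bind(("skcipher", "cbc(aes)"))
            alg.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            op, _ = alg.accept()  # per-operation socket
            with op:
                op.sendmsg_afalg([data], op=socket.ALG_OP_ENCRYPT, iv=iv)
                return op.recv(len(data))
    except OSError:
        return None


def self_test():
    """True/False for a known-answer match, None if AF_ALG is unavailable."""
    out = kernel_aes_cbc_encrypt(KEY, IV, PLAINTEXT)
    return None if out is None else out == EXPECTED


if __name__ == "__main__":
    print({None: "AF_ALG unavailable",
           True: "known-answer test passed",
           False: "MISMATCH"}[self_test()])
```

A mismatch here would point at a faulty backend driver rather than at OpenSSL, since the request never passes through the engine.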

[7] OpenSSL AF_ALG plugin
