VIA Padlock
Well, I guess I was successful in relocating my small home server to OpenBSD. The board (Epia MII12000) has AES hw accel using padlock, and basically runs an nginx, php-fpm, mysql stack for some personal webservers, an ssh server for outside access, exim for a few emails, netbsd-iscsi for backups, minidlna to stream music and video, and a 2mbit/s gogoc tunnel for ip6. So far everything is ok, it is probably faster than it was before, except sftp and scp file transfers are a lot slower than before, and nginx uses a lot more CPU than before when transferring large files.
I have read that OpenBSD is bringing some innovation to openssl but I did not follow what is going on .... The openssl padlock engine is disabled, even if there is a comment in /usr/src/lib/libssl/crypto/Makefile:
Code:
    CFLAGS+= -DOPENSSL_NO_HW_PADLOCK # XXX enable this?
openssl speed -evp shows that padlock instructions are used by evp functions, but are nginx, exim and ssh using them? openssl speed -engine cryptodev instead is ~5/6 times slower, probably not using padlock.
Code:
    # openssl speed aes-192-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-192 cbc       4832.23k     5069.21k     5150.03k    12997.93k    13014.90k
    # openssl speed -evp aes-192-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-192-cbc      26500.36k    99317.35k   268582.62k   464052.28k   589470.85k
    # openssl speed -engine cryptodev aes-192-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-192 cbc       4778.00k     5014.26k     5122.80k    12946.75k    13032.20k
Will nginx use padlock? Should I set ssl_engine cryptodev; or not?
Last edited by ermanno; 16th July 2014 at 12:50 PM.
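As an added example (not code from the thread or from OpenBSD), a small POSIX shell script that parses the openssl speed lines quoted above and computes the 8192-byte EVP/non-EVP throughput ratio, which is the quickest way to tell whether the EVP path is hardware assisted. The sample lines are copied from the post; the --live mode, which reruns the two benchmarks, assumes an openssl binary in PATH.

```shell
#!/bin/sh
# Added example: compare openssl "speed" throughput with and without -evp.
# The plain "aes-192-cbc" benchmark calls the low-level AES routines, which
# never go through an engine; "-evp" uses the EVP interface, the only path
# that can hand work to padlock.  A large EVP/raw ratio at 8192 bytes is
# therefore the sign that the EVP path (the one applications using the EVP
# API get) is hardware assisted.

# speed_kbps LINE: print the 8192-byte column (last field, trailing "k" removed)
speed_kbps() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); print v }'
}

# evp_ratio RAW_LINE EVP_LINE: integer ratio of EVP to raw throughput
evp_ratio() {
    raw=$(speed_kbps "$1")
    evp=$(speed_kbps "$2")
    awk -v r="$raw" -v e="$evp" 'BEGIN { printf "%d\n", e / r }'
}

# verdict RATIO: anything beyond a small constant-factor win points at hardware
verdict() {
    if [ "$1" -ge 4 ]; then echo "hardware-assisted EVP path likely"
    else echo "EVP path looks like software AES"; fi
}

# Constructed sample input: the two result lines quoted in the post above.
RAW_LINE='aes-192 cbc 4832.23k 5069.21k 5150.03k 12997.93k 13014.90k'
EVP_LINE='aes-192-cbc 26500.36k 99317.35k 268582.62k 464052.28k 589470.85k'

# --live reruns both benchmarks on this machine (assumes openssl in PATH and
# takes about half a minute); the default mode only evaluates the sample lines.
if [ "${1:-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
    RAW_LINE=$(openssl speed aes-192-cbc 2>/dev/null | grep '^aes-192 cbc')
    EVP_LINE=$(openssl speed -evp aes-192-cbc 2>/dev/null | grep '^aes-192-cbc')
fi

ratio=$(evp_ratio "$RAW_LINE" "$EVP_LINE")
echo "EVP/raw ratio at 8192 bytes: ${ratio}x - $(verdict "$ratio")"
```

The sample figures give a ratio of 45x, which only a hardware path produces; a ratio near 1x, as with the cryptodev run, means the engine is not helping.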
I'm not an expert on this, but there are some questions regarding the integrity of some of the chips. The OpenBSD code has been audited.
Your decision may come down to whether you trust the padlock vs. the performance gains.
IIRC the problem is with the via rng, but it is simply bugged :-) It is based on thermal effects, and when the load is high and the CPU temp is high the via rng returns mostly 1s; it is easy to check on a board using it :-) rngd (which I used before) can detect this condition and switch to another source (I used haveged). But randomness is not the problem for me ATM (I think, at least).
IIRC libressl should have supported padlock and AES-NI. I have no political reason to use those CPU extensions or not, but some speed would be welcome for using iscsi over ssh tunnels and file transfers over SSL :-) And nginx using so much CPU also requires more Watts of electricity, and that is bad for the environment (and my wallet). Imagine how much CO2 all those CPUs doing AES encryption in software are releasing into the atmosphere.