On 03/26/10 01:15 AM, Tony MacDoodle wrote:
It's an IBM Apache webserver running on T5140s in an LDom
configuration... Our CPUs are saturated...

<attachment omitted>

My knowledge of any IBM webserver is exactly zero. Anyhow, for the Apache shipped with Solaris, the OpenSSL PKCS#11 engine is enabled by default so it can leverage HW crypto (if there is any).

With the example dtrace script in hand, you should be able to tweak or rewrite it so that it answers your question, that is, 'is my app using n2cp/ncp/n2rng?' (using execname instead of curpsinfo to get the data for the whole process group, or by looking at pgid) or 'how much is my app using n2cp/ncp/n2rng?' (using aggregations).


v.





On Thu, Mar 25, 2010 at 8:31 PM, Vladimir Kotal <vladimir.ko...@sun.com> wrote:

    Tony MacDoodle wrote:

        I would like to know if a web application is using the onboard
        crypto units or not in some sort of script......


    Is the app a single process or a group of processes? Also, which
    language? What sort of mechanisms (symmetric/asymmetric/digest/RNG)
    are you interested in?

    Here's a simple example for observing digest operations made by a
    single process:

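    /* Flag the thread when the traced process starts a digest operation. */
    fbt:crypto:digest_init:entry
    /curpsinfo->pr_pid == $target/
    {
            self->t = 1;
    }

    /* Remember the pointer (arg2) through which the provider is returned. */
    fbt:kcf:kcf_get_hardware_provider:entry
    /self->t/
    {
            self->new = arg2;
    }

    /* On return, dereference it and print the chosen provider's name. */
    fbt:kcf:kcf_get_hardware_provider:return
    /self->new/
    {
            self->p = *(kcf_provider_desc_t **)(self->new);
            printf("%s", stringof(((kcf_provider_desc_t *)(self->p))->pd_name));
            self->p = 0;
            self->new = 0;
    }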

    This can be easily extended to check 'pd_prov_type ==
    CRYPTO_HW_PROVIDER' in the last probe and/or following the request
    up to kcf_submit_request() to be absolutely sure this is a hardware
    provider but for quick verification this is not necessary given
    we're following the ioctl() path (pkcs11_kernel.so only goes to
    kernel if there is at least one HW provider capable of processing
    the request and not blacklisted by cryptoadm(1M) policy configuration).

    For example, on a T5120 machine (assuming /etc/passwd is not too big):

    # dtrace -q -s digest-kcf.d -c "/usr/bin/digest -a md5 /etc/passwd"
    092828140ffbd5f5140eea8d3098dda2
    n2cp

    Which means that in this case the n2cp driver was used for submitting
    the request to the hardware.


    v.
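
An added example, not part of the original thread or any poster's code: the quoted digest script reworked along the lines the reply suggests, matching on execname instead of a single pid and counting with an aggregation. The process name "httpd" is an assumption, and like the quoted script it covers only the digest_init path.

```dtrace
#!/usr/sbin/dtrace -qs

/*
 * Count digest requests per process and per KCF hardware provider for
 * every process with the given name. "httpd" is an assumed name; use
 * the execname of your web server.
 */

fbt:crypto:digest_init:entry
/execname == "httpd"/
{
        self->t = 1;
}

fbt:kcf:kcf_get_hardware_provider:entry
/self->t/
{
        /* arg2 is the pointer through which the provider is returned */
        self->new = arg2;
}

/* Only dereference when the lookup succeeded (CRYPTO_SUCCESS is 0). */
fbt:kcf:kcf_get_hardware_provider:return
/self->new && arg1 == 0/
{
        this->p = *(kcf_provider_desc_t **)(self->new);
        @ops[execname, pid, stringof(this->p->pd_name)] = count();
}

fbt:kcf:kcf_get_hardware_provider:return
/self->new/
{
        self->new = 0;
}

/* Clear the flag so unrelated provider lookups are not counted. */
fbt:crypto:digest_init:return
/self->t/
{
        self->t = 0;
}

/* Print and reset the counts every 10 seconds. */
tick-10s
{
        printa("%-16s %-8d %-12s %@d\n", @ops);
        trunc(@ops);
}
```

An interval with no rows means no digest request from the matched processes reached a kernel hardware provider through this path during that interval.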



_______________________________________________
dtrace-discuss mailing list
dtrace-discuss@opensolaris.org
