On 11/7/2013 10:30 AM, Vick Khera wrote: > On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle <[email protected] > <mailto:[email protected]>> wrote: > > The sheet could really use some more data, so anyone who has an AES-NI > capable system, feel free to run through the tests and help fill out the > sheet. :-) > > > /usr/bin/openssl speed -evp aes-128-cbc -elapsed [snip]
I added the data to the sheet. I picked one of the two runs, they were similar enough I didn't see a significant difference for now. Not being terribly scientific but going for a general idea at the moment. > If I run without -elapsed, I can see the CPU time used by the tests. The > selection of engine cryptodev makes no difference: openssl always > offloads from the CPU to the AES-NI engine once it is loaded, as the CPU > time is fraction of a second over the 3 second tests. True for both > versions of openssl. The automatic offload once loaded is expected. OpenSSL knows which ciphers are supported by the available devices and will automatically select one without being told. That's where this line helps: /usr/local/bin/openssl engine -t -c Using -elapsed uses real time rather than CPU time to calculate the results. When you engage cryptodev the CPU time gets cut waaay down so it's not quite as accurate a result to compare. Of course elapsed has its own drawbacks as well. (Not accurate unless the system is idle, doesn't account for time spent waiting on the crypto device to respond...) > So it seems that the overall speed is lower with freebsd's AES-NI > engine, but the offload from the CPU is significant. That jives with other results we have had reported. Hopefully things have improved in FreeBSD 10, but there may still be other blocking factors that Jim Thompson mentioned elsewhere in this thread. In the meantime, if you run with aesni.ko *unloaded*, you can at least get a better benefit for OpenVPN and other OpenSSL operations that tie into OpenSSL 1.0.1e. In some cases the difference between 1.0.1e and cryptodev is significant, and you can tell they greatly improved the AES-NI code between OpenSSL 0.9.x and 1.0.x. Jim _______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
