- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have recently downloaded latest version of IPP "l_ipp_7.1.1.117_ia32.tgz" and installed on my linux box.
Then i have followed the instructions and downloaded latest version of crypto module for IPP "l_ccompxe_crypto_ipp_7.1.1.163.tgz"
But i am unable to find the IPP Crypto samples (openssl patch) for 7.1 update . I have tried to apply the patch "l_ipp-samples-cryptography_p_6.1.6.073.tgz" but openssl fails compilation after follwoing the instructions from here.
As I am not able to get the latest version of IPP crypto sample for 7.1 version i have downloaded 7.0 IPP but there IPP Crypto library for 7.0 is missing.
Can you please suggest me how do I proceed.
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ravieeswar,
What version or functon do you hope to use? As i know, OpenSSL have new AES NI enabling in lastest verseion. the patch for OpenSSl 0.9.8j in IPP are not needed actually, so the sample was moved to legacy sample where we don't update.
So if you are interested in to the AES-NI boost, you can use OpenSSL directly.
Best Regards,
Ying
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Ying.
- That was helpful. I have downloaded the latest version of openssl "openssl-1.0.1e.tar.gz". How do I enable the AES-NI flag while building openssl ?
- I have one more question .Is IPP specific to particular version of linux ? because while installation i have seen "un-supported version" ,or it works irrespective of linux version with the IPP and crypto libraries installed on it ?
Best Regards,
Ravikanth
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ying,
I have figured out how to enable AES-NI on my machine. Followed instructions from the follwing document page 23. Attached the file too just incase the file is moved for future reference. Even though AES-NI is enabled from BIOS i am not seeing the performance improvement. Is there any software flag to enable AES-NI in openssl ?
Is installation of IPP and IPP Crypto manditory for AES-NI enabled machines ?
Will IPP and IPP Crypto work on any intel Xeon machines ? If IPP Crypto is required for performance improvement why is AES-NI required ?
I need RC4 , RSA , DES & 3DES performance improvements too.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to compile openssl 1.0.1e with the following config parameters on AES-NI enabled machine and installed it
- config -g -march=native --prefix=/usr/local/openssl-1.0.1e/ --openssldir=/usr/local/openssl-1.0.1e/
When I try to check
./openssl engine
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine
I got the following out put but could not find aesni engine in the list.
Can some one give a clear idea on how we test and check on open ssl ? and all my questions on my previous posts please
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ravieeswar,
I try to reply the part of IPP.
1. IPP have supported OS. Please see IPP system requirements in release notes or http://software.intel.com/en-us/articles/intel-ipp-61-library-system-requirements ,
For example, Intel 64 for Linux" Compatibility (tested with the following)
Linux systems with glibc 2.2.4, 2.2.5, 2.2.93, 2.3.2 or 2.3.3 and the 2.4.x or 2.6.x Linux kernel as represented by the following distributions:
- Red Hat Enterprise Linux* OS 3 ,4 or 5
- SUSE Linux Enterprise Server* 10 or 11
- Debian* 4.0r1 or 5
- Ubuntu* 8 or 9
- Asianux* Server 3.0
- Red Flag* 5.0
Note: not all distributions listed above have been validated and not all distributions are listed.
Generally, IPP should be worked for most of Linux version. What is your OS.?
2. Yes, IPP and IPP crypto worked on Intel Xeon machine. IPP and IPP crypto are "pure" software, which can work on all supported processors. The processor with AES-NI (hardware) is only one of them.
. The Intel IPP library contains a collection of functionally identical processor-specific optimized libraries that are “dispatched” at run-time. Please see the detials in
So if IPP find your processor have suported AES-NI , then it will distribute the binary code which include AES-NI instruction on the machine, otherwise, it may only distribute the code with SSE instruction.
3. NO, IPP and IPP Crypto is not manditory for using the procossor AES-NI.
Regaring OpenSSL, Not exactly sure , but if . AES-NI is worked, ./openssl engine should show
(ase-ni) Intel AES engine. you may ask the question in OpenSSL forum too.
Best Ragrds,
Ying
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I did more investigation about openSSL build. According to all discussions and test, it seems AES-NI is active by default in OpenSSL 1.0.1e, but not show as engine with general config like you did.
Please see http://bugs.alpinelinux.org/issues/925
I did test too on my Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz, Red Hat Enterprise Linux Server release 6.3 (Santiago) which support aes-ni
with the openssl shiped with the OS, it shows
[yhu5@snb04 ~]$ openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Tue May 15 05:55:51 EDT 2012
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: aesni dynamic
and the performance is
[yhu5@snb04 ~]$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 91682155 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 24374232 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6192007 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1554266 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 194510 aes-128-cbc's in 3.00s
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Tue May 15 05:55:51 EDT 2012
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 490606.85k 519983.62k 528384.60k 530522.79k 531141.97k
and if i build the 1.0.1, the engine won't shown, but the performance is amost same.
[yhu5@snb04 openssl-1.0.1e]$ ./apps/openssl speed -evp aes-128-cbc
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Doing aes-128-cbc for 3s on 16 size blocks: 91627894 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 24374965 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 256 size blocks: 6191730 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1554151 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 194482 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Jun 25 16:15:01 CST 2013
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=native -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 488682.10k 521738.38k 528360.96k 530483.54k 531065.51k
[yhu5@snb04 openssl-1.0.1e]$ ./apps/openssl engine
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine
So you may go ahead to use OpenSSL directly or use IPP function in code. The integration is not needed.
Best Regards,
Ying
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We are using openssl-1.0.1e version and also AESNI is enabled in BIOS.
OpenSSL 1.0.1e 11 Feb 2013built on: Tue Jun 11 19:18:01 IST 2013platform: linux-x86_64options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -march=native -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASMOPENSSLDIR: "/usr/local/openssl-1.0.1e"
I am trying to measure the AES-256-CBC algorithm performance for decryption of 256bytes buffer size. But I am not getting the numbers matching with the 'openssl speed' tool. I have used EVP* APIs in my sample code (code snippet below).
EVP_CipherInit(&ctx, EVP_aes_256_cbc(), &key_block[40], &iv_input[0], 0);
clock_gettime(CLOCK_REALTIME, &tspec_start);
outlen1 = EVP_Cipher(&ctx, &outbuf[0], &inbuf[0], sizeof(inbuf));
clock_gettime(CLOCK_REALTIME, &tspec_end);
With this I got the number close to135000k Bytes/sec for 256bytes of buffer. But the 'openssl speed -evp ' shows around 569344.00k Bytes/sec. Could someone please advise if I am missing anything? Measuring the time taken by EVP_Ciphrer() API - is it not a valid way to calculate the performance numbers?
-Nilesh
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page