OpenSSH AESNI support

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSH AESNI support

Hugo Osvaldo Barrera-2
Hi,

I've a smallish system which does a lot of SFTP work, and CPU seems to be the
bottleneck constantly (this was discussed on a previous thread over a year
ago).

I've finally decided to replace that CPU, but I'm wondering: Does OpenSSH
support/use the AESNI instruction set if available? The documentation
indicates
that access to crypto(9) is disabled for userland by default, but I'm not
sure
if AESNI access is done via crypto(9) or some other means.

Also, if it does support it, should a patch for the man page to indicate this
(for other in my scenario) be acceptable?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

Reply | Threaded
Open this post in threaded view
|

Re: OpenSSH AESNI support

Christian Weisgerber
On 2015-05-07, Hugo Osvaldo Barrera <[hidden email]> wrote:

> I've finally decided to replace that CPU, but I'm wondering: Does OpenSSH
> support/use the AESNI instruction set if available?

Yes, by way of OpenSSL/LibreSSL, which make use of AESNI if available.

> if AESNI access is done via crypto(9) or some other means.

The crypto(9) interface was designed for crypto accelerators that
appear as devices separate from the CPU and require a kernel driver.
By contrast, AESNI instructions can be directly used in userland
code.

--
Christian "naddy" Weisgerber                          [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: OpenSSH AESNI support

Hugo Osvaldo Barrera-2
On 2015-05-07 10:57, Christian Weisgerber wrote:

> On 2015-05-07, Hugo Osvaldo Barrera <[hidden email]> wrote:
>
> > I've finally decided to replace that CPU, but I'm wondering: Does OpenSSH
> > support/use the AESNI instruction set if available?
>
> Yes, by way of OpenSSL/LibreSSL, which make use of AESNI if available.
>
> > if AESNI access is done via crypto(9) or some other means.
>
> The crypto(9) interface was designed for crypto accelerators that
> appear as devices separate from the CPU and require a kernel driver.
> By contrast, AESNI instructions can be directly used in userland
> code.
>
> --
> Christian "naddy" Weisgerber                          [hidden email]
>

Couldn't have been clearer. Thanks.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]