vpn1401 not probing


Travis H.
I'm running 3.8.  I bought a Soekris vpn1401, which uses the Hifn 7955 chip.

http://www.openbsd.org/crypto.html says:

After 3.4 shipped, support was added for the 7955 and 7956 chips. In
addition to all the features of the previous 7951 chip, these add AES.

and then:

OpenSSL
Years ago, we had a grand scheme to support crypto cards that can do
RSA/DH/DSA automatically via OpenSSL calls. As of OpenBSD 3.2, that
support works, and any card that is supported with such functionality
will automatically use the hardware, including OpenSSH and httpd in
SSL mode. No application changes are required.

However, my timing results show no net change in the speed of openssl calls.

Here's the autoprobe printf:
hifn0 at pci0 dev 9 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES
ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 9

How do I make it go?
Is this no longer supported due to code atrophy, like the AHA-1542?

Sample test run (results virtually identical pre- and post-install)
$ openssl speed sha1
To get the most accurate results, try to run this
program when this computer is idle.
Doing sha1 for 3s on 16 size blocks: 92168 sha1's in 2.98s
Doing sha1 for 3s on 64 size blocks: 72913 sha1's in 2.96s
Doing sha1 for 3s on 256 size blocks: 43489 sha1's in 2.96s
Doing sha1 for 3s on 1024 size blocks: 16636 sha1's in 2.96s
Doing sha1 for 3s on 8192 size blocks: 2453 sha1's in 2.98s
OpenSSL 0.9.7g 11 Apr 2005
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1               495.43k     1576.00k     3760.02k     5753.33k     6733.40k

Yes, it's a slow computer.  That's why I bought the card.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: vpn1401 not probing

Stuart Henderson
misc@ is probably more appropriate...

On 2006/02/13 15:55, Travis H. wrote:
> However, my timing results show no net change in the speed of openssl calls.

look at 'systat vmstat' output and you'll see interrupts on hifk
if it's working.

compare sysctl kern.usercrypto=0 and =1.

> Yes, it's a slow computer.  That's why I bought the card.

You might be shifting crypto-slowness to io-slowness.


Re: vpn1401 not probing

Otto Moerbeek
In reply to this post by Travis H.
On Mon, 13 Feb 2006, Travis H. wrote:

> I'm running 3.8.  I bought a Soekris vpn1401, which uses the Hifn 7955 chip.
>
> http://www.openbsd.org/crypto.html says:
>
> After 3.4 shipped, support was added for the 7955 and 7956 chips. In
> addition to all the features of the previous 7951 chip, these add AES.
>
> and then:
>
> OpenSSL
> Years ago, we had a grand scheme to support crypto cards that can do
> RSA/DH/DSA automatically via OpenSSL calls. As of OpenBSD 3.2, that
> support works, and any card that is supported with such functionality
> will automatically use the hardware, including OpenSSH and httpd in
> SSL mode. No application changes are required.
>
> However, my timing results show no net change in the speed of openssl calls.
>
> Here's the autoprobe printf:
> hifn0 at pci0 dev 9 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES
> ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 9
>
> How do I make it go?
> Is this no longer supported due to code atrophy, like the AHA-1542?
>
> Sample test run (results virtually identical pre- and post-install)
> $ openssl speed sha1
> To get the most accurate results, try to run this
> program when this computer is idle.
> Doing sha1 for 3s on 16 size blocks: 92168 sha1's in 2.98s

Something in my memory is saying you have to use -evp sha1 to get hw
accelerations for digests.

        -Otto


> Doing sha1 for 3s on 64 size blocks: 72913 sha1's in 2.96s
> Doing sha1 for 3s on 256 size blocks: 43489 sha1's in 2.96s
> Doing sha1 for 3s on 1024 size blocks: 16636 sha1's in 2.96s
> Doing sha1 for 3s on 8192 size blocks: 2453 sha1's in 2.98s
> OpenSSL 0.9.7g 11 Apr 2005
> built on: date not available
> options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
> aes(partial) blowfish(idx)
> compiler: information not available
> available timing options: USE_TOD HZ=100 [sysconf value]
> timing function used: getrusage
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> sha1               495.43k     1576.00k     3760.02k     5753.33k     6733.40k
>
> Yes, it's a slow computer.  That's why I bought the card.
> --
> "Cryptography is nothing more than a mathematical framework for discussing
> various paranoid delusions." -- Don Alvarez
> http://www.lightconsulting.com/~travis/ -><-
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: vpn1401 not probing

Damien Miller
In reply to this post by Travis H.
On Mon, 13 Feb 2006, Travis H. wrote:

> Sample test run (results virtually identical pre- and post-install)
> $ openssl speed sha1

That doesn't go by the hardware. Try:

openssl speed -elapsed -evp des-ede3

and toggle sysctl kern.usercrypto. Note that userland use of hardware
crypto is usually not much of a win, as there are large costs in getting
data to/from the coprocessor via the kernel. Kernel use (e.g. IPsec) is
better as it doesn't have to context switch, crypto CPU instructions like
those in the Via Padlock set are better by far.

-d
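
The A/B test suggested in the replies above, written out as a script. This is an added example, not part of the thread or of OpenBSD: the function names, the `--live` switch and the 5% threshold are assumptions made here, and the live branch assumes it is run as root on the OpenBSD machine with the card installed.

```shell
#!/bin/sh
# Added example: compare `openssl speed` summary rows with kern.usercrypto
# off and on, to see whether the benchmark reaches the crypto card at all.

# Read `openssl speed` output on stdin and print the throughput columns of
# the summary row named $1, with the trailing "k" stripped.
speed_row() {
    awk -v name="$1" '$1 == name && $2 ~ /k$/ {
        out = ""
        for (i = 2; i <= NF; i++) {
            v = $i; sub(/k$/, "", v)
            out = out (i > 2 ? " " : "") v
        }
        print out
    }'
}

# $1 = software row, $2 = hardware row (as printed by speed_row).
# Print the hardware/software ratio for each block size.
speed_ratio() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = split($0, sw, " ") }
        NR == 2 { split($0, hw, " ")
                  for (i = 1; i <= n; i++)
                      printf "%s%.2f", (i > 1 ? " " : ""), hw[i] / sw[i]
                  print "" }'
}

# "unchanged" when every ratio is within 5% of 1.0 (threshold is an
# assumption): the symptom reported in the first post, meaning the
# benchmark never left the CPU. Otherwise "changed".
speed_verdict() {
    echo "$1" | awk '{ v = "unchanged"
        for (i = 1; i <= NF; i++) if ($i < 0.95 || $i > 1.05) v = "changed"
        print v }'
}

# Live run: only with --live, since it changes a sysctl and needs root.
# -elapsed uses wall-clock time; CPU time would hide time spent in the card.
if [ "${1:-}" = "--live" ]; then
    alg=${2:-des-ede3}
    sysctl kern.usercrypto=0 >/dev/null
    sw=$(openssl speed -elapsed -evp "$alg" 2>/dev/null | speed_row "$alg")
    sysctl kern.usercrypto=1 >/dev/null
    hw=$(openssl speed -elapsed -evp "$alg" 2>/dev/null | speed_row "$alg")
    r=$(speed_ratio "$sw" "$hw")
    echo "hw/sw per block size: $r ($(speed_verdict "$r"))"
fi
```

A "changed" verdict with ratios below 1.0 at the small block sizes matches the overhead described in the last reply: the card is being used, but the trip through the kernel costs more than it saves.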