[firefoxPL]

Hi, I am playing around with enabling hardware acceleration for crypto operations (AES-128, SHA1) on Pogo V2 (Kirkwood), I've found this arcticle and I'm willing to give cryptodev-linux a try, but I'll need to build OpenSSL with support for cryptodev-linux, hence my question: I can't seem to find any PKGBUILD for OpenSSL on Arch Linux web pages, should I simply download sources from http://www.openssl.org and simply execute make and make install?
While I'm confortable with Linux and used makepkg in the past to build some packages with custom compile options, I didn't really build so big modules like OpenSSL (especially from generic source - not with a PKGBUILD). Any suggestions how to compile OpenSSL much appreciated.

[pepedog]

The easiest way to get the PKGBUILD is via abs
pacman -S abs
abs
cd /var/abs/core/openssl

[firefoxPL]

Great thank You, didn't know about that - I'm still new to Arch (used Ubuntu for several years)

[firefoxPL]

While looking into PKGBUILD for openssl I've found out that configure options are more complicated than simply adding 'arm' to arch=(), since there is this:

Code: Select all

if [ "${CARCH}" == 'x86_64' ]; then
  openssltarget='linux-x86_64'
elif [ "${CARCH}" == 'i686' ]; then
  openssltarget='linux-elf'
fi


I've googled some information regarding this, but unfortunately I didn't found anything solid (some suggestions of using linux-elf-arm), in openssl 1.0.0g sources I've found this fragment (in config):

Code: Select all

armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
arm*-*-linux2) OUT="linux-armv4" ;;


while in openssl 0.9.8t this:

Code: Select all

arm*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
arm*l-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;


which seems rather confusing, I would appreciate a suggestion from someone, who has some experience with building openssl for kirkwood platform

[firefoxPL]

I'm thinking about using this modifications in PKGBUILD:

Code: Select all

...
arch=('i686' 'x86_64' 'arm')
...
openssltarget='linux-armv4'
...
./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
 -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 shared threads zlib enable-md2 \
 "${openssltarget}" \
 -Wa,--noexecstack "${CFLAGS}" "${LDFLAGS}"


any thoughts?

[firefoxPL]

I already have cryptodev module build and loaded (at least that's what I believe )

Code: Select all

[root@pink ~]# lsmod
Module                  Size  Used by
cryptodev              16585  0
appletalk              23739  0
psnap                   1651  1 appletalk
llc                     3190  1 psnap
ipv6                  254083  12
mv_cesa                 9021  0


should I remove CESA module, after I sort out the openssl build (still waiting for some confirmation before building it)?

[pepedog]

Ahh,
Most things build in arm from the abs system, but stuff needing changes are in GitHub
https://github.com/archlinuxarm/PKGBUIL ... re/openssl

[firefoxPL]

Thank You again, openssl is building, if everything works I should be able to testdrive cryptodev with openssl speed test

[firefoxPL]

Full success!!
Cryptodev-linux is up and running and openssl takes advantage of hardware crypto modules, offloading cpu to dedicated resources, comparison below:
without cryptodev:

Code: Select all

# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 2546082 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 774861 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 205121 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 1024 size blocks: 52065 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 6534 aes-128-cbc's in 3.00s
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      13579.10k    16530.37k    17621.13k    17771.52k    17842.18k


with cryptodev module loaded

Code: Select all

openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 88028 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 64 size blocks: 85282 aes-128-cbc's in 0.07s
Doing aes-128-cbc for 3s on 256 size blocks: 62230 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 1024 size blocks: 41032 aes-128-cbc's in 0.03s
Doing aes-128-cbc for 3s on 8192 size blocks: 8222 aes-128-cbc's in 0.03s
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      17605.60k    77972.11k   177009.78k  1400558.93k  2245154.13k


interesting thing is that with hardware support only at 8k block size openssl does more blocks per second (and at 16 it's really sluggish ~ 3% of software implementation), but more importantly openssl doesn't take cpu time, I will try and test this for some real life performance (probably iperf, after I create some VPN, or scp with 1gb file)

edit:
as a follow-up, here are benchmarks for AES-256 (with CBC scheme)
no cryptodev:

Code: Select all

# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 2027681 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 590559 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 154199 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 38982 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 4887 aes-256-cbc's in 3.00s


with cryptodev:

Code: Select all

# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 87841 aes-256-cbc's in 0.08s
Doing aes-256-cbc for 3s on 64 size blocks: 85206 aes-256-cbc's in 0.09s
Doing aes-256-cbc for 3s on 256 size blocks: 56386 aes-256-cbc's in 0.06s
Doing aes-256-cbc for 3s on 1024 size blocks: 39468 aes-256-cbc's in 0.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 7778 aes-256-cbc's in 0.01s


only 1% increase at 1k, but at 8k 60% increase (both using only fraction of CPU time ~ 0.33% comparing to software implementation)

edit2:
another follow-up, I did a simple scp test copying 512MB file over ssh, the speed diference was almost unnoticeable (2m19s with cryptodev vs 2m21s without - approx. 3.7MBps vs 3.6MBps) but I was also monitoring cpu usage and cpu time:
- with cryptodev cpu never got to 100% and cpu time of complete transfer was about 27s
- without cryptodev cpu often was at 100% and total cpu time was about 54s
I'm wondering if the very slight speed bump is related to not big enough data blocks processed by openssl or simply due to file I/O limits

[WarheadsSE]

Nice turn around time