FreeBSD 9.0 AES NI support

[lalit]

Hi all,
I am using intel E5640 Xeon processor which support AESNI features. I have come to know from internet that FreeBSD 9.0 support AESNI. I enable the feature in kernel by adding following lines.

options IPSEC
device crypto
device aesni

I tried to run IPSEC using ipsec-tools 0.7.3 but I did not notice any performance gain.

Here are the results:

* without IPSEC throughput over gbps link: 922 Mbps
* with IPSEC (without aesni) AES128 encryption 360-372 Mbps
* with IPSEC (with aesni) AES128 encryption 366-372 Mbps

dmesg command show that processor has the feature of aesni enabled.

Am I missing something? Please guide.

 

[aragon]

I think you might need to add this to your kernel config too:

device cryptodev

 

[lalit]

Re. FreeBSD 9.0 AES NI support

Thanks Aragon for you suggestion.
I tried that but it did not solve my problem. Please tell me how to know that AESNI driver has successfully loaded? Is there there some other way to specify it in racoon.conf file to let the kernel use it ? Thanks

 

[aragon]

Please tell me how to know that AESNI driver has successfully loaded? Is there there some other way to specify it in racoon.conf file to let the kernel use it ? Thanks

Do you have a /dev/crypto? If so, I think you can try the tools in /usr/src/tools/tools/crypto. If not, your crypto device is probably not being recognised.

On one of my systems I also have this in boot time dmesg:

glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0

 

[lalit]

Do you have a /dev/crypto? If so, I think you can try the tools in /usr/src/tools/tools/crypto. If not, your crypto device is probably not being recognised.

Hi Aragon,

Here is output of [CMD=]cryptotest -va aes256[/CMD]

session = 0x0
device = aesni0
count = 1024, size = 2048
iv:
0000: 38 6e 33 35 61 37 36 33 74 30 32 6f 36 6f 6a 34
cleartext:
0000: 75 33 6a 62 69 6f 68 65 6e 74 32 21 6e 62 39 69
0010: 6f 61 6f 73 39 38 74 30 68 38 35 39 35 34 75 6a
0020: 37 68 74 37 75 61 39 32 6a 68 6f 74 74 34 73 39
0030: 62 75 30 61 31 74 68 62 34 74 6a 6e 31 34 74 35
cleartext:
0000: 75 33 6a 62 69 6f 68 65 6e 74 32 21 6e 62 39 69
0010: 6f 61 6f 73 39 38 74 30 68 38 35 39 35 34 75 6a
0020: 37 68 74 37 75 61 39 32 6a 68 6f 74 74 34 73 39
0030: 62 75 30 61 31 74 68 62 34 74 6a 6e 31 34 74 35
   0.015 sec,    2048 aes256 crypts,    2048 bytes, 287143424 byte/sec,  2190.7 Mb/sec

In device is showing aesni0. It means aesni driver is successfully loaded and being used by encryption algorithm. Then what is reasons for small throughput over IPSEC ?
Please guide if still I am missing something

 

[sub_mesa]

I think you should get at least 2GiB/s or 2048MiB/s; not 2000 megabit which is ~274MiB/s. To me this looks like speeds achieved with software AES; not using the AES-NI available in newer Intel CPUs; some benchmarks on these:

URL: http://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-5.html