How can I enable aes-ni in openssl on Linux
John
% openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
Links:
http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Matt Caswell
> I recently became aware of aes-ni and found the linked articles. My CPU supports this, but it seems (assuming the advice in the linked pages is accurate) that openssl does not have it enabled. What am I missing? I am running Arch Linux x86_64 and an using the repo provided package for openssl.
>
> % openssl engine
> (rsax) RSAX engine support
> (rdrand) Intel RDRAND engine
> (dynamic) Dynamic engine loading support
>
> Links:
>
> http://www.thinkwiki.org/wiki/AES_NI
> http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes
>
versions of openssl (>= 1.0.1). For these versions AES-NI does not
work via an engine and will not show up in the openssl engine command.
You are probably already running aes ni without realising it.
See here for a discussion:
http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-get-AES-NI-working-td44285.html
Matt
Kane Huang
BR
Kane
-----Original Message-----
From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of John
Sent: Friday, December 06, 2013 7:32 AM
To: openss...@openssl.org
Subject: How can I enable aes-ni in openssl on Linux
I recently became aware of aes-ni and found the linked articles. My CPU supports this, but it seems (assuming the advice in the linked pages is accurate) that openssl does not have it enabled. What am I missing? I am running Arch Linux x86_64 and an using the repo provided package for openssl.
% openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
Links:
http://www.thinkwiki.org/wiki/AES_NI
http://datacenteroverlords.com/2011/09/07/aes-ni-pimp-your-aes
Alan Buxey
Likely to be already using it and you can verify this by running some benchmarks - this is on a massive host and not virtualised platform? I guess a related question is how to ensure that those functions are used by openssl whenever possible. ... eg required openssl config in software that uses openssl
alan
John
> On Thursday, December 5, 2013 6:55 PM, Matt Caswell <fr...@baggins.org> wrote:
> The information in the linked pages is out of date for the latest
> versions of openssl (>= 1.0.1). For these versions AES-NI does not
> work via an engine and will not show up in the openssl engine command.
> You are probably already running aes ni without realising it.
>
> See here for a discussion:
> http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-get-AES-NI-working-td44285.html
Thanks for the link, Matt. And also thanks to Kane and Alan who kindly replied to my post. It does indeed seem that the info I linked is out-of-date and that aes-ni is enabled by default:
Command A = openssl speed -elapsed -evp aes-128-cbc
Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
Results:
Command 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
------------------------------------------------------------------------
A 796435.32k 845155.61k 852750.59k 860752.55k 865828.86k
B 393740.06k 431465.71k 438168.23k 443452.42k 446458.54k
daniel.li...@gmail.com
I come across a nginx coredump that as follows:
Core was generated by `nginx: worker process '.
Program terminated with signal 4, Illegal instruction.
#0 aesni_cbc_sha1_enc_avx () at aesni-sha1-x86_64.s:1779
1779 aesni-sha1-x86_64.s: No such file or directory.
in aesni-sha1-x86_64.s
After confirm, our cpu support aesni, and > Command A ( openssl speed -elapsed -evp aes-128-cbc) and Command B( OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp) work well in my test。
Could you provide some useful info?
