[openssl-users] Checking for AES-NI accelration

Jan Just Keijser janjust at nikhef.nl
Wed Aug 10 13:28:01 UTC 2016 

Hi,

On 10/08/16 14:25, Nagesh shamnur wrote:
>
> Hi Group,
>
> I am running an application which transfers huge chunks of data every 
> second (850Mbps) and the same is secured using openssl. However the 
> CPU usage on windows is very high ( ~ 100%). So as a part of the 
> analysis, I stumbled upon the information that, when using AES 
> encryption, if the underlying hardware is Intel CPU, it can support 
> AES-NI instruction set and hence make the crypto processing faster. 
> So, I wanted to confirm if the same is enabled in my hardware.
>
> So, I wanted to know how to verify if the run is able to use the 
> AES-NI instruction set available in the hardware.
>
> I have built openssl and have ensured enabling the asm in both linux 
> and windows build.
>
> For windows, to confirm if AES-NI is enabled, support of tools 
> available like truecrypt, CPU-Z and blackbox were used if the same was 
> enabled in OS usage. And I found that the same is disabled. Also I 
> found in some blogs that the same needs to be enabled in BIOS. When 
> checked the BIOS settings, the option was not be found and a BIOS 
> update is required to enable the same.
>
> However in linux I was unable to conclude if AES-NI is disabled since 
> I didn’t had access to any such tools on linux. I checked "#cpuinfo | 
> grep aes" and i was unable to find any line regarding AES-NI. However 
> when i run the ./openssl speed -evp aes-128-gcm and 
> OPENSSL_ia32cap="~0x200000200000000" ./openssl speed -elapsed -evp 
> aes-128-gcm i am able to find the difference in speed. So i wanted to 
> check how to confirm if my linux build has AES-NI enabled or not?
>
> Environment Information:
>
> CPU: E5-2620 0 @2.0GHz
>
> OS: Windows Server 2008
>
> Linux: Ubuntu 3.11.0-15-generic
>
> Openssl versoin: 1.0.2h
>
>
I've got a server with that exact same CPU over here; with openssl 
1.0.2d I see the following results:

$ ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 bytes
aes-128-gcm     184391.41k   465791.06k   689190.61k   .65k 781295.62k

$ OPENSSL_ia32cap=0 ./openssl  speed -evp aes-128-gcm
[...]
type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 bytes
aes-128-gcm      43906.03k    49490.24k    51037.70k    51554.65k 51699.71k

i.e. with AES-NI disabled performance is about ~15 times less. On this 
CPU turboboost is not working so your numbers maybe slightly different.
Another good way to test whether AES-NI is working is by comparing 
BF-CBC to AES-256-CBC: without AES-NI, BF will be faster. with AES-NI, 
AES will be faster.

HTH,

JJK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160810/c21a3e9f/attachment-0001.html>

More information about the openssl-users mailing list