[openssl-users] Checking for AES-NI accelration

Norm Green norm.green at gemtalksystems.com
Wed Aug 10 17:02:03 UTC 2016 

I've been wondering how and when OpenSSL decides whether it can use the 
new aes instructions?  Does it decide at build time or at run time?

If I build on a CPU that supports aes instructions but run on a cpu that 
does not, will bad things happen?  Or is OpenSSL smart enough to call 
functions implemented without aes instructions in that case?

Norm Green

On 8/10/16 06:28, Jan Just Keijser wrote:
> Hi,
>
> On 10/08/16 14:25, Nagesh shamnur wrote:
>>
>> Hi Group,
>>
>> I am running an application which transfers huge chunks of data every 
>> second (850Mbps) and the same is secured using openssl. However the 
>> CPU usage on windows is very high ( ~ 100%). So as a part of the 
>> analysis, I stumbled upon the information that, when using AES 
>> encryption, if the underlying hardware is Intel CPU, it can support 
>> AES-NI instruction set and hence make the crypto processing faster. 
>> So, I wanted to confirm if the same is enabled in my hardware.
>>
>> So, I wanted to know how to verify if the run is able to use the 
>> AES-NI instruction set available in the hardware.
>>
>> I have built openssl and have ensured enabling the asm in both linux 
>> and windows build.
>>
>> For windows, to confirm if AES-NI is enabled, support of tools 
>> available like truecrypt, CPU-Z and blackbox were used if the same 
>> was enabled in OS usage. And I found that the same is disabled. Also 
>> I found in some blogs that the same needs to be enabled in BIOS. When 
>> checked the BIOS settings, the option was not be found and a BIOS 
>> update is required to enable the same.
>>
>> However in linux I was unable to conclude if AES-NI is disabled since 
>> I didn’t had access to any such tools on linux. I checked "#cpuinfo | 
>> grep aes" and i was unable to find any line regarding AES-NI. However 
>> when i run the ./openssl speed -evp aes-128-gcm and 
>> OPENSSL_ia32cap="~0x200000200000000" ./openssl speed -elapsed -evp 
>> aes-128-gcm i am able to find the difference in speed. So i wanted to 
>> check how to confirm if my linux build has AES-NI enabled or not?
>>
>> Environment Information:
>>
>> CPU: E5-2620 0 @2.0GHz
>>
>> OS: Windows Server 2008
>>
>> Linux: Ubuntu 3.11.0-15-generic
>>
>> Openssl versoin: 1.0.2h
>>
>>
> I've got a server with that exact same CPU over here; with openssl 
> 1.0.2d I see the following results:
>
> $ ./openssl  speed -evp aes-128-gcm
> [...]
> type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 
> bytes
> aes-128-gcm     184391.41k   465791.06k   689190.61k   .65k 781295.62k
>
> $ OPENSSL_ia32cap=0 ./openssl  speed -evp aes-128-gcm
> [...]
> type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 
> bytes
> aes-128-gcm      43906.03k    49490.24k    51037.70k 51554.65k    
> 51699.71k
>
> i.e. with AES-NI disabled performance is about ~15 times less. On this 
> CPU turboboost is not working so your numbers maybe slightly different.
> Another good way to test whether AES-NI is working is by comparing 
> BF-CBC to AES-256-CBC: without AES-NI, BF will be faster. with AES-NI, 
> AES will be faster.
>
> HTH,
>
> JJK
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160810/b33f0b70/attachment-0001.html>

More information about the openssl-users mailing list