You may’ve seen in another post that I bought a Cavium Nitrox PX Series CN1620 Encryption offload board. It speeds up cryptographic operations commonly used in SSL and IPSec and offloads them to dedicated hardware. Linux developers have developed packages that allow us to take advantage of that. I was looking to get it working in Debian Linux with OpenSSL.
btw – when you see my make commands they sometimes have -j8 on them. That just says use X number of threads/jobs for the build process. It makes builds go quicker if you split up the work.(thank you Michael Lawler for that tip).
This is the process.
# install some tools, you may already have these
sudo apt-get install make
sudo apt-get install gcc
sudo apt-get install dpkg-dev debhelper
# install linux kernel headers
sudo apt-get install linux-headers-$(uname -r)
# compiling and installing cryptodev-linux
wget http://nwl.cc/pub/cryptodev-linux/cryptodev-linux-1.9.tar.gz
tar -xzvf cryptodev-linux-1.9.tar.gz
cd cryptodev-linux-1.9/
make - j8
sudo make install
# install the cryptodev module
sudo vi /etc/modules
add the following line
cryptodev
:wq
cp /lib/modules/4.9.0-4-amd64/extra/cryptodev.ko/ /lib/modules/4.9.0-4-amd64/
sudo modprobe cryptodev
if you get any errors look at
sudo dmesg
to see what the problem might be.
To see if the Module is loaded, check out
sudo lsmod | grep cryptodev
# Complie and Install OpenSSL
sudo apt-get source openssl
tar -xf openssl_1.1.0f.orig.tar.gz
cd openssl-1.1.0f
./Configure -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu enable-rfc3779 enable-cms linux-x86_64
sudo make -j8
sudo make install
Now you probably want to look at a nice pretty benchmark to tell you that you’ve actually accomplished something. Issue following command and behold its glory.
black@Synapse:~$ openssl speed -engine cryptodev -evp aes-256-cbc
engine "cryptodev" set.
Doing aes-256-cbc for 3s on 16 size blocks: 4315578 aes-256-cbc's in 0.45s
Doing aes-256-cbc for 3s on 64 size blocks: 4007253 aes-256-cbc's in 0.28s
Doing aes-256-cbc for 3s on 256 size blocks: 2601910 aes-256-cbc's in 0.33s
Doing aes-256-cbc for 3s on 1024 size blocks: 1082564 aes-256-cbc's in 0.10s
Doing aes-256-cbc for 3s on 8192 size blocks: 165412 aes-256-cbc's in 0.01s
Doing aes-256-cbc for 3s on 16384 size blocks: 84105 aes-256-cbc's in 0.01s
OpenSSL 1.1.0f 25 May 2017
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-1.1\""
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-256-cbc 153442.77k 915943.54k 2018451.39k 11085455.36k 135505510.40k 137797632.00k