PfSense test results of the padlock kernel driver on a VIA C7

From Docunext Technology Wiki

I will clean these up... promise!

The Test Results

openssl speed -evp aes128 -elapsed
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      12241.60k    12929.27k    13161.13k    13200.54k    13233.67k

openssl speed -evp aes128 -elapsed -engine cryptodev
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      12231.10k    12947.85k    13145.52k    13218.19k    13216.50k

openssl speed -evp aes128 -elapsed -engine padlock
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      71551.16k   241646.47k   570026.96k   871202.79k   966474.22k


kldload padlock


openssl speed -elapsed -evp aes128
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4773.50k    18605.12k    68176.98k   205305.97k   313640.08k

openssl speed -elapsed -evp aes128 -engine cryptodev
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4751.87k    18204.16k    63384.51k   201368.95k   314852.77k


openssl speed -elapsed -evp aes128 -engine padlock
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      71569.26k   241626.88k   568895.62k   872310.67k  1030496.28k



RUNNING THEM AGAIN: 


pfSense:~#  openssl speed -elapsed -evp aes128
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 2300439 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 608913 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 154766 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 38855 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 4527 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      12249.28k    12948.72k    13164.20k    13219.70k    12319.73k





pfSense:~#  openssl speed -elapsed -evp aes128 -engine cryptodev
engine "cryptodev" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 2221736 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 608872 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 151156 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 30059 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 3957 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      11846.49k    12947.99k    12857.54k    10227.05k    10770.41k




pfSense:~#  openssl speed -elapsed -evp aes128 -engine dynamic
engine "dynamic" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 2297327 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 594138 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 154508 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 38422 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 4795 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      12231.42k    12634.92k    13142.96k    13072.82k    13050.19k






kldload padlock


pfSense:~#  openssl speed -elapsed -evp aes128
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 896499 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 872149 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 640667 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 564515 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 115435 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4778.10k    18547.62k    54498.29k   192081.83k   314223.13k





pfSense:~#  openssl speed -elapsed -evp aes128 -engine cryptodev
engine "cryptodev" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 856652 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 853573 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 719167 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 593948 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 112315 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4557.84k    18152.47k    61176.19k   202097.78k   305734.41k



pfSense:~#  openssl speed -elapsed -evp aes128 -engine dynamic
engine "dynamic" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 884673 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 873123 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 792669 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 604693 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 112715 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4712.38k    18539.07k    67535.84k   205753.27k   306816.53k


pfSense:~#  openssl speed -elapsed -evp aes128 -engine padlock
engine "padlock" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 13254265 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 11378797 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 6536461 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 2560891 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 369726 aes-128-cbc's in 3.01s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Fri Jun  8 15:18:24 EDT 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: gettimeofday
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      70471.61k   241983.89k   555999.92k   871352.37k  1006405.14k

My Take on the Test Results

These results are somewhat positive, but somewhat frustrating. First off, its great to see how big of an improvement using the padlock engine with ssl makes. And its good to see and improvement when the padlock driver is loaded, but frankly I expected a much bigger improvement. My guess is that although the cryptodev uses the padlock driver, there is something funky going on causing some major overhead. I haven't checked out the CPU usage but my guess is that it will be quite large.

Thanks to the pfSense folks for their terrific product which made testing this relatively easy.

Related Pages

• OpenSSL
• Via Padlock
• pfSense