Remove cryptodev from the kernel and make it a loadable module about tools HOT 11 CLOSED

Hi Olivier,

If it's not in GENERIC I'm all for it. The impact on the code base needs to be assessed, at least OpenVPN uses cryptodev.

Cheers,
Franco

from tools.

Hello Franco,

I've checked https://github.com/freebsd/freebsd/blob/master/sys/amd64/conf/GENERIC and only crypto is loaded, not cryptodev.

I don't think that OpenVPN requires cryptodev, it uses OpenSSL's evp engine which is capable of using the AES-NI instructions without using the aesni module. If OpenSSL finds cryptodev and aesni is loaded, then it will use cryptodev and slow things down.

Without aesni:

aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     157046.93k   213145.60k   244910.43k   253991.94k   256548.86k

After having loaded it, along with cryptodev

aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       5024.52k    18651.14k    60246.48k   138542.09k   218901.82k

When testing OpenVPN, I didn't notice any change in performance, only in CPU use

# /usr/bin/time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc

Without aesni

25.311 real        25.280 user         0.016 sys

With module

25.86 real        24.47 user         1.33 sys

I'm told one advantage of being able to load the aesni.ko module is for ipsec and that shouldn't require cryptodev either, at least not when using AES-NI.

from tools.

Some background information:
https://lists.freebsd.org/pipermail/freebsd-security/2013-August/007115.html

from tools.

I'm just gonna leave this here... https://redmine.pfsense.org/issues/5976

from tools.

Cool :). I'm not registered to access their tools, so I couldn't see if that had already been done.

from tools.

No, not yet. This ticket was added a couple of days after you suggested it here. :)

from tools.

@oparoz will you build your own kernel or do you want my test build?

from tools.

I build my own, but maybe post yours in the forum so that people are made aware of this change? It's quite badly documented in FreeBSD land imho.

from tools.

Looking at these 2 commits:

• 0cac0f4
• opnsense/core@b41fc61

I see one problem, but maybe it's solved elsewhere. You still need to load crypto along with aesni per example, just not cryptodev.

from tools.

I was hoping that best case it was auto-loaded, worst case to be loaded manually. As it turns out it's required by IPSEC so it stays in the kernel, see last commit.

from tools.

Ah, good 👍 :)

from tools.