Bug 617539

Summary: VIA Padlock engine does not work on x86_64 build
Product: [Fedora] Fedora Reporter: Solomon Peachy <pizza>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: stadtkind2, tmraz
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-1.0.0d-3.fc16 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-28 20:13:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to enable Padlock support on x86_64 none

Description Solomon Peachy 2010-07-23 11:56:10 UTC 
Description of problem:

Via CPUs have an onboard crypto engine ("padlock") that supports accelerated AES and SHA computations that are vastly faster than using the CPU.

OpenSSL supports the VIA hardware, if you use its 'padlock' engine.

Until recently, all Via CPUs were 32-bit only.  This changed when they released their Nano CPUs, which support x86_64.  

Unfortunately, it seems that the OpenSSL build that Fedora 12 is using doesn't support the Nano CPU when it's running in 64-bit mode.  The engine fails to initialize properly.

Version-Release number of selected component (if applicable):

openssl-1.0.0a-1.fc12.x86_64


How reproducible:

100%

Steps to Reproduce:
1.  run 'openssl engine'
2.  run 'openssl speed -evp aes-256-cbc -engine padlock'
  
Actual results:

1:  [root@blackbox1 ~]# openssl engine 
    (aesni) Intel AES-NI engine (no-aesni)
    (dynamic) Dynamic engine loading support

2:   invalid engine "padlock"
140713656043336:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
140713656043336:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=padlock
140713656043336:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libpadlock.so): libpadlock.so: cannot open shared object file: No such file or directory
140713656043336:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
140713656043336:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      23494.04k    24941.34k    25798.73k    59372.87k    59826.05k

Expected results:

1:  [root@blackbox0 ~]# openssl engine
    (aesni) Intel AES-NI engine (no-aesni)
    (dynamic) Dynamic engine loading support
    (padlock) VIA PadLock (no-RNG, ACE)

2:  [No error, and speed should be something like this, if not faster:]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb      96787.39k   353046.21k   950673.75k  1560331.87k  1946113.37k

Additional info:

The actual padlock shared library is built and is present in the OpenSSL package:

  /usr/lib64/openssl/engines/libpadlock.so

I don't know if this is an upstream bug or not, but padlock support is definitely broken in F12's 64-bit OpenSSL build.  I'll try reporting this upstream later today.
Comment 1 Solomon Peachy 2010-07-23 12:06:13 UTC 
There's no reference to this in the upstream bug tracker, but to report a bug I need an account and there seems to be no way for me to do so.
Comment 2 Solomon Peachy 2010-07-23 14:05:08 UTC 
Created attachment 433962 [details]
Patch to enable Padlock support on x86_64

Patch extracted from upstream CVS.  Code not yet pushed into a release branch.
Comment 3 Solomon Peachy 2010-07-23 14:14:04 UTC 
With the above patch, we can take advantage of the VIA Padlock engine on their Nano CPUs when running in x86_64 mode.

Performance isn't as improved as I'd like/expect, but it's still ~3-12x faster:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      74753.34k   250586.18k   491370.50k   646741.67k   710492.16k

'scp' speeds improved about 13% as well, with much lower CPU utilization -- from 16MB/s to 18MB/s (throughput limited by far side)

I haven't verified this patch doesn't cause regressions on i686, as all of my C7/x86 boxes currently lack toolchains.  If this patch is accepted and dropped into a koji build I can test it out though.
Comment 4 Solomon Peachy 2010-07-23 14:52:39 UTC 
addendum -- using the same loopback ssh speed test I was using in 559655, my ssh throughput jumps from ~6.2MB/s without this patch to ~12.4MB/s with it.
Comment 5 Bug Zapper 2010-11-03 11:38:17 UTC 
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Bug Zapper 2010-12-03 13:06:14 UTC 
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Solomon Peachy 2011-01-31 20:03:47 UTC 
This is still a problem in Fedora 14; This patch is currently in upstream openssl's HEAD and 1.0.1 branches, but not in the 1.0.0 branch that Fedora is currently using.

Is there any chance that this could be re-visited?  I'd like to not have to keep building custom openssl packages to use the hardware crypto features of the VIA Nano processors.
Comment 8 Stefan Krüger 2011-04-26 18:32:37 UTC 
I'd like to add a "me too", problem still exists in Fedora 15 Beta :(