Bug 1022002 – AESNI broken in openssl-1.0.1e-15.el6.x86_64

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1022002 - AESNI broken in openssl-1.0.1e-15.el6.x86_64

Summary:	AESNI broken in openssl-1.0.1e-15.el6.x86_64

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	doc-Technical_Notes (Show other bugs)
Sub Component:
Version:	6.5
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Eliska Slobodova
QA Contact:	QE Internationalization Bugs
Docs Contact:

URL:
Whiteboard:
Keywords:	Documentation

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-10-22 09:14 EDT by James Findley
Modified:	2014-10-04 12:40 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-11-22 06:20:54 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description James Findley 2013-10-22 09:14:37 EDT

Description of problem:

The new version of openssl shipped in RHEL 6.5 breaks aesni hardware accelleration.

There are two problems, firstly that the engine .so is missing (although I believe this is probably deliberate it should be documented as attempting to specify this engine now results in an error)

The second problem is that the accelleration isn't enabled in core.

This means that on a modern intel CPU, aes-128-cbc speed (as tested by openssl speed -evp aes-128-cbc) drops from around 691902.42k to 22027.95k (1024 keysize) between RHEL 6.4 and RHEL 6.5 - which obviously isn't acceptable.

Disabling the disable-aesni patch (patch number 67) fixes the problem, but as the patch looks like it's there to provide an optional (and disabled by default) way to turn off aesni at build time, it's unclear why this is.

Version-Release number of selected component (if applicable):

openssl-1.0.1e-15.el6.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Start with RHEL 6.4.  Run openssl speed -evp aes-128-cbc
2. Update to RHEL 6.5
3. Run openssl speed -evp aes-128-cbc again

Actual results:

roughly 30x slowdown

Expected results:

no slowdown at all.

Additional info:

Comment 2 James Findley 2013-10-22 09:52:22 EDT

Apologies for the noise - this was actually caused by buggy power management on the test server that only showed up once updated.

It might be worth mentioning in the docs that the external engine for aesni has gone away, and that it no longer needs to be manually enabled, though.

Comment 3 Tomas Mraz 2013-10-22 10:04:07 EDT

We will document it in the errata text. Reassigning to release notes for further documentation consideration.

Comment 4 Eliska Slobodova 2013-10-24 09:06:52 EDT

The following text has been added in the Technical Notes book as agreed with Tomas:

The external Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is no longer available in openssl; the engine is now built-in and therefore no longer needs to be manually enabled.

Comment 5 Eliska Slobodova 2013-11-22 06:20:54 EST

Closing; the book is available online:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Technical_Notes/index.html

Note You need to log in before you can comment on or make changes to this bug.