Description of problem: Via CPUs have an onboard crypto engine ("padlock") that supports accelerated AES and SHA computations that are vastly faster than using the CPU. OpenSSL supports the VIA hardware, if you use its 'padlock' engine. Until recently, all Via CPUs were 32-bit only. This changed when they released their Nano CPUs, which support x86_64. Unfortunately, it seems that the OpenSSL build that Fedora 12 is using doesn't support the Nano CPU when it's running in 64-bit mode. The engine fails to initialize properly. Version-Release number of selected component (if applicable): openssl-1.0.0a-1.fc12.x86_64 How reproducible: 100% Steps to Reproduce: 1. run 'openssl engine' 2. run 'openssl speed -evp aes-256-cbc -engine padlock' Actual results: 1: [root@blackbox1 ~]# openssl engine (aesni) Intel AES-NI engine (no-aesni) (dynamic) Dynamic engine loading support 2: invalid engine "padlock" 140713656043336:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521: 140713656043336:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=padlock 140713656043336:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libpadlock.so): libpadlock.so: cannot open shared object file: No such file or directory 140713656043336:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140713656043336:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 23494.04k 24941.34k 25798.73k 59372.87k 59826.05k Expected results: 1: [root@blackbox0 ~]# openssl engine (aesni) Intel AES-NI engine (no-aesni) (dynamic) Dynamic engine loading support (padlock) VIA PadLock (no-RNG, ACE) 2: [No error, and speed should be something like this, if not faster:] type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-ecb 96787.39k 353046.21k 950673.75k 1560331.87k 1946113.37k Additional info: The actual padlock shared library is built and is present in the OpenSSL package: /usr/lib64/openssl/engines/libpadlock.so I don't know if this is an upstream bug or not, but padlock support is definitely broken in F12's 64-bit OpenSSL build. I'll try reporting this upstream later today.
There's no reference to this in the upstream bug tracker, but to report a bug I need an account and there seems to be no way for me to do so.
Created attachment 433962 [details] Patch to enable Padlock support on x86_64 Patch extracted from upstream CVS. Code not yet pushed into a release branch.
With the above patch, we can take advantage of the VIA Padlock engine on their Nano CPUs when running in x86_64 mode. Performance isn't as improved as I'd like/expect, but it's still ~3-12x faster: type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 74753.34k 250586.18k 491370.50k 646741.67k 710492.16k 'scp' speeds improved about 13% as well, with much lower CPU utilization -- from 16MB/s to 18MB/s (throughput limited by far side) I haven't verified this patch doesn't cause regressions on i686, as all of my C7/x86 boxes currently lack toolchains. If this patch is accepted and dropped into a koji build I can test it out though.
addendum -- using the same loopback ssh speed test I was using in 559655, my ssh throughput jumps from ~6.2MB/s without this patch to ~12.4MB/s with it.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
This is still a problem in Fedora 14; This patch is currently in upstream openssl's HEAD and 1.0.1 branches, but not in the 1.0.0 branch that Fedora is currently using. Is there any chance that this could be re-visited? I'd like to not have to keep building custom openssl packages to use the hardware crypto features of the VIA Nano processors.
I'd like to add a "me too", problem still exists in Fedora 15 Beta :(