Red Hat Bugzilla – Bug 618524
Document how to enable padlock engine for openssl
Last modified: 2015-04-06 23:19:45 EDT
Description of problem:
The possibility of using HW crypto engine coming with VIA C7 CPUs should be documented. This should be documented maybe also in Installation guide (not sure).
See bug 563574
Tomas, any idea where this documentation should go? Which guide, or should be it also in man pages?
Need specific details in order to add this. I don't have this information. Have marked NEEDINFO.
After discussion this should go to security guide
To enable padlock engine in openssl edit /etc/pki/tls/openssl.cnf and add
On the begging of the config file
openssl_conf = openssl_init
Append on the end:
engines = openssl_engines
padlock = padlock_engine
default_algorithms = ALL
dynamic_path = /usr/lib/openssl/engines/libpadlock.so
init = 1
Note for 64but systems use:
dynamic_path = /usr/lib64/openssl/engines/libpadlock.so
To check if module enabled run (is should be listed)
# openssl engine -c -tt
To test openssl with padlock use:
# openssl speed aes-128-cbc
'openssl speed' without the hardware engine shows roughly 11MB/s throughput.
With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size.
(yes, really, 1.9GB/s!)
To test openssh speed you can run a command like:
dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null
openssh without padlock engine shows throughput roughly 5MB/s, with the padlock engine it should be significantly improoved
More information on VIA padlock engine is here:
Scott is this info enough for you?
Jan, any other suggestions?
Miroslav, thank you for that information, it's appreciated. I've added details on this to the Security Guide, and changes will appear on next publish.