[PATCH] Use Intel AES instruction set if it exists - v3

Jeremy Allison jra at samba.org
Tue Sep 5 21:08:45 UTC 2017

Hi all,

Off-list Justin @ Netgear has been doing
some performance measurements between native
Samba AES, the libnettle crypto library and
Intel AES instructions.

Whilst doing that he discovered that on Debian 9,
and Ubuntu 17.04 and before, libnettle has been
built without AES instruction support and is thus
much *slower* than our native crypto. On Fedora
and SuSE it's correctly built and so provides better
performance, although the native Intel AES code is
still the fastest.

I don't have permission to publish his absolute numbers,
but have a work-around here of publishing comparative
results (hope that's OK Justin, but it's easier to
ask for forgiveness than wait for permission:-).
Consider native Samba as performance 1.000. We have:

Native Samba AES code:			1.000
Intel AES code:				2.386
libnettle --enable-fat (Fedora|SuSE):	1.704
libnettle (Debian|Ubuntu):		0.818

As you can see, Intel AES code gives a significant

Given that, after discussions offline with Andreas
(who has to support FIPS certification for Fedora)
and Metze, here is a patchset that allows configure
time selection of AES crypto.

--accel-aes=none (default - use Samba native crypto)

--accel-aes=nettle|libnettle (Use libnettle)

--accel-aes=intelaesni (Use third_party code)

Part of this is a WHATSNEW that specifies that
the --accel-aes=intelaesni and supporting code
is a temporary fix and WILL be removed from Samba
once libnettle reaches performance parity.

Andreas, let me know if this meets your requirements.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: aes.patch
Type: text/x-diff
Size: 113925 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170905/a126de83/aes.diff>

More information about the samba-technical mailing list