[PATCH] Use Intel AES instruction set if it exists - v3

Stefan Metzmacher metze at samba.org
Wed Sep 6 13:38:20 UTC 2017

Hi Jeremy,

can you please check the indentation in various wscript files,
they're python scripts and should not use tabs, 4 spaces.

Also running "git show eb1f476657c" in a recent kernel checkout,
gives a failure.

Can you please make sure we important a well defined state
of arch/x86/crypto/aesni-intel_asm.S from the kernel,
including the exact full commit hash of the checkout
you used in our commit message.

git show $commit:arch/x86/crypto/aesni-intel_asm.S should
should exactly what we import.

This will make it much easier to track what state we have.

There have been some changes this year regarding AES-GCM
(which we don't use yet, but may want to experiment with).
So I think it would be good to import the recent version from the

> Off-list Justin @ Netgear has been doing
> some performance measurements between native
> Samba AES, the libnettle crypto library and
> Intel AES instructions.
> Whilst doing that he discovered that on Debian 9,
> and Ubuntu 17.04 and before, libnettle has been
> built without AES instruction support and is thus
> much *slower* than our native crypto. On Fedora
> and SuSE it's correctly built and so provides better
> performance, although the native Intel AES code is
> still the fastest.
> I don't have permission to publish his absolute numbers,
> but have a work-around here of publishing comparative
> results (hope that's OK Justin, but it's easier to
> ask for forgiveness than wait for permission:-).
> Consider native Samba as performance 1.000. We have:
> Native Samba AES code:			1.000
> Intel AES code:				2.386
> libnettle --enable-fat (Fedora|SuSE):	1.704
> libnettle (Debian|Ubuntu):		0.818
> As you can see, Intel AES code gives a significant
> advantage.
> Given that, after discussions offline with Andreas
> (who has to support FIPS certification for Fedora)
> and Metze, here is a patchset that allows configure
> time selection of AES crypto.
> --accel-aes=none (default - use Samba native crypto)
> --accel-aes=nettle|libnettle (Use libnettle)
> --accel-aes=intelaesni (Use third_party code)
> Part of this is a WHATSNEW that specifies that
> the --accel-aes=intelaesni and supporting code
> is a temporary fix and WILL be removed from Samba
> once libnettle reaches performance parity.
> Andreas, let me know if this meets your requirements.

Otherwise it looks ok.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170906/4b3876ae/signature.sig>

More information about the samba-technical mailing list