[Samba] Problems with OS X 10.11.5

mathias dufresne infractory at gmail.com
Fri Jun 3 12:22:08 UTC 2016


Thank you for this information.

Searching for "OpenSSL AES hardware" I found these two links:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine.html
http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-support-use-the-intel-aes-ni

From the second I found a test to check openssl performance, with an
export to disable hardware acceleration:
# Disabling acceleration
export OPENSSL_ia32cap="~0x200000200000000"
# The test:
openssl speed -elapsed -evp aes-128-ecb

From the first link I found how to check that the CPU is able to get
hardware acceleration:

grep -m1 -o aes /proc/cpuinfo

Tests done on VMs: same performance with or without the export. Checking
/proc/cpuinfo, there was no AES flag in the VMs: I was missing the CPU
directive in my libvirt XML files for the VMs:
  <cpu mode='host-model' />

And now the AES flag is also in the VMs and "openssl speed -elapsed -evp
aes-128-ecb" runs almost as fast inside VMs as on the host.

With all that (patch + aes enabled) we should have encryption possibility
and performance...





2016-06-02 15:26 GMT+02:00 Volker Lendecke <Volker.Lendecke at sernet.de>:

> On Thu, Jun 02, 2016 at 01:59:17PM +0200, mathias dufresne wrote:
> > What would we have to do to get that hardware performance improvement?
>
> Talk to metze :-)
>
> > Just upgrade Samba to some version patched with Metze's stuff, or are there
> > also some drivers to be compiled and loaded into the kernel?
>
> I believe Metze's patches require OpenSSL, but he needs to comment on
> that.
>
> > The hardware seems to be included directly in CPU:
> > https://en.wikipedia.org/wiki/Cryptographic_accelerator
> > gave me:
> > https://en.wikipedia.org/wiki/AES_instruction_set
>
> Yep. Samba does not use that directly but utilizes some crypto
> library. Given that there's dozens of "standard" crypto libraries out
> there with varying algorithm/hardware/nameit support, it's a bit
> difficult to implement for general use.... https://xkcd.com/927/
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
> SerNet & BSI invite you: June 29, 2016,
> 2nd IT-Grundschutztag 2016, BPA Berlin.
> Registration: https://www.sernet.de/gstag
>
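
The check described in this message (is the aes flag visible in the guest, and does `openssl speed` slow down when `OPENSSL_ia32cap` masks AES-NI), as an added example that is not part of the original thread. The function names and the SAMPLE_* values are constructed for illustration; `compare_live` assumes x86 Linux with `openssl` in PATH.

```sh
#!/bin/sh
# Added example; the SAMPLE_* values are constructed, not measurements
# from the thread.

# Succeed if FLAG is a whole word on a "flags" line of FILE (default
# /proc/cpuinfo; "-" reads stdin). A whole-word match means a flag such
# as "vaes" is not mistaken for "aes".
has_cpu_flag() {
    awk -v f="$1" '
        $1 == "flags" { for (i = 3; i <= NF; i++) if ($i == f) found = 1 }
        END { exit !found }' "${2:-/proc/cpuinfo}"
}

# Read "openssl speed" output on stdin and print the last column (largest
# block size) of the aes-128-ecb row, in 1000s of bytes per second.
evp_throughput() {
    awk 'tolower($1) == "aes-128-ecb" { v = $NF }
         END { sub(/k$/, "", v); print v }'
}

# Print accelerated/unaccelerated throughput as a ratio, one decimal place.
speedup() {
    awk -v a="$1" -v b="$2" \
        'BEGIN { if (b + 0 <= 0) exit 1; printf "%.1f\n", a / b }'
}

# Live comparison on the current machine, using the commands from the thread.
compare_live() {
    has_cpu_flag aes || { echo "no aes flag: check the guest CPU model" >&2; return 1; }
    on=$(openssl speed -elapsed -evp aes-128-ecb 2>/dev/null | evp_throughput)
    off=$(OPENSSL_ia32cap="~0x200000200000000" \
          openssl speed -elapsed -evp aes-128-ecb 2>/dev/null | evp_throughput)
    echo "aes-128-ecb: ${on}k with AES-NI, ${off}k without, $(speedup "$on" "$off")x"
}

# Constructed sample inputs for trying the parsers offline.
SAMPLE_HOST_FLAGS='flags : fpu sse2 pclmulqdq ssse3 sse4_1 sse4_2 popcnt aes avx'
SAMPLE_GUEST_FLAGS='flags : fpu sse2 ssse3 sse4_1 sse4_2 popcnt'
SAMPLE_ON='type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb  600000.00k  2400000.00k  4800000.00k  5600000.00k  5800000.00k'
SAMPLE_OFF='type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb  250000.00k   290000.00k   300000.00k   305000.00k   290000.00k'
```

Run `compare_live` on the host and again inside a guest: a ratio close to 1 in the guest, or the "no aes flag" message, indicates the guest CPU model is not exposing AES-NI.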

