Remove cryptodev from the kernel and make it a loadable module

[oparoz]

1. The aesni.ko module does not need cryptodev.ko
2. cryptodev should not be used when aesni is loaded as it slows down OpenSSL a lot
3. cryptodev is required by some encryption hardware only

So, by removing cryptodev from the kernel, people on recent X86 hardware will benefit from better encryption speed.

1. The GUI should only add the aesni.ko module to the boot sequence when AES acceleration is selected
2. When alternative hardware is selected, cryptodev could be always loaded or a whitelist/blacklist could be built

Thoughts?

[fichtner]

Hi Olivier,

If it's not in GENERIC I'm all for it. The impact on the code base needs to be assessed, at least OpenVPN uses cryptodev.

Cheers,
Franco

[oparoz]

Hello Franco,

I've checked https://github.com/freebsd/freebsd/blob/master/sys/amd64/conf/GENERIC and only crypto is loaded, not cryptodev.

I don't think that OpenVPN requires cryptodev, it uses OpenSSL's evp engine which is capable of using the AES-NI instructions without using the aesni module. If OpenSSL finds cryptodev and aesni is loaded, then it will use cryptodev and slow things down.

Without aesni:

aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     157046.93k   213145.60k   244910.43k   253991.94k   256548.86k

After having loaded it, along with cryptodev

aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       5024.52k    18651.14k    60246.48k   138542.09k   218901.82k

When testing OpenVPN, I didn't notice any change in performance, only in CPU use

# /usr/bin/time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc

Without aesni

25.311 real        25.280 user         0.016 sys

With module

25.86 real        24.47 user         1.33 sys

I'm told one advantage of being able to load the aesni.ko module is for ipsec and that shouldn't require cryptodev either, at least not when using AES-NI.

[oparoz]

Some background information:
https://lists.freebsd.org/pipermail/freebsd-security/2013-August/007115.html

[fichtner]

I'm just gonna leave this here... https://redmine.pfsense.org/issues/5976

[oparoz]

Cool :). I'm not registered to access their tools, so I couldn't see if that had already been done.

[fichtner]

No, not yet. This ticket was added a couple of days after you suggested it here. :)

[fichtner]

@oparoz will you build your own kernel or do you want my test build?

[oparoz]

I build my own, but maybe post yours in the forum so that people are made aware of this change? It's quite badly documented in FreeBSD land imho.

[oparoz]

Looking at these 2 commits:

• 0cac0f4
• opnsense/core@b41fc61

I see one problem, but maybe it's solved elsewhere. You still need to load crypto along with aesni per example, just not cryptodev.

[fichtner]

I was hoping that best case it was auto-loaded, worst case to be loaded manually. As it turns out it's required by IPSEC so it stays in the kernel, see last commit.

[oparoz]

Ah, good 👍 :)