Re: Via Eden C7 padlock benchmarks


Simon Josefsson wrote:
> Torsten72 <> writes:
> > # loop-aes: AES-128
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,93555 Sekunden, 56,0 MB/s
> ...
> > # loop-aes: AES-256
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,953818 Sekunden, 55,0 MB/s
> ...
> > # dm-crypt: AES-128
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,554618 Sekunden, 94,5 MB/s
> ...
> > # dm-crypt: AES-256
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,560215 Sekunden, 93,6 MB/s
> Interesting results!  Even if people generally seem to prefer
> dm-crypt over loop-aes, it is good to have statistics to back things
> up.


Most people have not realized that loop-AES is using a disk sector number and
data dependent IV computation, where data needs to be processed twice.
dm-crypt is taking a shortcut and using only a disk sector number dependent IV
that stays the same regardless of the data. If an adversary is able to observe
disk read/write traffic, then dm-crypt leaks the location of changed data.
loop-AES does not, because all cipher blocks in the 512 byte disk sector CBC
chain change regardless of where the plaintext data change is.

In the padlock enabled loop version, only that AES CBC processing is using
the hardware implementation. loop-AES IV computation (the other crypto
processing of data) is always using software. So, in the padlock enabled case,
the loop-AES vs. dm-crypt comparison is really software+hardware implementation
vs. hardware implementation for those crypto bits. In other x86/amd64 cases,
the loop-AES vs. dm-crypt comparison is software+software implementation vs.
software implementation.

Could you check that the VIA C7 processor was properly detected by the loop-AES
code? If it was properly detected, then there should be a "loop: padlock
hardware AES enabled" message in your kernel log. You can check that using
the command "dmesg | grep loop" or "grep loop /var/log/messages". Padlock
enabled loop includes both software AES and padlock AES implementations. If
padlock detection fails, then the code uses the software AES implementation.

I ask this because when the loop-AES padlock code was written, I only had the
older VIA C3 processor programming manual. loop-AES code follows the older VIA C3
padlock detection instructions. When C7 was new, a VIA representative
promised me C7 programming manual, but I never got it. Pinged twice, no

Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
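
The difference between the two IV schemes described in the message above, as an added example that is not part of the original post and is not loop-AES or dm-crypt code. It encrypts one 512-byte sector before and after a one-byte plaintext change and reports which 16-byte ciphertext blocks differ. Assumptions: a 4-round Feistel permutation built from SHA-256 stands in for AES, both IV functions are simplified, and the key and sector contents are constructed.

```python
import hashlib

BLOCK, SECTOR = 16, 512

def _round(key, rnd, half):
    # Round function of the stand-in cipher (8 bytes out).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key, block):
    # 4-round Feistel permutation on 16 bytes: a stand-in for AES, not AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        mask = _round(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mask))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    # Plain CBC chaining; returns the list of ciphertext blocks.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = encrypt_block(key, mixed)
        out.append(prev)
    return out

def sector_only_iv(sector_no, plaintext):
    # IV depends on the sector number alone (simplified).
    return sector_no.to_bytes(BLOCK, "little")

def data_dependent_iv(sector_no, plaintext):
    # IV depends on the sector number and on plaintext blocks 1..31: the
    # second pass over the data. Simplified, not loop-AES's exact computation.
    seed = sector_no.to_bytes(8, "little") + plaintext[BLOCK:]
    return hashlib.sha256(seed).digest()[:BLOCK]

def changed_blocks(iv_func, key, sector_no, old, new):
    # Indices of ciphertext blocks that differ between two writes of a sector.
    a = cbc_encrypt(key, iv_func(sector_no, old), old)
    b = cbc_encrypt(key, iv_func(sector_no, new), new)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

KEY = b"constructed-demo-key"
OLD = bytes(range(256)) * 2                      # constructed 512-byte sector
OFFSET = 20 * BLOCK + 3                          # one byte inside block 20
NEW = OLD[:OFFSET] + bytes([OLD[OFFSET] ^ 0xFF]) + OLD[OFFSET + 1:]

if __name__ == "__main__":
    print("sector-only IV   :", changed_blocks(sector_only_iv, KEY, 7, OLD, NEW))
    print("data-dependent IV:", changed_blocks(data_dependent_iv, KEY, 7, OLD, NEW))
```

With the sector-only IV the first differing block marks where the edit happened; with the data-dependent IV every block of the sector differs.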

Linux-crypto:  cryptography in and on the Linux system
