Ubuntu
openssl package

  1. Bug #2030784
  2. Comment #4

Comment 4 for bug 2030784

Revision history for this message
Bun K Tan (bktan1) wrote :

Hi @schopin,

Recommended way to test the relevant code paths would be to use OpenSSL’s Capability Bits Environment variable. Notes below:

Ubuntu - OpenSSL OPENSSL_ia32cap Environment Variable
OpenSSL Environment variable processor feature bit disable combos for testing.
https://www.openssl.org/docs/manmaster/man3/OPENSSL_ia32cap.html

* AES-GCM Relevant Feature Disable

   Disable VAES-NI
   $ export OPENSSL_ia32cap=:~0x20000000000

   Disable VPCLMULQDQ
   $ export OPENSSL_ia32cap=:~0x40000000000

   Disable AES-NI
   $ export OPENSSL_ia32cap=~0x200000000000000

   Disable AESNI + VAESNI
   $ export OPENSSL_ia32cap=~0x200000000000000:~0x20000000000

* RSA 2K/3K/4K Sign Relevant Feature Disable

   Disable AVX512F
   $ export OPENSSL_ia32cap=:~0x10000

   Disable AVX512VL
   $ export OPENSSL_ia32cap=:~0x80000000

   Disable AVX512DQ
   $ export OPENSSL_ia32cap=:~0x20000

   Disable AVX512IFMA
   $ export OPENSSL_ia32cap=:~0x200000

* Unset any previous caps
$ unset OPENSSL_ia32cap

Examples:
   * AES-128-GCM | AES-256-GCM
      - Baseline - Requires VAES and VPCMULQDQ features present on ICX or newer platform. This should be the most performant flow.
        $ taskset -c 0 openssl speed -evp aes-128-gcm

      - Individual VAES Disabled and VPCLMULQDQ Disabled should fallback to AVX AESNI flow and should have equivalent performance
        $ OPENSSL_ia32cap=:~0x20000000000 taskset -c 0 openssl speed -evp aes-128-gcm
        $ OPENSSL_ia32cap=:~0x40000000000 taskset -c 0 openssl speed -evp aes-128-gcm

      - AESNI and VAESNI Disabled should fallback to 'C code' performance
        $ OPENSSL_ia32cap=~0x200000000000000:~0x20000000000 taskset -c 0 openssl speed -evp aes-128-gcm

   * RSA 2K/3K/4K Sign Performance
      - Baseline - Requires AVX512F, AVX512VL, AVX512DQ, and AVX512IFMA features on ICX or newer platform. This should be the most performant flow.
        $ taskset -c 0 openssl speed rsa2048 rsa3072 rsa4096

      - Individual AVX512F, AVX512VL, and AVX512IFMA features should yield equivalent performance. This flow will use the ADOX/ADCX/MULX RSA flow.
        $ OPENSSL_ia32cap=:~0x10000 taskset -c 0 openssl speed rsa2048 rsa3072 rsa4096
        $ OPENSSL_ia32cap=:~0x80000000 taskset -c 0 openssl speed rsa2048 rsa3072 rsa4096
        $ OPENSSL_ia32cap=:~0x20000 taskset -c 0 openssl speed rsa2048 rsa3072 rsa4096
        $ OPENSSL_ia32cap=:~0x200000 taskset -c 0 openssl speed rsa2048 rsa3072 rsa4096