Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2021
 
 

SPARC Acceleration of Optimized Cryptographic Functions

Beginning with the SPARC T4 microprocessor, new instructions to perform cryptographic functions are available directly in hardware. The instructions are non-privileged. Thus, any program can use the instructions. Because cryptography is performed directly on the hardware, cryptographic operations are faster than operations on legacy systems whose SPARC processors have separate processing units for cryptography.

The following table provides a detailed comparison of cryptographic functions in SPARC T4 microprocessor units combined with specific Oracle Solaris releases.

Table 2  Cryptographic Performance on SPARC T4 and Later SPARC Based Systems
Feature/Software Consumer
T4 and Newer Systems Running Oracle Solaris 10
T4 and Newer Systems Running Oracle Solaris 11.3 SRUs
T4 and Newer Systems Running Oracle Solaris 11.4
Secure Shell
Requires patch 148104-25.
Disable/Enable with the UseOpenSSLEngine option in /etc/ssh/sshd_config.
Automatically enabled.
For SunSSH, disable/enable with the UseOpenSSLEngine option in /etc/ssh/sshd_config.
The T4 optimizations are automatically used.
Java/JCE
Automatically enabled.
Configure in $JAVA_HOME/jre/lib/ security/java.security
Automatically enabled.
Configure in $JAVA_HOME/jre/lib/ security/java.security
Automatically enabled.
Configure in $JAVA_HOME/jre/lib/ security/java.security
ZFS Crypto
Not available.
HW crypto automatically enabled if dataset is encrypted.
HW crypto automatically enabled if dataset is encrypted.
IPsec
Automatically enabled.
Automatically enabled.
Automatically enabled.
OpenSSL
Requires patch 151912-02 or newer.
Use –engine pkcs11 option.
The T4 optimization is automatically used.
(Optionally use –engine pkcs11.) To use T4 crypto functions for RSA or DSA, use this engine.
The T4 optimization is automatically used.
(Optionally use –engine pkcs11.) To use T4 crypto functions for RSA or DSA, use this engine.
Oracle TDE
Pending patch.
Automatically enabled with Oracle DB 11.2.0.3 and ASO.
Automatically enabled with Oracle DB 11.2.0.3 and ASO.
Apache SSL
Configure with SSLCryptoDevice pkcs11.
The T4 optimization is automatically used.
The T4 optimization is automatically used.
Logical Domains
Functionality always available, no configuration required.
Functionality always available, no configuration required.
Functionality always available, no configuration required.

The T4 and later microprocessors provide on-chip encryption instruction accelerators with direct nonprivileged support for 15 industry-standard cryptographic algorithms: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512.

    For AES, the instructions include the following encryption and decryption optimizations:

  • Key expansion – Expansions of the 128-bit, 192-bit, or 256-bit user-provided AES key into a key schedule. The schedule is used internally during encryption and decryption.

  • Rounds or transformations – The number of rounds used (for example 10, 12, or 14) varies according to AES key length. By using larger keys, the user indicates a desire for more robust encryption at the cost of more computation.

These hardware cryptographic instructions are available and used automatically. The instructions are also embedded in the OpenSSL upstream code, so beginning with OpenSSL 1.0.1e, OpenSSL uses the instructions. To determine the version, run the openssl version command in a terminal window.

Example 1  Determining Whether Your SPARC System Supports Cryptographic Optimizations

To determine whether the cryptographic optimizations are supported, use the isainfo command. The inclusion of sparcv9 and aes in the output indicates that the system supports the optimizations.

$ isainfo -v
64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi 
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
Example 2  Determining Whether Your SPARC System Is Running Cryptographic Optimizations

To determine whether your system is running SPARC T4 microprocessor optimizations, check for the aes_t4 instruction in the OpenSSL libcrypto.so library. If the following command does not generate output, then your system does not use the SPARC T4 microprocessor optimizations.

$ nm /lib/libcrypto.so.1.0.0 | grep aes_t4 | head -5
[1273]  |   1840096|        52|OBJT |LOCL |0    |20     |aes_t4_128_cbc
[1344]  |   1842800|        52|OBJT |LOCL |0    |20     |aes_t4_128_ccm
[1283]  |   1840408|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb
[1286]  |   1840512|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb1
[1289]  |   1840616|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb8