Managing Encryption and Certificates in Oracle^® Solaris 11.3

SPARC Acceleration of Optimized Cryptographic Functions

Beginning with the SPARC T4 microprocessor, new instructions to perform cryptographic functions are available directly in hardware. The instructions are non-privileged. Thus, any program can use the instructions. Because cryptography is performed directly on the hardware, cryptographic operations are faster than operations on legacy systems whose SPARC processors have separate processing units for cryptography.

The following comparison shows the differences in the data flow between SPARC T3 systems and SPARC T4 systems with cryptographic acceleration.

Figure 2  Data Flow Comparison Between SPARC T3 and SPARC T4 Servers

The following table provides a detailed comparison of cryptographic functions in SPARC T4 microprocessor units combined with specific Oracle Solaris releases.

Table 1  Cryptographic Performance on SPARC T4 and Later SPARC Based Systems

Feature/Software Consumer T3 and Previous Systems T4 Systems Running Oracle Solaris 10 T4 Systems and Later Running Oracle Solaris 11 Secure Shell Automatically enabled with Solaris 10 5/09 and later. Disable/Enable with the UseOpenSSLEngine option in /etc/ssh/sshd_config. Requires patch 147707-01. Disable/enable with the UseOpenSSLEngine option in /etc/ssh/sshd_config. Automatically enabled. For SunSSH, disable/enable with the UseOpenSSLEngine option in /etc/ssh/sshd_config. Java/JCE Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security ZFS Crypto Not available. Not available. HW crypto automatically enabled if dataset is encrypted. IPsec Automatically enabled. Automatically enabled. Automatically enabled. OpenSSL Use –engine pkcs11 option. Requires patch 151912-02 or newer. Use –engine pkcs11 option. The T4 optimization is automatically used. (Optionally use –engine pkcs11.) To use T4 crypto functions such as RSA or DSA, use this engine. KSSL (Kernel SSL proxy) Automatically enabled. Automatically enabled. Automatically enabled. Oracle TDE Not supported. Pending patch. Automatically enabled with Oracle DB 11.2.0.3 and ASO. Apache SSL Configure with SSLCryptoDevice pkcs11 Configure with SSLCryptoDevice pkcs11 Configure with SSLCryptoDevice pkcs11 Logical Domains Assign crypto units to domains. Functionality always available, no configuration required. Functionality always available, no configuration required.

The T4 and later microprocessors provide on-chip encryption instruction accelerators with direct nonprivileged support for 15 industry-standard cryptographic algorithms: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512.

For AES, the instructions include the following encryption and decryption optimizations:

• Key expansion – Expansions of the 128-bit, 192-bit, or 256-bit user-provided AES key into a key schedule. The schedule is used internally during encryption and decryption.

• Rounds or transformations – The number of rounds used (for example 10, 12, or 14) varies according to AES key length. By using larger keys, the user indicates a desire for more robust encryption at the cost of more computation.

These hardware cryptographic instructions are available and used automatically. The instructions are also embedded in the OpenSSL upstream code, so beginning with OpenSSL 1.0.1e, OpenSSL uses the instructions. To determine the version, run the openssl version command in a terminal window.

Example 1  Determining Whether Your SPARC System Supports Cryptographic Optimizations

To determine whether the cryptographic optimizations are supported, use the isainfo command. The inclusion of sparcv9 and aes in the output indicates that the system supports the optimizations.

$ isainfo -v
64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi 
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc

Example 2  Determining Whether Your SPARC System Is Running Cryptographic Optimizations

To determine whether your system is running SPARC T4 microprocessor optimizations, check for the aes_t4 instruction in the OpenSSL libcrypto.so library. If the following command does not generate output, then your system does not use the SPARC T4 microprocessor optimizations.

$ nm /lib/libcrypto.so.1.0.0 | grep aes_t4 | head -5
[1273]  |   1840096|        52|OBJT |LOCL |0    |20     |aes_t4_128_cbc
[1344]  |   1842800|        52|OBJT |LOCL |0    |20     |aes_t4_128_ccm
[1283]  |   1840408|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb
[1286]  |   1840512|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb1
[1289]  |   1840616|        52|OBJT |LOCL |0    |20     |aes_t4_128_cfb8

For more information, refer to the following articles.

• "SPARC T4 OpenSSL Engine" (https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine)

• "How to tell if SPARC T4 crypto is being used?" (https://blogs.oracle.com/DanX/entry/how_to_tell_if_sparc)

• "Exciting Crypto Advances with the T4 processor and Oracle Solaris 11" (http://bubbva.blogspot.com/2011/11/exciting-crypto-advances-with-t4.html)

• "SPARC T4 Digest and Crypto Optimizations in Solaris 11.1" (https://blogs.oracle.com/danx/sparc-t4-digest-and-crypto-optimizations-in-solaris-111)

• Oracle SPARC T7-1 Data Sheet (http://www.oracle.com/us/products/servers-storage/sparc-t7-1-server-ds-2687047.pdf)