2 Cryptographic Optimizations and Hardware Acceleration on SPARC Based Systems
This chapter describes the optimization of cryptographic functions by the Cryptographic Framework, and the hardware acceleration of these optimized functions on current SPARC based systems. Affected systems include Oracle's SPARC T4, SPARC T5, SPARC M5, SPARC M6, SPARC T7, SPARC M7, SPARC S7, and SPARC M8 Servers. The Fujitsu M10 servers and Fujitsu SPARC M12 servers provide similar hardware acceleration.
Cryptographic Framework Optimizations for SPARC Based Systems
The Cryptographic Framework supplies M-Series Servers beginning with SPARC M5, T-Series Servers beginning with SPARC T4, and SPARC S7 servers, with cryptographic mechanisms. Several mechanisms are optimized for these servers, including some symmetric key algorithms, asymmetric key algorithms, checksums, and digests.
Three cryptographic mechanisms are optimized for data at rest and in motion: AES-CBC
,
AES-CFB128
, and ARCFOUR
. The RSA and DSA cryptographic mechanisms are
optimized for OpenSSL by optimizing arbitrary-precision arithmetic (bignum). Other optimizations include small
packet performance for handshakes and data in motion.
In turn, the SPARC based systems provide hardware acceleration of these cryptographic mechanisms to both the Cryptographic Framework and OpenSSL.
SPARC Acceleration of Optimized Cryptographic Functions
Beginning with the SPARC T4 microprocessor, new instructions to perform cryptographic functions are available directly in hardware. The instructions are non-privileged. Thus, any program can use the instructions. Because cryptography is performed directly on the hardware, cryptographic operations are faster than operations on legacy systems whose SPARC processors have separate processing units for cryptography.
The following table provides a detailed comparison of cryptographic functions in SPARC T4 microprocessor units combined with specific Oracle Solaris releases.
Table 2-1 Cryptographic Performance on SPARC T4 and Later SPARC Based Systems
Feature/Software Consumer | T4 and Newer Systems Running Oracle Solaris 10 | T4 and Newer Systems Running Oracle Solaris 11.3 SRUs | T4 and Newer Systems Running Oracle Solaris 11.4 |
---|---|---|---|
Secure Shell |
Requires patch 148104-25. Disable/Enable with the |
Automatically enabled. For SunSSH, disable/enable with the |
The T4 optimizations are automatically used. |
Java/JCE |
Automatically enabled. Configure in |
Automatically enabled. Configure in |
Automatically enabled. Configure in |
ZFS Crypto |
Not available. |
HW crypto automatically enabled if dataset is encrypted. |
HW crypto automatically enabled if dataset is encrypted. |
IPsec |
Automatically enabled. |
Automatically enabled. |
Automatically enabled. |
OpenSSL |
Requires patch 151912-02 or newer. Use ‐engine pkcs11 option. |
The T4 optimization is automatically used. (Optionally use ‐engine pkcs11.) To use T4 crypto functions for RSA or DSA, use this engine. |
The T4 optimization is automatically used. (Optionally use ‐engine pkcs11.) To use T4 crypto functions for RSA or DSA, use this engine. |
Oracle TDE |
Pending patch. |
Automatically enabled with Oracle DB 11.2.0.3 and ASO. |
Automatically enabled with Oracle DB 11.2.0.3 and ASO. |
Apache SSL |
Configure with |
The T4 optimization is automatically used. |
The T4 optimization is automatically used. |
Logical Domains |
Functionality always available, no configuration required. |
Functionality always available, no configuration required. |
Functionality always available, no configuration required. |
The T4 and later microprocessors provide on-chip encryption instruction accelerators with direct nonprivileged support for 15 industry-standard cryptographic algorithms: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512.
For AES, the instructions include the following encryption and decryption optimizations:
-
Key expansion – Expansions of the 128-bit, 192-bit, or 256-bit user-provided AES key into a key schedule. The schedule is used internally during encryption and decryption.
-
Rounds or transformations – The number of rounds used (for example 10, 12, or 14) varies according to AES key length. By using larger keys, the user indicates a desire for more robust encryption at the cost of more computation.
These hardware
cryptographic instructions are available and used automatically. The
instructions are also embedded in the OpenSSL upstream code, so beginning
with OpenSSL 1.0.1e, OpenSSL uses the instructions. To determine the version,
run the openssl version
command in a terminal
window.
Example 2-1 Determining Whether Your SPARC System Supports Cryptographic Optimizations
To determine whether the cryptographic optimizations are supported,
use the isainfo
command. The inclusion of
sparcv9
and aes
in the output
indicates that the system supports the optimizations.
$ isainfo -v
64-bit sparcv9 applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
Example 2-2 Determining Whether Your SPARC System Is Running Cryptographic Optimizations
To determine whether your system is running SPARC T4 microprocessor
optimizations, check for the aes_t4
instruction in
the OpenSSL libcrypto.so
library. If the following
command does not generate output, then your system does not use the
SPARC T4 microprocessor optimizations.
$ nm /lib/libcrypto.so.1.0.0 | grep aes_t4 | head -5
[1273] | 1840096| 52|OBJT |LOCL |0 |20 |aes_t4_128_cbc
[1344] | 1842800| 52|OBJT |LOCL |0 |20 |aes_t4_128_ccm
[1283] | 1840408| 52|OBJT |LOCL |0 |20 |aes_t4_128_cfb
[1286] | 1840512| 52|OBJT |LOCL |0 |20 |aes_t4_128_cfb1
[1289] | 1840616| 52|OBJT |LOCL |0 |20 |aes_t4_128_cfb8
For more information, refer to the following articles.