I have consolidated all the interesting information I could get on the SPARC T4 processor and its hardware cryptographic capabilities. Hope it's useful.
The most important points in this T4 announcement are:
"The SPARC T4 processor was designed from the ground up for high speed
security and has a cryptographic stream processing unit (SPU) integrated
directly into each processor core. These accelerators support 16
industry standard security ciphers and enable high speed encryption at
rates 3 to 5 times that of competing processors. By integrating
encryption capabilities directly inside the instruction pipeline, the
SPARC T4 processor eliminates the performance and cost barriers
typically associated with secure computing and makes it possible to
deliver high security levels without impacting the user experience."
The data sheet has more details on these:
"New on-chip Encryption Instruction Accelerators with direct non-privileged support for 16 industry-standard cryptographic algorithms plus random number generation in each of the eight cores: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, Kasumi, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512"
I ran the "isainfo -v" command on a Solaris 11 SPARC T4-1 system. It shows the new instructions as expected:

```
$ isainfo -v
64-bit sparcv9 applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32
```

"New T4 crypto instructions include: aes_kexpand0, aes_kexpand1, aes_kexpand2,
aes_eround01, aes_eround23, aes_eround01_l, aes_eround_23_l,
aes_dround01, aes_dround23, aes_dround01_l, aes_dround_23_l.
Having SPARC T4 hardware crypto instructions is all well and good, but how do we access it ?
The software is available with Solaris 11 and is used automatically if you are running Solaris on a SPARC T4. It is used internally in the kernel through kernel crypto modules. It is available in user space through the PKCS#11 library."
Although this was written in 2009, it is still very useful:
"Here's a brief tour of the major crypto libraries shown in the digraph:
- The libpkcs11 library contains the PKCS#11 API (C_*() functions, such as C_Initialize()).
- That in turn calls library pkcs11_softtoken or pkcs11_kernel, for userland or kernel crypto providers. The latter is used mostly for hardware-assisted cryptography (such as n2cp for Niagara2 SPARC processors), as that is performed more efficiently in kernel space with the "kCF" module (Kernel Crypto Framework). Additionally, for Solaris 10, strong crypto algorithms were split off in separate libraries, pkcs11_softtoken_extra
- libcryptoutil contains low-level utility functions to help implement cryptography.
- libsoftcrypto (OpenSolaris and Solaris Nevada only) implements several symmetric-key crypto algorithms in software, such as AES, RC4, and DES3, and the bignum library (used for RSA).
- libmd implements MD5, SHA, and SHA2 message digest algorithms"
The diagram in this blog is good and self-explanatory.
Jeff's blog also highlights the differences:
"The T4 servers have improved crypto acceleration, described at
It is "just built in" so administrators no longer have to assign crypto accelerator units to domains - it "just happens".
Every physical or virtual CPU on a SPARC-T4 has full access to hardware based crypto acceleration at all times. .... For completeness sake, it's worth noting that the T4 adds more crypto algorithms, and accelerates Camellia, CRC32c, and more SHA-x."
In this blog, performance counters are explained:
For more details, refer to Martin's blog as well.
I found this interesting blog from Darren about how to turn off SPARC T4 or Intel AES-NI crypto acceleration.
"One of the new Solaris 11 features of the linker/loader is the ability to have a single ELF object that has multiple different implementations of the same functions that are selected at runtime based on the capabilities of the machine. The alternate to this is having the application coded to call getisax(2) system call and make the choice itself. We use this functionality of the linker/loader when we build the userland libraries for the Solaris Cryptographic Framework (specifically libmd.so and libsoftcrypto.so)
The Solaris linker/loader allows control of a lot of its functionality via environment variables, we can use that to control the version of the cryptographic functions we run. To do this we simply export the LD_HWCAP environment variable with values that tell ld.so.1 to not select the HWCAP section matching certain features even if isainfo says they are present. This will work for consumers of the Solaris Cryptographic Framework that use the Solaris PKCS#11 libraries or use libmd.so interfaces directly. For SPARC T4 : export LD_HWCAP="-aes -des -md5 -sha256 -sha512 -mont -mpmul" .. For Intel systems with AES-NI support: export LD_HWCAP="-aes""
Note that LD_HWCAP is explained in http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html
"LD_HWCAP, LD_HWCAP_32, and LD_HWCAP_64 - Identifies an alternative hardware capabilities value... A “-” prefix results in the capabilities that follow being removed from the alternative capabilities."
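The following is an added example, not code from the quoted blog or the Oracle documentation: a shell helper that reads `isainfo -v` output and builds an `LD_HWCAP` value containing only the capabilities the machine actually reports. The function names and the `CRYPTO_CAPS` default are this example's own assumptions; the sample input is the T4-1 output shown earlier on this page.

```shell
#!/bin/sh
# Added example: build an LD_HWCAP mask from `isainfo -v` output.

# Capabilities to mask, spelled as isainfo prints them (override as needed).
CRYPTO_CAPS="aes des md5 sha256 sha512 mont mpmul"

# Sample input: the Solaris 11 T4-1 output shown earlier on this page.
sample_isainfo() {
    cat <<'EOF'
64-bit sparcv9 applications
    crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
    crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32
EOF
}

# caps_64: read `isainfo -v` text on stdin, print one 64-bit capability per line.
caps_64() {
    awk '/^64-bit/ { grab = 1; next }
         / applications$/ { grab = 0 }
         grab { print }' | tr -s ' \t' '\n' | sed '/^$/d'
}

# crypto_mask: read `isainfo -v` text on stdin and print "-cap -cap ..." for
# every CRYPTO_CAPS entry the machine reports. Names isainfo does not list
# (absent hardware or a misspelling) are skipped rather than passed to ld.so.1.
crypto_mask() {
    present=$(caps_64)
    mask=""
    for cap in $CRYPTO_CAPS; do
        if printf '%s\n' "$present" | grep -qxF -- "$cap"; then
            mask="${mask:+$mask }-$cap"
        fi
    done
    printf '%s\n' "$mask"
}

# On Solaris, feed the live output instead: LD_HWCAP="$(isainfo -v | crypto_mask)"
echo "LD_HWCAP=\"$(sample_isainfo | crypto_mask)\""
```

Comparing a benchmark run with and without the resulting `LD_HWCAP` exported shows how much of the throughput comes from the T4 instructions.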
This whitepaper on "High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4" explains more details. It has DTrace scripts which may come in handy:
"To ensure the hardware-assisted cryptographic acceleration is configured to use and working with the security scenarios, it is recommended to use the following Solaris DTrace script. "
probefunc] = count();
Note that I have slightly modified the D Script to have *rsa* and to make it work for both Solaris 10 and 11 as per recommendations from Chi-Chang Lin.
For Solaris 11, the T4 optimization is implemented in libsoftcrypto.so while it is in pkcs11_softtoken_extra.so for Solaris 10. So just add these two probes for Solaris 10:
- SPARC T4 OpenSSL Engine https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine
- Where's the Crypto Libraries? https://blogs.oracle.com/DanX/entry/where_s_the_crypto_libraries
- How to tell if SPARC T4 crypto is being used? https://blogs.oracle.com/DanX/entry/how_to_tell_if_sparc