Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • November 6, 2012

Interesting articles and blogs on SPARC T4

Interesting articles and blogs on SPARC T4 processor

I have consolidated all the interesting information I could get on SPARC T4 processor and its hardware cryptographic capabilities.  Hope its useful.

1. Advantages of SPARC T4 processor

Most important points in this T4 announcement are :

"The SPARC T4 processor was designed from the ground up for high speed
security and has a cryptographic stream processing unit (SPU) integrated
directly into each processor core. These accelerators support 16
industry standard security ciphers
and enable high speed encryption at
rates 3 to 5 times that of competing processors. By integrating
encryption capabilities directly inside the instruction pipeline, the
SPARC T4 processor eliminates the performance and cost barriers
typically associated with secure computing and makes it possible to
deliver high security levels without impacting the user experience."

Data Sheet has more details on these :

"New on-chip Encryption Instruction Accelerators with direct non-privileged support for 16 industry-standard cryptographic algorithms plus random number generation in each of the eight cores: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, Kasumi, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512"

I ran "isainfo -v" command on Solaris 11 Sparc T4-1 system. It shows the new instructions as expected :

$ isainfo -v
64-bit sparcv9 applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc

32-bit sparc applications

  crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32

2. Dan Anderson's Blog have some interesting points about how these can be used :

"New T4 crypto instructions include: aes_kexpand0, aes_kexpand1, aes_kexpand2, 
aes_eround01, aes_eround23, aes_eround01_l, aes_eround_23_l,
aes_dround01, aes_dround23, aes_dround01_l, aes_dround_23_l.

Having SPARC T4 hardware crypto instructions is all well and good, but how do we access it ?

The software is available with Solaris 11 and is used automatically if you are running Solaris a SPARC T4.  It is used internally in the kernel through kernel crypto modules. It is available in user space through the PKCS#11 library."

3. Dan Anderson's Blog on Where's the Crypto Libraries?

Although this was written in 2009 but still is very useful

"Here's a brief tour of the major crypto libraries shown in the digraph:
  • The libpkcs11 library contains the PKCS#11 API (C_\*() functions, such as C_Initialize()).
  • That in turn calls library pkcs11_softtoken or pkcs11_kernel, for userland or kernel crypto providers. The latter is used mostly for hardware-assisted cryptography (such as n2cp for Niagara2 SPARC processors), as that is performed more efficiently in kernel space with the "kCF" module (Kernel Crypto Framework). Additionally, for Solaris 10, strong crypto algorithms were split off in separate libraries, pkcs11_softtoken_extra
  • libcryptoutil contains low-level utility functions to help implement cryptography.
  • libsoftcrypto (OpenSolaris and Solaris Nevada only) implements several symmetric-key crypto algorithms in software, such as
    AES, RC4, and DES3, and the bignum library (used for RSA).
  • libmd implements MD5, SHA, and SHA2 message digest algorithms"

4. Dan Anderson's Blog on  How to tell if SPARC T4 crypto is being used?

5. Difference in T3 and T4

Diagram in this blog is good and self explanatory.

Jeff's blog also highlights the differences 

"The T4 servers have improved crypto acceleration, described at
It is "just built in" so administrators no longer have to assign crypto accelerator units to domains - it "just happens".
Every physical or virtual CPU on a SPARC-T4 has full access to hardware based crypto acceleration at all times. .... For completeness sake, it's worth noting that the T4 adds more crypto algorithms, and accelerates Camellia, CRC32c, and more SHA-x."

6. About performance counters

In this blog, performance counters are explained :

  • "Note that unlike T3 and before, T4 crypto doesn't require kernel modules like ncp or n2cp, there is no visibility of crypto
    hardware with kstats or cryptoadm.
  • T4 does provide hardware counters for crypto operations. You can see these using cpustat: cpustat -c pic0=Instr_FGU_crypto 5
  • You can check the general crypto support of the hardware and OS with the command "isainfo -v".
  • Since T4 crypto's implementation now allows direct userland access, there are no "crypto units" visible to cryptoadm.  "

For more details refer Martin's blog as well.

7. How to turn off  SPARC T4 or Intel AES-NI crypto acceleration

 I found this interesting blog from Darren about how to turn off  SPARC T4 or Intel AES-NI crypto acceleration.

"One of the new Solaris 11 features of the linker/loader is the ability to have a single ELF object that has multiple different implementations of the same functions that are selected at runtime based on the capabilities of
the machine. The alternate to this is having the application coded to call getisax(2) system call and make the choice itself. We use this functionality of
the linker/loader when we build the userland libraries for the Solaris Cryptographic Framework (specifically libmd.so and libsoftcrypto.so)

The Solaris linker/loader allows control of a lot of its functionality via environment variables, we can use that to control the version of the
cryptographic functions we run. To do this we simply export the LD_HWCAP environment variable with values that tell ld.so.1 to not select the HWCAP section matching certain features even if isainfo says they are present. This will work for consumers of the Solaris Cryptographic Framework that use the Solaris
PKCS#11 libraries or use libmd.so interfaces directly. For SPARC T4 : export LD_HWCAP="-aes -des -md5 -sha256 -sha512 -mont -mpul" .. For Intel systems with AES-NI support: export LD_HWCAP="-aes""

Note that LD_HWCAP is explained in http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html

"LD_HWCAP, LD_HWCAP_32, and LD_HWCAP_64 -  Identifies an alternative hardware capabilities value... A “-” prefix results in the capabilities that follow being removed from the alternative capabilities."

8. Whitepaper on High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4

This whitepaper on "High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4 explains more details. It has DTrace scripts which may come in handy :

"To ensure the hardware-assisted cryptographic acceleration is configured to use and working with the security scenarios, it is recommended to use the following Solaris DTrace script. "





probefunc] = count();







Note that I have slightly modified the D Script to have *rsa* and to make it work for both Solaris 10 and 11  as per recommendations from Chi-Chang Lin.

For Solaris 11, the T4 optimization is implemented in libsoftcrypto.so while it is in pkcs11_softtoken_extra.so for Solaris 10. So just add these two probes for Solaris 10 :

9. References

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.