
News, tips, partners, and perspectives for the Oracle Solaris operating system

T4 Crypto Cheat Sheet

In an earlier post, I already mentioned what's needed to make use of T4 crypto acceleration for Oracle TDE.  This hasn't changed: the patch for Solaris 10 is still under development.  However, there are of course other use cases for hardware crypto on T4.  Since the code path to this functionality has changed considerably from earlier CPUs, there have also been some changes in how it's used and observed.  Here's a short summary of these changes.

Using it:

SSH
  T3 and before*: Automatically enabled with Solaris 10 5/09 and later. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.
  T4 / Solaris 10: Requires patch 147707-01. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.
  T4 / Solaris 11: Automatically enabled. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.

Java / JCE
  T3 and before*: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.
  T4 / Solaris 10: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.
  T4 / Solaris 11: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.

ZFS Crypto
  T3 and before*: Not available.
  T4 / Solaris 10: Not available.
  T4 / Solaris 11: HW crypto automatically enabled if the dataset is encrypted.

IPsec
  T3 and before*: Automatically enabled.
  T4 / Solaris 10: Automatically enabled.
  T4 / Solaris 11: Automatically enabled.

OpenSSL
  T3 and before*: Use "-engine pkcs11".
  T4 / Solaris 10: Requires patch 147707-01. Use "-engine pkcs11".
  T4 / Solaris 11: The engine "t4" is used automatically. Optionally use "-engine pkcs11"; pkcs11 is recommended for RSA/DSA at this time.

KSSL (Kernel SSL proxy)
  T3 and before*: Automatically enabled.
  T4 / Solaris 10: Automatically enabled.
  T4 / Solaris 11: Automatically enabled.

Oracle TDE
  T3 and before*: Not supported.
  T4 / Solaris 10: Pending patch.
  T4 / Solaris 11: Automatically enabled with Oracle DB 11.2.0.3 and ASO.

Apache SSL
  T3 and before*: Configure with "SSLCryptoDevice pkcs11".
  T4 / Solaris 10: Configure with "SSLCryptoDevice pkcs11".
  T4 / Solaris 11: Configure with "SSLCryptoDevice pkcs11".

Logical Domains
  T3 and before*: Assign crypto units to domains.
  T4 / Solaris 10: Functionality always available, no configuration required.
  T4 / Solaris 11: Functionality always available, no configuration required.

* T1 CPUs do not support symmetric ciphers like AES.  Consumers like SSH will therefore use software crypto on T1.

Observability:
  • Unlike T3 and before, T4 crypto does not go through kernel modules like ncp or n2cp, so there is no visibility of the crypto hardware via kstats or cryptoadm.
  • T4 does provide hardware counters for crypto operations.  You can watch them with cpustat, here sampled every 5 seconds:
    cpustat -c pic0=Instr_FGU_crypto 5
  • You can check the availability of the OpenSSL engine with the command "openssl engine", and the crypto instruction support of the hardware and OS with the command "isainfo -v".
  • Since the T4 crypto implementation allows direct userland access, there are no "crypto units" visible to cryptoadm.  For the same reason, there are no "crypto units" visible in LDoms Manager.  In LDoms, the functionality is always available and does not need to be configured separately.  Note that you should have the latest LDoms Manager patch 147507 installed.
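As an added example (not part of the original post, and not Oracle code), the POSIX shell script below turns the checks above into something you can run on a box: it parses the instruction names that "isainfo -v" reports, the engine list from "openssl engine", and the "UseOpenSSLEngine" setting in sshd_config, and classifies the machine accordingly. It assumes that isainfo -v prints instruction names as whitespace-separated words, that openssl engine prints one "(id) description" line per engine, and that sshd honours the first UseOpenSSLEngine value it finds and leaves the engine enabled when the keyword is absent (the table above says it is enabled automatically). The sample outputs embedded in the script are constructed, not captured from a real system, and the live check at the end only runs where the Solaris tools exist.

```shell
#!/bin/sh
# t4crypto_check.sh: added example, not from the original post or from Oracle.
# Assumptions (see lead-in): isainfo -v lists instruction names as words,
# openssl engine prints "(id) description" lines, and an unset UseOpenSSLEngine
# in sshd_config means the engine stays enabled.

# Constructed sample outputs, shaped like the real commands but not captured.
SAMPLE_ISAINFO_T4='64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32'
SAMPLE_ISAINFO_T1='64-bit sparcv9 applications
        vis2 vis popc
32-bit sparc applications
        vis2 vis popc v8plus div32 mul32'
SAMPLE_ENGINES='(t4) SPARC T4 engine support
(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support'

# isa_has_flag TEXT NAME: succeed when NAME appears as a whole word in TEXT.
isa_has_flag() {
    printf '%s\n' "$1" |
        awk -v w="$2" '{ for (i = 1; i <= NF; i++) if ($i == w) hit = 1 } END { exit !hit }'
}

# isa_crypto_flags TEXT: print the T4 crypto instruction names found, space separated.
isa_crypto_flags() {
    found=""
    for f in aes des camellia kasumi md5 sha1 sha256 sha512 mont mpmul crc32c; do
        isa_has_flag "$1" "$f" && found="$found $f"
    done
    printf '%s\n' "${found# }"
}

# openssl_engine_listed TEXT ID: succeed when the engine list contains a "(ID) ..." line.
openssl_engine_listed() {
    printf '%s\n' "$1" | grep -q "^($2) "
}

# sshd_engine_setting FILE: effective UseOpenSSLEngine value. First non-comment
# occurrence wins; "yes" when absent (assumption from the lead-in).
sshd_engine_setting() {
    awk '$1 !~ /^#/ && tolower($1) == "useopensslengine" && val == "" { val = $2 }
         END { print (val == "" ? "yes" : tolower(val)) }' "$1"
}

# t4_verdict ISAINFO_TEXT ENGINE_TEXT: classify the box the way the table above does.
t4_verdict() {
    if ! isa_has_flag "$1" aes; then
        # No in-core crypto instructions. A T2/T3 would instead show crypto units
        # via cryptoadm (ncp/n2cp); a T1 has no symmetric-cipher hardware at all.
        echo "no-t4-instructions"
    elif openssl_engine_listed "$2" t4; then
        echo "t4-instructions-with-t4-engine"
    elif openssl_engine_listed "$2" pkcs11; then
        echo "t4-instructions-use-pkcs11-engine"
    else
        echo "t4-instructions-no-openssl-engine"
    fi
}

# Live check: only where the Solaris tools exist; silently skipped elsewhere.
if command -v isainfo >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    live_isa=$(isainfo -v)
    live_engines=$(openssl engine 2>/dev/null || true)
    echo "crypto instructions: $(isa_crypto_flags "$live_isa")"
    echo "verdict: $(t4_verdict "$live_isa" "$live_engines")"
    if [ -r /etc/ssh/sshd_config ]; then
        echo "sshd UseOpenSSLEngine: $(sshd_engine_setting /etc/ssh/sshd_config)"
    fi
fi
```

On a T4 the verdict should come back as "t4-instructions-with-t4-engine" on Solaris 11 and, once patch 147707-01 is installed, "t4-instructions-use-pkcs11-engine" on Solaris 10; the "no-t4-instructions" case is the T1/T2/T3 path, where you look at cryptoadm rather than isainfo. The script deliberately checks for the "aes" instruction rather than for a kernel module, because that is the signal that survives the move to userland access described in the last bullet.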
Additional Reading:
