ssh and friends scp, sftp say "hello crypto!"
By stw on Jun 17, 2009
Separately, the UltraSPARC® T2 processor in the T-series (CMT) has built-in cryptographic processors (one per core, or typically eight per socket) that accelerate secure one-way hashes, public key session establishment, and private key bulk data transfers. The latter is useful for long-standing connections and for larger data operations, such as a file transfer.
Prior to Solaris 10 5/09, an scp or sftp file transfer operation had the encryption and decryption done by the CPU. While usually this is not a big deal, as most CPUs do private key crypto reasonably fast, on the CMT systems these operations are relatively slow. Now, with SunSSH With OpenSSL PKCS#11 Engine Support in 5/09, the SunSSH server and client will use the cryptographic framework when an UltraSPARC® T2 processor n2cp cryptographic unit is available.
To demonstrate this, I used a T5120 with Logical Domains (LDoms) 1.1 configured running Solaris 10 5/09. Using LDoms helps, as I can assign or remove crypto units on a per-LDom basis. (Since the crypto units are not supported yet with dynamic reconfiguration, a reboot of the LDom instance is required. However, in general, I don't see making that kind of change very often.)
I did all the work in the 'primary' control and service LDom, where I have direct access to the network devices, and can see the LDom configuration. I am listing parts of it here, although this is about Solaris, SunSSH, and the crypto hardware.
    medford# ldm list-bindings primary
    NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
    primary          active     -n-cv-  SP      16    8G       0.1%  22h 16m

    MAC
        00:14:4f:ac:57:c4

    HOSTID
        0x84ac57c4

    VCPU
        VID    PID    UTIL STRAND
        0      0      0.6%   100%
        1      1      1.9%   100%
        2      2      0.0%   100%
        3      3      0.0%   100%
        4      4      0.0%   100%
        5      5      0.1%   100%
        6      6      0.0%   100%
        7      7      0.0%   100%
        8      8      0.7%   100%
        9      9      0.1%   100%
        10     10     0.0%   100%
        11     11     0.0%   100%
        12     12     0.0%   100%
        13     13     0.0%   100%
        14     14     0.0%   100%
        15     15     0.0%   100%

    MAU
        ID     CPUSET
        0      (0, 1, 2, 3, 4, 5, 6, 7)
        1      (8, 9, 10, 11, 12, 13, 14, 15)

    MEMORY
        RA               PA               SIZE
        0x8000000        0x8000000        8G

The 'system' has 16 CPUs (hardware strands), two MAUs (those are the crypto units), and 8 GB of memory. I am using e1000g0 for the network and the remote system is a V210 running Solaris Express Community Edition snv_113 SPARC (OK, I am a little behind). The network is 1 GbE.
The command I run is
    source# /usr/bin/time scp -i /.ssh/destination /large-file destination:/tmp
    source# du -h /large-file
    1.3G   /large-file

My results with the crypto units were

    real     1:13.6
    user       32.2
    sys        34.5

while without the crypto units

    real     2:28.2
    user     2:10.9
    sys        26.8

The transfer took one half the time and considerably less CPU processing with the crypto units in place (I have two although I think it is using only one since this is a single transfer).
So, SunSSH benefits from the built-in cryptographic hardware in the UltraSPARC® T2 processor!
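
Before timing a transfer, it helps to confirm which state the domain is actually in, since SunSSH only uses the hardware when the n2cp unit is available. The following is an added example, not part of the original post: it parses `cryptoadm list` output and reports whether an n2cp instance is registered as a kernel hardware provider. The function names and both sample listings are constructed for illustration, and the heading capitalisation is assumed to vary between releases.

```shell
#!/bin/sh
# Added example: is the n2cp hardware provider registered with the Solaris
# cryptographic framework? Functions read `cryptoadm list` output on stdin.

# Print the entries listed under the "kernel hardware providers:" heading.
# Assumption: the heading may or may not be capitalised, so both are matched.
# Any other line ending in "providers:" closes the section.
hw_crypto_providers() {
    awk '
        /[Kk]ernel hardware providers:/ { in_hw = 1; next }
        /providers:[ ]*$/               { in_hw = 0; next }
        in_hw && NF > 0                 { print $1 }
    '
}

# Succeed only if an n2cp instance (for example n2cp/0) is a hardware provider.
has_n2cp() {
    hw_crypto_providers | grep '^n2cp/[0-9][0-9]*$' >/dev/null
}

# Constructed sample: a domain with crypto units bound.
sample_with_units() {
    cat <<'EOF'
user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
    des
    aes256

kernel hardware providers:
    ncp/0
    n2cp/0
EOF
}

# Constructed sample: a domain whose crypto units have been removed.
sample_without_units() {
    cat <<'EOF'
user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so

kernel software providers:
    aes256

kernel hardware providers:
EOF
}
```

On the system itself, run `cryptoadm list | has_n2cp && echo "n2cp available"` in the domain before and after changing its crypto unit assignment.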