No RSA Performance Gains After KAE Is Invoked Through OpenSSL Command
Symptom
Environment:
- OS: openEuler 20.03 LTS for Arm
- Processor: 2 x Kunpeng 920 7260 processor (64 cores, 2.6 GHz)
- Memory: 8 x 32 GB
Running the following OpenSSL command to test RSA performance with KAE shows no performance improvement.
    ./openssl speed -elapsed -engine kae rsa2048

Key Process and Cause Analysis
Perform the following steps:
- KAE supports only the Kunpeng processor and requires a license. Check whether it is a Kunpeng hardware environment and whether the license has been loaded.
- Check the KAE installation mode.
- Check whether the OpenSSL environment variables are configured.
- Check whether KAE is installed.
- Check whether KAE is enabled after running the test command.
Conclusion and Solution
- KAE supports only the Kunpeng processor and requires a license. Check whether it is a Kunpeng hardware environment and whether the license has been loaded.
  - Kunpeng K series servers have built-in licenses. You can run the lspci | grep HPRE and lspci | grep ZIP commands to check whether the license has been loaded.
  - For non-Kunpeng K series servers, you need to apply for and import a license. For details, see How Do I Obtain a License. After the license is installed, run the lspci | grep HPRE and lspci | grep ZIP commands to check whether the license has been loaded. If the following information is displayed, the license has been loaded.
  Contact the local Huawei sales personnel or engineers to learn about the license charging policy.
- Check the KAE installation mode.
  Currently, only the openEuler 4.19 kernel allows KAE installation using an RPM or DEB package. For other kernel versions, you need to compile and install KAE using the source code (the KAE 1 branch for kernel 4.19 and the KAE 2 branch for kernel 5.1x). Select the KAE installation method as required. For details, see Installing KAE Using RPM Packages, Installing KAE Using DEB Packages, Installing KAE Using Source Code.
- Check whether the OpenSSL environment variables are configured.
  The KAE encryption and decryption module is based on OpenSSL, and the OpenSSL version must be 1.1.1a or later.
- Check whether KAE is installed. For details, see the "Verifying the Installation" part in the KAE installation section.
- Check whether KAE is enabled after running the test command. The method is as follows:
  - If KAE hardware encryption is used, you can check acceleration queue usage when programs are running in encrypted zones. Run cat /sys/class/uacce/hisi_sec-1/attrs/available_instances to check whether any instances are consumed. If yes, KAE is enabled.
  - If software encryption (OpenSSL) is used, you can check whether there are related hotspot functions when programs are running in encrypted zones. Run the perf top command and check whether libcrypto.so.1.1 exists in the command output. If yes, software encryption is enabled. If KAE hardware encryption is required, you are advised to recompile and install KAE using source code, and then enable KAE to perform a test again.
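The last check above, as an added shell example (not part of the KAE documentation): it snapshots available_instances before and during a workload and reports the devices whose free-queue count dropped. It goes beyond the single hisi_sec-1 file by scanning every device under /sys/class/uacce, on the assumption that other accelerators expose the same attrs/available_instances file; the function names, UACCE_ROOT and SAMPLE_DELAY are introduced here.

```shell
#!/bin/sh
# Added example: detect whether a workload consumed KAE accelerator queues.
# UACCE_ROOT defaults to the sysfs directory named on this page; SAMPLE_DELAY
# (seconds) is a hypothetical tunable introduced for this sketch.
UACCE_ROOT="${UACCE_ROOT:-/sys/class/uacce}"

# Print one "device available_instances" line per accelerator device.
snapshot_instances() {
    for f in "$UACCE_ROOT"/*/attrs/available_instances; do
        [ -r "$f" ] || continue            # unmatched glob or no driver loaded
        dev=${f%/attrs/available_instances}
        printf '%s %s\n' "${dev##*/}" "$(cat "$f")"
    done
}

# consumed_devices BEFORE AFTER: print "device queues_in_use" for every device
# whose free-queue count dropped. Returns 0 if any device was used, 1 if none.
consumed_devices() {
    hit=1
    while read -r dev now; do
        [ -n "$dev" ] || continue
        was=$(printf '%s\n' "$1" | awk -v d="$dev" '$1 == d { print $2 }')
        if [ -n "$was" ] && [ "$now" -lt "$was" ]; then
            printf '%s %s\n' "$dev" "$((was - now))"
            hit=0
        fi
    done <<EOF
$2
EOF
    return "$hit"
}

# check_kae_used CMD...: run CMD in the background, sample the counters while
# it is running, and report which devices it drew queues from.
check_kae_used() {
    kae_before=$(snapshot_instances)
    "$@" >/dev/null 2>&1 &
    kae_pid=$!
    sleep "${SAMPLE_DELAY:-2}"
    kae_during=$(snapshot_instances)
    wait "$kae_pid" || :                   # the workload's own status is not the verdict
    consumed_devices "$kae_before" "$kae_during"
}

# Usage on the test host:
#   check_kae_used ./openssl speed -elapsed -engine kae rsa2048 \
#       || echo "no queues consumed; check perf top for libcrypto.so.1.1"
```

A single cat of available_instances only shows the current free count, so the comparison against a baseline taken before the run is what distinguishes a consumed queue from an idle device.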