Interesting articles and blogs on SPARC T4
Posted by mv on Oracle Blogs
Published on Tue, 6 Nov 2012 10:40:55 +0000
Interesting articles and blogs on SPARC T4 processor
I have consolidated all the interesting information I could get on the SPARC T4 processor and its hardware cryptographic capabilities. Hope it's useful.
1. Advantages of SPARC T4 processor
The most important points in this T4 announcement are:
"The SPARC T4 processor was designed from the ground up for high speed security and has a cryptographic stream processing unit (SPU) integrated directly into each processor core. These accelerators support 16 industry standard security ciphers and enable high speed encryption at rates 3 to 5 times that of competing processors. By integrating encryption capabilities directly inside the instruction pipeline, the SPARC T4 processor eliminates the performance and cost barriers typically associated with secure computing and makes it possible to deliver high security levels without impacting the user experience."
The data sheet has more details on these:
"New on-chip Encryption Instruction Accelerators with direct non-privileged support for 16 industry-standard cryptographic algorithms plus random number generation in each of the eight cores: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, Kasumi, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512"
I ran the "isainfo -v" command on a Solaris 11 SPARC T4-1 system. It shows the new instructions as expected:

```
$ isainfo -v
64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32
```
2. Dan Anderson's blog has some interesting points about how these can be used:
"New T4 crypto instructions include: aes_kexpand0, aes_kexpand1, aes_kexpand2, aes_eround01, aes_eround23, aes_eround01_l, aes_eround_23_l, aes_dround01, aes_dround23, aes_dround01_l, aes_dround_23_l.
Having SPARC T4 hardware crypto instructions is all well and good, but how do we access it?
The software is available with Solaris 11 and is used automatically if you are running Solaris on a SPARC T4. It is used internally in the kernel through kernel crypto modules. It is available in user space through the PKCS#11 library."
3. Dan's blog on "Where's the Crypto Libraries?"
Although this was written in 2009, it is still very useful:
"Here's a brief tour of the major crypto libraries shown in the digraph:
- The libpkcs11 library contains the PKCS#11 API (C_*() functions, such as C_Initialize()).
- That in turn calls library pkcs11_softtoken or pkcs11_kernel, for userland or kernel crypto providers. The latter is used mostly for hardware-assisted cryptography (such as n2cp for Niagara2 SPARC processors), as that is performed more efficiently in kernel space with the "kCF" module (Kernel Crypto Framework). Additionally, for Solaris 10, strong crypto algorithms were split off in separate libraries, pkcs11_softtoken_extra
- libcryptoutil contains low-level utility functions to help implement cryptography.
- libsoftcrypto (OpenSolaris and Solaris Nevada only) implements several symmetric-key crypto algorithms in software, such as AES, RC4, and DES3, and the bignum library (used for RSA).
- libmd implements MD5, SHA, and SHA2 message digest algorithms"
4. Difference in T3 and T4
The diagram in this blog is good and self-explanatory.
Jeff's blog also highlights the differences:
"The T4 servers have improved crypto acceleration, described at https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine. It is "just built in" so administrators no longer have to assign crypto accelerator units to domains - it "just happens". Every physical or virtual CPU on a SPARC-T4 has full access to hardware based crypto acceleration at all times. ... For completeness sake, it's worth noting that the T4 adds more crypto algorithms, and accelerates Camellia, CRC32c, and more SHA-x."
5. About performance counters
Performance counters are explained in this blog:
- "Note that unlike T3 and before, T4 crypto doesn't require kernel modules like ncp or n2cp, there is no visibility of crypto hardware with kstats or cryptoadm.
- T4 does provide hardware counters for crypto operations. You can see these using cpustat: cpustat -c pic0=Instr_FGU_crypto 5
- You can check the general crypto support of the hardware and OS with the command "isainfo -v".
- Since T4 crypto's implementation now allows direct userland access, there are no "crypto units" visible to cryptoadm."
For more details, refer to Martin's blog as well.
6. How to turn off SPARC T4 or Intel AES-NI crypto acceleration
I found this interesting blog from Darren about how to turn off SPARC T4 or Intel AES-NI crypto acceleration.
"One of the new Solaris 11 features of the linker/loader is the ability to have a single ELF object that has multiple different implementations of the same functions that are selected at runtime based on the capabilities of the machine. The alternate to this is having the application coded to call getisax(2) system call and make the choice itself. We use this functionality of the linker/loader when we build the userland libraries for the Solaris Cryptographic Framework (specifically libmd.so and libsoftcrypto.so)
The Solaris linker/loader allows control of a lot of its functionality via environment variables, we can use that to control the version of the cryptographic functions we run. To do this we simply export the LD_HWCAP environment variable with values that tell ld.so.1 to not select the HWCAP section matching certain features even if isainfo says they are present. This will work for consumers of the Solaris Cryptographic Framework that use the Solaris PKCS#11 libraries or use libmd.so interfaces directly. For SPARC T4: export LD_HWCAP="-aes -des -md5 -sha256 -sha512 -mont -mpmul" ... For Intel systems with AES-NI support: export LD_HWCAP="-aes""
Note that LD_HWCAP is explained in http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html
- "LD_HWCAP, LD_HWCAP_32, and LD_HWCAP_64 - Identifies an alternative hardware capabilities value... A “-” prefix results in the capabilities that follow being removed from the alternative capabilities."
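To see which crypto capabilities a given LD_HWCAP value leaves selectable, the following added example (not from the original post or the blogs it cites) compares the "isainfo -v" output shown earlier against the "-name" tokens in LD_HWCAP. The function names, the CRYPTO_CAPS list and the sample text are assumptions made for illustration; only space-separated "-name" tokens, the form used in the quoted export lines, are interpreted.

```shell
#!/bin/sh
# Added example: which T4 crypto capabilities stay selectable under LD_HWCAP.

# Constructed sample, copied from the isainfo -v output shown on this page.
SAMPLE_ISAINFO='64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
        des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32'

# Assumption: the crypto-related names to report on, taken from that output.
CRYPTO_CAPS="aes des camellia kasumi md5 sha1 sha256 sha512 mont mpmul crc32c"

# hw_caps ISAINFO_TEXT: print one capability per line from the 64-bit section.
hw_caps() {
    printf '%s\n' "$1" | awk '
        /^64-bit/     { on = 1; next }
        /^[0-9]+-bit/ { on = 0 }
        on            { for (i = 1; i <= NF; i++) print $i }'
}

# crypto_status ISAINFO_TEXT LD_HWCAP_VALUE
# Prints "<cap> hardware", "<cap> masked" (removed by a "-cap" token) or
# "<cap> absent" (not reported by isainfo) for each name in CRYPTO_CAPS.
crypto_status() {
    present=$(hw_caps "$1")
    for cap in $CRYPTO_CAPS; do
        if ! printf '%s\n' "$present" | grep -qx "$cap"; then
            echo "$cap absent"
            continue
        fi
        case " $2 " in
            *" -$cap "*) echo "$cap masked" ;;
            *)           echo "$cap hardware" ;;
        esac
    done
}

# On a Solaris host, pass "$(isainfo -v)" instead of the sample.
crypto_status "$SAMPLE_ISAINFO" "${LD_HWCAP:-}"
```

A token that matches no capability name masks nothing in this check, so the capability it was meant to remove still reports as "hardware".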
7. Whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing
This whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing explains more details. It has DTrace scripts which may come in handy:
"To ensure the hardware-assisted cryptographic acceleration is configured to use and working with the security scenarios, it is recommended to use the following Solaris DTrace script."

```
#!/usr/sbin/dtrace -s

/* Count calls into the yf* and rsa* functions of the userland crypto
   libraries in the process whose PID is passed as the first argument. */
pid$1:libsoftcrypto:yf*:entry,
pid$1:libsoftcrypto:rsa*:entry,
pid$1:libmd:yf*:entry
{
        @ops[probefunc] = count();
}

/* Print and reset the per-function counts once a second. */
tick-1sec
{
        printa(@ops);
        trunc(@ops);
}
```
Note that I have slightly modified the D Script to have RSA "libsoftcrypto:rsa*:entry" as well as per recommendations from Chi-Chang Lin.
8. References
- http://www.oracle.com/us/corporate/features/sparc-t4-announcement-494846.html
- http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-1-ds-487858.pdf
- https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine
- https://blogs.oracle.com/DanX/entry/where_s_the_crypto_libraries
- https://blogs.oracle.com/darren/entry/howto_turn_off_sparc_t4
- http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html
- https://blogs.oracle.com/hardware/entry/unleash_the_power_of_cryptography
- https://blogs.oracle.com/cmt/entry/t4_crypto_cheat_sheet
- https://blogs.oracle.com/martinm/entry/t4_performance_counters_explained
- https://blogs.oracle.com/jsavit/entry/no_mau_required_on_a
- http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-business-wp-524472.pdf