- by mv
Interesting articles and blogs on SPARC T4 processor
I have consolidated all the interesting information I could get on SPARC T4 processor and its hardware cryptographic capabilities. Hope its useful.
1. Advantages of SPARC T4 processor
Most important points in this T4 announcement are :
"The SPARC T4 processor was designed from the ground up for high speed
security and has a cryptographic stream processing unit (SPU) integrated
directly into each processor core. These accelerators support 16
industry standard security ciphers and enable high speed encryption at
rates 3 to 5 times that of competing processors. By integrating
encryption capabilities directly inside the instruction pipeline, the
SPARC T4 processor eliminates the performance and cost barriers
typically associated with secure computing and makes it possible to
deliver high security levels without impacting the user experience."
Data Sheet has more details on these :
"New on-chip Encryption Instruction Accelerators with direct non-privileged support for 16 industry-standard cryptographic algorithms plus random number generation in each of the eight cores: AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, Kasumi, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512"
I ran "isainfo -v" command on Solaris 11 Sparc T4-1 system. It shows the new instructions as expected :
$ isainfo -v
64-bit sparcv9 applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi
des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32
2. Dan Anderson's Blog have some interesting points about how these can be used :
"New T4 crypto instructions include: aes_kexpand0, aes_kexpand1, aes_kexpand2, aes_eround01, aes_eround23, aes_eround01_l, aes_eround_23_l,
aes_dround01, aes_dround23, aes_dround01_l, aes_dround_23_l. Having SPARC T4 hardware crypto instructions is all well and good, but how do we access it ? The software is available with Solaris 11 and is used automatically
if you are running Solaris a SPARC T4. It is used internally in the kernel through kernel crypto modules.
It is available in user space through the PKCS#11 library."
3. Dans' Blog on Where's the Crypto Libraries?
Although this was written in 2009 but still is very useful
"Here's a brief tour of the major crypto libraries shown in the digraph:
The libpkcs11 library contains the PKCS#11 API (C_\*() functions, such as C_Initialize()).
That in turn calls library pkcs11_softtoken or pkcs11_kernel,
for userland or kernel crypto providers. The latter is used mostly for
hardware-assisted cryptography (such as n2cp for Niagara2 SPARC
processors), as that is performed more efficiently in kernel space with
the "kCF" module (Kernel Crypto Framework).
Additionally, for Solaris 10, strong crypto algorithms were split off in
separate libraries, pkcs11_softtoken_extra
libcryptoutil
contains low-level utility functions to help implement cryptography.
libsoftcrypto (OpenSolaris and Solaris Nevada only)
implements several symmetric-key crypto algorithms in software, such as
AES, RC4, and DES3, and the bignum library (used for RSA).
libmd implements MD5, SHA, and SHA2 message digest algorithms"
4. Difference in T3 and T4
Diagram in this blog is good and self explanatory.
Jeff's blog also highlights the differences
"The T4 servers have improved crypto acceleration, described at
https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine.
It is "just built in" so administrators no longer have to assign crypto accelerator units to domains - it "just happens".
Every physical or virtual CPU on a SPARC-T4 has full access to hardware based crypto acceleration at all times. .... For completeness sake, it's worth noting that the T4 adds more crypto
algorithms, and accelerates Camelia, CRC32c, and more SHA-x."
5. About performance counters
In this blog, performance counters are explained :
"Note that unlike T3 and before, T4 crypto doesn't require
kernel modules like ncp or n2cp, there is no visibility of crypto
hardware with kstats or cryptoadm.
T4 does provide hardware counters for crypto operations. You can see these using cpustat:
cpustat -c pic0=Instr_FGU_crypto 5
You can check the general crypto support of the hardware
and OS with the command "isainfo -v".
Since T4 crypto's implementation now allows direct userland
access, there are no "crypto units" visible to cryptoadm. "
For more details refer Martin's blog as well.
6. How to turn off SPARC T4 or Intel AES-NI crypto acceleration
I found this interesting blog from Darren about how to turn off SPARC T4 or Intel AES-NI crypto acceleration.
"One of the new Solaris
11 features of the linker/loader is the ability to have a single ELF
object that has multiple different implementations of the same functions
that are selected at runtime based on the capabilities of
the machine. The alternate to this is having the application coded to call getisax(2) system call and make the choice itself. We use this functionality of
the linker/loader when we build the userland libraries for the Solaris
Cryptographic Framework (specifically libmd.so and libsoftcrypto.so)
The Solaris
linker/loader allows control of a lot of its functionality via
environment variables, we can use that to control the version of the
cryptographic functions we run. To do this we simply export the
LD_HWCAP environment variable with values that tell ld.so.1 to not
select the HWCAP section matching certain features even if isainfo says
they are present. This will work for consumers of the Solaris Cryptographic Framework that use the Solaris
PKCS#11 libraries or use libmd.so interfaces directly.
For SPARC T4 : export LD_HWCAP="-aes -des -md5 -sha256 -sha512 -mont -mpul" .. For Intel systems with AES-NI support:
export LD_HWCAP="-aes""
Note that LD_HWCAP is explained in http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html
"LD_HWCAP, LD_HWCAP_32, and LD_HWCAP_64 - Identifies an alternative hardware capabilities value... A “-” prefix results in the capabilities that
follow being removed from the alternative capabilities."
7. Whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing
This Whitepaper on SPARC T4 Servers—Optimized for End-to-End Data Center Computing explains more details. It has DTrace scripts which may come in handy :
"To ensure the hardware-assisted cryptographic acceleration is configured to use and working with the security scenarios, it is recommended to use the following Solaris DTrace script.
#!/usr/sbin/dtrace -s
pid$1:libsoftcrypto:yf*:entry,
pid$target:libsoftcrypto:rsa*:entry,
pid$1:libmd:yf*:entry
{
@[probefunc] = count();
}
tick-1sec
{
printa(@ops);
trunc(@ops);
}"
Note that I have slightly modified the D Script to have RSA "libsoftcrypto:rsa*:entry" as well as per recommendations from Chi-Chang Lin.
8. References
http://www.oracle.com/us/corporate/features/sparc-t4-announcement-494846.html
http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-1-ds-487858.pdf
https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine
https://blogs.oracle.com/DanX/entry/where_s_the_crypto_libraries
https://blogs.oracle.com/darren/entry/howto_turn_off_sparc_t4
http://docs.oracle.com/cd/E23823_01/html/816-5165/ld.so.1-1.html
https://blogs.oracle.com/hardware/entry/unleash_the_power_of_cryptography
https://blogs.oracle.com/cmt/entry/t4_crypto_cheat_sheet
https://blogs.oracle.com/martinm/entry/t4_performance_counters_explained
https://blogs.oracle.com/jsavit/entry/no_mau_required_on_a
http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/t-series/sparc-t4-business-wp-524472.pdf
