Simon Josefsson wrote:
> Torsten72 <torsten.st@xxxxxxx> writes:
>
> > # loop-aes: AES-128
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,93555 Sekunden, 56,0 MB/s
> ...
> > # loop-aes: AES-256
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,953818 Sekunden, 55,0 MB/s
> ...
> > # dm-crypt: AES-128
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,554618 Sekunden, 94,5 MB/s
> ...
> > # dm-crypt: AES-256
> ...
> > 52428800 Bytes (52 MB) kopiert, 0,560215 Sekunden, 93,6 MB/s
>
> Interesting results! Even if people generally seem to prefer
> dm-crypt over loop-aes, it is good to have statistics to back things
> up.

Simon,

Most people have not realized that loop-AES is using disk sector number and
data dependent IV computation, where data needs to be processed twice.
dm-crypt is taking a shortcut and using only disk sector number dependent IV
that stays the same regardless of the data. If an adversary is able to observe
disk read/write traffic, then dm-crypt leaks the location of changed data.
loop-AES does not, because all cipher blocks in the 512 byte disk sector CBC
chain change regardless of where the plaintext data change is.

In the padlock enabled loop version, only that AES CBC processing is using the
hardware implementation. loop-AES IV computation (the other crypto
processing of data) is always using software. So, in the padlock enabled case,
the loop-AES vs. dm-crypt comparison is really software+hardware implementation
vs. hardware implementation for those crypto bits. In other x86/amd64 cases,
the loop-AES vs. dm-crypt comparison is software+software implementation vs.
software implementation.

torsten.st@xxxxxxx,

Could you check that the VIA C7 processor was properly detected by the loop-AES
code? If it was properly detected, then there should be a "loop: padlock
hardware AES enabled" message in your kernel log. You can check that using the
command "dmesg | grep loop" or "grep loop /var/log/messages".

Padlock enabled loop includes both software AES and padlock AES
implementations. If padlock detection fails, then the code uses the software AES
implementation. I ask this because when the loop-AES padlock code was written, I
only had the older VIA C3 processor programming manual. The loop-AES code follows
the older VIA C3 padlock detection instructions. When C7 was new, a VIA
representative promised me the C7 programming manual, but I never got it. Pinged
twice, no reply.

--
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
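
The IV difference described in the message above, as an added example that is not part of the original post and is not loop-AES or dm-crypt code. It assumes a simplified model: a toy Feistel block cipher stands in for AES, the sector-only IV is the sector number, and the data-dependent IV is a hash of the sector number and plaintext blocks 1..31; all names and sample data are constructed.

```python
import hashlib
import hmac

BLOCK, SECTOR = 16, 512  # 32 CBC blocks per 512-byte disk sector

def toy_encrypt_block(key, block):
    """4-round Feistel over HMAC-SHA256: stand-in 128-bit permutation, NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """Encrypt one sector in CBC mode; returns the list of cipher blocks."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        x = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, x)
        out.append(prev)
    return out

def sector_only_iv(sector_no, plaintext):
    # Model of an IV that depends only on the sector number.
    return sector_no.to_bytes(BLOCK, "little")

def data_dependent_iv(sector_no, plaintext):
    # Model of a sector-number and data dependent IV: the data is hashed
    # first, then encrypted, so it is processed twice.
    seed = sector_no.to_bytes(8, "little") + plaintext[BLOCK:]
    return hashlib.sha256(seed).digest()[:BLOCK]

def changed_blocks(iv_fn, key, sector_no, old, new):
    """Indexes of cipher blocks an observer of disk writes sees change."""
    c_old = cbc_encrypt(key, iv_fn(sector_no, old), old)
    c_new = cbc_encrypt(key, iv_fn(sector_no, new), new)
    return [i for i, (a, b) in enumerate(zip(c_old, c_new)) if a != b]

KEY = b"constructed demo key"
OLD = bytes(SECTOR)                 # constructed sample sector (all zeros)
_edit = bytearray(OLD)
_edit[20 * BLOCK + 3] ^= 0xFF       # plaintext change inside block 20
NEW = bytes(_edit)

if __name__ == "__main__":
    print("sector-only IV   :", changed_blocks(sector_only_iv, KEY, 7, OLD, NEW))
    print("data-dependent IV:", changed_blocks(data_dependent_iv, KEY, 7, OLD, NEW))
```

With the sector-only IV the first changed cipher block marks where the plaintext edit happened; with the data-dependent IV every block of the sector changes.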