Abysmal performance of OpenSSL on pfSense under KVM
-
Running the OpenSSL speedtest for aes-256-cbc on a host system with dual Xeon E5-2620 v4 CPU's, I get ~300m 16-byte blocks a second: https://paste.c-net.org/SnuckBloods
In a Linux VM, with 8 cores allocated to it, I get ~290m blocks: https://paste.c-net.org/SewageRonna
On a pfSense VM, with 8 cores allocated to it, I get 1/10th of that performance: https://paste.c-net.org/DarlingWallet
KVM is set up for host CPU pass-through, so AES-NI is visible and loaded on pfSense:
https://paste.c-net.org/GoaliePicklesWhy is OpenSSL performing so poorly on my virtualized pfSense machine?
-
I reproduced the problem with the LiveCD. The speed of OpenSSL is comparable to the native speed of the machine, until cryptodev is loaded: https://paste.c-net.org/DiddlyPhilly
What gives?
-
OpenSSL has built-in code to "talk" to hardware crypto device.
So it's not a good idea to enable kernel crypto module (aesni.ko) as that will lead to more context switching (userland to kernel and back). -
I thought AES-NI was going to be required from pfSense 2.5 onwards? At least it doesn't seem to be discouraged...
I confirmed my LiveCD findings, however, by disabling cryptodev in the "Advanced" section of the KVM virtualized pfSense instance, leaving only AES-NI. OpenSSL runs at host-comparable speeds now. Use of the cryptodev module is what makes it slow.
