Hardware Crypto Poking - OpenSSH? January 03, 2025 08:30AM |
Registered: 12 years ago Posts: 60 |
sshd-session[18711]: fatal: ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:281 @ 0x769fd18c) [preauth]
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
SC_DENY(__NR_socketcall, EACCES),
#endif
/* Kurlon testing alfag */
#ifdef __NR_socket
SC_ALLOW(__NR_socket),
#endif
#if defined(__NR_ioctl) && defined(__s390__)
# Turn on AF_ALG hardware crypto openssl_conf = openssl_def [openssl_def] engines = openssl_engines [openssl_engines] afalg = af_alg_engine [af_alg_engine] #default_algorithms = ALL default_algorithms = =aes-128-cbc aes-192-cbc aes-256-cbc des-cbc des-ede3-cbc
Ciphers ^aes128-cbc
root@gfn:/etc/ssh# time openssl speed -evp aes-256-cbc -engine afalg -elapsed Engine "afalg" set. You have chosen to measure elapsed time instead of user CPU time. Doing AES-256-CBC ops for 3s on 16 size blocks: 19687 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 64 size blocks: 19478 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 256 size blocks: 19197 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 1024 size blocks: 16497 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 8192 size blocks: 7417 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 16384 size blocks: 4633 AES-256-CBC ops in 3.00s version: 3.3.2 built on: Sun Oct 27 14:19:50 2024 UTC options: bn(64,32) compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/reproducible-path/openssl-3.3.2=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 -Wdate-time -D_FORTIFY_SOURCE=2 CPUINFO: OPENSSL_armcap=0x0 The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-CBC 105.00k 415.53k 1638.14k 5630.98k 20253.35k 25302.36k real 0m18.466s user 0m0.817s sys 0m10.254s root@gfn:/etc/ssh# time openssl speed -evp aes-256-cbc -elapsed You have chosen to measure elapsed time instead of user CPU time. Doing AES-256-CBC ops for 3s on 16 size blocks: 1592995 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 64 size blocks: 549828 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 256 size blocks: 128594 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 1024 size blocks: 35895 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 8192 size blocks: 4758 AES-256-CBC ops in 3.00s Doing AES-256-CBC ops for 3s on 16384 size blocks: 2378 AES-256-CBC ops in 3.00s version: 3.3.2 built on: Sun Oct 27 14:19:50 2024 UTC options: bn(64,32) compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/reproducible-path/openssl-3.3.2=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 -Wdate-time -D_FORTIFY_SOURCE=2 CPUINFO: OPENSSL_armcap=0x0 The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-CBC 8495.97k 11729.66k 10973.35k 12252.16k 12992.51k 12987.05k real 0m18.098s user 0m17.217s sys 0m0.079s
Re: Hardware Crypto Poking - OpenSSH? January 03, 2025 08:03PM |
Registered: 12 years ago Posts: 60 |
--- ../../openssh-orig/openssh-9.9p1/sandbox-seccomp-filter.c 2024-09-19 18:20:48.000000000 -0400 +++ sandbox-seccomp-filter.c 2025-01-03 18:20:19.803149104 -0500 @@ -402,6 +402,12 @@ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), SC_DENY(__NR_socketcall, EACCES), #endif + + /* Kurlon testing alfag */ +#ifdef __NR_socket + SC_ALLOW_ARG(__NR_socket, 0, AF_ALG), +#endif + #if defined(__NR_ioctl) && defined(__s390__) /* Allow ioctls for ICA crypto card on s390 */ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),