Does '-engine zymkey_ssl' of openssl work?

Hi,

I want to compare crypto processing speed on an RPi4 with and without offloading to the HSM4.
I expected:

  • CPU usage of openssl with ‘-engine zymkey_ssl’ is lower
  • There is some difference between the results of ‘openssl speed rsa2048’ and ‘openssl -engine zymkey_ssl rsa2048’.
    But such differences cannot be seen.

Does anyone know the reason? Can I offload openssl?

$ openssl speed -engine zymkey_ssl rsa2048
engine "zymkey_ssl" set.
Doing 2048 bits private rsa's for 10s: 1754 2048 bits private RSA's in 9.99s
Doing 2048 bits public rsa's for 10s: 79198 2048 bits public RSA's in 10.00s
OpenSSL 1.1.1w  11 Sep 2023
built on: Tue Sep 19 12:09:02 2023 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr) 
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -D__ARM_MAX_ARCH__=7 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-OTDapk/openssl-1.1.1w=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wdate-time -D_FORTIFY_SOURCE=2
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.005696s 0.000126s    175.6   7919.8
$ openssl speed rsa2048
Doing 2048 bits private rsa's for 10s: 1739 2048 bits private RSA's in 9.94s
Doing 2048 bits public rsa's for 10s: 79153 2048 bits public RSA's in 10.00s
OpenSSL 1.1.1w  11 Sep 2023
built on: Tue Sep 19 12:09:02 2023 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr) 
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -D__ARM_MAX_ARCH__=7 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-OTDapk/openssl-1.1.1w=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wdate-time -D_FORTIFY_SOURCE=2
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.005716s 0.000126s    174.9   7915.3

Best regards,
Goki

@gok - Our modules are not encryption/hashing accelerators. Our products provide ECC-based signing using private keys that are securely stored in the module instead of in software. The engine provides access to the keys secured in hardware.

We do not support RSA. To be honest, I’m not sure what happens when you include our openssl engine for a speed check and then specify RSA, which we don’t support.

Bob