intel / intel-sgx-ssl

Intel® Software Guard Extensions SSL
Other
228 stars 76 forks source link

AES256 GCM Performance #147

Open jyizheng opened 1 year ago

jyizheng commented 1 year ago

Hi,

I am using intel-sgx-ssl to calculate ghash (256 bit key). The result shows that calculating a hash for 4096B data took 11 us inside sgx. However, when I used the openssl library outside sgx, the same computation only took 900 ns. Both SSL library versions are 1.1.1.

My code is below: ` // data, key, iv, aad : Input // tags : Output int ghash(char data, int data_len, char sig, int sig_len) { EVP_CIPHER_CTX *ctx; int outlen;

ctx = EVP_CIPHER_CTX_new(); EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL); //IV : 12 bytes (96bits) EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL); EVP_EncryptInit_ex(ctx, NULL, NULL, aes_key, aes_iv); //AAD : 16 bytes (128bits) EVP_EncryptUpdate(ctx, NULL, &outlen, (const unsigned char*)data, data_len); EVP_EncryptFinal_ex(ctx, NULL, &outlen); //tags : 16 bytes (128bits) EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, sig); EVP_CIPHER_CTX_free(ctx); return 0; }

` According to post in 2017 (https://medium.com/@danny_harnik/impressions-of-intel-sgx-performance-22442093595a), this was a known problem for AES. This post also mentioned the reason for this degradation: "The root-cause was related to the auto initiation flow of OpenSSL and it’s integration into SGX SW stack. OpenSSL didn’t receive the CPU capabilities to determine the best AES-GCM implementation for the given platform. Therefore due to the lack of platform information, OpenSSL have fallback to the basic C implementation (which is not optimized at all). Solution: To get maximum performance, enclave developers should explicitly initialize OpenSSL crypto library. The auto initiation flow will be fixed in a future releases.”

I did follow the steps in "Intel(R) Software Guard Extensions SSL Library Linux Developer Guide.pdf" by linking both libsgx_usgxssl.a (in App code) and libsgx_tsgxssl_crypto.a libsgx_tsgxssl.a libsgx_pthread.a (in Enclave code).

I am wondering why there is still a big gap in the performance b/w ghash computation inside and outside SGX.

jinghe-INTC commented 1 year ago

Have you used an explicit crypto library initialization like that in the unit test project? https://github.com/intel/intel-sgx-ssl/blob/d09faa217391be33af8843bdaab271efe6277f19/Linux/sgx/test_app/enclave/TestEnclave.cpp#L291

Not sure if it works in your project.

jinghe-INTC commented 7 months ago

Since the problem was found with the deprecated OpenSSL 1.1.1, please check it still happens with the latest version with OpenSSL 3.0.*?

jinghe-INTC commented 7 months ago

Since the problem was found with the deprecated OpenSSL 1.1.1, please check it still happens with the latest version with OpenSSL 3.0.*?

I tried putting the function you provided in an SGX sample, but I didn't see a significant performance difference between an application linked with libcrypto.a v3.0.2 from the Linux system and an enclave linked with the SGX SSL crypto library based on OpenSSL 3.0.13.

Please try it and let me know if you get different results. Thanks!