[Swan] Using AES-NI doesn't improve performance in most cases

[Andreas Herz]

Hi,

as advised by Tuomo i build a test setup, one with fedora20 and one with
recent centos.

In both cases i have libreswan 3.8 active and fedora20 with 3.12 and
centos with 2.6.32 kernel. The CPU does support AES-NI and the module is
loaded, it also increases performance when i test it with cryptsetup for
example.

Now what i get is the following behaviour:

3.12/Fedora:

AES-NI loaded + NETKEY: ~280mbit/s
AES-NI unloaded + NETKEY: ~280mbit/s
AES-NI loaded + KLIPS: ~280mbit/s
AES-NI unloaded + KLIPS: ~280mbit/s


2.6.32/CentOS:

AES-NI loaded + NETKEY: ~280mbit/s
AES-NI unloaded + NETKEY: ~280mbit/s
AES-NI loaded + KLIPS: ~370mbit/s
AES-NI unloaded + KLIPS: ~280mbit/s

As you can see, the only case with increasing performance is AES-NI
loaded and KLIPS.

So i though AES-NI isn't used in the other cases although the module is
loaded. So i added debug infos into the aes-ni module, to be more
precise in arch/x86/crypto/aesni-intel_glue.c and with that i see, that
also in the other cases the module is really used but no increase.
I also can't see any difference, they all call the "aes_encrypt" and
"aes_decrypt" function. What is not called is for example
"__driver_rfc4106_encrypt" but since the working KLIPS case doesn't call
it either i guess it's not necessary.

So does anyone have an idea why AES-NI isn't working that well?
Does anyone have a working setup with AES-NI improving the performance?

My goal is to get libreswan+KLIPS+AES-NI working with a recent 3.X
kernel and to achieve the expected performance increase.

Thanks!

-- 
Andreas Herz