18 Bře
2025
18 Bře
'25
10:05
Hello!
In July 2024, in the Knot-DNS 3.3.8 release message, Daniel writes:
I would like to ask users with hardware HSMs to send us
the output of `keymgr <hsm_keystore_id> keystore-test`
This will allow us to update
https://www.knot-dns.cz/docs/latest/html/appendices.html#compatible-pkcs-11…
We're now running Knot 3.4.4 against a Thales HSM (I have no details of the
actual device/model in use at this time) and I see the following data:
$ keymgr -c etc/knot.conf thales keystore-bench
Keystore id 'thales', type PKCS #11, threads 1
Algorithm Sigs/sec
RSASHA256 33
ECDSAP256SHA256 27
ED25519 n/a
ED448 n/a
My first reaction was "hmm, that's slow".
Is there a list (above URL isn't it) of comparable results which I could show
the HSM operators and/or is anybody willing to share their data?
Thanks & regards,
-JP
18 Bře
18 Bře
11:00
Keystore id 'thales', type PKCS #11, threads 1
Algorithm Sigs/sec
RSASHA256 33
ECDSAP256SHA256 27
The person in charge of the HSM reports that the HSM 'perfcheck' utility
reports these numbers using 1 queue, numbers similar to what Knot reports:
Results: Signing
Test number: 368
Test: RSA using RSApPKCS1 with 2048-bit n.
Queue: 1
Rate (signatures/s): 21.307
Min latency (ms): 21.229
Mean latency (ms): 46.945
Max latency (ms): 83.605
CV (%): 6.0730
Min rate (tps): 20.929
Mean rate (tps): 21.307
Max rate (tps): 21.888
Reps: 1920
with a higher number of queues, there's a drastic performance increase:
Test number: 368
Test: RSA using RSApPKCS1 with 2048-bit n.
Queue: 49
Rate (signatures/s): 433.26
Min latency (ms): 47.390
Mean latency (ms): 112.80
Max latency (ms): 169.07
CV (%): 10.313
Min rate (tps): 430.80
Mean rate (tps): 433.26
Max rate (tps): 436.91
Reps: 32088
and with "signing:ECDSA using ECDSAhSHA256 over NISTP256" they measure 548
signatures/s
Are these 'queues' something which Knot uses internally but which isn't
configurable?
-JP
12:57
Hi,
Knot doesn't access an HSM directly but through GnuTLS. You can simply try
keystore-bench with more
threads to see if it scales this way.
Daniel
On 3/18/25 11:00, Jan-Piet Mens wrote:
Keystore id
'thales', type PKCS #11, threads 1
Algorithm Sigs/sec
RSASHA256 33
ECDSAP256SHA256 27
The person in charge of the HSM reports that the HSM 'perfcheck' utility
reports these numbers using 1 queue, numbers similar to what Knot reports:
Results: Signing
Test number: 368
Test: RSA using RSApPKCS1 with 2048-bit n.
Queue: 1
Rate (signatures/s): 21.307
Min latency (ms): 21.229
Mean latency (ms): 46.945
Max latency (ms): 83.605
CV (%): 6.0730
Min rate (tps): 20.929
Mean rate (tps): 21.307
Max rate (tps): 21.888
Reps: 1920
with a higher number of queues, there's a drastic performance increase:
Test number: 368
Test: RSA using RSApPKCS1 with 2048-bit n.
Queue: 49
Rate (signatures/s): 433.26
Min latency (ms): 47.390
Mean latency (ms): 112.80
Max latency (ms): 169.07
CV (%): 10.313
Min rate (tps): 430.80
Mean rate (tps): 433.26
Max rate (tps): 436.91
Reps: 32088
and with "signing:ECDSA using ECDSAhSHA256 over NISTP256" they measure 548
signatures/s
Are these 'queues' something which Knot uses internally but which isn't
configurable?
-JP
--
13:38
You can simply try keystore-bench with more threads to
see if it scales this way.
Keystore id 'thales', type PKCS #11, threads 20
Algorithm Sigs/sec
RSASHA256 571
ECDSAP256SHA256 444
Those who don't read the docs (in spite of having submitted a patch to the
documentation of exactly that command yesterday!!!) will be punished.
Thanks, Daniel.
-JP
38
days inactive
38
days old
3 comments
2 participants
participants (2)
-
Daniel Salzman -
Jan-Piet Mens