TLS
WolfSSL
git clone https://github.com/wolfSSL/wolfssl --depth 1
cd wolfssl
sh autogen.sh
./configure --enable-all --enable-all-crypto --disable-shared --prefix=/opt/wolfssl-rs/
make
sudo make install
Reproduce
Record
On the controller machine.
Installation
Build netreplay and copy it into this folder.
Authorize netreplay to bind to ports 80 and 443:
sudo setcap CAP_NET_BIND_SERVICE=+eip netreplay
Open Firefox with a dedicated profile (create the profile using the GUI if it doesn't exist):
firefox -P tlsbench
In settings, disable DNS security.
In about:config, set network.dns.forceResolve to 127.0.0.1.
Run the shell command:
python exp.py make debug -c
In Firefox, go to security settings, Certificates, import /dev/shm/exp/certs/prime256v1/ca.crt and trust it for identifying websites.
After installation
Stop anything running on ports 80 or 443.
Start the record proxy:
./netreplay records/mynewrecord record
Just browse. All traffic will be recorded. Terminate netreplay with CTRL+C when finished.
Measure
Copy the tlsbench folder to the target.
Build netreplay with the desired cryptographic backends on the target (one build per backend), and place each version in tlsbench, named netreplay-aws-lc, netreplay-boring, etc.
Install dependencies on the target:
sudo apt install acct dtach
sudo chmod +s /sbin/sa
pip install pyOpenSSL
Modify the experiment parameters at the top of exp.py to suit your setup and the experiments you want to run.
Run:
python exp.py make pi3 -c
python makecerts.py
python exp.py send pi3
python exp.py run pi3 --idle
It may be necessary to keep an SSH connection to the target open during the experiment, and to set RemoveIPC=no in /etc/systemd/logind.conf (then run systemctl restart systemd-logind).
Profile
Profile code execution on the local machine.
Install sa:
sudo apt install acct dtach python3-invoke python3-fabric
sudo chmod +s /sbin/sa
Install OpenSSL with debug symbols:
# Options from Debian build
# Debian package libssl3t64 -> Developer Information -> buildd reproducibility -> trixie rbuild
# https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/openssl.html
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-tfo enable-zstd enable-zlib enable-fips enable-ec_nistp_64_gcc_128
# Or, if OpenSSL 1.1:
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-zlib enable-ec_nistp_64_gcc_128 linux-x86_64
To build netreplay with this OpenSSL build:
OPENSSL_LIB_DIR=/home/pi/reps/openssl-openssl-3.6.1/ OPENSSL_DIR=/home/pi/reps/openssl-openssl-3.6.1/ cargo build --release
Authorize non-root users to use perf:
sudo sysctl kernel.perf_event_paranoid=-1
Run:
python exp.py make local -c
python exp.py run local
python plots.py prof <path/to/log>
RAPL
gcc -O3 powercap.c -o powercap
sudo chown root powercap
sudo chmod u+s powercap
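The steps above grant netreplay a file capability with setcap, set the setuid bit on /sbin/sa and powercap, and set kernel.perf_event_paranoid to -1. The following audit script is an added example, not part of the project; it reports which of these settings are still in place on a machine so they can be reverted after benchmarking. The relative paths assume it is run from the tlsbench folder.

```python
import os
import stat

# Paths and values are the ones in the README's commands; "./netreplay" and
# "./powercap" assume the script runs from the tlsbench folder.
SETID_PATHS = ["/sbin/sa", "./powercap"]
CAP_PATHS = ["./netreplay"]
PERF_SYSCTL = "/proc/sys/kernel/perf_event_paranoid"


def has_setid_bit(path):
    """True if the file carries the setuid or setgid bit (set by chmod +s / u+s)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def has_file_caps(path):
    """True if the file has a security.capability xattr (written by setcap)."""
    try:
        return len(os.getxattr(path, "security.capability")) > 0
    except (OSError, AttributeError):  # no xattr, or platform without getxattr
        return False


def perf_paranoid_level(path=PERF_SYSCTL):
    """Return kernel.perf_event_paranoid as an int, or None if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def audit(setid_paths=SETID_PATHS, cap_paths=CAP_PATHS, perf_path=PERF_SYSCTL):
    """Return one finding string per privileged setting that is still in place."""
    findings = []
    for path in setid_paths:
        if os.path.exists(path) and has_setid_bit(path):
            findings.append(f"{path}: setuid/setgid bit set")
    for path in cap_paths:
        if has_file_caps(path):
            findings.append(f"{path}: file capabilities set")
    level = perf_paranoid_level(perf_path)
    if level is not None and level < 0:  # the README sets -1
        findings.append(f"kernel.perf_event_paranoid={level}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit()) or "no privileged benchmark settings found")
```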
Grid5000
ssh rennes.g5k
oarsub -q default -l host=2,walltime=2 -p "paradoxe AND wattmeter=YES" -I
# Check the name of the other node in https://intranet.grid5000.fr/oar/Lyon/drawgantt-svg/
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
pip3 install fabric pyOpenSSL
python exp.py make g5k -c
python exp.py send g5k
# Notes
scp /lib/x86_64-linux-gnu/libssl.so.3.6 nancy.g5k:~/
scp /lib/x86_64-linux-gnu/libcrypto.so.3.6 nancy.g5k:~/
scp records/wikipedia nancy.g5k:tlsbench/records/
Wattmetre
API timestamps are in Paris time.
Plots
python plots.py summary results/g5k/summary X results/pi3/summary pi3 results/i5/summary i5 results/core2/summary C2
python plots.py log2 results/core2/impl C2 results/pi3/impls \$\\\\pi\$3 results/i5/impls i5
python plots.py stab results/pi3/stability \$\\\\pi\$3 results/core2/stability C2 results/i5/stability i5 results/g5k/stability X
The plots are output to /dev/shm/plots for use with Gnuplot. LaTeX tabulars and debug output are also printed to stdout.