[Pkg-auth-maintainers] Bug#983925: ykcs11: signing is 3 times as slow with ykcs11 as with opensc-pkcs11
Julien Cristau
jcristau at debian.org
Wed Mar 3 15:13:53 GMT 2021
Package: ykcs11
Version: 2.2.0-1
Severity: normal
X-Debbugs-Cc: ansgar at debian.org
Hi,
we recently switched from opensc-pkcs11 to ykcs11 for UEFI and kernel
module signing on ftp-master.debian.org. Since then, average time to
sign a single object went from less than 0.3s to almost 0.9s.
I'll try and repro locally, but here's recent data from ftp-master:
date | count | min | avg | max
------------+-------+-----------------+-----------------+-----------------
2021-03-03 | 20003 | 00:00:00.807406 | 00:00:00.847015 | 00:00:01.53756
2021-03-02 | 8664 | 00:00:00.814485 | 00:00:00.847531 | 00:00:01.366951
2021-02-25 | 4 | 00:00:00.877825 | 00:00:00.891082 | 00:00:00.904295
2021-02-20 | 4 | 00:00:00.232599 | 00:00:00.430692 | 00:00:00.691046
2021-02-12 | 20858 | 00:00:00.269229 | 00:00:00.282815 | 00:00:00.808497
2021-02-08 | 2873 | 00:00:00.272162 | 00:00:00.283422 | 00:00:00.333223
2021-02-07 | 25765 | 00:00:00.265427 | 00:00:00.282683 | 00:00:00.781303
2021-02-02 | 21255 | 00:00:00.270709 | 00:00:00.284015 | 00:00:00.73951
2021-02-01 | 7368 | 00:00:00.272812 | 00:00:00.28461 | 00:00:00.891317
2021-01-30 | 36132 | 00:00:00.269188 | 00:00:00.283878 | 00:00:00.808352
Feb 25 is when we switched PKCS#11 modules.
It seems like it should be possible to do better here, since the hw
clearly can do it.
Cheers,
Julien
More information about the Pkg-auth-maintainers
mailing list