[tor-relays] Force OpenSSL AES-NI usage on a VPS without the AES CPU flag passthrough
Andy Isaacson
adi at hexapodia.org
Wed Sep 6 23:27:03 UTC 2017
On Wed, Aug 23, 2017 at 11:14:54AM +1000, teor wrote:
>
>> On 22 Aug 2017, at 16:22, Roman Mamedov <rm at romanrm.net> wrote:
>>
>> Hello,
>>
>> Today I found that it is possible to force OpenSSL to enable the use of CPU AES
>> acceleration even if it doesn't detect the "aes" CPU flag.
>
>This would be a great addition to tor/doc/TUNING.
>
>Does someone want to summarise it and submit a patch to:
>https://trac.torproject.org

I'd be a bit cautious about documenting this; it's arguably a hypervisor
bug that the AESNI instructions are enabled but the AES bit is not set
in CPUID. If your VM gets moved to hardware that actually doesn't have
the instructions, or if the system has AESNI turned off for a good
reason (like a buggy encryption implementation), you're asking for more
breakage.

According to
https://software.intel.com/en-us/forums/intel-isa-extensions/topic/287887
there are control bits in MSR 0x13c for AESNI.

I'm not arguing that it's unreasonable to play with this force-on
setting, or even to run it on a tor relay, but you've gotta know that
when it breaks, you get to keep both pieces. :)

-andy
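
An added example, not part of the message above and not Tor or OpenSSL code: a pre-start check that flags the state the message warns about, where AES-NI is forced on through OpenSSL's OPENSSL_ia32cap environment variable while the kernel's CPUID-derived flags do not list "aes". The function names, status strings and sample cpuinfo text are constructed for illustration; treating bit 57 as the AES-NI bit and a leading "~" as "clear these bits" follows OpenSSL's OPENSSL_ia32cap documentation.

```python
AESNI_BIT = 57  # AES-NI bit in OpenSSL's first capability word (per OPENSSL_ia32cap docs)

# Constructed sample: /proc/cpuinfo from a guest whose CPUID does not advertise AES.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Constructed Virtual CPU\n"
    "flags\t\t: fpu tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt avx\n"
)

def cpu_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def forces_aesni(ia32cap):
    """True if an OPENSSL_ia32cap value sets the AES-NI bit in the first word."""
    if not ia32cap:
        return False
    first = ia32cap.split(":", 1)[0].strip()   # text after ':' is the second word
    if not first or first.startswith("~"):     # '~' only clears bits, never forces
        return False
    try:
        return bool((int(first, 0) >> AESNI_BIT) & 1)
    except ValueError:
        return False                           # unparseable value: not treated as forced

def audit(cpuinfo_text, environ):
    """Classify the AES-NI state for a process started with `environ`."""
    has_flag = "aes" in cpu_flags(cpuinfo_text)
    forced = forces_aesni(environ.get("OPENSSL_ia32cap"))
    if forced and not has_flag:
        return "forced-without-cpuid"   # breaks if the VM lands on a host without AES-NI
    if forced:
        return "forced-redundant"       # override set, but CPUID already advertises AES
    return "native" if has_flag else "software-aes"

if __name__ == "__main__":
    import os
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO           # fall back to the constructed sample
    print(audit(text, os.environ))
```

Run before starting the relay and after any VM migration; a "forced-without-cpuid" result means the process depends on instructions the hypervisor does not promise to provide.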