On Wed, Aug 23, 2017 at 11:14:54AM +1000, teor wrote:
On 22 Aug 2017, at 16:22, Roman Mamedov rm@romanrm.net wrote:
Hello,
Today I found that it is possible to force OpenSSL to enable the use of CPU AES acceleration even if it doesn't detect the "aes" CPU flag.
This would be a great addition to tor/doc/TUNING.
Does someone want to summarise it and submit a patch to: https://trac.torproject.org
I'd be a bit cautious about documenting this; it's arguably a hypervisor bug that the AESNI instructions are enabled but the AES bit is not set in CPUID. If your VM gets moved to hardware that actually doesn't have the instructions, or if the system has AESNI turned off for a good reason (like a buggy encryption implementation), you're asking for more breakage.
According to https://software.intel.com/en-us/forums/intel-isa-extensions/topic/287887 there are control bits in MSR 0x13c for AESNI.
I'm not arguing that it's unreasonable to play with this force-on setting, or even to run it on a tor relay, but you've gotta know that when it breaks, you get to keep both pieces. :)
-andy
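A pre-check for the situation discussed in this thread, as an added example that is not part of the original messages: it reports whether the kernel exposes the whole-word `aes` flag on every logical CPU, reading text in Linux `/proc/cpuinfo` format. The function name `aes_flag_status` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the "aes" CPUID feature flag is exposed,
# given text in Linux /proc/cpuinfo format (x86).
# The flag alone cannot tell "hardware lacks AES-NI" apart from
# "hypervisor masks the bit"; it only shows what software will detect.

# aes_flag_status FILE -> prints one of: all | none | mixed | unknown
aes_flag_status() {
    awk -F: '
        BEGIN { cpus = 0; with_aes = 0 }
        # One "flags" line per logical CPU. Anchoring on the field name
        # skips other lines such as "vmx flags".
        $1 ~ /^flags[ \t]*$/ {
            cpus++
            n = split($2, f, /[ \t]+/)
            for (i = 1; i <= n; i++)
                # Whole-word match so that e.g. "vaes" does not count as "aes".
                if (f[i] == "aes") { with_aes++; break }
        }
        END {
            if (cpus == 0)             print "unknown"
            else if (with_aes == cpus) print "all"
            else if (with_aes == 0)    print "none"
            else                       print "mixed"
        }
    ' "$1"
}

# Constructed sample: a two-CPU guest whose CPUID does not advertise AES.
sample=$(mktemp)
cat > "$sample" <<'EOF'
processor : 0
flags : fpu vme sse2 ssse3 pclmulqdq sse4_1 sse4_2 avx
processor : 1
flags : fpu vme sse2 ssse3 pclmulqdq sse4_1 sse4_2 avx
EOF
echo "constructed sample: $(aes_flag_status "$sample")"
rm -f "$sample"
```

On a live Linux host, call `aes_flag_status /proc/cpuinfo`; a result of `none` or `mixed` means any forced-on AES-NI setting is relying on instructions the CPUID does not advertise.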