[tor-relays] Force OpenSSL AES-NI usage on a VPS without the AES CPU flag passthrough

Andy Isaacson adi at hexapodia.org
Wed Sep 6 23:27:03 UTC 2017


On Wed, Aug 23, 2017 at 11:14:54AM +1000, teor wrote:
>
>> On 22 Aug 2017, at 16:22, Roman Mamedov <rm at romanrm.net> wrote:
>>
>> Hello,
>>
>> Today I found that it is possible to force OpenSSL enable the use of CPU AES
>> acceleration even if it doesn't detect the "aes" CPU flag.
>
>This would be a great addition to tor/doc/TUNING.
>
>Does someone want to summarise it and submit a patch to:
>https://trac.torproject.org

I'd be a bit cautious about documenting this; it's arguably a hypervisor 
bug that the AESNI instructions are enabled but the AES bit is not set 
in CPUID.  If your VM gets moved to hardware that actually doesn't have 
the instructions, or if the system has AESNI turned off for a good 
reason (like a buggy encryption implementation), you're asking for more 
breakage.

According to 
https://software.intel.com/en-us/forums/intel-isa-extensions/topic/287887
there are control bits in MSR 0x13c for AESNI.

I'm not arguing that it's unreasonable to play with this force-on 
setting, or even to run it on a tor relay, but you've gotta know that 
when it breaks, you get to keep both pieces. :)

-andy
-andy


More information about the tor-relays mailing list