Image source: GRT (you have to find a picture for the post no matter what ~XD)
What is Intel AES-NI?
Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) is an extension to the x86 CPU instruction set that Intel proposed in March 2008. Its main purpose is to use hardware to accelerate AES encryption and decryption; according to Intel, it is 3 to 10x faster than doing the encryption and decryption purely in software. The figure below shows datacenteroverlords' measurements.
What about on virtual machines?
AES-NI relies on dedicated CPU instructions to accelerate encryption and decryption, which raises a question: if the host CPU provides AES-NI, can a virtual machine sitting behind a hypervisor still enjoy that acceleration? According to the document Intel® Advanced Encryption Standard New Instructions (AES-NI) Ecosystem March 2013 Update, the answer is yes: most mainstream hypervisors now support transparent AES-NI. The list is shown below:
How do you know whether your hardware supports it?
There are two ways on Linux. The simplest is to run the following command:
# grep aes /proc/cpuinfo
flags : fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl nonstop_tsc pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes avx hypervisor lahf_lm
If you see aes in the flags, your CPU supports the AES-NI instruction set.
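The grep above matches any flag containing "aes" (newer CPUs also report vaes, for instance), and inside a VM the flags line is simply whatever CPUID the hypervisor passes through, which is exactly the "transparent AES-NI" question from the previous section. The script below is an added example, not part of the original post: it checks flags as whole words, reports AES-NI together with PCLMULQDQ (needed for fast AES-GCM) and the hypervisor flag, and includes a constructed cpuinfo sample modelled on the GCP f1.micro output quoted later in the post so it can be exercised without a real machine.

```shell
#!/bin/sh
# Added example: inspect the CPUID feature flags Linux exposes in /proc/cpuinfo.
# Inside a VM these are the flags the hypervisor chose to pass through to the guest.

# has_cpu_flag <flag> [cpuinfo-file]: succeed when any "flags :" line lists <flag>
# as a whole word (plain `grep aes` would also match e.g. "vaes").
has_cpu_flag() {
    awk -v want="$1" '
        $1 == "flags" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }
    ' "${2:-/proc/cpuinfo}"
}

# aesni_report [cpuinfo-file]: one line summarising AES-NI, PCLMULQDQ (used by
# AES-GCM's GHASH) and whether we are running as a hypervisor guest.
aesni_report() {
    file="${1:-/proc/cpuinfo}"
    aes=no;           has_cpu_flag aes "$file"        && aes=yes
    clmul=no;         has_cpu_flag pclmulqdq "$file"  && clmul=yes
    where=bare-metal; has_cpu_flag hypervisor "$file" && where=guest
    printf 'aes-ni=%s pclmulqdq=%s platform=%s\n' "$aes" "$clmul" "$where"
}

# write_sample_cpuinfo <path>: constructed sample modelled on the GCP f1.micro
# /proc/cpuinfo quoted in this post (abbreviated; not a live capture).
write_sample_cpuinfo() {
    cat > "$1" <<'EOF'
processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Xeon(R) CPU @ 2.60GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc up xtopology unfair_spinlock pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes hypervisor lahf_lm xsaveopt
EOF
}

# Usage: `sh aesni_flags.sh live` reports on this machine,
#        `sh aesni_flags.sh sample` reports on the constructed sample.
if [ "${1:-}" = sample ]; then
    tmp=$(mktemp); write_sample_cpuinfo "$tmp"; aesni_report "$tmp"; rm -f "$tmp"
elif [ "${1:-}" = live ]; then
    aesni_report
fi
```

On the sample the report reads aes-ni=yes pclmulqdq=yes platform=guest, which is the combination you want to see from inside a cloud instance before expecting any AES-NI speed-up.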
You can then use openssl to test the effect of AES-NI. Before doing so, check whether your openssl supports AES-NI:
# openssl engine -c -tt
(dynamic) Dynamic engine loading support
     [ unavailable ]
If you get this message even though the grep above did show aes, your openssl may be too old (AES-NI is supported from OpenSSL 1.0.1 on). A thread on the openssl mailing list explains:
The use of OPENSSL_ia32cap environment variable allows you to alter the CPUID result (only inside OpenSSL), and alter its behaviour. It's not resistant to a reboot, it's only process dependent.
Compare the following results:
- OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
- openssl speed -elapsed -evp aes-128-cbc
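The two commands from the thread are the whole benchmark: the mask "~0x200000200000000" clears bits 57 (AES-NI) and 33 (PCLMULQDQ) of the CPUID word as OpenSSL sees it, so the first run uses the software AES code and the second the AES-NI path (the -evp switch matters, because since 1.0.1 AES-NI is reached only through the EVP interface). The script below is an added example, not from the mailing-list thread or the post: it runs both commands, pulls the 8192-byte-block figure out of the result table and prints the ratio. The sample table used for checking the parser is constructed.

```shell
#!/bin/sh
# Added example: measure how much OpenSSL gains from AES-NI by running the two
# `openssl speed` commands quoted above and comparing the 8192-byte-block numbers.
# OPENSSL_ia32cap="~0x200000200000000" clears CPUID bits 57 (AES-NI) and 33
# (PCLMULQDQ) for this process only, so that run falls back to software AES.

# speed_kbps <cipher>: read `openssl speed` output on stdin and print the
# 8192-byte-block throughput (kB/s, trailing "k" stripped).  In both the older
# 5-column table and the newer 6-column one the 8192-byte figure is field 6.
speed_kbps() {
    awk -v cipher="$1" '$1 == cipher { sub(/k$/, "", $6); print $6; exit }'
}

# speedup <with> <without>: ratio with two decimals, "n/a" if the divisor is not positive.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b > 0) printf "%.2f\n", a / b; else print "n/a" }'
}

# compare_aesni [cipher]: benchmark with AES-NI visible, then masked, and report.
# The "Doing ... for 3s" progress lines go to stderr and are dropped.
compare_aesni() {
    cipher="${1:-aes-128-cbc}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    with=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    without=$(OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    printf '%s with AES-NI  : %s kB/s\n' "$cipher" "$with"
    printf '%s AES-NI masked: %s kB/s\n' "$cipher" "$without"
    printf 'speed-up: %sx\n' "$(speedup "$with" "$without")"
}

# Only benchmark when invoked as `sh aesni_speed.sh run [cipher]`, so the file
# can also be sourced for its functions without spending ~40 s in openssl speed.
if [ "${1:-}" = run ]; then
    compare_aesni "${2:-aes-128-cbc}"
fi
```

A ratio close to 1 with aes present in /proc/cpuinfo usually means the OpenSSL build in use never takes the AES-NI path (too old, or built without assembler support), which is the situation the paragraph above describes.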
How About Cloud?
The real reason for looking into all this was to find out whether I can test Hadoop Encryption with AES-NI on AWS or GCP. Results so far:
AWS: m1.micro Yes
GCP: f1.micro Yes
Azure: anyone want to sponsor a machine? XD
If all the data in Hadoop is encrypted and has to be decrypted every time a MapReduce job runs, performance will certainly take a noticeable hit, but how much? That needs experiments.... So the next step is to measure encryption/decryption speed and produce benchmarks.....
[Update] GCP f1.micro /proc/cpuinfo reads as follows
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 45
model name : Intel(R) Xeon(R) CPU @ 2.60GHz
stepping : 7
cpu MHz : 2600.000
cache size : 20480 KB
physical id : 1
siblings : 1
core id : 5
cpu cores : 1
apicid : 42
initial apicid : 42
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc up xtopology unfair_spinlock pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes hypervisor lahf_lm xsaveopt
bogomips : 5200.00
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:

[Update2] After installing cpuid, it shows the following:
CPU 0:
   vendor_id = "GenuineIntel"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = Intel Pentium Pro/II/III/Celeron/Core/Core 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
      model           = 0xd (13)
      stepping id     = 0x6 (6)
      extended family = 0x0 (0)
      extended model  = 0x2 (2)
      (simple synth)  = Intel Core i7-3800/3900 (Sandy Bridge-E C1) / Xeon E5-1600/2600 (Sandy Bridge-E C1), 32nm
   miscellaneous (1/ebx):
      process local APIC physical ID = 0x0 (0)
      cpu count                      = 0x20 (32)
      CLFLUSH line size              = 0x8 (8)
      brand index                    = 0x0 (0)
   brand id = 0x00 (0): unknown
   feature information (1/edx):
      x87 FPU on chip                        = true
      virtual-8086 mode enhancement          = true
      debugging extensions                   = true
      page size extensions                   = true
      time stamp counter                     = true
      RDMSR and WRMSR support                = true
      physical address extensions            = true
      machine check exception                = true
      CMPXCHG8B inst.                        = true
      APIC on chip                           = true
      SYSENTER and SYSEXIT                   = true
      memory type range registers            = true
      PTE global bit                         = true
      machine check architecture             = true
      conditional move/compare instruction   = true
      page attribute table                   = true
      page size extension                    = true
      processor serial number                = false
      CLFLUSH instruction                    = true
      debug store                            = false
      thermal monitor and clock ctrl         = false
      MMX Technology                         = true
      FXSAVE/FXRSTOR                         = true
      SSE extensions                         = true
      SSE2 extensions                        = true
      self snoop                             = true
      hyper-threading / multi-core supported = false
      therm. monitor                         = false
      IA64                                   = false
      pending break event                    = false
   feature information (1/ecx):
      PNI/SSE3: Prescott New Instructions     = true
      PCLMULDQ instruction                    = true
      64-bit debug store                      = false
      MONITOR/MWAIT                           = false
      CPL-qualified debug store               = false
      VMX: virtual machine extensions         = false
      SMX: safer mode extensions              = false
      Enhanced Intel SpeedStep Technology     = false
      thermal monitor 2                       = false
      SSSE3 extensions                        = true
      context ID: adaptive or shared L1 data  = false
      FMA instruction                         = false
      CMPXCHG16B instruction                  = true
      xTPR disable                            = false
      perfmon and debug                       = false
      process context identifiers             = false
      direct cache access                     = false
      SSE4.1 extensions                       = true
      SSE4.2 extensions                       = true
      extended xAPIC support                  = true
      MOVBE instruction                       = false
      POPCNT instruction                      = true
      time stamp counter deadline             = false
      AES instruction                         = true
      XSAVE/XSTOR states                      = false
      OS-enabled XSAVE/XSTOR                  = false
      AVX: advanced vector extensions         = false
      F16C half-precision convert instruction = false
      RDRAND instruction                      = false
      hypervisor guest status                 = true
Further reading: