Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AES-NI intrinsics enabled by default?

Oracle has this to say about Java 8 with regards to AES-NI:

Hardware intrinsics were added to use Advanced Encryption Standard (AES). The UseAES and UseAESIntrinsics flags are available to enable the hardware-based AES intrinsics for Intel hardware. The hardware must be 2010 or newer Westmere hardware. For example, to enable hardware AES, use the following flags:

-XX:+UseAES -XX:+UseAESIntrinsics 

To disable hardware AES use the following flags:

-XX:-UseAES -XX:-UseAESIntrinsics 

But it does not indicate if AES intrinsics are enabled by default (for processors that support it). So the question is simple: if the processor supports AES-NI, are AES intrinsics used?

Bonus question: is there any way to test if AES-NI is being used? I guess you can guess based on performance, but that's not an optimal or sure fire way of testing.


For readerS that are not familiar with AES-NI intrinsics: it's replacing byte code with pre-compiled machine code, using the AES-NI instruction set. This happens by the JVM, so it does not show up in the API of the Java runtime or bytecode.

like image 538
Maarten Bodewes Avatar asked Apr 14 '14 10:04

Maarten Bodewes


People also ask

How do you check if AES NI is enabled?

Look in /proc/cpuinfo . If you have the aes flag then your CPU has AES support.

What does enabling AES NI do?

What Is It? Intel® AES New Instructions (Intel® AES-NI) is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family and the Intel® Core™ processor family.

Does Java use AES NI?

Java 8 and 7u40 and later include support for x86 AES intrinsics for the built-in SunJCE provider, but the feature is not enabled by default (it is).

How can AES be disabled using the Java VM options?

Add the -XX:-UseAESIntrinsics flag to the JVM - this disables AES Intrinsics (introduced in Java 8).


2 Answers

The flag has a default of true and it will be set to false if the detection fails, so you can simply use +PrintFlagsFinal to see if it is used:

My Laptop without AES-NI:

C:\>"C:\Program Files\Java\jdk1.7.0_51\bin\java" -XX:+PrintFlagsFinal -version | find "UseAES"      bool UseAES                                    = false           {product}      bool UseAESIntrinsics                          = false           {product} java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode) 

Same on Desktop with AES-NI:

C:\>"C:\Program Files\Java\jdk7\bin\java" -XX:+PrintFlagsFinal -version | find "AES"      bool UseAES                                    = true            {product}      bool UseAESIntrinsics                          = true            {product}  java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)  C:\>"C:\Program Files (x86)\Java\jre7\bin\java" -XX:+PrintFlagsFinal -version | find "AES"      bool UseAES                                    = true            {product}      bool UseAESIntrinsics                          = true            {product}  java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing) 

So, it works for both x64 and i686 (WOW64) with recent Java 7. The feature was introduced with https://bugs.openjdk.java.net/browse/JDK-7184394 and backported to 7u40 and 7u45.


Important: AES-NI may only be available on the server VM.

This was acknowledged by Oracle after a bug report was filed. This vital piece of information was missing when they created the featues list of Java 8 where it was introduced (it later got backported to 7 as well). The server VM can be explicitly choosen by providing the -server option on the java or javaw command line.

like image 183
6 revs, 2 users 91% Avatar answered Sep 20 '22 07:09

6 revs, 2 users 91%


Can't comment (stupid SO rules more than 50 credits required!). This mailthread from openjdk says, all AES intrinsics are enabled by default. Although I'm not certain how much of the Oracle core VM code shares with openjdk. If you read the whole thread, they also discuss about challenges on 32-bit VMs, that probably explains your problem with your second test run.

  • Regarding your test (sorry, can't comment), don't you think the differences in the CPUs make a big difference? Core i7's are quadcore and have better clock speeds in general. Wouldn't that have made a difference ? I guess that shift from 21s (core i5, 32bitVM, AES-NI off) to 8s (core i7, 64bitVM, AES-NI off) is the difference between i5 and i7.
  • The improvement from 8s to 3s, although not 7 fold, is indeed worth a 'Yipes'! :)
  • Regarding the detection mechanism - there doesn't seem to be a straightforward way. JVM throws a warning "AES intrinsics not available on this CPU" if you enabled the flags, and if it cannot find AES support - as per this bug report.
like image 42
Alavalathi Avatar answered Sep 17 '22 07:09

Alavalathi