
Up To 162% Faster AES-GCM Encryption/Decryption For Intel & AMD CPUs On Linux



With the in-development Linux 6.10 kernel, Eric Biggers of Google landed [1] new AES-XTS implementations for much faster performance for Intel/AMD processors via new AES-NI + AVX, VAES + AVX2, VAES + AVX10/256, and VAES + AVX10/512 code paths. Biggers has since begun tackling even better AES-GCM encryption/decryption performance by leveraging a new code path to utilize AVX-512/AVX10 and/or VAES.

Eric Biggers on Sunday posted the latest iteration of his patches providing for greater AES-GCM improvements. Similar to the massive gains seen with his AES-XTS work, the AES Galois/Counter Mode improvements are also extremely beneficial. At the top-end, the new AES-GCM code can yield up to a 162% improvement!

This new AES-NI GCM code replaces prior code written by Intel and also addresses problems with the former code. Biggers explained in [2] the patch series:

"This patchset adds a VAES and AVX512 / AVX10 implementation of AES-GCM (Galois/Counter Mode), which improves AES-GCM performance by up to 162%. In addition, it replaces the old AES-NI GCM code from Intel with new code that is slightly faster and fixes a number of issues including the massive binary size of over 250 KB. See the patches for details.

The end state of the x86_64 AES-GCM assembly code is that we end up with two assembly files, one that generates AES-NI code with or without AVX, and one that generates VAES code with AVX512 / AVX10 with 256-bit or 512-bit vectors. There's no support for VAES alone (without AVX512 / AVX10). This differs slightly from what I did with AES-XTS where one file generates both AVX and AVX512 / AVX10 code including code using VAES alone (without AVX512 / AVX10), and another file generates non-AVX code only. For now this seems like the right choice for each particular algorithm, though, based on how much being limited to 16 SIMD registers and 128-bit vectors resulted in some significantly different design choices for AES-GCM, but not quite as much for AES-XTS. CPUs shipping with VAES alone also seems to be a temporary thing, so we perhaps shouldn't go too much out of our way to support that combination."

The performance improvements for AES-GCM from this new code are very apparent:

Recent Intel and AMD processors are showing very nice gains across the board in the AES-GCM encryption/decryption speed. Hopefully this new code will be tidied up in time for the Linux v6.11 cycle later this year.
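To see which of the two assembly files described in the cover letter a given machine would fall under, the following added example (not code from the patch series or the kernel) classifies the feature flags found in `/proc/cpuinfo`. The function names, the sample inputs, and the use of `avx512bw` plus `avx512vl` as the test for "AVX512 / AVX10" are assumptions of this sketch; the kernel's real feature checks are in the patches themselves.

```python
# Added example: maps x86 CPU feature flags to the AES-GCM code families the
# quoted cover letter describes. Flag names follow /proc/cpuinfo; treating
# avx512bw + avx512vl as "AVX512 / AVX10 present" is an assumption here.
import re

AVX512_FLAGS = {"avx512bw", "avx512vl"}  # assumed proxy, not the kernel's check

def parse_flags(cpuinfo_text):
    """Return the flag set of the first CPU listed in /proc/cpuinfo text."""
    m = re.search(r"^flags[ \t]*:[ \t]*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def gcm_family(flags):
    """Classify a flag set into one of the families named in the article."""
    if "aes" not in flags:
        return "no AES-NI: outside both assembly files"
    if "vaes" in flags and AVX512_FLAGS <= flags:
        return "VAES + AVX512/AVX10 file"
    if "avx" in flags:
        # Also covers VAES without AVX512: the cover letter says there is
        # no VAES-alone AES-GCM code, so such CPUs stay on the AES-NI file.
        return "AES-NI file, AVX variant"
    return "AES-NI file, non-AVX variant"

# Constructed sample inputs (not taken from real machines).
SAMPLES = {
    "vaes_avx512": "flags\t\t: fpu sse2 aes avx avx2 vaes avx512f avx512bw avx512vl",
    "vaes_alone": "flags\t\t: fpu sse2 aes avx avx2 vaes vpclmulqdq",
    "aesni_avx": "flags\t\t: fpu sse2 aes avx pclmulqdq",
    "aesni_only": "flags\t\t: fpu sse2 aes pclmulqdq",
    "no_aesni": "flags\t\t: fpu sse2",
}

def classify_samples():
    """Classify every constructed sample; returns {name: family}."""
    return {name: gcm_family(parse_flags(text)) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, family in classify_samples().items():
        print(f"{name:12s} -> {family}")
    try:  # On a Linux host, also classify the local CPU.
        with open("/proc/cpuinfo") as f:
            print("this host    ->", gcm_family(parse_flags(f.read())))
    except OSError:
        pass
```

Whether the VAES file runs with 256-bit or 512-bit vectors on a particular CPU is not stated in the article, so the sketch does not try to decide it.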



[1] https://www.phoronix.com/news/Linux-6.10-Crypto

[2] https://lore.kernel.org/lkml/20240602222221.176625-1-ebiggers@kernel.org/


