Reindl Harald wrote:
On 29.06.2013 22:23, Bill Davidsen wrote:
Mateusz Marzantowicz wrote:
On 28.06.2013 17:21, J.Witvliet@xxxxxxxxx wrote:
It surely works, but at a performance price. And the certainty that you have to enter the LUKS-key each time you
boot.
Intel Sandy/Ivy Bridge processors and later (AMD also) have something
called AES-NI which significantly speeds up disk encryption. I haven't
done any benchmarks but I see no difference between encrypted and plain
LVM in everyday use.
I just discovered that KVM doesn't seem to pass that flag on to virtual machines, which seems like serious suckage.
May be a hardware thing, of course
this has nothing to do with the hardware
the hardware has AES-NI or has not
So far you're right.
VMware vSphere passes the flag to the guest
cat /proc/cpuinfo | grep aes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr
sse sse2 ss ht syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc
aperfmperf pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes hypervisor lahf_lm ida arat epb pln pts dtherm
And right again. Unfortunately I didn't say or mean vSphere, but rather KVM, the
facility used by qemu-kvm to run virtual machines.
Hardware CPU:
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp
lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc
aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3
cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx
lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
On 2.6.32-358.11.1.el6.i68 VM:
vendor_id : GenuineIntel
model name : QEMU Virtual CPU version 1.0.1
flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36
clflush mmx fxsr sse sse2 syscall nx lm unfair_spinlock pni cx16 popcnt
hypervisor lahf_lm
But on 3.9.6-200.fc18.x86_64 VM:
vendor_id : GenuineIntel
model name : QEMU Virtual CPU version 1.0.1
flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pse36 clflush mmx fxsr sse sse2 syscall nx lm rep_good nopl pni cx16 popcnt
hypervisor lahf_lm
Other than the flag name change, neither VM has aes set. I assume the flag is
blocked for security, although I don't see bugs about it.
Anyway, switching all our servers to something else at this time is not even
worth a discussion, so my note was just a warning for people using the KVM tools
included in Fedora.
--
Bill Davidsen <davidsen@xxxxxxx>
"'Nothing to hide' does not imply 'nothing to fear'"
- me
"AT&T could not seriously contend that a reasonable entity in its position
could have believed that the alleged domestic dragnet was legal."
-judge Vaughn R. Walker of the U.S. District Court
for the Northern District of California, EFF vs. AT&T
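
Added example, not part of the original message: the host/guest comparison done by eye above, as a script that extracts the flags line from two /proc/cpuinfo captures, tests for the exact `aes` flag, and lists what the hypervisor hides from the guest. The function names and the sample files are assumptions; the sample flag lists are constructed, abbreviated from the ones quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): compare CPU flags seen by host and guest.

# Print the flags of the first CPU in a cpuinfo-format file, one per line.
cpu_flags() {
    awk -F: '/^flags[ \t]*:/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++) print f[i]
        exit
    }' "$1" | LC_ALL=C sort -u
}

# Exit 0 only when the exact flag is present; "grep aes" on the raw line
# would also match any flag that merely contains those letters.
has_flag() {
    cpu_flags "$1" | grep -qx -- "$2"
}

# Flags the host exposes that the guest does not see.
missing_in_guest() {
    h=$(mktemp); g=$(mktemp)
    cpu_flags "$1" > "$h"; cpu_flags "$2" > "$g"
    LC_ALL=C comm -23 "$h" "$g"
    rm -f "$h" "$g"
}

# Constructed sample captures, abbreviated from the flag lists in the message.
SAMPLE_DIR=$(mktemp -d)
printf 'model name\t: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz\nflags\t\t: fpu vme de pse sse sse2 pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx lahf_lm\n' > "$SAMPLE_DIR/host.cpuinfo"
printf 'model name\t: QEMU Virtual CPU version 1.0.1\nflags\t\t: fpu de pse sse sse2 pni cx16 popcnt hypervisor lahf_lm\n' > "$SAMPLE_DIR/guest.cpuinfo"

for f in host guest; do
    if has_flag "$SAMPLE_DIR/$f.cpuinfo" aes; then
        echo "$f: aes present"
    else
        echo "$f: aes absent, no AES-NI acceleration visible here"
    fi
done
echo "hidden from guest:" $(missing_in_guest "$SAMPLE_DIR/host.cpuinfo" "$SAMPLE_DIR/guest.cpuinfo")
```

On a real system, pass /proc/cpuinfo from the host and a copy of the guest's /proc/cpuinfo instead of the sample files.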