默认情况下启用AES-NI内在函数？ [英] AES-NI intrinsics enabled by default?

问题描述

Oracle有关于AES-NI的说法：

添加硬件内在函数以使用高级加密标准
（AES）。 UseAES和UseAESIntrinsics标志可用于为基于硬件的AES内在函数启用
。硬件
必须是2010或更新的Westmere硬件。例如，要启用
硬件AES，请使用以下标志：

  -XX：+ UseAES -XX： UseAESIntrinsics 
  

要禁用硬件AES，请使用以下标志：

  -XX：-UseAES -XX：-UseAESIntrinsics 
  

但它不表示默认情况下是否启用AES内在函数（对于支持它的处理器）。所以问题很简单：如果处理器支持AES-NI，是AES内部使用的吗？

奖金问题：是否有任何方法来测试AES- ？我想你可以基于性能猜测，但这不是一个最佳或肯定的测试方式。

---

不熟悉AES-NI内在函数：它使用AES-NI指令集替换字节码与预编译的机器码。这是由JVM发生的，因此它不会显示在Java运行时或字节码的API中。

解决方案

如果检测失败，它将被设置为false，所以你可以简单地使用+ PrintFlagsFinal来查看它是否被使用：

我的笔记本电脑无 AES-NI：

  C：\>C：\Program Files \Java\\ \\ jdk1.7.0_51\bin\java-XX：+ PrintFlagsFinal -version |查找UseAES
 bool UseAES = false {product} 
 bool UseAESIntrinsics = false {product} 
 java版本1.7.0_51
 Java（TM）SE运行时环境1.7.0_51-b13）
 Java HotSpot（TM）64位服务器虚拟机（构建24.51-b03，混合模式）
  

桌面上相同与 AES-NI：

  C： \\>C：\Program Files\Java\jdk7\bin\java-XX：+ PrintFlagsFinal -version |查找AES
 bool UseAES = true {product} 
 bool UseAESIntrinsics = true {product} 
 
 java版本1.7.0_51
 Java运行时环境（构建1.7.0_51-b13）
 Java HotSpot TM 64位服务器虚拟机（构建24.51-b03，混合模式）
 
 C：\>C： \Program Files（x86）\Java\jre7\bin\java-XX：+ PrintFlagsFinal -version |查找AES
 bool UseAES = true {product} 
 bool UseAESIntrinsics = true {product} 
 
 java版本1.7.0_51
 Java运行时环境（构建1.7.0_51-b13）
 Java HotSpot（TM）客户机VM（构建24.51-b03，混合模式，共享）
   
 
因此，它适用于最近的Java 7的x64和i686（WOW64）。该功能引入了 https://bugs.openjdk.java.net/browse/JDK-7184394 ，并反向运行到7u40和7u45。
 
 
 
 
 
 
重要提示：AES-NI只能在服务器VM 上使用。
 
 
 
这是在提交错误报告后由Oracle承认的。这个重要的信息缺失时，他们创建了Java 8的功能列表，它被介绍（它后来被反向移植到7）。可以通过在 java 或 javaw上提供 -server 选项来显式选择服务器VM 命令行。
 
Oracle has this to say about Java 8 with regards to AES-NI:

  
Hardware intrinsics were added to use Advanced Encryption Standard
  (AES). The UseAES and UseAESIntrinsics flags are available to enable
  the hardware-based AES intrinsics for Intel hardware. The hardware
  must be 2010 or newer Westmere hardware. For example, to enable
  hardware AES, use the following flags:
-XX:+UseAES -XX:+UseAESIntrinsics
To disable hardware AES use the following flags:
-XX:-UseAES -XX:-UseAESIntrinsics

But it does not indicate if AES intrinsics are enabled by default (for processors that support it). So the question is simple: if the processor supports AES-NI, are AES intrinsics used?

Bonus question: is there any way to test if AES-NI is being used? I guess you can guess based on performance, but that's not an optimal or sure fire way of testing.



For readerS that are not familiar with AES-NI intrinsics: it's replacing byte code with pre-compiled machine code, using the AES-NI instruction set. This happens by the JVM, so it does not show up in the API of the Java runtime or bytecode.
解决方案
The flag has a default of true and it will be set to false if the detection fails, so you can simply use +PrintFlagsFinal to see if it is used:

My Laptop without AES-NI:
C:\>"C:\Program Files\Java\jdk1.7.0_51\bin\java" -XX:+PrintFlagsFinal -version | find "UseAES"
     bool UseAES                                    = false           {product}
     bool UseAESIntrinsics                          = false           {product}
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
Same on Desktop with AES-NI:
C:\>"C:\Program Files\Java\jdk7\bin\java" -XX:+PrintFlagsFinal -version | find "AES"
     bool UseAES                                    = true            {product}
     bool UseAESIntrinsics                          = true            {product}

java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

C:\>"C:\Program Files (x86)\Java\jre7\bin\java" -XX:+PrintFlagsFinal -version | find "AES"
     bool UseAES                                    = true            {product}
     bool UseAESIntrinsics                          = true            {product}

java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
So, it works for both x64 and i686 (WOW64) with recent Java 7. The feature was introduced with https://bugs.openjdk.java.net/browse/JDK-7184394 and backported to 7u40 and 7u45.



Important: AES-NI may only be available on the server VM.

This was acknowledged by Oracle after a bug report was filed. This vital piece of information was missing when they created the featues list of Java 8 where it was introduced (it later got backported to 7 as well). The server VM can be explicitly choosen by providing the -server option on the java or javaw command line.

                        
这篇关于默认情况下启用AES-NI内在函数？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！