默认情况下启用AES-NI内在函数? [英] AES-NI intrinsics enabled by default?
问题描述
Oracle有关于AES-NI的说法:
添加硬件内在函数以使用高级加密标准
(AES)。 UseAES和UseAESIntrinsics标志可用于为基于硬件的AES内在函数启用
。硬件
必须是2010或更新的Westmere硬件。例如,要启用
硬件AES,请使用以下标志:-XX:+ UseAES -XX: UseAESIntrinsics
要禁用硬件AES,请使用以下标志:
-XX:-UseAES -XX:-UseAESIntrinsics
但它不表示默认情况下是否启用AES内在函数(对于支持它的处理器)。所以问题很简单:如果处理器支持AES-NI,是AES内部使用的吗?
奖金问题:是否有任何方法来测试AES- ?我想你可以基于性能猜测,但这不是一个最佳或肯定的测试方式。
不熟悉AES-NI内在函数:它使用AES-NI指令集替换字节码与预编译的机器码。这是由JVM发生的,因此它不会显示在Java运行时或字节码的API中。
如果检测失败,它将被设置为false,所以你可以简单地使用+ PrintFlagsFinal来查看它是否被使用:
我的笔记本电脑无 AES-NI:
C:\>C:\Program Files \Java\\ \\ jdk1.7.0_51\bin\java-XX:+ PrintFlagsFinal -version |查找UseAES
bool UseAES = false {product}
bool UseAESIntrinsics = false {product}
java版本1.7.0_51
Java(TM)SE运行时环境1.7.0_51-b13)
Java HotSpot(TM)64位服务器虚拟机(构建24.51-b03,混合模式)
桌面上相同与 AES-NI:
C: \\>C:\Program Files\Java\jdk7\bin\java-XX:+ PrintFlagsFinal -version |查找AES
bool UseAES = true {product}
bool UseAESIntrinsics = true {product}
java版本1.7.0_51
Java运行时环境(构建1.7.0_51-b13)
Java HotSpot TM 64位服务器虚拟机(构建24.51-b03,混合模式)
C:\>C: \Program Files(x86)\Java\jre7\bin\java-XX:+ PrintFlagsFinal -version |查找AES
bool UseAES = true {product}
bool UseAESIntrinsics = true {product}
java版本1.7.0_51
Java运行时环境(构建1.7.0_51-b13)
Java HotSpot(TM)客户机VM(构建24.51-b03,混合模式,共享)
因此,它适用于最近的Java 7的x64和i686(WOW64)。该功能引入了 https://bugs.openjdk.java.net/browse/JDK-7184394 ,并反向运行到7u40和7u45。
重要提示:AES-NI只能在服务器VM 上使用。
这是在提交错误报告后由Oracle承认的。这个重要的信息缺失时,他们创建了Java 8的功能列表,它被介绍(它后来被反向移植到7)。可以通过在
java
或javaw上提供
命令行。-server
选项来显式选择服务器VMOracle has this to say about Java 8 with regards to AES-NI:
Hardware intrinsics were added to use Advanced Encryption Standard (AES). The UseAES and UseAESIntrinsics flags are available to enable the hardware-based AES intrinsics for Intel hardware. The hardware must be 2010 or newer Westmere hardware. For example, to enable hardware AES, use the following flags:
-XX:+UseAES -XX:+UseAESIntrinsics
To disable hardware AES use the following flags:
-XX:-UseAES -XX:-UseAESIntrinsics
But it does not indicate if AES intrinsics are enabled by default (for processors that support it). So the question is simple: if the processor supports AES-NI, are AES intrinsics used?
Bonus question: is there any way to test if AES-NI is being used? I guess you can guess based on performance, but that's not an optimal or sure fire way of testing.
For readerS that are not familiar with AES-NI intrinsics: it's replacing byte code with pre-compiled machine code, using the AES-NI instruction set. This happens by the JVM, so it does not show up in the API of the Java runtime or bytecode.
解决方案The flag has a default of true and it will be set to false if the detection fails, so you can simply use +PrintFlagsFinal to see if it is used:
My Laptop without AES-NI:
C:\>"C:\Program Files\Java\jdk1.7.0_51\bin\java" -XX:+PrintFlagsFinal -version | find "UseAES" bool UseAES = false {product} bool UseAESIntrinsics = false {product} java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
Same on Desktop with AES-NI:
C:\>"C:\Program Files\Java\jdk7\bin\java" -XX:+PrintFlagsFinal -version | find "AES" bool UseAES = true {product} bool UseAESIntrinsics = true {product} java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode) C:\>"C:\Program Files (x86)\Java\jre7\bin\java" -XX:+PrintFlagsFinal -version | find "AES" bool UseAES = true {product} bool UseAESIntrinsics = true {product} java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
So, it works for both x64 and i686 (WOW64) with recent Java 7. The feature was introduced with https://bugs.openjdk.java.net/browse/JDK-7184394 and backported to 7u40 and 7u45.
Important: AES-NI may only be available on the server VM.
This was acknowledged by Oracle after a bug report was filed. This vital piece of information was missing when they created the featues list of Java 8 where it was introduced (it later got backported to 7 as well). The server VM can be explicitly choosen by providing the
-server
option on thejava
orjavaw
command line.这篇关于默认情况下启用AES-NI内在函数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!