I’m running CHR on Intel Haswell, without TSX, to support high availability failover to Intel Xeon CPU E5-2640v3. I’ve confirmed AES pass-through by booting the CHR guest using a CentOS 7 recovery environment.
Confirming ‘aes’ instruction availability:
grep -m1 -o aes /proc/cpuinfo
We obtain the following benchmarks in the VM:
openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     511101.85k   547731.20k   555776.60k   560752.67k   558724.44k
openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     371521.68k   394245.03k   401446.36k   399955.91k   402183.22k
Directly on the slowest hardware:
openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     541865.83k   585278.50k   595671.30k   602248.53k   603339.43k
openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     398849.01k   423887.98k   430012.84k   431852.89k   432622.25k
That equates to 5.2 Gbps, when using AES 128-bit CBC encoding within the virtual guest. I don’t see L2TP IPSec in CHR reporting ‘Hardware AEAD’ when reviewing the installed SAs either…