AMD + Older Intel CPUs To See Much Faster AES-NI XTS Crypto Performance On Linux 5.12
AMD processors along with older Intel processors will enjoy much faster AES-NI XTS crypto performance with the Linux 5.12 kernel this spring.
Processors supporting AES-NI instructions and that also are subject to Retpolines as part of their Spectre V2 mitigations will enjoy a big speed-up with AES-NI XTS for that next version of the Linux kernel. This includes past and current AMD processors as well as older Intel CPUs, but recent Intel processors do not need the return trampolines and thus not subject to this speed-up as they are not currently handicapped.
This AES-NI XTS speed-up is from what was recently uncovered in that AES-NI XTS performance regressed hard from Retpolines with the kernel driver's indirect calls. It surprisingly took about three years for developers to notice just how bad the performance was and thus rework the kernel code to avoid the overhead within the AES-NI driver.
That code is now queued in the "cryptodev" Git code ahead of the Linux 5.12 merge window next month.
One of the patches notes a 65% speed-up on a Core i7 8650U processor when switching to the direct calls and then ironed out with the second patch. So if your system relies upon Retpolines and you didn't force disable the mitigations, Linux 5.12 should see much faster AES-NI XTS performance that is important for the likes of disk encryption.
Last month I did publish some older Intel CPUs + AMD Ryzen CPU AES-NI XTS benchmarks looking at that massive overhead on affected processors.
Via the cryptsetup benchmark on OpenBenchmarking.org you can see more metrics around processors and their current crypto performance.