AES-NI XTS Crypto Performance Looking Good For AMD With Linux 5.12 Fix
Written by Michael Larabel in AMD on 1 March 2021 at 04:26 PM EST. 5 Comments
Of the performance-related changes with Linux 5.12 worth noting is faster AES-NI XTS performance for systems relying upon return trampolines "Retpolines" as part of the CPU's Spectre V2 mitigations. On the Intel side this primarily impacts older CPUs where Retpolines is still used while on the AMD side through Zen 3 the Retpolines is still relied upon, which as shown by these benchmarks is now much better off for AMD Ryzen AES XTS performance as measured by Cryptsetup.

As reported last year, AES-NI regressed heavily under Retpolines and seemingly went unnoticed for the better part of three years. Now with Linux 5.12 the AES-NI kernel module code has been reworked so it doesn't face such overhead in Retpolines-enabled environments and in turn really helps out with performance.

I previously ran some benchmarks while now for getting an idea as to the impact with Linux 5.12 mainline, I carried out some fresh cryptsetup benchmarks with two AMD systems of Linux 5.11 stable versus Linux 5.12 Git at the end of the merge window.

The AMD Ryzen 5 (Zen 2) laptop is seeing much better AES-XTS performance:

Again, such change is just expected for AES-XTS with the AES-NI kernel module change for Linux 5.12 on Retpoline-enabled systems. It's not a novel improvement but rather addressing a Retpoline-induced performance regression that went unnoticed until recently.

And now for some Ryzen 9 5950X benchmarks with Cryptsetup on Linux 5.11 vs. 5.12 Git in the default kernel configuration where Retpolines remains in use for Zen 3:

The AES-NI work is among many new/improved features with Linux 5.12 and will debut as stable in about two months time. It's also quite likely this AES-NI work as a "regression fix" will be back-ported to stable kernel series too.
