Force kernel AES-NI usage on a VPS without the aes CPU flag
First of all, thanks to @rm_ for his brilliant blog post on forcing OpenSSL to use the AES-NI instruction set when the CPU of a VPS does not report it even though it is actually supported. This is a counterpart that forces the Linux kernel to use AES-NI when QEMU does not pass through that flag, which is useful for IPsec, disk encryption, etc.
It turns out to be fairly simple with a kernel module. Just shove these two lines into any hello world boilerplate that you can find in a "how to write Linux kernel modules" tutorial (the include at the top of the file, the set_bit call inside the module's init function):
    #include <linux/bitops.h>
    /* 153 is X86_FEATURE_AES (4*32 + 25): capability word 4, bit 25 */
    set_bit(153, (unsigned long *)(boot_cpu_data.x86_capability));
The magic number 153 is taken from arch/x86/include/asm/cpufeatures.h. It is trivial to enforce the usage of another CPU feature (e.g., AVX) with another magic number.
After inserting your own module, manually running modprobe aesni_intel should do the trick.
On one of my KVM servers, the result of cryptsetup benchmark increased from
    # Algorithm | Key | Encryption | Decryption
    aes-cbc 128b 169.8 MiB/s 167.3 MiB/s
... to ...
    # Algorithm | Key | Encryption | Decryption
    aes-cbc 128b 678.2 MiB/s 2201.4 MiB/s
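A pre-flight check for the approach above, added here as an example and not part of the original post: setting the bit only changes what the kernel believes, so if the CPU really lacks AES-NI the first AESENC executed in kernel context will fault. This userland program decodes 153 into its capability word and bit, reads CPUID, and runs one AESENC in a child process to see whether it raises SIGILL; the function names are illustrative.

```c
/* Added example: userland pre-flight check (x86 Linux, gcc or clang). */
#include <cpuid.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define FEATURE_AES 153   /* the number passed to set_bit() in the module */

/* x86_capability[] holds 32-bit words: feature n is word n/32, bit n%32. */
static int feature_word(int n) { return n / 32; }
static int feature_bit(int n)  { return n % 32; }

/* Capability word 4 mirrors CPUID leaf 1, ECX, as seen inside the guest. */
static int cpuid_reports_aes(void)
{
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx >> feature_bit(FEATURE_AES)) & 1;
}

/* Run one AESENC in a child so a SIGILL cannot kill this process.
 * Returns 1 if it executed, 0 if the child died, -1 on fork/wait error. */
static int aesenc_executes(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        __asm__ volatile("aesenc %%xmm1, %%xmm0" ::: "xmm0", "xmm1");
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    int flag = cpuid_reports_aes(), runs = aesenc_executes();
    printf("feature %d = word %d, bit %d\n", FEATURE_AES,
           feature_word(FEATURE_AES), feature_bit(FEATURE_AES));
    printf("CPUID reports AES: %d, AESENC executes: %d\n", flag, runs);
    if (runs != 1)
        puts("AESENC did not run: forcing the bit would fault in the kernel");
    return runs == 1 ? 0 : 1;
}
```

A passing probe only describes the host the guest is running on right now; if the provider masks the flag so guests can move between hosts with different CPUs, a later migration to a host without AES-NI would make the forced code path fault.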