AES-NI extension on guest CPU?

pret

Feb 20, 2013
Hi,

I am planning a new home server. I have ordered an Intel Xeon E1230v2. The CPU supports the AES-NI extension. I want to install a fileserver VM with a dedicated controller card (PCIe passthrough, VT-d is available). Since I want to use encryption on Linux (luks/dmcrypt), I was wondering if it is possible to use the AES-NI extension in the guest VM. Has anybody ever tried this, or does anyone know if it is possible? I did some googling and I did not get any information about successful use of AES-NI in KVM guest VMs.

regards
pret

P.S. In hardforum I found the information that ESXi supports this feature in guest VMs, so I think it could be possible for Proxmox/KVM as well.
 
That's why I'm asking. I'm not able to test it yet. If some people tried it and nobody succeeded, I won't put any effort into it and will just use ESXi. But if someone confirms that it works, I am going to give it a try.
When I'm using the cpu=host option, will every CPU feature be available in the VM? Or are there some things that won't work? Or is it possible that some CPU features will be shown but don't work?
 

AFAIK - using cpu=host basically gives your VM complete access to the CPU.

All I can suggest is that you look at these two pages:

https://pve.proxmox.com/wiki/Allow_Guests_Access_to_Host_CPU

http://www.linux-kvm.org/page/Tuning_KVM
 
Hi,

I did a test with the host and a VM (cpu=host). I executed the command # cat /proc/cpuinfo
Result for host:
fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid
Result for VM:
fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc arch_perfmon rep_good nopl pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm xsaveopt

As you can see, the VM CPU supports fewer capabilities. It's hard to guess if AES-NI will be mapped on your machine, but we already know that it's not equally mapped 1:1.
I guess that if a capability is mapped, then software running on the VM will detect it and try to use it (probably the logs will say if something goes wrong).

Edit: I see that the aes flag is mapped between my CPU and the VM CPU. So maybe your AES-NI will work too...

Regards,
michu
 
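The comparison done by eye in the post above, as an added example that is not part of any post in this thread: it diffs the two quoted flag lists with whole-word matching and reports the aes and pclmulqdq flags, then does the same for the machine it runs on. The function names and the choice of which flags to report are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag lists copied from the host/VM output quoted in the post.
HOST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid"
GUEST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc arch_perfmon rep_good nopl pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm xsaveopt"

# has_flag "<flag list>" <flag>: succeed only on a whole-word match,
# so "tm" does not match inside "mtrr" and "sse" does not match "sse2".
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_in_guest "<host flags>" "<guest flags>": host flags the guest lacks.
missing_in_guest() {
    out=""
    for f in $1; do
        has_flag "$2" "$f" || out="$out $f"
    done
    echo "${out# }"
}

# aesni_report "<flag list>": status of the flags checked in this example.
# aes = AES-NI; pclmulqdq = carry-less multiply (used by AES-GCM code paths).
aesni_report() {
    for f in aes pclmulqdq; do
        if has_flag "$1" "$f"; then echo "${f}: present"; else echo "${f}: missing"; fi
    done
}

# local_flags: flag list of the machine this runs on (empty if not x86 Linux).
local_flags() {
    [ -r /proc/cpuinfo ] || return 0
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo | head -n 1
}

echo "Host flags not exposed to the VM in the post:"
missing_in_guest "$HOST_FLAGS" "$GUEST_FLAGS"
echo "VM in the post:"
aesni_report "$GUEST_FLAGS"
lf=$(local_flags)
if [ -n "$lf" ]; then
    echo "This machine:"
    aesni_report "$lf"
fi
```

Run inside the guest, the last section shows what that VM's CPU model actually advertises, which is the check to repeat after changing the CPU type.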