Issue #341
aes256gcm on Linux x86_64 and aes-ni processor
Description
Hello,
During testing of the Suite B algorithms with strongSwan 5.0.4 I came across a problem with aes256gcm on Linux x86_64 with an AES-NI processor: it does not work. Other aes256 modes, i.e. ctr or cbc, do work, and other algorithms (i.e. aes128gcm) also work. My first thought was that there is something wrong with the kernel, but after successfully running ~$ openssl speed -evp aes-256-gcm with hardware support and without (OPENSSL_ia32cap=~0x200000200000000) on a 64-bit platform, I am not sure if that is a bug in the kernel. Short summary:
Fedora 18, x86_64, i7-3612QM - aes256gcm does not work
Fedora 18, i686, i7-3612QM - aes256gcm works
Fedora 18, x86_64, i3-2328M - aes256gcm works
Fedora 17, x86_64, i3-2328M - aes256gcm works
CentOS 6.4, i686, i7-3612QM - aes256gcm works
Fragment of logs from affected machine:
May 29 20:51:14 vostro charon: 12[KNL] virtual IP 192.168.1.2 installed on wlan0
May 29 20:51:14 vostro charon: 12[KNL] adding SAD entry with SPI cb825510 and reqid {1} (mark 0/0x00000000)
May 29 20:51:14 vostro charon: 12[KNL] using encryption algorithm AES_GCM_16 with key size 288
May 29 20:51:14 vostro charon: 12[KNL] using replay window of 32 packets
May 29 20:51:14 vostro charon: 12[KNL] sending XFRM_MSG_UPDSA: => 380 bytes 0x7eff071854e0
May 29 20:51:14 vostro charon: 12[KNL] 0: 7C 01 00 00 1A 00 05 00 CA 00 00 00 73 15 00 00 |...........s...
May 29 20:51:14 vostro charon: 12[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 64: 00 00 00 00 00 00 00 00 AC 10 01 65 00 00 00 00 ...........e....
May 29 20:51:14 vostro charon: 12[KNL] 80: 00 00 00 00 00 00 00 00 CB 82 55 10 32 00 00 00 ..........U.2...
May 29 20:51:14 vostro charon: 12[KNL] 96: 25 00 79 48 00 00 00 00 00 00 00 00 00 00 00 00 %.yH............
May 29 20:51:14 vostro charon: 12[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
May 29 20:51:14 vostro charon: 12[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
May 29 20:51:14 vostro charon: 12[KNL] 144: 94 0A 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 224: 01 00 00 00 02 00 01 20 20 00 00 00 00 00 00 00 ....... .......
May 29 20:51:14 vostro charon: 12[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm(
May 29 20:51:14 vostro charon: 12[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))...........
May 29 20:51:14 vostro charon: 12[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 35 57 0E CA .... .......5W..
May 29 20:51:14 vostro charon: 12[KNL] 320: 9D A2 2D C8 C6 92 B1 12 06 D2 CE 02 7B E1 FA C1 ..-.........{...
May 29 20:51:14 vostro charon: 12[KNL] 336: A1 18 B1 40 1C 2E 15 9F BF 76 E3 7F AD F0 1F 68 ...
May 29 20:51:14 vostro charon: 12[KNL] 352: 1C 00 04 00 02 00 11 94 11 94 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 ............
May 29 20:51:14 vostro charon: 12[KNL] received netlink error: Invalid argument (22)
May 29 20:51:14 vostro charon: 12[KNL] unable to add SAD entry with SPI cb825510
May 29 20:51:14 vostro charon: 12[KNL] adding SAD entry with SPI cc7f334c and reqid {1} (mark 0/0x00000000)
May 29 20:51:14 vostro charon: 12[KNL] using encryption algorithm AES_GCM_16 with key size 288
May 29 20:51:14 vostro charon: 12[KNL] using replay window of 32 packets
May 29 20:51:14 vostro charon: 12[KNL] sending XFRM_MSG_NEWSA: => 380 bytes 0x7eff071854e0
May 29 20:51:14 vostro charon: 12[KNL] 0: 7C 01 00 00 10 00 05 00 CB 00 00 00 73 15 00 00 |...........s...
May 29 20:51:14 vostro charon: 12[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 64: 00 00 00 00 00 00 00 00 25 00 79 48 00 00 00 00 ........%.yH....
May 29 20:51:14 vostro charon: 12[KNL] 80: 00 00 00 00 00 00 00 00 CC 7F 33 4C 32 00 00 00 ..........3L2...
May 29 20:51:14 vostro charon: 12[KNL] 96: AC 10 01 65 00 00 00 00 00 00 00 00 00 00 00 00 ...e............
May 29 20:51:14 vostro charon: 12[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
May 29 20:51:14 vostro charon: 12[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
May 29 20:51:14 vostro charon: 12[KNL] 144: C3 0A 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 224: 01 00 00 00 02 00 01 20 20 00 00 00 00 00 00 00 ....... .......
May 29 20:51:14 vostro charon: 12[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm(
May 29 20:51:14 vostro charon: 12[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))...........
May 29 20:51:14 vostro charon: 12[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 B5 1E B0 AD .... ...........
May 29 20:51:14 vostro charon: 12[KNL] 320: 92 45 2E EF 8E 14 78 D8 CC 5D 21 A7 2F 0B E0 6D .E....x..]!./..m
May 29 20:51:14 vostro charon: 12[KNL] 336: AD 8E 00 47 1B EB FB 72 42 14 2E 10 6D 5D 2F 38 ...G...rB...m]/8
May 29 20:51:14 vostro charon: 12[KNL] 352: 1C 00 04 00 02 00 11 94 11 94 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 ............
May 29 20:51:14 vostro charon: 12[KNL] received netlink error: Invalid argument (22)
May 29 20:51:14 vostro charon: 12[KNL] unable to add SAD entry with SPI cc7f334c
May 29 20:51:14 vostro charon: 12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
May 29 20:51:14 vostro charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
May 29 20:51:14 vostro charon: 12[KNL] deleting SAD entry with SPI cb825510 (mark 0/0x00000000)
May 29 20:51:14 vostro charon: 12[KNL] sending XFRM_MSG_DELSA: => 40 bytes
May 29 20:51:14 vostro charon: 12[KNL] 0: 28 00 00 00 11 00 05 00 CC 00 00 00 73 15 00 00 (...........s...
May 29 20:51:14 vostro charon: 12[KNL] 16: AC 10 01 65 00 00 00 00 00 00 00 00 00 00 00 00 ...e............
May 29 20:51:14 vostro charon: 12[KNL] 32: CB 82 55 10 02 00 32 00 ..U...2.
May 29 20:51:14 vostro charon: 12[KNL] deleted SAD entry with SPI cb825510 (mark 0/0x00000000)
May 29 20:51:14 vostro charon: 12[KNL] deleting SAD entry with SPI cc7f334c (mark 0/0x00000000)
May 29 20:51:14 vostro charon: 12[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7eff07185760
May 29 20:51:14 vostro charon: 12[KNL] 0: 28 00 00 00 11 00 05 00 CD 00 00 00 73 15 00 00 (...........s...
May 29 20:51:14 vostro charon: 12[KNL] 16: 25 00 79 48 00 00 00 00 00 00 00 00 00 00 00 00 %.yH............
May 29 20:51:14 vostro charon: 12[KNL] 32: CC 7F 33 4C 02 00 32 00 ..3L..2.
May 29 20:51:14 vostro charon: 12[IKE] received AUTH_LIFETIME of 10078s, scheduling reauthentication in 9538s
May 29 20:51:14 vostro charon: 12[IKE] peer supports MOBIKE
Any ideas?
regards,
/WS
Related issues
History
#1 Updated by Andreas Steffen over 12 years ago
- Category set to kernel
- Status changed from New to Feedback
- Assignee set to Andreas Steffen
Cześć Wojtek,
I successfully ran the strongSwan 5.0.4 regression tests with a vanilla Linux 3.9 x86_64 kernel from www.kernel.org on an i7-3517U processor:
http://www.strongswan.org/uml/testresults/ikev2/alg-aes-gcm/carol.ip.state
but I'm not sure if the AES-NI driver was really used by that kernel. Which kernel version is Fedora 18 x86_64 using?
Some AES-GCM kernel issues have been reported recently, e.g:
http://marc.info/?l=linux-crypto-vger&m=136578728017773&w=4
but I don't know if the bug affects the Linux Netlink XFRM interface. We are going to have a closer look into this issue and will come back to you with more feedback.
Na razie
Andreas
#2 Updated by Andreas Steffen over 12 years ago
The AES256-GCM regression test is working on our virtual KVM hosts because QEMU is not passing the AES flag of the host processor:
cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 2
model name : QEMU Virtual CPU version 1.4.0
stepping : 3
microcode : 0x1
cpu MHz : 2394.560
cache size : 4096 KB
fpu : yes
fpu_exception : yes
cpuid level : 4
wp : yes
flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm rep_good nopl pni vmx cx16 popcnt hypervisor lahf_lm
bogomips : 4789.12
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management:
Running strongSwan 5.0.4 directly on my i7 host under Ubuntu 13.04 with a 3.8.0-22-generic x86_64 kernel I can reproduce your error:
14[KNL] adding SAD entry with SPI c1143b64 and reqid {1} (mark 0/0x00000000)
14[KNL] using encryption algorithm AES_GCM_16 with key size 288
14[KNL] using replay window of 32 packets
14[KNL] sending XFRM_MSG_UPDSA: => 352 bytes @ 0x7f5fbe3134c0
14[KNL] 0: 60 01 00 00 1A 00 05 00 CA 00 00 00 34 60 00 00 `...........4`..
14[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 64: 00 00 00 00 00 00 00 00 C0 A8 00 FE 00 00 00 00 ................
14[KNL] 80: 00 00 00 00 00 00 00 00 C1 14 3B 64 32 00 00 00 ..........;d2...
14[KNL] 96: C0 A8 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
14[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
14[KNL] 144: 91 0B 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................
14[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 224: 01 00 00 00 02 00 01 20 20 00 00 00 00 00 00 00 ....... .......
14[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm(
14[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))...........
14[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 9A 88 05 15 .... ...........
14[KNL] 320: 55 15 A1 09 C6 02 29 AC 4D 0A 23 24 94 25 14 9C U.....).M.#$.%..
14[KNL] 336: B5 30 1F 9F 17 52 30 CF 17 25 01 84 A9 66 DF 0D .0...R0..%...f..
14[KNL] received netlink error: Invalid argument (22)
14[KNL] unable to add SAD entry with SPI c1143b64
This is clearly a Linux kernel bug in the AES-NI driver because the XFRM interface the strongSwan charon daemon is using does not change if AES-NI is activated in the kernel. BTW - openssl detects and executes the AES-NI instructions directly, not via the kernel API.
#3 Updated by Wojciech Slusarczyk over 12 years ago
Hello Andreas,
This is clearly a Linux kernel bug in the AES-NI driver because the XFRM interface the strongSwan charon daemon is using does not change if AES-NI is activated in the kernel. BTW - openssl detects and executes the AES-NI instructions directly, not via the kernel API.
Thank you for your quick response. Is there any chance to work around that bug, or do we need to wait for the kernel folks to fix it?
regards,
/WS
#4 Updated by Andreas Steffen over 12 years ago
Tobias took a look at the aesni-intel kernel source code and he found out that AES-GCM with 256 bit key is just not supported [yet] by the x86_64 assembly code. This is the reason why XFRM returns with an Invalid Value error code. Since there is no fallback to the software implementation just for the AES-GCM 256 bit case, the only workaround we see is to disable or blacklist the aesni-intel kernel module which will disable all AES-NI acceleration in the kernel.
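As an added illustration (not code from this issue or from strongSwan), the following Python decodes the XFRMA_ALG_AEAD attribute out of the charon netlink dump quoted in the report above, showing that the rejected request asks for rfc4106(gcm(aes)) with a 288-bit key, i.e. a 256-bit AES key plus the 32-bit RFC 4106 salt. The attribute offset 240 (nlmsghdr plus xfrm_usersa_info on x86_64) is read off the dump and is an assumption.

```python
import re
import struct

XFRMA_ALG_AEAD = 18      # include/uapi/linux/xfrm.h
RFC4106_SALT_BITS = 32   # RFC 4106 appends a 4-byte salt to the AES key
ATTR_BASE = 240          # assumption: nlmsghdr (16) + xfrm_usersa_info (224 on x86_64)

# Attribute section of the XFRM_MSG_UPDSA dump quoted in the report above.
DUMP = """\
May 29 20:51:14 vostro charon: 12[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm(
May 29 20:51:14 vostro charon: 12[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))...........
May 29 20:51:14 vostro charon: 12[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 35 57 0E CA .... .......5W..
May 29 20:51:14 vostro charon: 12[KNL] 320: 9D A2 2D C8 C6 92 B1 12 06 D2 CE 02 7B E1 FA C1 ..-.........{...
May 29 20:51:14 vostro charon: 12[KNL] 336: A1 18 B1 40 1C 2E 15 9F BF 76 E3 7F AD F0 1F 68 ...
May 29 20:51:14 vostro charon: 12[KNL] 352: 1C 00 04 00 02 00 11 94 11 94 00 00 00 00 00 00 ................
May 29 20:51:14 vostro charon: 12[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

def dump_bytes(text, base):
    """Rebuild bytes from charon's '[KNL] <offset>: <hex> <ascii>' lines."""
    out = bytearray()
    for line in text.splitlines():
        m = re.search(r"\[KNL\]\s+(\d+):((?:\s[0-9A-F]{2})+)", line)
        if m and int(m.group(1)) - base == len(out):   # keep lines contiguous
            out += bytes.fromhex(m.group(2))
    return bytes(out)

def aead_algos(attrs):
    """Walk the nlattr chain and decode every XFRMA_ALG_AEAD (struct xfrm_algo_aead)."""
    found, off = [], 0
    while off + 4 <= len(attrs):
        nla_len, nla_type = struct.unpack_from("<HH", attrs, off)  # x86 is little-endian
        if nla_len < 4:
            break
        if nla_type == XFRMA_ALG_AEAD and nla_len >= 76:
            name = attrs[off + 4:off + 68].split(b"\0", 1)[0].decode()   # alg_name[64]
            key_bits, icv_bits = struct.unpack_from("<II", attrs, off + 68)
            salt = RFC4106_SALT_BITS if name.startswith("rfc4106(") else 0
            found.append({"name": name, "key_bits": key_bits,
                          "icv_bits": icv_bits, "aes_bits": key_bits - salt})
        off += (nla_len + 3) & ~3   # NLA_ALIGN(4)
    return found

def hits_aesni_gcm_limit(algo):
    """The case from this issue: 256-bit AES inside rfc4106(gcm(aes)), which the
    aesni_intel wrapper rejected with EINVAL on kernels before 4.0."""
    return algo["name"] == "rfc4106(gcm(aes))" and algo["aes_bits"] == 256
```

Running the same decoder over the maintainer's Ubuntu dump gives the identical 288/128-bit result, which is why the two reports fail the same way.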
#5 Updated by Wojciech Slusarczyk over 12 years ago
Once again thank you for your help.
/WS
#6 Updated by Tobias Brunner almost 12 years ago
- Status changed from Feedback to Closed
- Resolution set to No change required
#7 Updated by Yves-Alexis Perez almost 12 years ago
Andreas Steffen wrote:
Tobias took a look at the aesni-intel kernel source code and he found out that AES-GCM with 256 bit key is just not supported [yet] by the x86_64 assembly code. This is the reason why XFRM returns with an Invalid Value error code. Since there is no fallback to the software implementation just for the AES-GCM 256 bit case, the only workaround we see is to disable or blacklist the aesni-intel kernel module which will disable all AES-NI acceleration in the kernel.
I had the same issue, and using aes128gcm16 instead of aes256gcm16 indeed fixed the issue. But since aes256-sha256 works fine, does this mean aes256 doesn't actually use aes-ni at all?
#8 Updated by Tobias Brunner almost 12 years ago
But since aes256-sha256 works fine, does this mean aes256 doesn't actually use aes-ni at all?
No, the limitation to 128 bits only affects the AES-GCM (RFC 4106) wrapper provided by the aesni_intel module.
#9 Updated by Jonathan Davies almost 11 years ago
Tobias Brunner wrote:
But since aes256-sha256 works fine, does this mean aes256 doesn't actually use aes-ni at all?
No, the limitation to 128 bits only affects the AES-GCM (RFC 4106) wrapper provided by the aesni_intel module.
This seems to be worked on upstream: https://marc.info/?t=139362898600001&r=1&w=2
#10 Updated by Jonathan Davies over 10 years ago
Jonathan Davies wrote:
This seems to be worked on upstream: https://marc.info/?t=139362898600001&r=1&w=2
This now appears to be implemented in 4.0 onwards: http://git.kernel.org/linus/e31ac32d3bc