Public bug reported:
Description
When SEV-SNP is enabled on Ubuntu 24.04, RSA operations experience a
significant performance degradation (approximately 66% slower) compared
to when SEV-SNP is disabled. This appears to be caused by the loss of
crucial CPU instruction sets when SEV-SNP is enabled. The same
performance degradation is not observed on Amazon Linux 2023 with SEV-
SNP enabled.
Environment
• OS Version: Ubuntu 24.04.1 LTS (Noble Numbat)
• Kernel Version: 6.8.0-1018-aws
• CPU: AMD EPYC 7R13 Processor
• Instance Type: AWS EC2 (SEV-SNP capable instance)
• AMI ID: ami-036841078a4b68e14
Performance Comparisons
Performance Comparison: SEV-SNP Enabled vs Disabled
Test Environment
OS: Ubuntu 24.04.1 LTS (Noble Numbat)
Kernel: 6.8.0-1018-aws
Test Command: openssl speed -multi 2 rsa
Results
RSA Key Size SEV-SNP Enabled (sign/s) SEV-SNP Disabled (sign/s)
Performance Impact
512 bits 11,365.3 33,597.3 -66.2%
1024 bits 4,334.5 12,942.3 -66.5%
2048 bits 637.5 1,854.3 -65.6%
3072 bits 203.1 592.6 -65.7%
4096 bits 89.4 260.2 -65.6%
7680 bits 9.9 28.7 -65.5%
15360 bits 1.8 5.3 -66.0%
Analysis
• SEV-SNP significantly impacts RSA performance, with a consistent decrease of
about 65-66% across all key sizes.
==================================================================
Performance Comparison: SEV-SNP Enabled vs Disabled on Amazon Linux 2023
Test Environment
• OS: Amazon Linux 2023.6.20241212
• Kernel: 6.1.119-129.201.amzn2023.x86_64
• Test Command: openssl speed -multi 2 rsa
• AMI: ami-0b4624933067d393a
Results
RSA Key Size SEV-SNP Enabled (sign/s) SEV-SNP Disabled (sign/s)
PerformImpact
512 bits 33,067.8 35,244.7
-6.2%
1024 bits 12,338.7 13,159.0
-6.2%
2048 bits 1,755.9 1,881.4
-6.7%
3072 bits 560.0 599.6
-6.6%
4096 bits 245.6 262.4
-6.4%
7680 bits 27.2 29.0
-6.2%
15360 bits 5.0 5.4
-7.4%
Analysis
• The performance impact of SEV-SNP on Amazon Linux 2023 is significantly lower
compared to the previous Ubuntu test.
• The decrease in performance is consistently around 6-7% across all RSA key
sizes.
• Both SEV-SNP enabled and disabled instances show much higher performance
compared to the Ubuntu instances in the previous test.
Comparison with Ubuntu Results
RSA Key Size AL2023 Impact Ubuntu Impact
512 bits -6.2% -66.2%
1024 bits -6.2% -66.5%
2048 bits -6.7% -65.6%
3072 bits -6.6% -65.7%
4096 bits -6.4% -65.6%
7680 bits -6.2% -65.5%
15360 bits -7.4% -66.0%
==========================================================
Missing CPU Flags with SEV-SNP Enabled:
AVX
AVX2
VAES
VPCLMULQDQ
FMA
XSAVE
XSAVEOPT
XSAVEC
XGETBV1
RDPRU
Impact on Crypto Subsystem:
• Loss of optimized implementations:
sha256-avx2
sha512-avx2
sha1-avx2
polyval-clmulni
Various VAES-based implementations
Expected Behavior
SEV-SNP should maintain access to these CPU instruction sets while providing
memory encryption and integrity protection, as demonstrated by Amazon Linux
2023's implementation of SEV-SNP, which shows only a 6-7% performance impact.
Additional Evidence
1. The performance impact is consistent across different key sizes
2. The same hardware and configuration on Amazon Linux 2023 shows only 6-7%
performance degradation with SEV-SNP enabled
3. The missing CPU flags directly correlate with the performance degradation
observed
Steps to Reproduce
1. Launch an SEV-SNP capable instance using Ubuntu 24.04 AMI
2. Enable SEV-SNP
3. Run openssl speed -multi 2 rsa
4. Compare results with SEV-SNP disabled instance
5. Verify CPU flags using cat /proc/cpuinfo
Supporting Data
• Complete CPU flags comparison
• Crypto subsystem configuration from both environments
• Full OpenSSL benchmark results
• Sosreport data available if needed
Impact
This issue significantly impacts workloads that rely on RSA operations in
SEV-SNP enabled environments, potentially affecting:
• TLS/SSL performance
• Certificate operations
• Secure communication systems
• Authentication systems
Workaround
Currently, the only known workaround is to use Amazon Linux 2023 instead of
Ubuntu 24.04 for workloads requiring both SEV-SNP and optimal RSA performance.
Additional Notes
1. This behavior appears to be specific to Ubuntu's implementation of SEV-SNP
2. The issue affects all RSA operations consistently
3. Similar performance impact is not observed with Amazon Linux 2023
4. The missing CPU instructions are available when SEV-SNP is disabled
** Affects: linux-aws (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd-epyc aws crypto performance rsa sev-snp ubuntu-noble
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-aws in Ubuntu.
https://bugs.launchpad.net/bugs/2095017
Title:
SEV-SNP Causes Significant RSA Performance Degradation on Ubuntu 24.04
Status in linux-aws package in Ubuntu:
New
Bug description:
Description
When SEV-SNP is enabled on Ubuntu 24.04, RSA operations experience a
significant performance degradation (approximately 66% slower)
compared to when SEV-SNP is disabled. This appears to be caused by the
loss of crucial CPU instruction sets when SEV-SNP is enabled. The same
performance degradation is not observed on Amazon Linux 2023 with SEV-
SNP enabled.
Environment
• OS Version: Ubuntu 24.04.1 LTS (Noble Numbat)
• Kernel Version: 6.8.0-1018-aws
• CPU: AMD EPYC 7R13 Processor
• Instance Type: AWS EC2 (SEV-SNP capable instance)
• AMI ID: ami-036841078a4b68e14
Performance Comparisons
Performance Comparison: SEV-SNP Enabled vs Disabled
Test Environment
OS: Ubuntu 24.04.1 LTS (Noble Numbat)
Kernel: 6.8.0-1018-aws
Test Command: openssl speed -multi 2 rsa
Results
RSA Key Size SEV-SNP Enabled (sign/s) SEV-SNP Disabled (sign/s)
Performance Impact
512 bits 11,365.3 33,597.3 -66.2%
1024 bits 4,334.5 12,942.3 -66.5%
2048 bits 637.5 1,854.3 -65.6%
3072 bits 203.1 592.6 -65.7%
4096 bits 89.4 260.2 -65.6%
7680 bits 9.9 28.7 -65.5%
15360 bits 1.8 5.3 -66.0%
Analysis
• SEV-SNP significantly impacts RSA performance, with a consistent decrease
of about 65-66% across all key sizes.
==================================================================
Performance Comparison: SEV-SNP Enabled vs Disabled on Amazon Linux
2023
Test Environment
• OS: Amazon Linux 2023.6.20241212
• Kernel: 6.1.119-129.201.amzn2023.x86_64
• Test Command: openssl speed -multi 2 rsa
• AMI: ami-0b4624933067d393a
Results
RSA Key Size SEV-SNP Enabled (sign/s) SEV-SNP Disabled (sign/s)
PerformImpact
512 bits 33,067.8 35,244.7
-6.2%
1024 bits 12,338.7 13,159.0
-6.2%
2048 bits 1,755.9 1,881.4
-6.7%
3072 bits 560.0 599.6
-6.6%
4096 bits 245.6 262.4
-6.4%
7680 bits 27.2 29.0
-6.2%
15360 bits 5.0 5.4
-7.4%
Analysis
• The performance impact of SEV-SNP on Amazon Linux 2023 is significantly
lower compared to the previous Ubuntu test.
• The decrease in performance is consistently around 6-7% across all RSA key
sizes.
• Both SEV-SNP enabled and disabled instances show much higher performance
compared to the Ubuntu instances in the previous test.
Comparison with Ubuntu Results
RSA Key Size AL2023 Impact Ubuntu Impact
512 bits -6.2% -66.2%
1024 bits -6.2% -66.5%
2048 bits -6.7% -65.6%
3072 bits -6.6% -65.7%
4096 bits -6.4% -65.6%
7680 bits -6.2% -65.5%
15360 bits -7.4% -66.0%
==========================================================
Missing CPU Flags with SEV-SNP Enabled:
AVX
AVX2
VAES
VPCLMULQDQ
FMA
XSAVE
XSAVEOPT
XSAVEC
XGETBV1
RDPRU
Impact on Crypto Subsystem:
• Loss of optimized implementations:
sha256-avx2
sha512-avx2
sha1-avx2
polyval-clmulni
Various VAES-based implementations
Expected Behavior
SEV-SNP should maintain access to these CPU instruction sets while providing
memory encryption and integrity protection, as demonstrated by Amazon Linux
2023's implementation of SEV-SNP, which shows only a 6-7% performance impact.
Additional Evidence
1. The performance impact is consistent across different key sizes
2. The same hardware and configuration on Amazon Linux 2023 shows only 6-7%
performance degradation with SEV-SNP enabled
3. The missing CPU flags directly correlate with the performance degradation
observed
Steps to Reproduce
1. Launch an SEV-SNP capable instance using Ubuntu 24.04 AMI
2. Enable SEV-SNP
3. Run openssl speed -multi 2 rsa
4. Compare results with SEV-SNP disabled instance
5. Verify CPU flags using cat /proc/cpuinfo
Supporting Data
• Complete CPU flags comparison
• Crypto subsystem configuration from both environments
• Full OpenSSL benchmark results
• Sosreport data available if needed
Impact
This issue significantly impacts workloads that rely on RSA operations in
SEV-SNP enabled environments, potentially affecting:
• TLS/SSL performance
• Certificate operations
• Secure communication systems
• Authentication systems
Workaround
Currently, the only known workaround is to use Amazon Linux 2023 instead of
Ubuntu 24.04 for workloads requiring both SEV-SNP and optimal RSA performance.
Additional Notes
1. This behavior appears to be specific to Ubuntu's implementation of SEV-SNP
2. The issue affects all RSA operations consistently
3. Similar performance impact is not observed with Amazon Linux 2023
4. The missing CPU instructions are available when SEV-SNP is disabled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/2095017/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
