
Conversation

@Manciukic Manciukic commented Oct 24, 2025

Changes

Replace the aes-gcm crate with the AES-GCM implementation inside aws-lc-rs.

Also, this adds a performance test to verify there is no significant regression. From my testing, some instance/kernel combinations are faster and some are slower. The biggest regression is 15us (5%) on m7a.
A/B passed on this new test: https://buildkite.com/firecracker/mancio-test-perf/builds/75

Reason

Remove dependency on aes-gcm package which is using deprecated functions from generic-array@0.14.9. The package hasn't received a stable update in 2 years.
This gets rid of 16 dependencies (from 219 to 203).

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.82%. Comparing base (b7d041f) to head (f8c2e2d).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5492      +/-   ##
==========================================
- Coverage   82.82%   82.82%   -0.01%     
==========================================
  Files         269      269              
  Lines       27747    27733      -14     
==========================================
- Hits        22981    22969      -12     
+ Misses       4766     4764       -2     
Flag Coverage Δ
5.10-m5n.metal 82.98% <100.00%> (-0.01%) ⬇️
5.10-m6a.metal 82.25% <100.00%> (-0.01%) ⬇️
5.10-m6g.metal 79.65% <100.00%> (-0.01%) ⬇️
5.10-m6i.metal 82.98% <100.00%> (-0.01%) ⬇️
5.10-m7a.metal-48xl 82.24% <100.00%> (-0.01%) ⬇️
5.10-m7g.metal 79.65% <100.00%> (-0.01%) ⬇️
5.10-m7i.metal-24xl 82.95% <100.00%> (-0.01%) ⬇️
5.10-m7i.metal-48xl 82.95% <100.00%> (-0.02%) ⬇️
5.10-m8g.metal-24xl 79.64% <100.00%> (-0.01%) ⬇️
5.10-m8g.metal-48xl 79.64% <100.00%> (-0.02%) ⬇️
6.1-m5n.metal 83.01% <100.00%> (-0.01%) ⬇️
6.1-m6a.metal 82.28% <100.00%> (-0.01%) ⬇️
6.1-m6g.metal 79.64% <100.00%> (-0.01%) ⬇️
6.1-m6i.metal 83.01% <100.00%> (?)
6.1-m7a.metal-48xl 82.27% <100.00%> (-0.01%) ⬇️
6.1-m7g.metal 79.64% <100.00%> (-0.02%) ⬇️
6.1-m7i.metal-24xl 83.02% <100.00%> (-0.01%) ⬇️
6.1-m7i.metal-48xl 83.02% <100.00%> (-0.02%) ⬇️
6.1-m8g.metal-24xl 79.64% <100.00%> (-0.01%) ⬇️
6.1-m8g.metal-48xl 79.64% <100.00%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown.

Manciukic (Contributor Author) commented

Looking at how much binary size we shaved by removing 16 dependencies, I found out AWS-LC AVX512 implementation is actually adding 600k of binary size (+25%):

# before
$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
2669753  242609   10776 2923138  2c9a82 build/cargo_target/x86_64-unknown-linux-musl/release/firecracker

# after
$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
3378329  244617   11000 3633946  37731a build/cargo_target/x86_64-unknown-linux-musl/release/firecracker

$ nm --print-size --size-sort --radix=d build/cargo_target/x86_64-unknown-linux-musl/release/firecracker | tail -5
0000000000479744 0000000000022935 t _ZN137_$LT$firecracker..api_server..parsed_request..ParsedRequest$u20$as$u20$core..convert..TryFrom$LT$$RF$micro_http..request..Request$GT$$GT$8try_from17h8daaa01a70910ab6E
0000000001950608 0000000000024556 t _ZN182_$LT$vmm..device_manager.._..$LT$impl$u20$serde_core..de..Deserialize$u20$for$u20$vmm..device_manager..DevicesState$GT$..deserialize..__Visitor$u20$as$u20$serde_core..de..Visitor$GT$9visit_seq17hf377c1765d6025e8E
0000000001906672 0000000000027248 t _ZN168_$LT$vmm..persist.._..$LT$impl$u20$serde_core..de..Deserialize$u20$for$u20$vmm..persist..MicrovmState$GT$..deserialize..__Visitor$u20$as$u20$serde_core..de..Visitor$GT$9visit_seq17ha7897829b99bf9f8E
0000000002662240 0000000000339921 t aws_lc_0_32_3_aes_gcm_decrypt_avx512
0000000002322304 0000000000339925 t aws_lc_0_32_3_aes_gcm_encrypt_avx512

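To make the size attribution above reproducible, here is an added Python script (not part of the PR or the Firecracker tree) that parses the `size` and `nm --print-size --size-sort --radix=d` output quoted in this comment and reports what share of the .text growth the AVX512 AES-GCM symbols account for. The sample input is copied from the comment; the function names and the `_avx512$` pattern are my own.

```python
import re

# Sample input copied from the PR comment: `size` output before and after the
# change, and the last lines of `nm --print-size --size-sort --radix=d`.
SIZE_BEFORE = """\
   text    data     bss     dec     hex filename
2669753  242609   10776 2923138  2c9a82 build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
"""
SIZE_AFTER = """\
   text    data     bss     dec     hex filename
3378329  244617   11000 3633946  37731a build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
"""
NM_TAIL = """\
0000000000479744 0000000000022935 t _ZN137_$LT$firecracker..api_server..parsed_request..ParsedRequest$u20$as$u20$core..convert..TryFrom$LT$$RF$micro_http..request..Request$GT$$GT$8try_from17h8daaa01a70910ab6E
0000000002662240 0000000000339921 t aws_lc_0_32_3_aes_gcm_decrypt_avx512
0000000002322304 0000000000339925 t aws_lc_0_32_3_aes_gcm_encrypt_avx512
"""

def parse_size(output):
    """Parse GNU `size` (Berkeley format) into {"text": ..., "data": ..., "bss": ...}."""
    header, row = [line.split() for line in output.strip().splitlines()[:2]]
    return {name: int(value) for name, value in zip(header[:3], row[:3])}

def parse_nm(output):
    """Parse `nm --print-size --radix=d` lines into (size, type, symbol) tuples."""
    entries = []
    for line in output.strip().splitlines():
        _addr, size, kind, name = line.split(None, 3)
        entries.append((int(size), kind, name))
    return entries

def section_delta(before, after, section="text"):
    """Bytes added to one section between two `size` runs."""
    return parse_size(after)[section] - parse_size(before)[section]

def attribute(entries, pattern):
    """Total size of .text symbols (type t/T) whose name matches the regex."""
    rx = re.compile(pattern)
    return sum(size for size, kind, name in entries if kind in ("t", "T") and rx.search(name))

def explain_growth(before, after, nm_output, pattern):
    """Return (delta, matched_bytes, share): how much of the .text growth
    the symbols matching `pattern` explain."""
    delta = section_delta(before, after)
    matched = attribute(parse_nm(nm_output), pattern)
    return delta, matched, matched / delta

if __name__ == "__main__":
    delta, matched, share = explain_growth(SIZE_BEFORE, SIZE_AFTER, NM_TAIL, r"_avx512$")
    print(f".text grew by {delta} bytes; {matched} bytes ({share:.1%}) are AVX512 AES-GCM symbols")
```

Run against the full `nm` output of a real build (not just the tail) to attribute growth to any symbol family, e.g. a crate prefix.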

Manciukic commented Oct 24, 2025

I've pushed a change to disable AVX512, let's see how it goes: https://buildkite.com/firecracker/mancio-test-perf/builds/76

The size is now just 8k more:

$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
2676297  244193   11000 2931490  2cbb22 build/cargo_target/x86_64-unknown-linux-musl/release/firecracker

Adds a perf test that generates and uses a MMDSv2 token 100 times in a
loop.

Signed-off-by: Riccardo Mancini <mancio@amazon.com>

The previous dependency is outdated and uses deprecated APIs. With this
change we start using AWS-LC, with no changes visible to our users.

This also gets rid of a bunch of dependencies.

Signed-off-by: Riccardo Mancini <mancio@amazon.com>

After replacing aes-gcm with aws-lc AES-GCM implementation, we noticed
the binary size increased by 600k. This is mostly due to the AVX512
functions taking a ridiculous amount of space.

0000000002662240 0000000000339921 t aws_lc_0_32_3_aes_gcm_decrypt_avx512
0000000002322304 0000000000339925 t aws_lc_0_32_3_aes_gcm_encrypt_avx512

This commit disables AVX512 support in AWS-LC as we didn't measure any
performance penalty.

Signed-off-by: Riccardo Mancini <mancio@amazon.com>