AES-256-GCM not available

Question

AES-256-GCM not available

MartinJakomin opened this issue 5 years ago · 10 comments

Since the new update, I can not run the loki storage server due to the failure in crypto_aead_aes256gcm_is_available() function. Maybe it is due to the incompatible CPU (which worked fine till now). I suggest you revert this commit to sustain the backward compatibility or find a solution.

Describe the bug
loki-storage wont start since the new update: "AES-256-GCM is not available on this CPU"

To Reproduce
run loki-launcher or loki-storage-server

Desktop (please complete the following information):

Device: VPS
OS + Version: Debian 10
Release Version or Github commit hash: 330581b

Answer 1 · 2020-03-20T15:59:47.000Z

Can you copy a cat /proc/cpuinfo here? Not supporting AES suggests it is a very old model, but it could also be something in the VPS layer not properly passing through instructions.

Answer 2 · 2020-03-20T16:03:01.000Z

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 6
model name      : Common KVM processor
stepping        : 1
microcode       : 0x1
cpu MHz         : 2394.230
cache size      : 16384 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc nopl xtopology cpuid tsc_known_freq pni cx16 x2apic hypervisor lahf_lm cpuid_fault pti
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs
bogomips        : 4788.46
clflush size    : 64
cache_alignment : 128
address sizes   : 40 bits physical, 48 bits virtual
power management:

Do not know if it helps, but I was able to test (with no errors) AES256gcm through openssl: openssl speed -elapsed -evp aes-256-gcm

Answer 3 · 2020-03-20T16:25:45.000Z

Based on cpuinfo, your CPU is advertising its supported instructions of 14 year old, late generation Pentium 4 (family 15, model 6 = Pentium 4 Cedar Mill). It's not actually such a CPU because the CPU clockspeed (2.4GHz), cache (16MB), and number of cores don't match.

This looks like an ISP issue: they are providing a virtual environment that says the CPU only supports instructions that were supported on a 14-year old CPU. This is a terrible KVM configuration, and terrible for performance (aside from the compatibility issue here): the CPU most likely supports various modern instructions but the KVM environment is preventing them from being used by telling the OS that the CPU is 14 years old.

Answer 4 · 2020-03-20T16:40:23.000Z

Hmmm... Is there a possible solution for this? Or must I Change my VPS provider?

Answer 5 · 2020-03-20T16:52:07.000Z

In theory it might be possible to rebuild libsodium with the feature support hard-coded to enabled. I don't know if it will work, but it might.

A better solution is to ask your ISP to improve their KVM configuration; what they are offering here seems pretty crappy.

Answer 6 · 2020-03-20T16:54:48.000Z

They are cheap 🙈

Will ask their support. Thanks for now.

Answer 7 · 2020-03-22T16:49:55.000Z

It was problem with virtualization. Everything works fine now.

Answer 8 · 2021-02-18T19:29:53.000Z

Thought this was an interesting project and attempted to start a service node, but I am also having this issue, though my VPS processor flags do support AES.

Describe the bug
oxen-storage server won't start, giving error [error] [main] AES-256-GCM is not available on this CPU

To Reproduce
run ./oxen-storage 0.0.0.0 22021 --lmq-port 22020 --log-level error --oxend-rpc-ip 127.0.0.1 --oxend-rpc-port 22023
or
systemctl restart oxen-storage-server

Server Specs (please complete the following information):
Device: VPS
OS + Version: Ubuntu 18.04 Bionic
Release Version or Github commit hash: Storage Server 2.0.8

cat /proc/cpuinfo Output designated below:

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 44
model name	: Westmere E56xx/L56xx/X56xx (Nehalem-C)
stepping	: 1
microcode	: 0x1
cpu MHz		: 2400.084
cache size	: 4096 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc nopl cpuid tsc_known_freq pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes hypervisor lahf_lm pti
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit
bogomips	: 4800.16
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

Any idea what I could ask the VPS provider to focus on, or a way to resolve this problem?

Answer 9 · 2021-02-19T12:35:52.000Z

@jagerman Any ideas on what could be causing the test/detection of AES to fail here?
@MartinJakomin Maybe you can show me your new cat /proc/cpuinfo?

Answer 10 · 2021-02-21T00:27:25.000Z

Any ideas on what could be causing the test/detection of AES to fail here?

That's a bit odd: the CPU being advertised there (Nehalem-C) should support the needed AES instructions, but it isn't being advertised in the CPU flags. Possibly a VPS setting controlling what gets passed through?