Does Java use AES-NI when available?

Question

I just heard of the instruction set extension AES-NI. Does Java's JIT compiler compile the application to use AES-NI if it is available to enhance performance?

And if yes, does it also do so if it is not sure that AES will be used (like when using TLS)?

I think it's not bundled with JDK, you have to download and build it yourself https://software.intel.com/en-us/articles/intel-aes-ni-performance-testing-on-linuxjava-stack#enable-intel-eas-ni-in-oracle-jvm — Leo, Aug 26 '14 at 12:33
If you just accept answers because they sound plausible, you're going to make assumptions that do not hold true. — Maarten Bodewes, Aug 27 '14 at 15:19

ntoskrnl · Answer 1 · 2014-08-27T16:10:54.223

5

Java 8 and 7u40 and later include support for x86 AES intrinsics for the built-in SunJCE provider, ~~but the feature is not enabled by default~~ (it is).

Search globals.hpp for "AES":

product(bool, UseAES, false,                                              \
        "Control whether AES instructions can be used on x86/x64")        \
...
product(bool, UseAESIntrinsics, false,                                    \
        "Use intrinsics for AES versions of crypto")                      \

You can enable the feature by passing the -XX:+UseAES -XX:+UseAESIntrinsics options to the virtual machine.

edited Aug 27 '14 at 16:10

answered Aug 26 '14 at 17:43

ntoskrnl

5,714
2
27
31

1

Are you sure? Testing on previous versions showed that it was turned on. If you are right, then Oracle switched tactics. Note my close vote for dupe. – Maarten Bodewes Aug 27 '14 at 15:15
2

@owlstead I just tested with `-XX:+PrintFlagsFinal` and it's indeed enabled by default. The flags are likely modified somewhere else in the code, overwriting the values initialized here. The question is definitely a dupe though. – ntoskrnl Aug 27 '14 at 16:07
I think they get changed after the presence of AES-NI is detected. Note that on the first CPU's that contain the instruction, that detection may fail... – Maarten Bodewes Aug 27 '14 at 16:10
1

Note: you need to use the Java server VM to enable intrinsics. – Maarten Bodewes Jul 23 '16 at 20:36

score 0 · Accepted Answer · answered Aug 26 '14 at 14:54

0

I think it's not bundled with JDK, you have to download and build it yourself

See https://software.intel.com/en-us/articles/intel-aes-ni-performance-testing-on-linuxjava-stack#enable-intel-eas-ni-in-oracle-jvm

answered Aug 26 '14 at 14:54

Leo

6,480
4
37
52

2

That applies to some kind of a third party NSS-based security provider. The SunJCE provider supports AES intrinsics too. – ntoskrnl Aug 26 '14 at 17:44

Does Java use AES-NI when available?

2 Answers2