Intel Back To Working On Key Locker For Linux After Tackling Big Performance Issue
Intel's open-source engineers have been working on Linux support for Key Locker, a hardware feature introduced with Tiger Lake CPUs, since 2020. After nearly three years of work and a hiatus, a new version of the patches has been sent out now that a significant performance issue has been worked through and is being addressed with forthcoming firmware.
As a reminder, Intel Key Locker is the company's hardware-enabled means of encrypting and decrypting data with an AES key without software having access to the raw key value. AES keys are converted into handles, which can then be used to carry out encryption/decryption on that given system, and only until they are revoked or the system state changes. The focus of Intel Key Locker is better protection of AES keys.
Intel Key Locker has been present on Core client processors since Tiger Lake and continues to be supported at least through Raptor Lake. However, the Linux support has been in flux and is not mainlined.
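To check whether a given processor exposes Key Locker, the CPUID feature bits can be decoded as in the following added example (not code from the article or from Intel's patch series). The bit positions follow Intel's CPUID documentation for leaf 07H and leaf 19H; the struct and function names are hypothetical, and the register values in `main()` come from the local CPU.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/clang helper: __get_cpuid_count() */
#endif

/* Hypothetical summary of the Key Locker CPUID bits. */
struct kl_caps {
    int supported;   /* CPUID.(EAX=07H,ECX=0):ECX[23]: hardware has Key Locker */
    int enabled;     /* CPUID.19H:EBX[0] AESKLE: instructions fully enabled    */
    int wide;        /* CPUID.19H:EBX[2]: wide (8-block) instructions          */
    int cpl0_only;   /* CPUID.19H:EAX[0]: ring-0-only handle restriction       */
    int no_encrypt;  /* CPUID.19H:EAX[1]: decrypt-only handle restriction      */
    int no_decrypt;  /* CPUID.19H:EAX[2]: encrypt-only handle restriction      */
};

/* Pure decoder, so it can be exercised on constructed register values. */
struct kl_caps kl_decode(uint32_t leaf7_ecx, uint32_t leaf19_eax, uint32_t leaf19_ebx)
{
    struct kl_caps c = {0};
    c.supported = (leaf7_ecx >> 23) & 1;
    if (!c.supported)
        return c;               /* leaf 19H is only meaningful with the KL bit */
    c.enabled    = leaf19_ebx & 1;
    c.wide       = (leaf19_ebx >> 2) & 1;
    c.cpl0_only  = leaf19_eax & 1;
    c.no_encrypt = (leaf19_eax >> 1) & 1;
    c.no_decrypt = (leaf19_eax >> 2) & 1;
    return c;
}

/* Reads the local CPU; returns 0 on success, -1 if CPUID is unavailable. */
int kl_query(struct kl_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d, a19 = 0, b19 = 0, c19, d19;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return -1;
    if ((c >> 23) & 1)
        __get_cpuid_count(0x19, 0, &a19, &b19, &c19, &d19);
    *out = kl_decode(c, a19, b19);
    return 0;
#else
    (void)out;
    return -1;                  /* not an x86 build */
#endif
}

int main(void)
{
    struct kl_caps k;
    if (kl_query(&k) != 0) { puts("CPUID leaf 7 not available"); return 1; }
    printf("supported=%d enabled=%d wide=%d cpl0_only=%d no_encrypt=%d no_decrypt=%d\n",
           k.supported, k.enabled, k.wide, k.cpl0_only, k.no_encrypt, k.no_decrypt);
    return 0;
}
```

A result of `supported=1 enabled=0` means the hardware has the feature but system software has not enabled it.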
Sent out on Monday was the sixth iteration of the Intel Key Locker patches for the Linux kernel. This work had been stalled because a significant decryption performance issue was spotted in the prior patches. In particular, going all the way back to the start of 2022, it was noticed that Key Locker decryption performance was much slower than the encryption speed. Intel has tracked down the root cause, and it will be fixed in a forthcoming microcode update for Intel Tiger Lake CPUs to ensure similar encryption/decryption performance. But this microcode update needs to go through a "formal process" of release at Intel and is said to be aiming for release toward the end of the calendar year.
The performance fix is a huge deal: right now on Tiger Lake, Key Locker decryption speeds are around 776 MB/s, while with the unreleased microcode they jump to around 2305 MB/s. The encryption speed also jumps from 1726 to 2308 MB/s. This performance issue appears to be specific to Intel Tiger Lake CPUs.
Yesterday's Linux kernel patches also came with some numbers for Key Locker on Raptor Lake. Even on the latest-generation Raptor Lake processors, using Intel Key Locker is roughly half the speed of using Intel AES-NI acceleration alone. So Intel Key Locker may offer better security through its protection of AES keys, but even on Raptor Lake it still comes with big performance implications.
In any event, the Intel Key Locker v6 patches are now available with some fixes, and the developers are working to get back on track with upstreaming the feature into the Linux kernel now that the performance issue / microcode mitigation for Tiger Lake is on the way.