AES-NI support in TrueCrypt (Sandy Bridge problem)

Here's the original post that started this:

For now what we know is that:

• Some laptops have an option in the BIOS that lets you enable/disable AES-NI. Check this first before doing anything else.
• You can test if your system supports it using not only Truecrypt as described above, but also using CPU-Z or Intel's Processor Identification Utility
• A list of CPUs supporting AES-NI can be found here.
• If your CPU is listed as supported, you may need a patched BIOS to enable it.
• On some setups the BIOS update also needs to embed the latest microcode update for the CPU in order for it to work.

Don't hesitate to let your vendor know AES-NI is a feature you want if it doesn't work on your laptop. If you have contacts at hardware and review web sites, try bringing it up (politely) with people who run them, in an effort to give this more exposure. Also have a look through this thread, as people have been posting links to modified BIOSes for certain systems. Using a such a BIOS is at your own risk however, and the risk of bricking your computer is very real if you do it wrong.

 

There's often a BIOS switch to enable that feature, and it's usually disabled by default... have you checked that?

 

No BIOS switch or option, I checked. G73s normally don't come with a AES-NI capable CPU either, so I doubt Asus will add support for it. This is rather annoying, as AES-NI was a large reason for me to upgrade in the first place.

EDIT: Long shot - would it be possible to use UEFI to set/bypass it?

 

I though AES-NI was allways enabled. It's enabled on my i7 620m, and there is no way to disable it. Why would they disable such feature on a ''pretty highend'' processor, that doesn't make sense. I don't even think there is a bios option at all to enable/disable aes-ni.

 

is your 'upgrade' processor a real production chip or is it an engineering sample?

 

I bought the computer already configured from XoticPC, so I assume it's a production chip. I just got it, so I don't see a reason why it would be an engineering sample.

 

I'm unclear here....

Was your laptop factory configured (from Asus) with the 2720 or did XoticPC 'upgrade' the machine with a CPU they themselves installed in their shop?

 

AES-NI is an instruction set just like SSE is. On Intels site it says your chip has it so it is up to the software to detect and use it. Load up Cpuz it should list it in the supported instruction sets.

Intel® Core? i7-2720QM Processor (6M Cache, 2.20 GHz)with SPEC Code(s)SR00W, SR014

Intel® Advanced Encryption Standard Instructions (AES-NI) - Intel® Software Network - Intel® Software Network

 

Upgrade. AES-NI is simply not detected by anything that it should show up as. CPU-Z specifically does not list it. Is there a way to check if it's an engineering sample, beyond opening up the laptop and removing the heatsink? (though I doubt that's the issue - I figure Xotic wouldn't be stupid enough to do that)

EDIT: Ran the Intel CPU ID check and it says AES-NI is not supported, but it also doesn't say anything about it being an engineering sample, like it should if that was the case.

 

So what CPU *does* CPUID and/or the Intel CPU check say is installed?

 

Try the Intel demo.
Demo: Advantage of Westmere Crypto Acceleration Engine - Intel® Software Network - Intel® Software Network

 

2720QM. As for the Intel Demo, it starts up, but runs in SSE mode. If I try to change to ippCpuAES, it just shuts down.

 

Well, I think we've established that there is a problem and that you should probably send the machine back to where you got it.

 

Intel did not put AES in the last i7 quads, maybe the CPU dose not have it?

 

Yes, but we haven't determined whether it's limited to the CPU I got, or the combination of Asus G73SW + CPU. Sending it back is rather useless (not to mention costly given that it would involve international shipping) if it turns out to be a BIOS issue (or something else specific to the laptop model) and can't be fixed by swapping out the CPU.

 

Again, you are going to have to ask XoticPC. They sold you the modified rig......

 

it SHOULD support AES

http://i54.tinypic.com/dyr71x.jpg

 

You may need to get the latest OpenSSL dll or some Windows update depending on which lib the software is using.

 

whaaaaa huh?

 

Definitely not openssl or anything like that, since it affects all software that's supposed to be able to utilize it. For all points and purposes AES-NI simply doesn't exist on my CPU. I will give you it's remotely possible something is somehow blocking it, maybe a damaged system file or something, but highly unlikely.

 

Skywise PM replied to.

Everyone else. Here is what I found with some digging.

The OEM and public release versions from Intel should in fact support AES-NI.

It is likely that anyone with an ES or Engineering Sample might not have AES-NI. There were two version of ES produced. Unfortunately they all use the same part number when it comes to OEMs.

S-spec numbers
ES/QS processors Production processors
Part number Q1CG Q1NC SR012
FF8062700834709 + + +

Q1CG Does not support AES-NI
Q1NC Does support AES-NI

SR012 of course does support AES-NI as it is the release version (public and OEM)

CPU-Z Report (partial)
Specification Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz (Engineering Sample)

It is hard to say that unless a vendor tests the computer with CPU-Z or other PCU ID software, they might not even know until the buyer contacts them.

Needless to say, I have an 2820 ES in my new G73SW-3DE.
Does it perform well? Oh my yes it does.
Would I be able to tell any difference in performance if I had AES-NI? Hard to tell and I really do not know.
Have I contacted the vendor? Yes, just sent them an email before plugging this in.

I do feel that since the vendor usually tests the computer after making any upgrades, they should check to make sure the CPU and anything else that was changed is a fully public release version of hardware. If they want to upgrade with Engineering Samples then they should make it know prior to selling to the customer. Then the customer can ask for OEM. Retail, or go elsewhere if they like.

Okay, now I am done and have to eat some dinner.

Robert

 

Thanks for checking Robert - as mine is not reported as being an engineering sample, I'm thinking this is an Asus issue at this point. I'll let Xotic know so they can perform their own tests.

 

According to the specs on CPU World the Engineering Sample of the 2720 does support AES. So it could very well be something else for yours causing the issue.

 

Well after speaking to the vendor I used, they were totally understanding and supportive. He explained that many of the vendors that have really good prices use Engineering Samples to help keep their sale prices down.

They gave a few options:

• Refund $150 of the purchase price
• Provide shipping both ways and upgrade the processor to the OEM release
• Provide a return shipping and get a full refund of purchase price

I gave them a call and spoke to Rob to discuss the options. He did point out that they would cover any upgrade they did for a full 3 years but said the choice was mine. He then went one more step that sort of made my day (in a good way). He offered to cross-ship a new notebook with the OEM processor. I would then have a few days to get data moved over and then ship the original one with the ES CPU on their dime. Needless to say that is the option I took. It actually works out that I put in an SSD as my primary so I won't have to go thru all the reinstalling or migrating anything over. I might only have to re-activate windows as I had upgraded to Ultimate over Home Premium.

I would recommend that anyone who may be concerned contact the vendor before purchasing and see if you can have the option on an ES CPU or an OEM CPU (or anything else for that matter). I am sure most will have numerous options and be accommodating. They want your business and will do what they can within reason.

Best of luck to all, Robert

 

At least that should get you a retail processor, but it may not fix the underlying problem. Xotic got back to me and they're going to do some investigating on their own. Hopefully they can confirm it and then take it up with Asus.

 

Hi, please let us know if you or the Xotic guys found anything. I am also thinking of upgrading my processor to 2720qm or 2820qm to have the AES-NI intruction set.

 

Xotic said last week they were going to contact a BIOS engineer at Asus, but I haven't heard anything from them since. I think it's safe to say that it won't work on the G53 or G73 as of right now.

 

My G73SW has a Core i7-2630QM processor. I have contacted Intel support and they have clearly stated that this processor should have the AES-NI instruction set. I am going to contact ASUS support with this matter but I don't expect too much. I hope Xotic can acquire some information.

 

fyi, my i7-2920XM has AES-NI and it is detected and functional in truecrypt

 

Okay that's very interesting. Intel has now updated their specification pages to indicate that both the 2630QM and 2635QM CPUs should have AES-NI support after all:

Intel® Core? i7-2630QM Processor (6M Cache, 2.00 GHz)with SPEC Code(s)SR02Y
Intel® Core? i7-2635QM Processor (6M Cache, 2.00 GHz)with SPEC Code(s)SR030

They indicated otherwise, before. It's possible that it's a new stepping that enables it, but CPU world only lists one, and it has AES:

SR02Y (Intel Core i7 Mobile i7-2630QM)

 

I want to bump this, when I launch truecrypt it says I do not have hardware accelerated decryption.
I have an i7 2630qm, just got this laptop, np8130.

Can anyone else verify?

Also when I launch cpuz I do not see AES, but on the Intel page it does have it, what is going on?

 

I just got word from Xotic, who have contacted Asus about this:

I read that basically as "We can't be bothered putting resources on adding the necessary BIOS code". It's certainly not a hardware/chipset issue at this point.

Now the 2630qm/2635qm not supporting AES NI may still be a CPU problem, since the spec sheets originally said it didn't. Until we have more data from people using it on other platforms than Asus, I'm going to go with it being a CPU issue and that Intel's web page are a victim of a typo. Don't let that stop you from complaining to your laptop supplier or Intel though. If someone has any pull with the writers at Anandtech or other hardware sites, you can also try seeing if you can get them to write an article about this issue. It certainly needs to be explored in greater depth at this point.

I'll update the first post in this thread to reflect what we know so far.

 

I already have an open ticket for this issue at ASUS, but they have not replied me yet. If this case is closed without my notebook supporting AES-NI instructions, I will take legal steps.

 

If I had a dollar for every time someone said they would sue someone...

Though I appreciate your fervor, I think you'll have to sue Intel as well, since I've yet to find a single report (outside their web pages) of the 2630QM being AES-NI capable. I did a Google image search, and all CPU-Z screenshots of the 2630QM show it as not having it. I suppose it's theoretically possible that all the manufacturers have AES-NI disabled in the BIOS code for that CPU, but I find it rather unlikely.

 

Well not sue. I don't have neither the money, nor the time for that. But still, I can make official complaints at the Bureau of Consumer Protection (I hope this is the right translation.). This is the second time I have issue with ASUS. I just want to return their "kindness".

Anyway the ticket is still open, I am curious about the outcome. I pointed out, that their official specification does not mention any restriction regarding the CPU or modification of it, therefore it should have the AES-NI instruction set. Furthermore their official site states that they do take responsibility for its contents. But I think, I will not get anything out of this, except an apology. Which does not speeds up the AES encryption on my notebook.

 

ASUS support answered me. None of their notebooks supports AES-NI instruction due to a U.S. regulation. So they are forced to omit the support of this instruction set. They also stated that the processor in G73SW is not OEM or special in any way. Therefore the limitation comes from the BIOS side.

The mailing went trough the local TSD and the person I was in contact with was not a technician so I was not able to get every information I wanted, but as I understood there is no restriction in BIOS for AES-NI. I guess it is simply not enabled.

 

LOL, that's so much bull. Whoever you talked to is just making things up. US regulations is not the problem, or no laptop or computer maker would be able to support AES-NI, and that's clearly not the case.

 

I've bought one of these asus notebooks with the Intel-2630QM and aes-ni disabled. I've filed a ticket with the technical details asking them to release an updated bios image with the instructions enabled by default.

 

Hi guys, recently I asked Intel directly about AES-NI in 2630QM processors and today I received official answer from one Intel guy - now this is interesting:

- So, I should ask in my case Asus for BIOS/microcode update or even maybe about processor revision actually supporting AES-NI? What would you do in this case?

 

I think you should talk to your Intel guy again first and ask for confirmation. If you look at page 15-16, you'll notice that AES-NI is not enabled for the 2630QM or 2635QM. It should have a 6 in the notes field if that was the case.

Basically, I want Intel to either admit the web specifications is a mistake, or that the CPUs do support it. If it's the former, Intel can fix it and clear up the confusion. If it's the latter, people can push their vendors to get support added, and Intel can also do the same from their end. With AMD supporting their own version of AES-NI on upcoming Bulldozer CPUs, it's in their best interest to get the functionality enabled so they can stay competitive.

 

I have this same exact issue with my Lenovo Ideapad y570. It has a i7 2630QM, but both TrueCrypt and CPUz both say that AES-NI is not supported. I checked the BIOS but there is no setting to turn this on or off.

I will try to reach out to Lenovo customer support to see what their take is on this, but to be honest I'm not expecting much.

 

ths thread should be retitled to something like "lack of BIOS support for AES instructions in some laptops".

It's NOT a truecrypt problem.

 

It's not just a BIOS issue either, since it's also possible that it's not enabled in some CPUs, even though they're listed as supporting it. At the time when I started the thread however, all I knew was that AES-NI in Truecrypt didn't work.

But you'll notice that I edited the top post with a new thread title a while back to reflect the new information. Unfortunately I can't change the thread title as listed in the forum, since I don't have mod powers.

 

I'm leaning towards (99% certainty) that it's disabled by the BIOS silently. There's an undocumented flag which can be set on the CPU via a MSR (machine specific register) that disables AES-NI. Hardware vendors have complete control over this though, they probably did it at the request of Intel pending some microcode update, or `insert conspiracy theory here`.

I've seen one bios mod for lenovo notebooks that enables it again.

 

Oh I'm sure it's a BIOS issue that prevents it working in my case. The question is if it's one for ones with 2630QM CPUs however, which I doubt. I've yet to hear of that working with AES-NI, even on laptops that otherwise do support it.

 

I spoke to an Intel technical support representative, they confirmed that the i7-2630QM does support AES-NI as far as they are concerned and referred me to the laptop manufacturer as "whether or not it is enabled" is up to them.

Still waiting to hear from ASUS, will call them tomorrow.

 

ASUS kindly provided me with an updated BIOS image and now I have AES-NI on my 2630QM!

 

That's a first! What laptop do you have? Also, can you provide screenshot proof from CPU-Z? I'm curious as to exactly what stepping etc. is used in your laptop.

 

That's great - what is your ASUS notebook model and how did you contacted them? Using message board or direct email request? I got ASUS N53SN a I would like to see AES-NI in my machine too!

 

K53E, you should go to the ASUS website and file a request for your model, that's what I did.:

ASUSTeK Computer Inc.

I presume they'll probably release a fix per model across the board eventually.

cpuz screenshot: imgur: the simple image sharer