Skip to content

feat: display OpenSSL CPU hardware-acceleration feature flags at startup#963

Open
serene-kitfisto-8899 wants to merge 2 commits into
developfrom
feat/openssl_cpu_features
Open

feat: display OpenSSL CPU hardware-acceleration feature flags at startup#963
serene-kitfisto-8899 wants to merge 2 commits into
developfrom
feat/openssl_cpu_features

Conversation

@serene-kitfisto-8899
Copy link
Copy Markdown
Contributor

@serene-kitfisto-8899 serene-kitfisto-8899 commented May 27, 2026

Summary

Log human-readable OpenSSL CPU hardware-acceleration feature flags at KMS startup for compliance and audit purposes.

Changes

  • crate/server/src/openssl_providers.rs: Add cpu_features_info() -> String that calls OpenSSL_version(OPENSSL_CPU_INFO=9) (raw c_int; openssl-sys does not expose this constant), strips the CPUINFO: prefix and decodes the bitmask per architecture:
    • x86_64: 5×u64 ia32cap words (CPUID leaves 1, 7.0, 7.1, 24) → named flags (AES-NI, PCLMULQDQ, AVX, AVX2, SHA, VAES, RDRAND, etc.)
    • AArch64: 1×u32 armcap word → ARMV8_AES, ARMV8_SHA256, ARMV8_SHA512, ARMV8_SVE, ARMV8_SVE2, etc.
    • PowerPC: 1×u32 ppccap word → PPC_ALTIVEC, PPC_CRYPTO207, etc.
    • s390x / RISC-V / unknown: raw OpenSSL string logged verbatim

Example output

INFO OpenSSL CPU features (x86_64): MMX, SSE, SSE2, SSE3, PCLMULQDQ, SSSE3, FMA, SSE4.1, SSE4.2, MOVBE, POPCNT, AES-NI, XSAVE, AVX, RDRAND, BMI1, AVX2, BMI2, RDSEED, ADX, SHA, GFNI, VAES, VPCLMULQDQ, AVX-VNNI

Notes

  • No new Rust dependencies introduced.
  • Both FIPS and non-FIPS builds compile clean.
  • Visible under --info flag (lightweight probe mode) since it runs before provider loading.

feat: display OpenSSL CPU hardware-acceleration feature flags at startup
98bc5f0 
Add cpu_features_info() to openssl_providers.rs that calls
OpenSSL_version(OPENSSL_CPU_INFO=9) and decodes the raw bitmask string
into human-readable flag names logged at INFO level immediately after
the existing OpenSSL version line.

Architectures supported:
- x86_64: 5×u64 ia32cap words (CPUID leaves 1, 7.0, 7.1, 24) decoded to
  named flags: MMX, SSE2, AES-NI, PCLMULQDQ, AVX, AVX2, SHA, VAES,
  RDRAND, AVX512F, etc.
- AArch64: 1×u32 armcap word decoded to ARMV8_AES, ARMV8_SHA256,
  ARMV8_SHA512, ARMV8_SVE, etc.
- PowerPC: 1×u32 ppccap word decoded to PPC_ALTIVEC, PPC_CRYPTO207, etc.
- s390x / RISC-V / other: raw OpenSSL string logged verbatim.

No new dependencies introduced. OPENSSL_CPU_INFO constant value (9) is
used as a raw c_int because openssl-sys does not yet expose it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@serene-kitfisto-8899