Use AWS-LC AES-GCM implementation

[Manciukic]

Changes

Replace the aes-gcm crate with the AES-GCM implementation inside aws-lc-rs.

Also, adds a performance test to verify there is no significant regression. From my testing, some instance/kernel combinations are faster and some are slower. The biggest regression is 30us (7%) on m6a.
A/B passed on this new test: https://buildkite.com/firecracker/mancio-test-perf/builds/77

I also disabled AVX512 compilation as it was increasing binary size by 600kb with no clear performance gain.

Reason

Remove dependency on aes-gcm package which is using deprecated functions from [email protected]. The package hasn't received a stable update in 2 years.
This gets rid of 16 dependencies (from 219 to 203) and unblocks dependabot PRs.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

• I have read and understand CONTRIBUTING.md.
• I have run tools/devtool checkbuild --all to verify that the PR passes
  build checks on all supported architectures.
• I have run tools/devtool checkstyle to verify that the PR passes the
  automated style checks.
• I have described what is done in these changes, why they are needed, and
  how they are solving the problem in a clear and encompassing way.
• I have updated any relevant documentation (both in code and in the docs)
  in the PR.
• I have mentioned all user-facing changes in CHANGELOG.md.
• If a specific issue led to this PR, this PR closes the issue.
• When making API changes, I have followed the
  Runbook for Firecracker API changes.
• I have tested all new and changed functionalities in unit tests and/or
  integration tests.
• I have linked an issue to every new TODO.

---

• This functionality cannot be added in rust-vmm.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.83%. Comparing base (1d6dc09) to head (1bc19e7).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5492      +/-   ##
==========================================
- Coverage   82.84%   82.83%   -0.01%     
==========================================
  Files         269      269              
  Lines       27737    27723      -14     
==========================================
- Hits        22978    22965      -13     
+ Misses       4759     4758       -1     

Flag	Coverage Δ
5.10-m5n.metal	83.01% <100.00%> (-0.01%)	⬇️
5.10-m6a.metal	82.27% <100.00%> (-0.01%)	⬇️
5.10-m6g.metal	79.66% <100.00%> (-0.01%)	⬇️
5.10-m6i.metal	83.00% <100.00%> (-0.01%)	⬇️
5.10-m7a.metal-48xl	82.27% <100.00%> (-0.02%)	⬇️
5.10-m7g.metal	79.65% <100.00%> (-0.01%)	⬇️
5.10-m7i.metal-24xl	82.98% <100.00%> (-0.01%)	⬇️
5.10-m7i.metal-48xl	82.98% <100.00%> (-0.01%)	⬇️
5.10-m8g.metal-24xl	79.65% <100.00%> (-0.01%)	⬇️
5.10-m8g.metal-48xl	79.65% <100.00%> (-0.02%)	⬇️
6.1-m5n.metal	83.04% <100.00%> (+<0.01%)	⬆️
6.1-m6a.metal	82.31% <100.00%> (-0.02%)	⬇️
6.1-m6g.metal	79.65% <100.00%> (-0.02%)	⬇️
6.1-m6i.metal	83.03% <100.00%> (-0.01%)	⬇️
6.1-m7a.metal-48xl	82.29% <100.00%> (-0.01%)	⬇️
6.1-m7g.metal	79.65% <100.00%> (-0.02%)	⬇️
6.1-m7i.metal-24xl	83.04% <100.00%> (-0.02%)	⬇️
6.1-m7i.metal-48xl	83.04% <100.00%> (-0.01%)	⬇️
6.1-m8g.metal-24xl	79.65% <100.00%> (-0.01%)	⬇️
6.1-m8g.metal-48xl	79.65% <100.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Manciukic]

Looking at how much binary size we shaved by removing 16 dependencies, I found out AWS-LC AVX512 implementation is actually adding 600k of binary size (+25%):

# before
$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
2669753  242609   10776 2923138  2c9a82 build/cargo_target/x86_64-unknown-linux-musl/release/firecracker

# after
$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
3378329  244617   11000 3633946  37731a build/cargo_target/x86_64-unknown-linux-musl/release/firecracker

$ nm --print-size --size-sort --radix=d build/cargo_target/x86_64-unknown-linux-musl/release/firecracker | tail -5
0000000000479744 0000000000022935 t _ZN137_$LT$firecracker..api_server..parsed_request..ParsedRequest$u20$as$u20$core..convert..TryFrom$LT$$RF$micro_http..request..Request$GT$$GT$8try_from17h8daaa01a70910ab6E
0000000001950608 0000000000024556 t _ZN182_$LT$vmm..device_manager.._..$LT$impl$u20$serde_core..de..Deserialize$u20$for$u20$vmm..device_manager..DevicesState$GT$..deserialize..__Visitor$u20$as$u20$serde_core..de..Visitor$GT$9visit_seq17hf377c1765d6025e8E
0000000001906672 0000000000027248 t _ZN168_$LT$vmm..persist.._..$LT$impl$u20$serde_core..de..Deserialize$u20$for$u20$vmm..persist..MicrovmState$GT$..deserialize..__Visitor$u20$as$u20$serde_core..de..Visitor$GT$9visit_seq17ha7897829b99bf9f8E
0000000002662240 0000000000339921 t aws_lc_0_32_3_aes_gcm_decrypt_avx512
0000000002322304 0000000000339925 t aws_lc_0_32_3_aes_gcm_encrypt_avx512

[Manciukic]

I've pushed a change to disable AVX512, let's see how it goes: https://buildkite.com/firecracker/mancio-test-perf/builds/76

The size is now just 8k more:

$ size build/cargo_target/x86_64-unknown-linux-musl/release/firecracker
   text    data     bss     dec     hex filename
2676297  244193   11000 2931490  2cbb22 build/cargo_target/x86_64-unknown-linux-musl/release/firecracker