AES Active although not enabled

jkaay

Hi,

Very new to Pfsense, so please excuse this question if it sounds silly.

My dashboard shows:
AES-NI CPU Crypto: Yes (active)

Although I haven't enabled it in System, Advanced, Misc, Cryptographic Hardware. Which is set to None.

Its was like this on install. Is this usual? As I needed to set this before but for some reason it showing active with out me changing any setting after fresh install. Pfsense 2.5.2.

Any help or opinion will be appreciated.

stephenw10

That only shows that the aes-ni driver module is loaded. It may not be actually in use.

The module is not unloaded if you set crypto hardware to none until the firewall is rebooted. Unless you manually unload it with kldunload.

Steve

jkaay

@stephenw10 Thanks for your response, I got confused as on prior installs, I had to set it in System, Advanced, Misc, Cryptographic Hardware. As it wouldn't say Active until I changed the setting. But on this install it was automatically doing it. Really appreciate your response.

stephenw10

Hmm, well you can check the status of the module at the command line:

[2.5.2-RELEASE][admin@t70.stevew.lan]/root: kldstat
Id Refs Address                Size Name
 1   16 0xffffffff80200000  3aea720 kernel
 2    1 0xffffffff83ceb000     61c0 ichsmb.ko
 3    3 0xffffffff83cf2000     2ef0 smbus.ko
 4    1 0xffffffff83cf5000     2e60 smb.ko
 5    1 0xffffffff83cf8000     1ae8 mdio.ko
 6    1 0xffffffff83f21000     1000 cpuctl.ko
 7    1 0xffffffff83f22000     8cb0 aesni.ko
 8    1 0xffffffff83f2b000      b28 coretemp.ko

jkaay

Id Refs Address Size Name
1 15 0xffffffff80200000 3aea720 kernel
2 1 0xffffffff83ceb000 ee98 aesni.ko
3 1 0xffffffff83cfb000 3bb7f0 zfs.ko
4 2 0xffffffff840b7000 a448 opensolaris.ko
5 1 0xffffffff844e6000 1000 cpuctl.ko

I don't know what any of this means but going to try and figure out what I'm looking at.

stephenw10

It's a list of the loaded kernel modules and it shows the aes-ni module is loaded. That's what the dashboard script looks at to determine whether or not to show 'active'.

Normally that module is not loaded at boot unless you have selected AES-NI for hardware crypto. But, as I said, it is not unloaded if you deselect it until you reboot.

Selecting it adds a line /boot/loader.conf. However if you have the customer file /boot/loader.conf.local you might have a line loading it there even if it's not selected in the gui.

Steve

jkaay

@stephenw10 Thanks Steve for your help its much appreciated.

jkaay